Microsoft Offers Further Windows 10 Servicing Clarifications
The rather complicated Windows 10 updating process that Microsoft expects organizations to follow got some additional light this month.
New details on Microsoft's update process for Windows 10 were described in a Microsoft "Windows 10 Deployment Overview and Live Q&A" Web presentation held on Nov. 18 by Stephen Rose, industry lead for U.S. Windows and Devices at Microsoft, as well as Michael Niehaus, director of product marketing for Windows at Microsoft. The presentation is now available on demand here.
Questions during the presentation came from both Rose and viewers. One highlight of the presentation is that Microsoft is now saying that Windows 10 current branch for business releases are supported for about 18 months (or longer) plus 60 days, apparently because the company has slowed down its software update release process. The presentation also described Microsoft's coming technologies for managing the bandwidth hits delivered by Windows 10 cumulative updates, which can be hefty. What follows is a summary of the talk's main points.
Microsoft follows a so-called "Windows as a service" update routine with Windows 10, releasing about two major feature updates to the operating system per year. As a consequence, it would not be unusual for organizations to be piloting one version of Windows 10, while using another version in production environments and potentially using a third version, Niehaus said. The updates are cumulative, which means that they contain all past updates.
Windows 10 releases follow a pattern. Microsoft first delivers Windows Insider preview releases for early testing. Six months later, that release becomes a "current branch" (CB) release, "which we expect organizations to use for pilot deployment," Niehaus said. Four months later, the release becomes a current branch for business (CBB) release and is considered by Microsoft to be "ready for broad deployment."
"So there's not really any difference between current branch and current branch for business -- it's really about time," Niehaus explained.
Microsoft also publishes Windows 10 "media refresh" releases after declaring a CBB. Niehaus explained that these media refreshes are "nothing more than taking the original media, injecting the latest cumulative update into it and then publishing it to the Volume License Service Center, but it is just a convenience -- you could do that manually without any issue."
As far as alerting Windows 10 users about the arrival of a new CBB, Niehaus said that Microsoft publishes announcements at this Windows for IT Pros TechNet blog. Microsoft's Windows 10 update history is published at this TechNet page.
"This is really different for our customers that are now going to always be in a state of piloting, deploying and managing Windows and not necessarily one version at a time," Rose commented, regarding the Windows-as-a-service release cycle. He showed the following slide:
Based on the November date on that slide, Niehaus said that we're currently in the evaluation phase for the next Windows 10 feature update release happening in 2017, or the so-called "Creators Update." Microsoft had previously described this update as bringing added support for graphic designers using Windows 10, including 3D and virtual reality aspects.
"We've announced that the Creators Update will be coming out in early 2017," Niehaus said.
Rose commented that organizations should become part of the Windows Insider Program to do testing on the release. They'll gain four to six months before the update gets delivered.
The summer 2016 release arrived in August and is known as the Windows 10 1607 "anniversary update" release, but Niehaus said Microsoft has been moving away from using marketing names with Windows 10 releases and prefers to refer to it as "the 1607 release." He explained that "1607 is still in that pilot phase because it's still considered current branch." Organizations today are typically deploying it to 10 percent to 20 percent of their PCs to check that everything works OK, he added.
One question posed during the presentation was about organizations running Windows 10 1607 alongside Windows 10 1511, and what will happen to version 1511 in November. Here, Niehaus offered somewhat new information.
"Our basic policy is that we will support two CBB releases at all times. We clarified that recently to say that each one of them would be for a minimum of 18 months, but since we've released a little less frequently over the last two years, it's actually been a longer period of time for each one. For 1511 as the example, when the first release in 2017 comes out, and four months after that it's likely to be declared as CBB, that would then signal that 1511 is no longer going to be serviced. So we'll give you the extra 60 days warning to let you know that after this date, you're not going to see any more patches for 1511. It'll continue to work, but you'll be more and more at risk as you don't have any fixes for that release."
The 18 months plus 60 days of support for a CBB, shown in Figure 1 for Windows 10 1507, appears to be a new characterization of the process. Early descriptions of the update process had suggested that a CBB would be supported for 12 months max, which was described as eight months of CBB support plus another four months from the CB release. The 60-day interval mentioned by Niehaus wasn't explained during the presentation. Other Windows 10 versions shown in Figure 1 seem to have longer support phases, for some reason.
On the management tooling side, there's some capability for delaying Windows 10 updates. For instance, Microsoft's Delivery Optimization service does have a "Pause" capability, but it can only defer delivering updates to PCs for 35 days max.
Long-Term Servicing Branch
In addition to preview, CB and CBB releases, Windows 10 Enterprise and Education editions have a long-term servicing branch (LTSB) update option that delivers fewer feature updates. However, Microsoft doesn't recommend LTSB for organizations. Niehaus called it a "different kind of animal," although it's similar in many ways to Microsoft's old service-pack approach seen with Windows 7. Feature updates for LTSB users arrive at a yearly rate, although security updates still arrive monthly.
"LTSB is basically a very stable version of Windows," Niehaus said. "So, once it's released, we won't add any new functionality to it for its entire life."
Microsoft removes certain features from LTSB that get frequent updates, such as Cortana and the Microsoft Edge browser, which are "incompatible with LTSB," Niehaus said. He argued that frequent updates add innovation as well as greater security. Faster Windows 10 updates provide a potential "protection gap" between releases, he contended, showing the following slide:
Users of the Windows 10 LTSB will eventually get Microsoft's new OS features, but they could arrive after a few years.
"LTSB will eventually get those features but with an expected release cycle of about once every three years for new LTSB releases, you're going to have to wait awhile," Niehaus said. "We had an LTSB release in 2015. We had another one in 2016 that corresponded with the Windows Server 2016 release because it's an LTSB release as well, so it made sense to have another one, but we don't expect another LTSB release until 2019."
It's possible to perform an in-place Windows 10 upgrade from LTSB to the CB or CBB branch. However, an in-place upgrade is not supported when moving from CBB to LTSB. Reimaging is necessary to move from CB or CBB to LTSB, Niehaus explained.
"We generally position LTSB, though, for special-purpose devices only, and we clarify that to say that if it runs Office, it's not a special-purpose device," Niehaus said. "LTSB is really designed for those factory-floor PCs."
The various service-branch deployment options are illustrated in this slide:
Microsoft recommends that IT pros use a triage approach for testing Windows 10 updates, with users segregated into different deployment "rings." The IT department should become testing ring No. 1, but IT pros should also include a group of volunteer workers in that same ring.
The Windows 10 preview also should be tested, but it can be done by a smaller number of people ("a few dozen"), such as the IT architects or infrastructure desktop specialists, Niehaus said. Organizations could have multiple rings -- "it's really about how much risk you want to take at one point in time," Niehaus explained.
Niehaus offered an optimist's view of this Windows 10 update scheme, urging IT pros to just get active when problems are encountered.
"We expect everything will work well because app compat is like 99 percent with Windows 10," Niehaus said. "But there is that small percentage of things that might not work, so we want to not spend so much time doing formal testing of three thousand or four thousand or however many applications you have. Instead just do pilot deployments to these volunteers and tell them to call the help desk if they find any problems. So react to issues rather than trying to proactively identify them."
Niehaus said that organizations should have a fallback plan with Windows 10 updates. They can roll back to the previous feature update if a critical application doesn't work, or they can set up a virtual machine or remote desktop session as a remediation plan.
However, since Windows 10 updates are cumulative, organizations have a month at most to fix issues with the monthly security and nonsecurity patches when following the CBB route. In a previous communication, Microsoft had suggested that organizations should open a case with Microsoft or contact the software vendor should problems arise with Windows 10 updating.
Monthly Update Recommendations
Microsoft releases security and nonsecurity patches each month. For updating Windows 10 PCs on a monthly basis, Microsoft recommends using Express Updates, which delivers only the changed bits. With Express Updates, there's less of an impact on the network. A typical Windows 10 1511 monthly patch is about 1GB in size, but it slims down to 100MB per machine when using Express Updates. Express Updates is currently supported by most of Microsoft's management tools but not yet by third-party solutions.
"Today we can support Express Updates with WSUS, with Windows Update, with Windows Update for Business, but we can't support it with System Center Configuration Manager or third-party patching products because the capability doesn't exist in the operating system yet," Niehaus explained.
Microsoft is working on adding the necessary APIs to Windows 10 so that the management tools will be capable of using Express Updates.
"We'll do that in Q1 of 2017 through a cumulative update for Windows 10 1607," Niehaus said and added that Express Updates "then will be able to be leveraged by System Center Configuration Manager and third-party software tools."
Microsoft illustrated the timeline for enabling Express Updates in this slide:
Feature Updates File Size
Windows 10 also has feature updates, which are fairly large downloads. Nominally, feature updates are shown at about 3.5GB in size. Organizations may be thinking that they will "crush" their networks, but Niehaus said that the size is actually 2.5GB if using a "servicing-based approach with Windows Updates, WSUS or the Config Manager Windows 10 servicing capability." Those services all use Electronic Software Distribution (ESD) files for feature updates, which are better compressed, he explained.
Microsoft also is working on delivering in 2017 the ability to perform a "differential upgrade," which will "reduce the size by another 35 percent," making it around 1.8GB in size per PC per month, Niehaus added. The differential upgrade capability is based on a coming "Unified Update Platform" technology that had its debut with Windows 10 build 14959, which was released to Windows Insider Program testers earlier this month, Microsoft previously explained.
The concept of using differential upgrades to reduce Windows 10 feature update size was illustrated by the following slide during the presentation:
Organizations also can use peer-to-peer services to lessen network bandwidth hits from feature updates. Microsoft has BranchCache, a wide area network content distribution caching solution that is built into some Windows editions. It also has Delivery Optimization, a new update management capability that had its debut with the release of Windows 10 version 1607. Delivery Optimization has content delivery controls that can be configured by Group Policy, as previously explained by Niehaus.
A peer-to-peer management capability also will be coming to System Center Configuration Manager.
"The Configuration Manager team is working on their own peer-to-peer mechanism built into the Config Manager client, and that one should be available soon, too," Niehaus said. Third-party software tools also can be hooked into Configuration Manager for "advanced capabilities," he added.
Deployment and Management Tools
The presentation added a few details about Windows 10 deployment, management and planning tools.
On the deployment side, Niehaus commented that Microsoft's tools tend to have compatibility support with previous versions of the operating system. "So the Windows 10 1607 ADK [Assessment and Deployment Kit] should work fine to deploy Windows 10 1511."
A new version of the Microsoft Deployment Toolkit was released last month. It's labelled "MDT build 8443." It doesn't have many new features, but it'll be updated regularly to keep pace with supported Windows OS releases, Niehaus explained.
Niehaus said that any supported Windows Server release will work with Windows 10 client deployments. However, there are some nuances when using Windows Server Update Services (WSUS) with certain Windows Servers for patch management, particularly with regard to Windows Server 2008 R2.
"WSUS built into Windows Server 2008 R2 supports the monthly patches for Windows 10, but it doesn't support Windows 10 feature updates. We added support for doing feature updates into [Windows] Server 2012 and 2012 R2. It's built into [Windows Server] 2016. But for [Windows Server] 2008 R2, it's in extended support, so we're not adding new functionality to [Windows Server] 2008 R2. In order to deploy those feature updates, your WSUS server should be at least running Windows Server 2012. So there are some dependencies like that."
WSUS 3.0 was going to expire in July 2017, but there were more than a million WSUS 3.0 servers out there, so Microsoft extended the support through January 2020 (the end of extended support for Windows 7), Niehaus said.
Microsoft also has a tool called "Upgrade Analytics," part of the Microsoft Operations Management Suite (OMS), which can help in planning organizational upgrades to Windows 10. It can be used to drive piloting and deployment planning, Niehaus said. Upgrade Analytics is free for Enterprise customers, although it requires providing a credit card number that doesn't get charged.
"It's free for everyone because even if you don't have OMS you can have an Azure subscription," Niehaus said. "OMS has various usage levels, including a free one. Windows Upgrade Analytics only requires the free level of OMS. Enterprise customers [have] no charge -- all you need is an Azure subscription."
One question asked during the presentation was whether Microsoft would make it easier for IT pros to remove the applications included in Windows 10. Niehaus said that there weren't any such plans. PowerShell is the easiest way of removing them, he said. However, Microsoft is working on adding support in the Windows 10 Creators Update so that apps removed by the user won't return with the next cumulative update release.
"The problem is that IT, when they deprovision apps from Windows, we don't have a way yet to keep track of what has been deprovisioned," Niehaus said. "So, as a result, even with the Creator's Update, they'll come back. But as of that point we'll start keeping track of what apps have been deprovisioned, so that when we deploy the next update, the next feature update later in 2017, then the apps won't come back."
Niehaus also debunked a claim that the command line interface will be going away in favor of PowerShell. Users of the shell can just change the default. "The only thing that really changed is they changed the default from command line to PowerShell," he said.