Windows desktop management is in transition. The destination – at least from Microsoft’s perspective – is what the company calls “modern management”, and there are some key ingredients.
The first is cloud-based deployment and provisioning, which is based on configuration rather than system images. The second – identity management and authentication – is either based on Azure Active Directory (AAD), which is Microsoft’s global cloud directory as used by Office 365, or a combination of on-premise Active Directory and AAD. The third ingredient concerns settings and configuration, which are made via a mobile device management (MDM) model rather than by Group Policy.
Group Policy is not going away, and still offers a finer degree of control. But the MDM approach has its advantages, including greater efficiency, the ability to manage Windows and non-Windows devices, and having no dependency on Active Directory.
One key aspect of Windows administration that is affected by this transition is managing Windows updates – and getting this right is critically important.
On the one hand, unpatched PCs are a security risk and denying users recent new features added to Windows can affect productivity. On the other hand, rolling out Windows updates too early can be detrimental if there are incompatibilities with key corporate applications.
Windows 10 – which is now nearly four years old – introduced the concept of Windows as a service. This means that instead of big new releases every three years or so, Windows 10 is updated with new features on a regular basis – currently
twice a year.
With one exception – the Long-Term Servicing Channel (LTSC) – these updates are not optional, though administrators can and should control the time between when Microsoft releases updates and when they are deployed.
Quality updates are security and bug fixes that do not add new features. Feature updates add, modify and sometimes remove features of Windows.
Microsoft has introduced the concept of servicing channels, where different servicing channels reflect the maturity of feature updates. The Semi-Annual Channel (SAC) is the normal channel for most users. Features are updated every six months, subject to a configurable delay.
Microsoft also sometimes distinguishes between SAC, which is the more cautious channel (this was once called Current Branch for Business), and SAC (Targeted) which gives users new features earlier (this was once called Current Branch).
In this context, “targeted” means it is intended for roll-out to a limited number of users so that any compatibility issues can be identified early. Windows Insider is the earliest release of the new features. This is a preview channel designed for testing and feedback.
Although the term “targeted” is still sometimes seen, it is not necessary to distinguish between SAC and SAC (Targeted) since they are essentially the same except that SAC has a built-in deferral.
Microsoft intends to remove the “targeted” designation, though it still recommends earlier roll-out to a limited number of users. In a blog post, Microsoft’s John Wilcox wrote: “Start targeted deployments in your organisation as soon as a release is available, deploying to an initial servicing ring, or rings, for validation. Target specific devices until you feel confident to make the decision to deploy broadly, at which time you will then update all of the devices in your organisation.”
Windows administrators can defer feature updates for up to 365 days, and quality updates for up to 30 days. Definition updates for endpoint security cannot be deferred, and production releases of Windows 10 are supported with security patches for at least 18 months after first-release.
For the Enterprise and Education editions, the October releases (from 1809 on) are supported for 30 months. The LTSC is an exception because it is not Windows as a service. LTSC releases receive no feature updates, only quality updates.
There have been three LTSC releases to date: 1507, 1607 and 1809 (the numbers show the year and the month of each release). An LTSC release is supported with quality updates for 10 years.
Three ways to update Windows 10
There are three ways to manage Windows 10 updates. First, Windows Server Update Services (WSUS) offers centralised on-premise control of Windows 10 updates for domain-joined PCs, with deferral options for Windows 10.
Second, System Center Configuration Manager (SCCM) provides all the features of WSUS with additional control over bandwidth and deployment times.
With the third option, Windows Update for Business, updates are delivered directly from Microsoft (accelerated by peer-to-peer delivery), but controlled by administrators.
Windows Update for Business can be managed by Group Policy, SCCM, integrated with WSUS, or managed by Intune. Windows Update for Business was first available in Windows 10 1511. Its features have been enhanced in later editions. For example, in 1809, there is an option to prevent users from pausing updates.
Advantages of Update for Businesses with Intune
Intune is Microsoft’s cloud-based PC and device management product. The current Intune is different from the first version, now sometimes called “Intune Classic”.
Intune Classic required a PC client and was based on Group Policy, for PCs rather than for mobile devices. Intune Classic is still required for Windows 7 PCs, or Windows 10 earlier than 1607.
By contrast, Intune in Azure manages PCs and mobile devices using the mobile device management model. It depends on Azure Active Directory, and enrolment is either manual – when users add an AAD account (work account) to their PCs – or automatic, if a PC is joined to AAD.
Hybrid Azure AD is where computers are joined both to Active Directory and AAD, via an Intune Connector component which is installed on one or more of your domain-joined servers.
Update management using Intune is based on Windows 10 update rings. An update ring is a configuration assigned to a group of computers or users, based on a particular update channel, generally either Semi-Annual Channel or Semi-Annual Channel (Targeted). Windows administrators can also configure Windows Insider channels.
By defining an update ring, the Windows administrator sets the deferral period for both quality and feature updates. This makes it easy to create policies that vary from bleeding edge to cautious.
The most cautious policy would be based on the Semi-Annual Channel with feature updates deferred for 365 days.
An administrator can also set whether to include updates for Microsoft products, Windows drivers and user experience settings from aggressive (auto-install and reboot without user consent) to fully user-controlled (notify download).
It is possible to control for how long a user can defer a pending restart where it’s necessary to complete update installation.
A Windows administrator can also configure Active Hours, during which updates will not be installed, as well as whether the PC should check things such as battery level before restarting.
Intune makes Windows update configuration substantially easier than with WSUS or SCCM. This starts with not having to install and configure servers.
The update policies are relatively simple, and you also get device compliance checking built in.
Monitoring update compliance in Azure
Whichever update method is chosen for Windows 10, administrators can check compliance in Windows Azure by enrolling devices in Windows Analytics. There are several steps in configuring this. First, create a Log Analytics workspace in Microsoft Azure, then create an Update Compliance resource and attach it to the Log Analytics workspace. Finally, copy a unique Commercial ID key from an Update Compliance monitoring tool and deploy it to computers using either a deployment script or group policy.
The key tells Microsoft to send telemetry from the enrolled computers to the Windows administrator’s log analytics workspace. Update Compliance does require at least basic telemetry to be enabled on your Windows 10 devices.
Modern update management
Microsoft is not yet at the point where the Intune MDM approach is recommended for all PCs in an organisation. For desktop PCs, or devices that are already domain-joined, traditional management with SCCM is still the normal path. On the other hand, for laptops or for computers deployed using a bring-your-own-device (BYOD) or choose-your-own-device (CYOD) model, and for small businesses, Intune MDM makes the most sense.
There is no doubting the general direction, which is towards AAD and cloud-based management. The buzzword now is co-management: managing devices using both SCCM and Intune.
The older hybrid MDM approach, where System Center controlled MDM via a connection to Intune, is now deprecated.
“On 1 September, any remaining hybrid MDM devices will no longer receive policy, apps or security updates,” said Microsoft.
These deployments should be migrated to Intune on Azure. When Microsoft introduced Windows as a service, with compulsory upgrades for most users, it was demanding customers to trust the company to maintain system stability and to avoid breaking applications.
Sometimes things do go wrong, but careful update management using modern tools and
taking advantage of update deferrals mitigates these issues, and is now easier to manage for businesses of every size.