Microsoft is aligning their servicing models with twice-per-year feature update releases targeting March and September. As part of the alignment with Windows 10 and Office 365 ProPlus, they are also adopting common terminology to make it as easy to understand the servicing process. In this blog I’ll focus on one of the terms and how to configure Windows Update for Business Using Microsoft Intune.
Semi-Annual Channel. These are the twice-per-year feature update releases, designed for general-purpose PCs used throughout organizations. (The Semi-Annual Channel replaces the Current Branch [CB] and Current Branch for Business [CBB] concepts.) So from now on I’ll be referring to the older concepts as:
|Current Branch (CB)||Semi-Annual Channel (Targeted)|
|Current Branch for Business (CBB)||Semi-Annual Channel (Broad)|
I have to mention there is also “Long-Term Servicing Channel”. These are less frequent releases designed for special-purpose PCs. Then there’s also Windows Insider Program. I’ll leave these two for another blog.
Feature updates are delivered more frequently than with previous Windows releases. Both Office 365 ProPlus and Windows 10 updates will deliver their major updates semi-annually, around March and September.
There is only one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and reduces unexpected issues resulting from patching.
Windows Update for Business; Configuring Deployment Rings
In this example I will configure three update rings for Windows 10;
|Ring||Servicing chanel||Deferal feature updates||Deferal quality updates||Example|
|Pilot||Semi-Annual Channel (Targeted)||None||None||Pilot Group|
|Targeted||Semi-Annual Channel (Targeted)||7-14||7-14||teams used to evaluate the major release prior to broad deployment|
|Broad||Semi-Annual Channel (Broad)||120||30||Broadly deployed to most of the organization|
Sign into the Azure portal and navigate to >Intune>Software Updates>Windows 10 Update Rings and Click on Create
Now fill in the blanks and create your Update Rings. Use the table above as a starting point. Once you are done, click OK, and then on the Create Update Ring blade, click Create.The Servicing Branch (Branch readiness) level determines which update channel to use where Semi-Annual Channel (Targeted) is the default for all Windows 10 devices
Due to naming changes, older terms like CB,CBB may still be displayed in Intune. Remember that CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel (Broad). If you want to know more about each setting then please read this blog.
To manage quality and feature updates, you must create security groups that align with your deployment rings. I have three update rings and therefore three security groups.
|Update Ring||Security Group Name||Members|
|Pilot||Intune – Windows 10 Update Ring Pilot||Pilot devices|
|Targeted||Intune – Windows 10 Update Ring Targeted||Targeted Users|
|Broad||Intune – Windows 10 Update Ring Broad||All Other users|
Assign the update Ring to a security group (user or device group). You can use a device group for the Pilot Ring to make sure only selected devices are included. These could be secondary devices for example. This way the pilot users primary device will not receive updates from this ring. The Broad ring usually targets a user group.
That’s it. You can follow the status of your policy and update rings by going to Intune>Software Updates>Overview
You can also check if all settings have been applied to your Windows 10 devices. Go to settings>Update & Settings>Advanced Options and see if the settings match your update ring.
In this article, I’ve shown you how to manage updates for MDM enrolled Windows 10 devices using Intune. You have now configured the Pilot, Target and Broad deployment rings to receive quality and feature updates using configured settings. If you want to catch up with your reading, feel free to have a look at the following resources: