Windows Update Rings

Configure Windows Update for Business using Microsoft Intune

Microsoft is aligning their servicing models with twice-per-year feature update releases targeting March and September. As part of the alignment with Windows 10 and Office 365 ProPlus, they are also adopting common terminology to make it as easy to understand the servicing process.  In this blog I’ll focus on one of the terms and how to configure Windows Update for Business Using Microsoft Intune.

Semi-Annual Channel. These are the twice-per-year feature update releases, designed for general-purpose PCs used throughout organizations.  (The Semi-Annual Channel replaces the Current Branch [CB] and Current Branch for Business [CBB] concepts.) So from now on I’ll be referring to the older concepts as:

OLD New
Current Branch (CB) Semi-Annual Channel (Targeted)
Current Branch for Business (CBB) Semi-Annual Channel (Broad)

I have to mention there is also “Long-Term Servicing Channel”. These are less frequent releases designed for special-purpose PCs. Then there’s also Windows Insider Program. I’ll leave these two for another blog.

Feature updates

Feature updates are delivered more frequently than with previous Windows releases. Both Office 365 ProPlus and Windows 10 updates will deliver their major updates semi-annually, around March and September.

Quality updates

There is only one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and reduces unexpected issues resulting from patching.

Windows Update for Business; Configuring Deployment Rings

In this example I will configure three update rings for Windows 10;

Ring Servicing chanel Deferal feature updates Deferal quality updates Example
Pilot Semi-Annual Channel (Targeted) None None Pilot Group
Targeted Semi-Annual Channel (Targeted) 7-14 7-14 teams used to evaluate the major release prior to broad deployment
Broad Semi-Annual Channel (Broad) 120 30 Broadly deployed to most of the organization

 

Sign into the Azure portal and navigate to >Intune>Software Updates>Windows 10 Update Rings and Click on Create

Windows Update for Business - Update Rings

 

Now fill in the blanks and create your Update Rings. Use the table above as a starting point. Once you are done, click OK, and then on the Create Update Ring blade, click Create.The Servicing Branch (Branch readiness) level determines which update channel to use where Semi-Annual Channel (Targeted) is the default for all Windows 10 devices

Configuring Windows 10 Update Rings

Note:

Due to naming changes, older terms like CB,CBB may still be displayed in Intune. Remember that CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel (Broad). If you want to know more about each setting then please read this blog.

To manage quality and feature updates, you must create security groups that align with your deployment rings.  I have three update rings and therefore three security groups.

Update Ring Security Group Name Members
Pilot Intune – Windows 10 Update Ring Pilot Pilot devices
Targeted Intune – Windows 10 Update Ring Targeted Targeted Users
Broad Intune – Windows 10 Update Ring Broad All Other users

Assign the update Ring to a security group (user or device group). You can use a device group for the Pilot Ring to make sure only selected devices are included. These could be secondary devices for example. This way the pilot users primary device will not receive updates from this ring. The Broad ring usually targets a user group.

Assigning Windows 10 Update Rings to Security Groups

That’s it. You can follow the status of your policy and update rings by going to Intune>Software Updates>Overview

Windows Update for Business status

 

You can also check if all settings have been applied to your Windows 10 devices. Go to settings>Update & Settings>Advanced Options and see if the settings match your update ring.

Windows 10 Advanced Update settings

 

Summary

In this article, I’ve shown you how to manage updates for MDM enrolled Windows 10 devices using Intune. You have now configured the Pilot, Target and Broad  deployment rings to receive quality and feature updates using configured settings. If you want to catch up with your reading, feel free to have a look at the following resources:

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of