Windows 10 is looming large on the horizon for many enterprises as they look to refresh their desktop estates. Understanding what is new in Microsoft’s flagship operating system is vital to making the correct deployment decisions. Unfortunately, as with Microsoft’s arcane licensing terms, understanding the new “servicing branches” in Windows 10 isn’t as clear-cut as we’d all like it to be.
First, let’s make the distinction between “feature upgrades” and “servicing updates”.
“Feature upgrades” provide, according to Microsoft the “latest new features, experiences, and capabilities on devices”. It also makes the point that unlike previous versions, where new features might appear in a Service Pack which had to be installed after the base operating system, feature upgrades contain the entire operating system. Essentially, to those of us who like things the old-fashioned way, that would make the RTM version of Windows 10 officially version 10.0, the 1511 update codenamed Threshold would be version 10.1, and the upcoming Redstone update would qualify as Windows 10.2. Indications that “Windows-As-A-Service” has potentially already arrived.
“Servicing updates”, on the other hand, are what we traditionally know as security patches and hotfixes.
Windows 10 Editions
Next, let’s remind ourselves of Windows 10 Editions. It comes in:
- Mobile Enterprise
- IoT Core
- IoT Professional
Let’s ignore the last four of those. Home, Professional, Education and Enterprise are the desktop editions, and Education is essentially Enterprise without the Long-Term Servicing Branch (LTSB) option and a lower pricing model for schools. So essentially, the editions we need to concentrate on are Home, Professional, and Enterprise. Any reference I make to Enterprise after this can be considered applicable to Education as well – with the exception of LTSB.
Upgrade Delivery Mechanisms
Next, how do we deliver these feature upgrades and servicing updates to our user base? We have the following options available:
- Windows Update
- Windows Update For Business
- Microsoft tools like WSUS or SCCM
- A third-party alternative
For purposes of this discussion, we will concentrate on the three Microsoft-provided options – WU, WUB, or WSUS/SCCM.
Finally, we need to consider our “servicing branch”. There are:
- Windows Insider Program – Available on all Windows editions
- Current Branch (CB) – Available on all Windows editions
- Current Branch for Business (CBB) – Available on Professional/Enterprise editions
- Long-Term Servicing Branch (LTSB) – Available on Enterprise only
Each of these servicing branches offer a different method and timing for the provisioning of your feature upgrades and servicing updates.
Still with me? Good. Let’s break it down a bit…
Windows Insider Program
At the top of the tree we have our Windows Insider program. These guys are essentially the alpha testers. You can configure your Windows 10 devices for Insider builds by creating a logon and then changing the relevant options in the Update area of the Windows 10 settings applet. You have the option to choose a “speed” for your updates, essentially deciding whether you will be sitting right on the bleeding edge or just slightly ahead of the normal release schedule, dependent on how potentially unstable you fancy your system being. Needless to say, this should only be used for test machines.
Next we have the users on Windows 10 Home. The Home edition only supports being on the Current Branch and does not support deployment via Windows Update for Business or WSUS/SCCM. Essentially, this means that these users are Microsoft’s beta testers – they cannot defer updates, and receive all feature upgrades and servicing updates as soon as they are released. If you don’t stay current (the servicing lifetime is four months), then you won’t get any more patches!
Current Branch is intended to keep devices as up-to-date as possible, and as I’ve just said, if you’re running Windows 10 Home it’s either Current Branch or nothing. If you’re running on Professional or Enterprise you can use Current Branch should you wish to – but given that it will simply shovel all available updates in your direction with no chance of avoidance, I can’t imagine that any Professional or Enterprise users would choose to do this.
Current Branch for Business
The next servicing branch, and the one Microsoft would like everyone outside of the consumer environment to be on, is Current Branch for Business (CBB). This is available on Enterprise and Professional and allows you to do a number of different things. The first is the option to use Windows Update for Business.
Windows Update for Business (WUB) is primarily aimed at SMEs and appears to be a set of GPOs that will allow you to split your machines into “fast” and “slow” rings for deployment of feature upgrades and servicing updates. The “fast” ring will get them in the first wave, deployed straight away as with Current Branch. The “slow” ring will have these updates deferred for up to four months. It’s not clear yet how WUB will work – details on it are sketchy – and also whether the deferral period can be configured differently for sets of machines, if it is a single setting applied to all in the slow ring, or even if the deferral depends on when Microsoft actually release their next feature upgrade. However, it is clear that SMEs will be able to divide their estates into “test” and “live” streams for purposes of identifying and reducing the potential impact of updates, at least for a period of time. WUB will also allow you to use Windows Update Delivery Optimization, a peer-to-peer update delivery mechanism that reduces the need for all endpoints to connect to the Internet.
However an important point to make is that once a feature upgrade is deployed, all associated servicing updates will then also be deployed to the endpoint. Deferral only applies to feature upgrades and to exercise the same control over servicing updates for the feature upgrades, you would need to use WSUS/SCCM and utilize the approval method to release servicing updates.
Using WSUS/SCCM on CBB also allows the deferral of feature upgrades for up to four months (again, whether this is configurable or deigned by Microsoft’s release schedule is unclear), but as mentioned previously, allows you to also control the release and installation of the associated servicing updates.
CBB’s deferral (no matter whether you use WUB or WSUS/SCCM) means that you have up to eight months in your servicing lifetime, rather than four as with Current Branch. But as with CB, once the eight months are up, if you haven’t deployed the feature upgrade, no more patches will be delivered!
Long-Term Servicing Branch
Which leads us to Long-Term Servicing Branch, which is available only on Enterprise (not Education). Enterprise LTSB is essentially a different version of the Windows 10 operating system when compared to standard Windows 10 Enterprise. Most of the Modern Apps (including Edge) are removed, and the servicing lifetime is set at ten years (rather than being “approximate” as with CB and CBB). Each year a feature upgrade will be released that supports LTSB, in that servicing updates will be provided for ten years hereafter. One of the things to note about LTSB is that if you choose to switch back to CB or CBB after you’ve installed it, there may be issues. Microsoft note that “reconfiguring a device running Windows 10 Enterprise LTSB to run other editions of Windows 10 may require IT administrators to restore data and/or reinstall applications on the device after the other edition has been installed”, so be warned!
So, what’s the best option?
Microsoft’s idea for businesses that have mission-critical apps seems to be a mix of CBB and LTSB on Enterprise. The “regular” machines are intended to run CBB (so never falling more than about eight months behind the current release schedule) with anything hyper-critical (like life support systems and air-traffic control stuff) sitting on LTSB. That’s what they’ve envisaged, anyway.
Unfortunately, there are problems with this. Firstly, many businesses consider their “regular” desktops to be mission-critical, especially when they are being used by employees that generate revenue streams. A feature upgrade or servicing update that kills an application that is vital to these employees will be a big issue. Of course, Microsoft envisions that the four-month deferral should be enough to identify any problems and correct them, but is this enough? What about seasonal applications only used at particular times? A good testing process should help with this, but sometimes vendors can have turnaround times for fixes that will far exceed a four-month limit. And if the vendor position becomes “our application should only be run on LTSB in a Windows 10 environment” (which it might well do!) then you might find yourself having to change tack rather abruptly.
The second problem is that Microsoft have surreptitiously turned the sacrosanct system of Windows Update into a vehicle that delivers not just security patches and fixes, but now appears to have been abused to push advertising, unwanted upgrades, make patches that were manually disabled reappear, and run activation and DRM updates. It took a lot of time after the 2003 Blaster and Sasser attacks to get people to take updating their Windows machines seriously. Now that we’ve reached that stage, do we want Windows 10’s aggressive update functionality to potentially turn them back the other way?
Of course, many people point to Apple’s OSX, and the Chrome and Firefox browsers, as examples of how an aggressive, fast-release update cadence works well. The Windows operating system, though, is a different kettle of fish. Breaking a browser doesn’t generally bring things to a grinding halt – you can simply switch to an alternative. And Apple’s OSX doesn’t have the huge legacy application compatibility that Windows prides itself on to be considered comparable – in fact, that backwards compatibility is often one of the reasons Windows operating systems are actually in use.
So in summary, what’s the way to go?
You need to think very carefully about Windows 10; and the depth of that thought depends on the applications you rely heavily on. Because there’s been a change to the way updates are handled, you need to ensure that your update processes and the applications that they support are going to be safe on a Windows 10 platform. And if you can’t ensure that they will run without interruption, you need to take the appropriate remedial actions, whether that be adopting LTSB, virtualizing them through an application virtualization/layering solution, or something else. Windows 10 brings with a big difference to the way we’ve managed our environments for the last fifteen years or so – and you need to make sure you’re not just aware of it, but well on top of it.