Windows as a service: A new way to build, deploy, and service Windows
Windows 10 introduces a new way to build, deploy, and service Windows. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
The content in this post is excerpted from the Overview of Windows as a service article published on the Windows IT Center.
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features, a scenario that doesn’t work in today’s rapidly changing world where new security, management, and deployment capabilities are necessary to address challenges.
Windows as a Service will deliver smaller feature updates two to three times per year to help address these issues. With Windows 10, new features will be delivered to the Windows Insider community promptly during the development cycle, through a process called flighting, so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
Throughout the development process, Microsoft uses feedback so that adjustments can be made quickly, rather than waiting until after release. Individuals and organizations can join the Windows Insider Program to help shape Windows.
We believe deploying Windows 10 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, an easy in-place upgrade process can be used to automatically preserve all apps, settings, and data. And once running Windows 10, deployment of Windows 10 feature updates will be equally simple.
One of the biggest challenges for organizations when it comes to deploying a new version of Windows is compatibility testing. Compatibility was previously a concern for organizations upgrading to a new version of Windows. Windows 10 is compatible with most hardware and software capable of running on Windows 7 or later. Because of this high level of compatibility, the app compatibility testing process can be greatly simplified. We discussed application compatibility on a recent Windows and Devices Partner call.
Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP), has improved. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7. It was important to us that Windows 10 upgrades offered a better experience.
Most Windows 7 compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and telemetry data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story like desktop applications, so most of them will be compatible with Windows 10.
For the most important business critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing.
Device compatibility in Windows 10 is also very comprehensive. New hardware is not needed for Windows 10 as any device capable of running Windows 7 or later can run Windows 10. In fact, the minimum hardware requirements to run Windows 10 are the same as those required for Windows 7. Most hardware drivers that functioned in Windows 8.1, Windows 8, or Windows 7 will continue to function in Windows 10. However, we recommend our new OEM and first party devices as a representative of “modern devices” to support all the new hardware capabilities.
Traditional Windows servicing has included several release types. These are major revisions, service packs, and monthly updates. With Windows 10, there are two release types. These are feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a deployment ring, which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. Look for a Windows and Devices Partner enablement blog post about deployment rings in the coming weeks.
To align with this new update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered to client computers: Current Branch, Current Branch for Business, and Long Term Servicing Branch.
With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered two to three times per year rather than every three to five years as with previous Windows releases, changes will be rolled out in smaller segments rather than all at once and end user readiness time will be reduced.
In response to customer feedback about the size of the two-to-three times per year Windows 10 feature updates, we announced a new differential upgrade capability that will reduce the download size for feature updates by approximately 35%. This capability is delivered via the Unified Update Platform (UUP). This reduction will take effect with the feature update released after the Creators Update, so the benefits will be seen later in 2017.
Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
In Windows 10, rather than receiving several updates each month and trying to figure out which updates the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that includes both security and other fixes and supersedes the previous month’s update. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching.
Comparison of patch environment in enterprise compared to test
The image below is an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what the Microsoft test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
Introduced to align with how feature updates and quality updates are delivered for Windows 10, servicing branches allow customers to designate how aggressively individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and specialized devices that require a longer feature update cycle to ensure continuity.
Microsoft offers three servicing branches for Windows 10:
- Current Branch (CB)
- Current Branch for Business (CBB)
- Long-Term Servicing Branch (LTSB)
If you're a Windows Insider, you also have access to prerelease builds to test and provide feedback about.
While the concept of servicing branches is new, there is an existing benefit. Organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows.
Current Branch (CB)
In the Current Branch servicing model, feature updates are available as soon as Microsoft releases them. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
For example, when Microsoft officially releases a feature update for Windows 10, that update is marked for Current Branch, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60-day grace period) until the most current feature update has been installed.
Current Branch for Business (CBB)
Organizations typically prefer a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the Current Branch for Business servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just later. CB releases are transitioned to CBB after approximately 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Microsoft will support two CBB builds at a time, plus a 60-day grace period. Each feature update release will be supported and updated for a minimum of 18 months.
CBB is a configuration state, meaning that if a computer has the Defer Updates and Upgrades flag enabled, either through Group Policy, a mobile device management product like Microsoft Intune, or manually on the client, it’s considered to be in the CBB servicing branch. The benefit of tying this servicing model and CB to a configuration state rather than a SKU is that they are easily interchangeable. If an organization accidentally selects CBB on a machine that doesn’t need delayed updates, it’s simple to change it back.
Long-Term Servicing Branch (LTSB)
Specialized systems, such as PCs that control medical equipment, point-of-sale systems, and ATMs, often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The Long-Term Servicing Branch servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. Quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 2-3 years, and organizations can choose to install them as in-place upgrades, or even skip releases, over a 10-year life cycle.
LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana, Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices.
Windows Insider Program
For many IT pros, gaining visibility into feature updates early, before they’re available to the CB servicing branch, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they may discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter.
There are many tools with which IT pros can service WaaS. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage WaaS updates.
Windows Update (standalone)
Provides limited control over feature updates, with IT pros manually configuring the device to be in the CBB servicing branch. Organizations can control which devices defer updates and stay in the CBB servicing branch or remain in CB by selecting the Defer upgrades check box in Start\Settings\Update and Security\Advanced Options on a Windows 10 client.
Windows Update for Business
This is the second option for servicing Windows as a service. This servicing tool includes a little more control over update deferment and provides centralized management using Group Policy. In Windows 10 version 1511, Windows Update for Business can be used to defer feature updates for up to 8 months and quality updates for up to four weeks. Also, these deferment options were available only to clients in the CBB servicing branch. In Windows 10 version 1607 and later, Windows Update for Business can be used to defer feature updates for up to 180 days and quality updates for up to 30 days. These deployment options are available to clients in either the CB or CBB servicing branch. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune. In addition to Intune, organizations can use Group Policy to manage Windows Update for Business.
Windows Server Update Services (WSUS)
Windows Service Update Services provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
System Center Configuration Manager
System Center Configuration Manager provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
- Overview of Windows as a service (full article)
- Windows IT Center
- Windows Blogs
- Windows 10 partner content
- Partner technical presales and deployment services
- Sign up for the Windows Insider Program
Windows and Devices Partner Community
- Community call schedule
- Windows and Devices Partners Yammer group
- Community blog series
- Training and enablement
We look forward to continuing the conversation with you about the Windows 10 opportunity. We use our Windows and Devices Partner Community calls, blog posts, and Yammer group to share information and connect with you. If you’re serious about building and sustaining a profitable Windows practice, and want in-depth assistance, email WinRecruit@microsoft.com or post your question in the Yammer group.