Patch management is more important than ever and sometimes you might end up with questions like “what is the difference between CB and CBB – and how many days should I defer?”
Together with questions like “what is the current best practice for DHCP servers” (which has changed twice in the last ten years), you might stumble upon the update regime for Windows.
Those questions arise among people who still have the mindset of traditional on-prem AD, Windows 7 and SCCM patch management. Let me tell you, Windows as a Service (WaaS) is something completely different.
Windows as a Service
As a general guideline, it is recommended that business customers follow the Current Branch for Business rather than the consumer-oriented Current Branch. This way, all patches, security updates and feature upgrades are tested on a broader audience before hitting your organization a few weeks or months later. However, it is also recommended not to defer updates (set to 0 days). This will allow the business users to avoid some of the bugs that might occur in the earlier versions of a build or patch, but still get the zero-day hotfixes.
When Microsoft describes Windows as a Service, the Windows servicing model is usually illustrated as having thousands of internal testers before millions of Windows Insiders receive the same updates. CB, with its hundreds of millions of users, then gets the latest updates. Only after in-the-field feedback and experience from CB are the same updates shipped to CBB, ensuring high quality of service and stability for the business users (figure 1).
For business customers who use Microsoft Intune, this can be configured with ease in the Azure portal:
- Navigate to http://portal.azure.com and log in to the tenant where the policy should be applied
- Search for Microsoft Intune under “more services”
- In Microsoft Intune, select “Software updates”; this will open the “Software updates – Windows 10 Update Rings” pane
- In the “Software updates – Windows 10 Update Rings” pane, click “Windows 10 Update Rings”, then click “Create”
- Enter a name, and preferably a description, before you click “Configure”
- Select CBB as Servicing branch, and edit the rest of the configuration settings according to your flavor. Click OK
- Click Create
- When created, click “Assignments” and assign to “App deploy” by clicking “Select groups”, select the desired group and click Save
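
To confirm that the ring created above actually reached a device, the following PowerShell check is an added example (not from the original post or from Microsoft). It assumes MDM-delivered Update policies are stored under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update` with Policy CSP value names, where a `BranchReadinessLevel` of 32 means CBB and 16 means CB; the helper names and sample policies are made up for illustration.

```powershell
# Added example: audit the Update policy an Intune ring delivered to a device.
# Assumption: MDM Update policies land under this key with Policy CSP value names.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$Deferrals = 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays'
# Policy CSP values for Update/BranchReadinessLevel (16 = CB, 32 = CBB).
$BranchNames = @{ 2 = 'Insider Fast'; 4 = 'Insider Slow'; 8 = 'Release Preview'
                  16 = 'CB'; 32 = 'CBB' }

# Hypothetical helper: read the three values, skipping any that are absent.
function Get-UpdatePolicy {
    $policy = @{}
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey
        foreach ($name in @('BranchReadinessLevel') + $Deferrals) {
            if ($null -ne $item.$name) { $policy[$name] = $item.$name }
        }
    }
    return $policy
}

# Hypothetical helper: compare a policy to the page's advice (CBB, 0 days deferral).
function Test-UpdateRing {
    param([hashtable] $Policy = @{})
    $findings = @()
    $branch = $Policy['BranchReadinessLevel']
    if ($null -eq $branch) {
        $findings += 'BranchReadinessLevel not set: the ring has not reached this device'
    } elseif ([int]$branch -ne 32) {
        $label = $BranchNames[[int]$branch]
        if (-not $label) { $label = 'unknown' }
        $findings += "Branch is $label ($branch), expected CBB (32)"
    }
    foreach ($name in $Deferrals) {
        $days = $Policy[$name]
        if ($null -ne $days -and [int]$days -ne 0) {
            $findings += "$name is $days, expected 0"
        }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample policies (not from a real device), plus the local device.
$cases = [ordered]@{
    'ring as recommended'  = @{ BranchReadinessLevel = 32; DeferQualityUpdatesPeriodInDays = 0 }
    'left on CB, deferred' = @{ BranchReadinessLevel = 16; DeferFeatureUpdatesPeriodInDays = 30 }
    'local device'         = Get-UpdatePolicy
}
foreach ($case in $cases.GetEnumerator()) {
    $result = Test-UpdateRing -Policy $case.Value
    '{0}: compliant={1} {2}' -f $case.Key, $result.Compliant, ($result.Findings -join '; ')
}
```

A device that reports the branch as not set has not yet synced the ring, which usually points at the group assignment in the last step rather than at the ring settings.
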
As mentioned above, please leave the deferral period at zero days. This way you will get the best of both worlds, as most patches and updates are tested in-depth by millions of CB users before they reach your organization and any issues get spread all over. Microsoft has some resources that might be worth digging into – personally I find this one helpful when talking to peers and customers, and one line is worth a copy-paste:
Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases, while after about 4 months, we will announce broad deployment readiness, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Each feature update release will be supported and updated for 18 months from the time of its release
Microsoft WaaS blog