Enterprise Mobility and Security Blog


One of the biggest changes you are likely already seeing with Windows 10 is something we call the Windows 10 Servicing Options. These are the good kinds of rings (e.g. onion, Saturn, wedding), not the kind forged in the bowels of some evil mountain. I’m talking about the Windows Servicing Options.

Looking ahead, at any given time there are going to be multiple branches of the Windows code in the market, and you’ll even have multiple branches deployed within your organization. This will become normal (and not at all as complex as it may at first sound), but understanding what each branch does is very important. The authoritative source for definitions and details of the various Windows 10 servicing options can be found here. I recommend that you become super familiar with this blog and refer to it as you make decisions on which Windows branch to use in each scenario within your organization.

In this post, I’ll touch on the definitions of the servicing options and share some insight on how the individuals and devices in your organization can participate in all of the rings – as well as how you can manage all the servicing options via SCCM and EMS.

As we’ve worked on Windows 10 to define the overall strategy for how Windows will be delivered as a service, servicing the multiple servicing options is something we have spent a lot of time discussing. We understand that the majority of Enterprise organizations are going to use ConfigMgr and EMS to manage Windows 10 devices, and we have significantly enhanced the capabilities of ConfigMgr to help you manage and report across the servicing options.

What are the Servicing Options and Why?

Let me start with the why.

I regularly get asked for advice on how to best keep Windows devices secure, reliable, and compatible. At Microsoft we have a pretty strong point-of-view on this: Your devices will be more secure, more reliable, and more compatible if you are keeping up with the updates we regularly release.

Most people I talk with generally agree with that point-of-view, but they still have concerns about whether or not their devices can handle all the updates without first rigorously verifying that the updates won’t break something. That process can, obviously, consume a ton of time. Some examples of devices in this type of scenario are PCs that operate in truly mission-critical roles (e.g. operating an assembly line or in an operating room). These mission-critical use cases are very different from the typical Information Worker scenarios where the devices get used for a lot of different activities and can therefore be more flexible.

In our mobile-first, cloud-first world, Information Workers expect (and, you could argue, insist on) having new value and new capabilities constantly flowing to them. Most of these workers have smart phones and regularly accept the updates to their apps from the various app stores. The iOS and Android ecosystems also release updates to the OS on a regular cadence.

With this in mind, making updates isn’t abnormal, and we are committed to continuously rolling out new capabilities to users around the globe – but we also understand that there are use cases where this simply doesn’t make sense. Windows is unique in that it is used in an incredibly broad set of scenarios – from a simple phone to some of the most complex and mission critical use scenarios in factories and hospitals. One size (and one servicing model) does not fit all of these scenarios.

To strike a balance between the needed updates for such a wide range of device types, there are four servicing options you will want to deeply understand.

  • Windows Insider Program
  • Current Branch (CB)
  • Current Branch for Business (CBB)
  • Long-Term Servicing Branch (LTSB)

Windows Insider Program

The Windows Insider program is where individuals who want to see the new innovations coming out as early as possible can sign up and receive regular updates – essentially directly from the Windows engineering team. Having millions of devices participating in this program and getting regular updates has been a wonderful part of building Windows 10. As soon as we think the new capabilities/features are ready to put in the hands of customers, we release them to the Insiders.

I am sure many (if not all of you) have said sometime in your career that you wished you had an early/inside view of the capabilities that would be coming out in the next version of Windows so that you could start preparing for them – this is exactly what the Insider program does for you. Insiders can see, months in advance, the capabilities being developed.

At any given time, we expect there to be more than 10M devices participating in the Windows Insider Program. This gives us early feedback on functionality as well as any compatibility issues that may surface.

Current Branch (CB)

As scenarios mature, and as our confidence in the capabilities/compatibility meets a specific bar, we move code to the Current Branch. The Current Branch is what we will be distributing through Windows Update to the 100s of millions of consumer devices around the globe.

On a regular basis, consumers around the globe will have new functionality as well as core fixes in stability, reliability, and compatibility distributed out through the Windows Update solution that we all know so well.

Today, Windows Update services/updates close to 1 billion PCs each month. It is one of the most amazing services I have ever worked on. You will definitely have users/devices on this branch – it will be the most common branch you will see on BYO devices.

Windows devices being serviced from the Current Branch will be referred to as “serviced from CBs.”

Current Branch for Business (CBB)

This is the branch where many/most of your Information Workers’ CYO devices will ultimately end up. There will be 100s of millions of devices running code in the CB before we classify the capabilities as ready for Current Branch for Business.

Consider this for a minute: 100s of millions of devices will have been running the code that is in CBB for a few months and, through the telemetry coming in from CB, we will be able to see any issues and address them prior to the code moving into CBB. This is a huge benefit to every organization using this branch: All the telemetry coming in gives us a view of the reliability/stability of the new features, and this means IT can have confidence that what they’re deploying is stable and ready for use. Additionally, end users get a constant stream of new features – so it’s a win-win!

Windows devices being serviced from the Current Branch for Business will be referred to as “serviced from CBB’s.”

Long-Term Servicing Branch (LTSB)

For the mission-critical scenarios in which Windows devices will be used, we will release what we call Long-Term Servicing branches at the appropriate time intervals. Devices on these branches will receive the level of enterprise support expected for the mission critical systems and it will keep those systems more secure with the latest security and critical updates, while minimizing change by not delivering new features for the duration of mainstream or extended support.

Bringing it All Together

With this approach, you can enable innovations to roll out to your users and their devices at different speeds. It provides you with a tremendous amount of flexibility.

Now what you need is a way to see all of this in one view and get that all-up perspective. That is what ConfigMgr provides. In ConfigMgr we have delivered a dashboard (see below) and the ability to see an all-up status in one place. I know that many of you already use the ConfigMgr reports as a part of your security and compliance efforts – but now I believe it’s important for you to have that same kind of report across these servicing options. With ConfigMgr you can now aggregate all of this together.

Here are some screenshots of what is coming:

[Screenshot: ConfigMgr dashboard]

In terms of suggestions/guidance, this is where I think many of you will want to go:

  • Windows Insider Program
    Take a few of your organization’s technology enthusiasts and have their primary device participate in the Insider Program. This could be your architects, or it could be individuals in IT who have been the most active participants over the years in the TAP and beta programs. You want to have some of your thought leaders getting that super early view of what is coming. This will also give you the opportunity to have some of your apps in very early compatibility testing as these users do their daily work.
  • Current Branch
    If you are enabling BYO, the majority of your users’ BYO devices are going to be on this branch. If you are not enabling BYO, you will want to identify a set of users who like being the first to use something new and then have them on this branch. You could take an approach where you have a handful of users from each of the major departments (engineering, sales, marketing, etc.) on the consumer branch to test its widespread applicability. If you do this, you are going to have a set of users/devices validating that the core apps work (a form of real-world compatibility testing) across all the departments.
  • Current Branch for Business
    This is where the majority of your Information Workers’ devices will reside. I expect that they will love the continuous flow of new capabilities. The fact that you have had individuals participating in the Insider Program and Consumer Branch will provide a level of confidence for compatibility and stability before you roll these updates out to any user.
  • Long Term Servicing Branch
    Identify the devices that are mission critical or have more strict regulations around change (a stock trader’s desktop, a PC being used in pharmaceutical trials, etc.) and group those devices here.

ConfigMgr is going to enable you to have the dashboard to approve and monitor what is happening across the servicing options. A big part of what is enabling this is the additional business capabilities we are building into Windows Update, e.g. we announced Windows Update for Business in May 2015.

I have been leading the ConfigMgr team since 2003, and my philosophy (and the view of Microsoft) is that we want to deliver increasingly rich capabilities in our platforms and then provide more granular and detailed management capabilities through solutions like ConfigMgr and EMS. This is exactly the case with Windows Update for Business. The Windows Update for Business capabilities will be integrated into ConfigMgr just like WSUS has been integrated into ConfigMgr. As you read about Windows Update for Business capabilities, they will be exposed through ConfigMgr.

ConfigMgr will continue to be that single pane of glass for all your updates – both Microsoft updates and our partners’ updates.

Windows 10 brings an incredible amount of flexibility to how you want to flow innovation out to your users and devices. I believe we have tackled this in the right way. We are hoping you will enable the updates to flow to your devices as quickly as possible, and we believe that, as you do this, your devices will be performant, secure, reliable, and compatible.

This is how we see working together moving forward: We are updating the tools you use today to enable this flexibility with the skills and knowledge you already have.
