Notes from Implement Windows as a Service: Understand how to do it (BRK3136)

Here are notes from the Implement Windows as a Service: Understand how to do it (BRK3136) session at Microsoft Ignite 2016, compiled by Ami Casto (@MDTPro).


Why do we adjust the way Windows is delivered?

  • Security threats
  • Improving productivity
  • Faster adoption of new technologies
  • Get rid of the big deployment projects

What is Windows as a Service?

  • Building
    • Continual on going development
    • Deliver new features 2x year
    • Insider preview 
      • Validate in your environment
      • Give early feedback to adjust the direction of the platform
  • Deploying
    • Stay current with simple, automated update process
    • Application compatibility
    • Flexible timelines, methods, tools
  • Servicing
    • Simplified process ensures:
      • Consistency
      • Stability
      • Reliability
  • Delivered using CU
  • Eliminate platform fragmentation

Windows as a service: Deploying Windows

  • Insider preview branch
    • See what's coming
    • Run small pilots
  • Current Branch (10-20% of your PCs should be in this ring)
    • Pilot deployments allow you to iron out issues immediately
      • Validate apps and infrastructure
  • Current Branch for Business (remaining population of PCs in your environment)
    • Signifies readiness for broad deployment 4 months after Current Branch
    • Risk of waiting means you don’t have MS resources available for identifying and remediating fixes
  • Long Term Servicing Branch
    • Specialized systems
    • Mission critical systems
    • No need for frequent changes/update to the system
    • Expensive – becomes a large deployment project just to stay current
  • Expected process
    • Insider preview
    • Pilot (CB)
      • Group 1 IT
      • Group 2 volunteers who will call the helpdesk when they have issues, not call a VP
    • Broad deployment (CBB)
    • Break up into cross sections of business groups
  • Patching
    • Windows 7/8.1 selective patches causes fragmentation
    • Windows 10 “pick a patch model” goes away – each new one supersedes the previous one so you only need to install the latest to be fully patched
    • This is why you want ring deployments so you can find the issues in small population and work internally and with MS to fix it


  • Quality updates
  • Feature updates
    • Twice per year (Target) providing new capabilities
    • Very reliable
    • Built-in rollback options
      • 1511 30 days
      • 1607 10 days
    • Simple to deploy In-place upgrade leveraging existing tools
    • Can be tested through Insider Preview

Windows as a service: timelines

  • Insider preview: 6 months active development
  • Current Branch: 4 months
  • Current Branch for Business: 12 months
  • MS will always support 2 CBB releases at 1 time.  So if there are 3 in the market, the oldest drops service – after a 60 day grace period
  • Can I skip from 1507 to 1607?
  • Can't deploy the newest until it's released, but you need to finish deployment by the end of 6 months of 1507 grace period

How to do Windows as a service

  • What needs to change?
    • Traditional deployment project
      • 3-5 years
      • A lot of man-power
      • Eliminate imaging expense – don’t need a golden image to move from feature to feature because you will use in-place upgrade
      • Golden image is only needed for bare-metal deployments
      • Lighter dependencies on Active Directory
      • Simplify the way to keep ConfigMgr up to date
      • Drivers are preserved by the upgrade process
  • Deployment Strategy
    • Configure Insider PC
      • Lab or secondary PC
      • Enough to explore new features
      • Measure compatibility
    • Identify Special PCs
      • Deploy Windows 10 Enterprise LTSB
      • Limited numbers of this version installed, if at all
    • Recruit volunteers for pilots
      • Willing participants who will provide feedback (not tell on you)
      • Cover the broadest set of apps/devices/users as possible
    • Divide broad population of PCs
      • Standard deployment best practice
      • Focus on risk reduction which minimizes disruptions

Compare Servicing Choices


Understand LTSB

  • Remove anything that has the ability to change – that is why it is for specialized systems
  • Will be basically patched at the security level only – extremely minimal feature patching available
  • No Cortana, Edge, Store, and almost all inbox apps (minus settings app) – make sure  you know what you're giving up if you go with this solution

Specifying a preference for what comes next (what does this PC get next)

  • Devices are/are not considered CB/CBB
  • Windows 10 release transition from one to the next
    • Starts as CB, progresses to CBB
  • Devices specify when they prefer to move to the next FU
    • Specify to defer updates
  • Each deployment or management tool can implement this idea differently

Implementing a deployment process

  • Validate critical apps and infrastructure
    • Ensure new release works with business-critical apps and core infrastructure tools
  • Begin pilot deployments
    • Start with IT, expand to broader volunteer audiences for app and hardware validation
  • React as needed to feedback
    • A few issues are expected to have a remediation plan in place
  • Deploy to the broad population
    • Focusing on risk reduction, minimizing disruption through scheduling, segmentation

Compatibility in Windows 10

  • Most apps will just work due to minimal changes to Win32 APIs
  • Crash data is analyzed through telemetry/feedback
  • 2 browser model in Windows 10 is to help with legacy web compatibility
    • Improved Enterprise mode capabilities in Win10
    • Edge will actually have the best compatibility options
    • Enable a policy that redirects an incompatible website to IE, and when in IE if it doesn't require compatibility it gets redirected back to Edge
  • Support statements
    • ISV declared supported on Windows 10
        • Searchable directory for vendor/app for the ISV support statement
        • Integrated into Windows Upgrade Analytics service (below)

App Validation Process

  • Directory of all business apps used across the org
    • Much narrower subset of an application whitelist which can be thousands of items
  • Prioritize by level of critical
    • Will the business shut down if these apps don't work
    • Do the rest via pilot
  • Windows Upgrade Analytics
    • Leverage telemetry through a portal to make decisions and drive deployment
    • Free tool based on OMS and Azure service
    • Requires PCs to send telemetry and if you tag it to your org, you can use the dashboard to get specifics for your organization
    • Identify PCs that are pilot candidates
    • Identify which apps are ready to go
    • Identify specific application uses
    • ISV known issues
    • MS known issues found through internal testing and fixes if available
    • Lists can be imported into ConfigMgr to build the collections to move forward with the process
    • Link:

Distributing content using P2P tools

  • Shift network load from center (bottle neck) out to the edges by enabling:
    • BranchCache
    • Delivery Optimization
    • Enable/Disable/Tweak BITS throttling
  • Immediate ROI
    • 90% of network traffic is shifted away from the core
    • Controls and policies are immediately available to set/tweak

Identifying a tool to use


Windows Update for Business

  • Allows a set and forget it scenario
  • Still have controls to mitigate problems
  • Simplifies infrastructure because capabilities are all built-in to the OS
  • Control over granular deployment scenarios and deferrals
  • Drivers can be optionally excluded
  • No WSUS integration is required
  • MDM (Intune) or GPO (AD/AAD) settings for control

For More Info:

  • Find out where to get information on WUFB, including white papers, etc. in an auto-response email. 
  • Are there features that you need to make WUfB better? Let us know here. 
  • Not finding what you need to know? Put your question in the email and we’ll help you find the answer. 

WSUS 4.0

  • Deploy feature updates (requires server 2012 + hotfix)
  • Create computer groups for ring deployment
    • Admin driven creation process – not automated
  • Broad deployment
    • Auto approval rules
    • Deadline rules
  • Anything that needs to be complex, must be done manually

System Center Configuration Manager

  • Servicing plans for Windows 10
    • Provides automation through rules driven collections
    • Can be "set and forget"


Q: If I'm using ConfigMgr – registry change to indicate CB or CBB? 
A: in 1511 – configure defer upgrades and updates policy – if enabled it's CBB if not enabled, it's CB. 1607 – look under windows updates to set these ones ConfigMgr doesn't use deferral settings

Q: Compare Windows 10 servicing in ConfigMgr vs. Task Sequence based approach 
A: Both perform in-place upgrade process Task Sequence allows pre/post processing (steps before/after).Task Sequence requires media. Servicing plan uses WU packages DL through WSUS and distributed through ConfigMgr – smaller

Q: Configurability of servicing plan 
A: more flexibility around scheduling or pre/post requires TS based approach

Q: WaaS – CBB broader adoption – does MSFT recommend a self-service option with an expiration? 
A: MSFT has seen some customers have success with self-service.  Not seen too often so push mode is best to ensure everybody gets it

Q: Any plans to control the size of the update package to be used in a task sequence or bare metal deployment? 
A: Process will remain as is FU will install the same way as always and looking into mechanisms to reduce the footprint of the package.

Q: Upgrade Analytics – threshold between insufficient data, adopted, and highly adopted 
A: will show a legend for what each means

Q: P2P sharing – performance tradeoff for devices participating 
A: DO will only pick very capable PCs (disk, RAM), GPO to target/exclude PCs BC will send out broadcasts + whoever responds quickest gets it – there are config options to influence BC to pick one over the other, GPO to target/exclude PCs ConfigMgr – you can declare super peers On modern hardware, this should be invisible to the end user – on older hardware, yes you might notice performance lag

Q: WUfB compliance reporting tools 
A: Intune, ConfigMgr , OMS will have the tools needed to report back

Q: How do I make sure I'm always up to date? 
A: always deploy the most recent FU

Q: How long will an FU take to complete install 
A: rough timeframe ~1 hour but timing varies – older hardware will take longer – download will not impact end user performance

Q: Does P2P work well for a mobile workforce? 
A: If there is not a peer available for an update, it will failback to Windows Update. It depends on the tool – DO is internet based so it will always look online for a peer. BranchCache – only find peers when on the corporate network. ConfigMgr all depends on the options that are set

Q: WU4B does it have P2P functionality? 
A: WUfB will use DO that is already built in to the OS

Q: PCs in small remote offices with no supporting infrastructure – how to get updates to them? 
A: If there is no need to pull updates from a corporate network, then point them to MS through Windows Update for Business – you still can set controls about when and how by MDM/GPO even though they are internet based

Q: Pausing updates – what happens when the updates are unpaused in a scenario where the updates were paused on day 3 of a 5 day window 
A: Calculates based on when patches release – so all rings could potentially go immediately when unpaused – but maintenance windows/ active hours still apply so it may not be instant

Q: Defer upgrades – does that delay from CBB date or CB release 
A: Deferring updates puts you on CBB – it's defer from that CBB point forward, not the original CB

About the author

Johan Arwidmark

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments