More control on Windows-as-a-Service with Microsoft Intune Feature Update Deployments

With the introduction of Feature Update Deployments, IT-administrators get more control over how Windows 10 feature updates are installed via Windows Update for Business. With Feature Update Deployments, they have the ability to choose a given feature update (e.g. 1803, 1809, or 1903) and stay there indefinitely*. It provides more granular and predictable control the way feature updates find their way to devices across your organization.

Update management can be challenging, particular in large environments keeping your devices up-to-date at any time while minimizing business impact and keep-up end-users productivity. There are many options to keep your devices up-to-date and reduce the surface attack area so your devices are less vulnerable. Most common options are Windows Software Update Services (WSUS), Configuration Manager (…eh Microsoft Endpoint Configuration Manager ☺) or Windows Update for Business (WUfB). Regardless type of organization (whether a startup or large enterprise) update management can be challenging using Windows Update for Business.

The challenge of staying current

Windows Update for Business is ideal for small organizations that want to stay current, without the need having to approve (quality) updates individually. This is often accompanied by the lack of resources, where no dedicated IT-administrator are available to manage updates. In contrast Windows Software Update Services or Microsoft Endpoint Configuration Manager are often used by larger organizations because it provides a desired granularity and control to push out updates to devices which Windows Update for Business lacks.

Why Feature Update Deployments?

By default Windows Update for Business give IT-administrators controls over when feature updates are pushed to devices. Servicing channels (Semi-Annual Channel & Long Term Servicing Channel) introduced the concept of deployment rings, which is simply a way to categorize the combination of a deployment group and a servicing channel to group devices for successive waves of deployment.

• 

• 

Before, the installation of both feature- and quality updates could be deferred from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. The way feature- and quality updates had to be configured was via a single or multiple combined deployment rings.

Over time the servicing model for Office and Windows 10 got revised to align their release cadence, service terminology, and servicing guidance. As a result the Semi Annual Channel Targeted servicing channel disappeared, which means the options for staying on a certain build were reduced too.

The most important change with the introduction of Feature Update Deployments is the ability to configure feature and quality updates separately. With Feature Update Deployments IT-administrators have their control (back) to easily stay on a certain feature update (build), by just creating a Feature Update deployment policy.

Restrictions

In case you’re using Windows Updates for Business to control both feature- & quality updates in your environment, please consider the following notes:

• Once a subject to Feature update Deployments there is no way back how feature updates are controlled.
• Feature Update Deployments applies from Windows 10 1703 and higher.
• Feature Update Deployments applies to Windows 10 Enterprise, Education & Professional. (Windows 10 Team, Phone or Evaluation SKU’s are not supported).

Important!

When you deploy both a Windows 10 feature update and a Windows 10 update ring policy to the same device, review the update ring for the following configurations:

• The Feature update deferral period (days) must be set to 0
• Feature updates for the update ring must be running. They must not be paused.

• 

• 

Limitations

At time of writing Feature Update Deployments is in preview and has some limitations to keep in mind.

• Feature Updates Deployments supports only device based targeting.
• Feature Update Deployments doesn’t support Windows Insider Program servicing channels. Windows Insider channel remains managed by using regular deployment rings.
• At time of writing Windows feature updates 1803, 1809 or 1903 can be controlled via Feature Update Deployments.

Conclusion

With the introduction of Feature Update Deployments, IT-administrators has the ability to manage feature- and quality updates separately and have therefore more granular control over the way feature updates find their way to your devices across your organization. In addition, it introduces extended and improved reporting capabilities regarding feature- and quality updates, which improves insights about your update compliance state.

If your company is tend to keep-up with the latest and greatest and want to be a front runner with the latest features to your end-users with no costs, please stay on or keep-up with Windows 10 Update Rings for sure. For organization when you subject to change management process, traditional application landscape or manufacturing (as successor of Long Term Service Channel, aka LTSB) Feature Update Deployments is your best friend!

Feature Update Deployments provides more granular, friction-less and predictable control IT-administrators love, the more taking into account the prestage update mechanism which turns your 1903 devices to 1909 a wink. Windows Updates for Business – Feature Update Deployments FTW!

Sources

Windows 10 feature updates https://docs.microsoft.com/en-us/intune/protect/windows-update-for-business-configure#windows-10-feature-updates

Overview of Windows as a service https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview

Deploy updates using Windows Update for Business https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb