Broadly speaking, Windows 10 receives three kinds of updates:
- Security Updates – pretty self-explanatory: they fix bugs and security holes that have been identified. It’s important to always apply these as soon as possible to protect the integrity of the device, its contents and the network it operates on.
- Quality Updates – these are monthly releases, sometimes known as cumulative updates, that combine any security patches and OS stability improvements into a single update. They are generally released on the second Tuesday of the month, which is where the term “Patch Tuesday” comes from.
- Feature Updates – with the decision to standardize Windows on the “Windows 10” moniker, the Feature Updates amount to a new version of Windows 10 and are released approximately every six months, generally around the March/September cadence. Hence, you see release names such as 1903 (released around March 2019) and 1909 (released March 2019).
For a more detailed explanation, this is not a bad starting point to read.
IT Administrators take different approaches to applying these settings based on their preferences and organisational needs. Much of the control of Windows 10 comes down to the Deployment Rings and this documentation is the authoritative starting point.
Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings.
In other words – mitigate the risk of issues by deploying updates to small groups of users across your organisation’s different groups, seeing if there are issues, and then rolling out to the majority of users after that.
Educational Contexts For Feature Updates:
Many K-12 and H.Ed institutes do not want changes to devices happening during the school term or semester, when any changes introduced by Feature Updates have the potential to confuse students/educators or unlock new apps/services that the school has not had a chance to test yet.
In fact, in the older approach of creating a “gold image” for devices, they were largely untouched for an entire academic year to prevent changes from occurring. With the flexibility that Modern Management of Windows 10 brings, it’s important for school IT administrators to think carefully about how to introduce Feature Updates.
For Windows as a service, maintenance is ongoing and iterative
Microsoft Intune and Endpoint Manager give the required control and options to achieve any outcome – the key documentation is here.
Windows 10 Feature Update Options:
There are really three options for an IT Administrator to consider:
- Upgrade – this would see the significant Feature Update rolled out to devices based on the current Rings policy in place, with the device updating to the latest Feature Update as soon as Microsoft makes it available.
  - Pros: End users get the latest feature updates they may have been waiting for; it’s likely to have better performance, be more stable and feature rich.
  - Cons: The update will be sizable (usually well over 1GB), so bandwidth and device storage considerations need to be factored in. Additionally, changes may be confusing for some users.
- Delay – Up until recently, an IT Administrator could choose to delay the roll out of Feature Updates, as per the documentation here. They can specify the number of days for which Feature Updates are deferred. This period is in addition to any deferral period that is part of the service channel you select. The deferral period begins when the policy is received by the device (supported deferral period: Windows version 1709 and later – 0 to 365 days; Windows version 1703 – 0 to 180 days).
  - Pros: An IT Administrator can have some confidence that the major Feature Update won’t kick off in the middle of a school day, potentially impacting the availability of the device for learning; they could delay for up to a year.
  - Cons: It was only ever going to be a delay – in other words, the Feature Update was going to happen at some point. Also, it was necessary for the IT Admin to calculate (in days!) when a good period would be, e.g. during Semester Break, and “count back” to understand how many days to defer it.
- Freeze – This is new and currently in Public Preview – see documentation here. With Windows 10 feature updates, you select the Windows feature version that you want devices to remain at, like Windows 10 version 1903 or version 1909. You can set a feature level of 1803 or later. Once set, the device will continue to receive Security and Quality updates as normal, but will be immune from Feature Updates.
  - Pros: Very clear control over the Feature Updates – you can set the freeze and not have to think about calculating days when the Feature Update will arrive (like with Delay). When you’re ready to roll it out, simply update your policy.
  - Cons: IT Admins may become ‘lazy’ and choose not to roll out new Feature Updates at all, preferring stability over the new features released in subsequent Feature Updates. This will slow adoption and uptake amongst users.
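The “count back” calculation described under Delay, as an added PowerShell example (not from the original post or from Microsoft's documentation). The function name `Get-FeatureUpdateDeferral`, the `ChannelDeferralDays` parameter and the term-break calendar are hypothetical; the day limits and the rule that the period starts when the device receives the policy are the ones quoted above.

```powershell
# Added example: pick a Feature Update deferral (in days) that lands in a term break.
# Limits are the ones quoted above: 1709 and later 0-365 days, 1703 0-180 days.
function Get-FeatureUpdateDeferral {
    param(
        [Parameter(Mandatory)] [datetime]    $PolicyReceived,   # deferral starts here
        [Parameter(Mandatory)] [hashtable[]] $Breaks,           # @{ Name; Start; End }
        [Parameter(Mandatory)] [ValidatePattern('^\d{4}$')] [string] $WindowsVersion,
        [ValidateRange(0, 365)] [int] $ChannelDeferralDays = 0  # assumed channel delay
    )

    $version = [int]$WindowsVersion
    if ($version -lt 1703) { throw "No deferral range given for version $WindowsVersion" }
    $maxDays = if ($version -ge 1709) { 365 } else { 180 }

    # Earliest and latest dates the update can be made to arrive on.
    $earliest = $PolicyReceived.Date.AddDays($ChannelDeferralDays)
    $latest   = $earliest.AddDays($maxDays)

    foreach ($b in ($Breaks | Sort-Object { [datetime]$_.Start })) {
        $start = ([datetime]$b.Start).Date
        $end   = ([datetime]$b.End).Date
        if ($end -lt $earliest -or $start -gt $latest) { continue }   # unreachable

        # Aim for the first day of the break, or the earliest possible date
        # if the break has already begun.
        $target = if ($start -gt $earliest) { $start } else { $earliest }
        return [pscustomobject]@{
            Break        = $b.Name
            DeferralDays = ($target - $earliest).Days
            ArrivesOn    = $target
            MaxAllowed   = $maxDays
        }
    }
    throw "No break is reachable within $maxDays days of $($PolicyReceived.ToString('yyyy-MM-dd'))"
}

# Constructed sample calendar (not from the original post).
$breaks = @(
    @{ Name = 'Mid-year break'; Start = '2020-07-04'; End = '2020-07-19' },
    @{ Name = 'Summer break';   Start = '2020-12-12'; End = '2021-01-31' }
)

Get-FeatureUpdateDeferral -PolicyReceived '2020-03-02' -Breaks $breaks -WindowsVersion '1909'
Get-FeatureUpdateDeferral -PolicyReceived '2020-03-02' -Breaks $breaks -WindowsVersion '1703' -ChannelDeferralDays 120
```

The function throws when no break falls inside the supported range, which is the case an administrator would otherwise only discover when the update arrives mid-term.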
In my experience, few educational institutes take the same approach to managing devices, therefore the ability to choose how the major Feature Updates are distributed to devices is a good thing. There are some prerequisites for this new policy to work:
- Devices must be enrolled in Intune MDM and Azure AD joined or Azure AD registered.
- To use the Feature Updates policy with Intune, devices must have telemetry turned on, with a minimum setting of Basic. Telemetry is configured under Reporting and Telemetry as part of a Device Restriction policy.
  - This is under review as the product moves towards General Availability, but for now, in Public Preview, telemetry reporting is required.
If you want to give this a go immediately, following the steps in the documentation is pretty simple:
Create and assign Windows 10 feature updates
- Sign in to the Microsoft Endpoint Manager Admin Center.
- Select Devices > Windows > Windows 10 Feature updates > Create.
- Under Basics, specify a name, a description (optional), and for Feature update to deploy, select the version of Windows with the feature set you want, and then select Next.
- Under Assignments, choose + Select groups to include and then assign the feature update deployment to one or more groups. Select Next to continue.
- Under Review + create, review the settings and select Create when ready to save the Windows 10 feature updates policy.
Windows 10 should be thought about as an “evergreen” operating system – applying updates regularly is a better approach to adoption of new features than leaving years between updates. In my experience, organisations that progressively release new versions see a less jarring experience for their end users with the smaller, more frequent changes, compared to those that have leaped many versions in one go.
Perhaps the most dramatic examples were those organisations that perceived they were “stuck” on Windows XP or Windows 7 (both end of life now) because of some software they used, being forced to make the leap to Windows 10. The user interface changes that occurred with Windows 8, 8.1 and the early versions of Windows 10 were significant, and many end users found the changes hard to adapt to.
Consequently, taking a more measured approach to regular updates is recommended, and now with Feature Updates Freeze, IT Administrators have an additional option to manage change. For educational institutes, this is really helpful; my caution is always to not become ‘lazy’ and settle on a particular version and not upgrade from there. For devices that really should not change regularly, e.g. where there is no internet connection or where stability is prized above all else (such as managing medical equipment), the Long Term Servicing Channel should be considered – see documentation here.
For another good review of this new feature around freezing Feature Updates, check out this helpful blog here.