Windows 11

How to set up Device Management in Windows 10 and Windows 11

Device Management in Windows 10

You have learned about remote administration and jump server configuration for troubleshooting, deployment, and general work use scenarios in the previous chapters. In this chapter, we'll look at the new mobile device management (MDM) capabilities of Windows 10, discuss caveats of Windows 10 GPO processing, and take a deeper look at patching and servicing, including the solutions for deploying the required quality and feature updates, such as Windows Update (for Business), WSUS, SCCM, and third-party solutions.
The following topics will be covered:

  • Mobile device management
  • Changes to GPOs in Windows 10
  • Update deployment solutions
  • Patching and servicing

Evolving business needs

According to Forrester Research, mobility is the new normal. Information workers will erase the boundary between enterprise and consumer technologies and therefore mobility is certainly a defining vector in the evolution of the new business world. 56% of information workers send their first email before getting to the office, and 73% send their last email after leaving the office. 52% of information workers are using three or more devices for work.
Business needs are evolving with the new Industry 4.0: from employees working Monday to Friday, 9 to 5, toward a 24/7 blur of work and personal activity; from computers on a corporate LAN toward multiple devices, any time, anywhere; and from on-premises applications and file hosting toward Software as a Service (SaaS) applications and cloud-based file hosting.
Likewise, old-school methods of managing computers need to evolve without adding more complexity than value. Windows 10 has enabled MDM:

In Windows 10, the MDM agent is already built in and usable with first-party (Intune/SCCM) and third-party solutions. MDM policies can also be created/applied by the Windows Configuration Designer or with a script and the integrated Windows Management Instrumentation (WMI) bridge. MDM policies can be used in domain joined, Azure AD joined, AD/Azure AD hybrid joined, and Azure AD account added scenarios. MDM can be used as a lightweight GPO replacement for computers joined only to Azure AD and mobile solutions such as Intune, AirWatch, or MobileIron.

As all available configurations in Windows 10 can no longer be covered by GPOs alone (for example, Windows Information Protection (WIP) or Provable PC Health), even without using Azure, you will be forced to use MDM management or suitable scripts in conjunction with the WMI bridge or a Windows 10 compatible configuration solution such as Microsoft SCCM, LANDESK, and HEAT.
As there are new MDM configuration settings with each new version of Windows 10, the configuration solution you use also needs to be upgraded to keep pace.

Mobile device management

When discussing MDM, we need to look back in time to understand its origin and some of its limitations. Back in June 2002, the non-profit organization Open Mobile Alliance (OMA) was formed. The OMA Device Management (OMA DM) specification was originally designed for the management of mobile devices like mobile phones, tablets, and PDAs. It was intended to provision and configure devices and enable software updates and fault management. There is a fixed set of OMA DM protocol commands that all vendors support. Currently, Windows 10 1607 and higher supports MDM protocol version 6.0. MDM configuration objects are stored in a so-called OMA Uniform Resource Identifier (OMA URI). You will need this OMA URI to add custom policies to your MDM solution if the setting is not available out-of-the-box. Using such a custom URI is comparable to writing your own custom ADMX templates. Just as a custom ADMX file needs to write a supported registry key, the OMA URI needs to modify a supported resource identifier with a configuration service provider (CSP) capable of interpreting and applying the URI. Custom URIs can be added to Intune easily. Select Windows Custom Policy and fill out the Add or edit OMA-URI Setting box.
Here is an example of the dialog box:

The following diagram shows as an example the BitLocker configuration service provider in tree format. As you can see from ./Device/Vendor/MSFT, it is a URI only applicable to Microsoft products:

When configuring this CSP, a Synchronization Markup Language (SyncML) XML is generated and transmitted. Here is a (partial) sample of such a SyncML BitLocker XML:

As OMA DM and OMA URIs originate from mobile device management, the design of these URIs favors integer values for their settings, which is fine for the OS but uncomfortable for human readers. You will therefore need the corresponding CSP pages for translation very often. Here is an example of the possible BitLocker Encryption type values:

Another thing to note when displaying MDM settings on your client is that there is currently no tool comparable to GPRESULT.exe built into Windows 10. You can get all applied settings by reading the registry, but you will just see a long list of values and not the originator of each value. Use the following PowerShell command line for reading the registry:
Get-Item 'HKLM:\Software\Microsoft\PolicyManager\current\device\*'
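The registry view above, flattened into one row per setting so it can be sorted, filtered or exported and compared between clients. This is an added example, not code from the original chapter; it assumes each subkey under the path above is a policy area whose values are the individual settings, and the function name is hypothetical.

```powershell
# Added example: list every applied MDM setting as Area / Setting / Kind / Value.
function Get-MdmAppliedSetting {
    [CmdletBinding()]
    param(
        # Root key named in this chapter; override it to inspect a test key.
        [string]$Root = 'HKLM:\Software\Microsoft\PolicyManager\current\device'
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Verbose "No key at $Root, so there is nothing to report."
        return
    }

    # Assumption: one subkey per policy area, one registry value per setting.
    foreach ($areaKey in Get-ChildItem -LiteralPath $Root) {
        foreach ($name in $areaKey.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the unnamed default value
            [pscustomobject]@{
                Area    = $areaKey.PSChildName
                Setting = $name
                Kind    = $areaKey.GetValueKind($name)   # DWord, String, ...
                Value   = $areaKey.GetValue($name)
            }
        }
    }
}

# Readable table on screen:
Get-MdmAppliedSetting | Sort-Object Area, Setting | Format-Table -AutoSize -Wrap

# Or keep a copy per client and diff the files later:
# Get-MdmAppliedSetting | Export-Csv -Path .\mdm-settings.csv -NoTypeInformation
```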
A resultant set of policies, like a log file, can be exported in the system settings. Go to Settings | Accounts | Access work or school | Export your management log files:

Unfortunately, this file is in plain XML style, which is hard to read. So you will need a converter, which is currently not built into Windows 10.
MDM policies are applied on a fixed schedule. When joining/enrolling a Windows PC to your MDM solution, it will check for new policies every 3 minutes for 30 minutes and then run at its normal frequency of checking every eight hours (eight hours for Windows mobile and Windows 10 desktop, 24 hours for Windows RT).
Last but not least, there is some added complexity due to the several origins of MDM settings in Windows 10. Besides the built-in MDM client, which can be connected to, for instance, Intune, AirWatch, or MobileIron, MDM settings can be induced by Exchange ActiveSync settings, the built-in EAS client, and the built-in WMI bridge used by SCCM, or Windows PowerShell:

Depending on whether the MDM setting is a security setting or a non-security setting, there are different override rules when applying them to a client. For security-related settings, the most restrictive setting will always win. For non-security settings, the base settings are Microsoft, OEM, or enterprise-created PPKG packages. They will be overridden by EAS and MDM clients, and at the topmost priority is GPO (if the setting is also configured by GPO). Without using XML logs, troubleshooting MDM settings is very hard and time consuming.

Changes to GPOs in Windows 10

Besides the major changes to MDM management, there are also changes to the GPO processing of Windows 10, which will be covered now. These changes begin with GPOs only applicable to certain SKUs, known issues when upgrading your central policy definition store, and known issues when editing new GPOs, including Group Policy Preferences (GPPs) with the old Group Policy Management Console (GPMC) console.

Enterprise/Education-only GPOs

There have been policies that apply only to Windows 10, but for the first time ever in Windows history, now there are also GPOs that apply to certain Stock Keeping Units (SKUs) only. Several GPOs for customizing Windows 10 apply only to Windows 10 Enterprise and Education SKUs. At the time of writing this book, the following GPOs have such a restriction:

  • Configure Spotlight on lock screen
  • Turn off all Windows Spotlight features
  • Turn off Microsoft consumer features
  • Do not display the lock screen
  • Do not require Ctrl + Alt + Delete combined with turning off app notifications on the lock screen
  • Do not show Windows Tips
  • Force a specific default lock screen image
  • Start layout and taskbar layout
  • Turn off the store application
  • Only display the private store within the Windows Store app
  • Don't search the web or display web results

A full and updated list of group policies that apply only to Windows 10 Enterprise/Education editions can be found at https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions.
There are expected to be more Enterprise/Education only GPOs in future releases of Windows 10, especially for more fine-grained UX control.

Known issues when upgrading the central policy store

ADMX definition files are not only updated with every new release of Windows, but sometimes also in between with cumulative updates. You should always keep an eye on cumulative update release notes and check your PolicyDefinitions folder for new entries from time to time.
With new ADMX files, not only are new settings available, but old entries can also be removed, renamed, or moved to a new category. When entries are removed and you've used them in your existing GPOs, you will see the message "Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management" in the GPO report section:

If old and new ADMX files with double definitions are in place, you will get the error message "Namespace 'abc' is already defined as the target namespace for another file in the store. File <xxxx>, Line y, Column z."

In both cases you need to carefully review all ADMX changes. To prevent such known issues while upgrading the policy definitions/changes to ADMX files in different Windows versions, you should review https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv and https://blogs.technet.microsoft.com/grouppolicy/2017/03/28/managing-admx-changes-in-windows-10/.
There is also a comprehensive GPO XLS describing all changes between Vista and Windows 10/Server 2016 at https://go.microsoft.com/fwlink/?linkid=845418.
You should also update one client with RSAT tools or a server with new ADMX definitions and then check every report of every existing GPO for these failures.
Also review all your settings to see if they are still supported under the new OS. A helpful entry point could be Group Policy Search; for more information, visit https://gpsearch.azurewebsites.net/.
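One way to catch the "already defined as the target namespace" condition before copying new ADMX files into the central store is to scan the folder for files that declare the same target namespace. This is an added example, not code from the original chapter; the function name, file names and namespaces are constructed, and the demo builds a throwaway folder so it runs without touching a real store.

```powershell
# Added example: report ADMX files that declare the same target namespace.
function Find-AdmxNamespaceCollision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PolicyDefinitionsPath
    )

    $declared = foreach ($file in Get-ChildItem -LiteralPath $PolicyDefinitionsPath -Filter '*.admx' -File) {
        try {
            $xml = New-Object System.Xml.XmlDocument
            $xml.XmlResolver = $null          # never fetch external DTDs/entities
            $xml.Load($file.FullName)
        }
        catch {
            Write-Warning "Cannot parse $($file.Name): $($_.Exception.Message)"
            continue
        }

        # local-name() keeps the query independent of the schema namespace.
        $xpath  = "/*[local-name()='policyDefinitions']" +
                  "/*[local-name()='policyNamespaces']" +
                  "/*[local-name()='target']"
        $target = $xml.SelectSingleNode($xpath)
        if ($null -ne $target) {
            [pscustomobject]@{
                Namespace = $target.GetAttribute('namespace')
                Prefix    = $target.GetAttribute('prefix')
                File      = $file.Name
            }
        }
    }

    # Any namespace declared by more than one file is a collision.
    $declared | Group-Object -Property Namespace | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Namespace = $_.Name
            Files     = @($_.Group.File | Sort-Object)
        }
    }
}

# --- Constructed demo data: two files share a namespace, one does not. ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("admx-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

$template = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="{0}" namespace="{1}" />
  </policyNamespaces>
</policyDefinitions>
'@

$template -f 'oldfeature', 'Contoso.Policies.Feature' | Set-Content -Path (Join-Path $demo 'FeatureOld.admx') -Encoding UTF8
$template -f 'newfeature', 'Contoso.Policies.Feature' | Set-Content -Path (Join-Path $demo 'FeatureRenamed.admx') -Encoding UTF8
$template -f 'other',      'Contoso.Policies.Other'   | Set-Content -Path (Join-Path $demo 'Other.admx') -Encoding UTF8

# Expected: one row for Contoso.Policies.Feature listing both Feature*.admx files.
Find-AdmxNamespaceCollision -PolicyDefinitionsPath $demo | Format-List

Remove-Item -LiteralPath $demo -Recurse -Force
```

Against a real environment, pass the path of your PolicyDefinitions folder or central store on Sysvol instead of the demo folder.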

Known issues with Group Policy Preferences/GPMC

Normal GPO definitions are stored inside the ADMX files and their translation in the corresponding ADML file. When updating your PolicyDefinitions folder or your central policy definitions store on Sysvol, you are able to create/define new GPO settings for the new OS. You could use older GPMC versions and things would basically work.
GPP are in total contrast to this behavior. They are hard-coded inside the GPMC. So to get these new settings and filtering options, you need to use the newest RSAT tools or the newest GPMC on the server OS.
Unfortunately, the problem is not only that you do not see the new options when using an older GPMC; you can also seriously damage a GPO with GPP content just by opening it in an older GPMC.
When opening such a GPO with new GPP settings/item-level targeting in an outdated GPMC, the older GPMC does not recognize the new settings. So at best, you might not be able to see all the options. For example, you would not find an option to filter on Windows 10 or Windows Server 2016 families in older GPMCs.

At worst, the older GPMC can interpret the new settings as Corruption. Corrupted settings are automatically repaired/removed. This repair attempt can trigger the GPO was changed event and therefore trigger. So by just opening the GPO with GPP, you could accidentally remove settings without a notice/warning message. You would only notice an updated/higher revision number of your GPO.
So always edit/administer new GPP settings only with the newest GPMC of Windows 10/Server 2016. To prevent such problems in multi-OS environments, when not all GPO/GPP editing systems can be updated at once, you should mark your new GPO/GPPs with, for example, _W10 and open such _W10 files only with the newest GPMC.
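Because a raised revision number is the only trace of such a silent repair, a version snapshot taken before and after an editing session shows which GPOs changed. This is an added example, not code from the original chapter: the function names are hypothetical, Get-GpoVersionSnapshot needs the GroupPolicy module from RSAT/GPMC, and the demo data at the end is constructed so the comparison can be tried without a domain.

```powershell
# Added example: detect GPOs whose version numbers changed between two snapshots.
function Get-GpoVersionSnapshot {
    # Requires the GroupPolicy module (RSAT / GPMC) and a domain connection.
    Import-Module GroupPolicy -ErrorAction Stop
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Id              = $_.Id.ToString()
            DisplayName     = $_.DisplayName
            ComputerVersion = $_.Computer.DSVersion
            UserVersion     = $_.User.DSVersion
            Modified        = $_.ModificationTime
        }
    }
}

function Compare-GpoVersionSnapshot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )

    $before = @{}
    foreach ($gpo in $Baseline) { $before[$gpo.Id] = $gpo }

    foreach ($gpo in $Current) {
        $old = $before[$gpo.Id]
        if ($null -eq $old) { continue }   # GPO created after the baseline

        $changed = ($gpo.ComputerVersion -ne $old.ComputerVersion) -or
                   ($gpo.UserVersion -ne $old.UserVersion)
        if ($changed) {
            [pscustomobject]@{
                DisplayName     = $gpo.DisplayName
                ComputerVersion = "$($old.ComputerVersion) -> $($gpo.ComputerVersion)"
                UserVersion     = "$($old.UserVersion) -> $($gpo.UserVersion)"
                # Naming convention suggested in this chapter for GPOs that
                # must only be opened with the newest GPMC.
                NewestGpmcOnly  = $gpo.DisplayName -like '*_W10'
            }
        }
    }
}

# --- Constructed demo snapshots (not real GPOs) ---
$baseline = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Workstation Baseline'; ComputerVersion = 12; UserVersion = 3 }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; DisplayName = 'Drive Maps_W10';       ComputerVersion = 4;  UserVersion = 9 }
)
$current = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Workstation Baseline'; ComputerVersion = 12; UserVersion = 3 }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; DisplayName = 'Drive Maps_W10';       ComputerVersion = 4;  UserVersion = 10 }
)

# Expected: one row for 'Drive Maps_W10' with UserVersion '9 -> 10'.
Compare-GpoVersionSnapshot -Baseline $baseline -Current $current | Format-List

# Real use: save a baseline, then compare after editing sessions.
# Get-GpoVersionSnapshot | Export-Clixml -Path .\gpo-baseline.xml
# Compare-GpoVersionSnapshot -Baseline (Import-Clixml .\gpo-baseline.xml) -Current (Get-GpoVersionSnapshot)
```

A changed row for a GPO that nobody intentionally edited is the cue to restore it from backup and check which GPMC version last opened it.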

Servicing and patching

When we talk about changes to the way to service (or patch) Windows, it's important to first understand how things worked with Windows 7 and Windows 8.1. Each month, Microsoft released somewhere between 1 and 20 individual fixes for each one: some security updates, some non-security updates. Most of these patches were General Distribution Release (GDR), meaning available on WU, WSUS, and Windows Update Catalog. Some patches were released under Limited Distribution Release (LDR) (also formerly known as Quick Fix Engineering (QFE)). LDR packages contain other fixes that have not undergone testing as extensive, and resolve issues that only a fraction of the millions of Windows users might ever encounter. These LDR patches need to be downloaded on separate KB pages or sometimes requested from Microsoft services.
Most organizations deploy the security fixes right away. But the non-security fixes sometimes aren't deployed at all, especially when talking about LDR non-security fixes. The result is that each organization ends up with its own unique Windows configuration, defined by the set of patches that they have installed.
Compare that to the configuration that Microsoft tests in its lab: fully patched PCs that have all the updates ever released installed. For each new update, Microsoft verifies that there are no adverse effects on these fully patched PCs.
But we've seen instances where these new updates cause issues on partially updated PCs (often with specific combinations of updates): Microsoft can't possibly test all these different possible combinations. And affected customers wonder why Microsoft didn't catch these simple issues when they did their testing.

For example, when speaking about Windows 7, there are more than 4,000 fixes since the release of SP1. And about 600 of these patches are not widely spread. Now try to calculate all possible combinations of patches if one or more of these 600 patches are missing.

Why cumulative updates?

So Microsoft decided that to improve the overall quality of Windows, and to reduce the overall complexity of the patching process, they would rework the patching process altogether with Windows 10. Let's explore these changes in more depth. Patches are now divided into Quality Updates and Feature Updates.

These so-called Quality Updates are a single monthly cumulative update containing security fixes, reliability fixes, bug fixes, and so on. These cumulative updates supersede the previous month's update. Normally, they contain no new features. Beginning with Windows 10 1703, there will be one mandatory cumulative update on the second Patch Tuesday and possibly multiple cumulative updates throughout the month with added non-security content. To stay on the secure side, you need to at minimum deploy the second Patch Tuesday portion. The other patches can be optionally deployed on some or all systems.
Feature updates are done twice per year, each spring and fall, with new capabilities. Feature updates are technically simple deployments using in-place upgrades, driven by existing tools with built-in rollback capabilities. New features can be tested with Insider Preview.
Each Quality Update raises the version number of your Windows 10 release. You can see the Quality Update release build number as the last set of digits of WINVER.exe (for example, 540). The feature update raises the version itself (for instance, 1703) and the build number's first set of digits (for example, 15063). The SKU of Windows 10 is in the 4th line (for example, Windows 10 Pro).

A comprehensive and always-updated list with content of each cumulative update can be found at the Windows 10 and Windows Server 2016 update history page at https://support.microsoft.com/en-us/help/4000825/windows-10-windows-server-2016-update-history.
As cumulative updates (CU) are now all or nothing, it is no longer possible to exclude single patches if they break something in your environment. Due to always fully patched systems, there should be a reduced risk of incompatibilities, but it is still possible. So you should pay special attention to the second Patch Tuesday CU and test/deploy it as fast as possible as it contains new security fixes. If there are any problems, report them to Microsoft right away so they can fix it. Meanwhile, you can only uninstall/not deploy this CU and risk the security flaws. When you uninstall a CU, your system automatically falls back to the last installed CU version. For non-security parts, you can test 1-3 extra CUs per month.
These Quality Updates can grow very fast to sizes of 1 GB and more. To reduce the WAN traffic and/or workload on your on-premises servers, you need to configure the Delivery Optimization (when using WU), BranchCache (when using WSUS), SCCM peer delivery (when using SCCM), or the solution-specific peer delivery (when using third-party).

Update delivery solutions

Updates can be deployed with different solutions. We will look at Windows Update, Windows Update for Business, Windows Server Update Services and management solutions like SCCM, and third-party solutions.

Windows Update

The well-known Windows Update (WU) relies on Microsoft cloud servers to patch and upgrade your systems. Upgrades are installed as they are released (subject to throttling in waves). To reduce load on the servers and speed up delivery, optimization for peer-to-peer (P2P) distribution has been used since the first version of Windows 10. This update method is the only option for Windows 10 Home. Neither the Windows 10 Home nor the Windows 10 S SKU supports domain joining. Windows 10 Home has very limited MDM capabilities; Windows 10 S can be managed and patched by an MDM solution. The options for P2P can be changed in the GUI under Settings | Windows Update | Advanced options | Delivery Optimization:
Windows 10 1709 introduced two new GUI entries, Advanced options and Activity monitor. With Advanced options you can now specify exact limits for download and upload bandwidth and define a Monthly upload limit, including an info graphic showing how much is left. Bandwidth can be set between a minimum of 5% and a maximum of 100%; the upload limit can be set between a minimum of 5 GB and a maximum of 500 GB. Before 1709, these settings were only available via GPO:

To see the benefits of downloading from other PCs you can use the new Activity monitor. It will display download statistics for how much content is downloaded from Microsoft WU directly, from PCs on the local network, and from PCs on the internet (if enabled). It also shows upload statistics for PCs on the local network and PCs on the internet (again, if enabled), and, last but not least, some download speed statistics. The statistics are reset monthly:

If you are using a domain join capable Windows 10 version like Pro, for Workstation, Enterprise or Education, you can define all these and even more fine-grained settings by GPO. You will find the relevant settings under Computer Settings | Administrative Templates | Windows Components | Delivery Optimization:

With Windows 10 1709 these settings were again extended. Now you can define Delivery Optimization In-Network Cache (DOINC) server via GPO. At the time of writing this book there was no documentation for DOINC available. Please see TechNet documentation for further information about DOINC and its benefits as soon as information is released.
Besides all these fine-tuning settings, the most important setting in this section remains Download mode. With this GPO you can disable the new Delivery Optimization completely (Bypass) and use the old Background Intelligent Transfer Service (BITS) instead; limit Delivery Optimization to HTTP download without peering (HTTP only); use internet and local PCs (Internet); use local PCs only when behind the same NAT (LAN); or use local PCs only within the same AD site (if it exists) or the same domain (Group).
By selecting the Simple option you use only HTTP but without contacting the Delivery Optimization cloud service. Most enterprise customers decide to use LAN or Group option to prohibit upload:

Windows Update for Business

Windows Update for Business (WUfB) is often seen as an extra or new way of delivering updates to your clients, but it still uses Windows Update (WU) for the content. It extends the classic WU with a set of configuration settings that enable control of Windows 10 quality and feature update deployment. Updates and upgrades can be deferred and preview builds can be managed. This helps small business users without their own on-premises patching infrastructure to build servicing rings and get a more fine-grained update experience. WUfB control settings are only available to Windows 10 Pro, for Workstation, Enterprise and Education SKUs. The corresponding GPOs can be found under Computer Settings | Administrative Templates | Windows Components | Windows Update | Windows Update for Business:

The WUfB GPOs help to create update rings via GPO for monthly cumulative updates (Quality Updates) and semi-annual servicing updates (feature updates). Update rings are explained in more detail in the servicing paragraph. If you are using Windows Server Update Service (WSUS), System Center Configuration Manager (SCCM) or third-party update solutions, you need to create target groups/collections in these solutions, as they will most likely ignore your WUfB GPO settings. By enabling and defining the Select when Quality Updates are received GPO you can specify a delay between 0 and 30 days. You can also specify a date for temporarily pausing Quality Updates in the case of a known problem. When enabling the pause it will remain in effect for 35 days or until you clear the start date field in the GPO. This GPO will have no effect if you set your Allow Telemetry to 0 = Security only.

Another available WUfB GPO is Select when Feature Updates are received. It was renamed in 1709 to Select when Preview Builds and Feature Updates are received and is now capable of not only selecting Semi-Annual Channel (Targeted) (former Current Branch) and Semi-Annual Channel (former Current Branch for Business) but also selecting Preview Build - Fast, Preview Build - Slow and Release Preview as a readiness level for the servicing updates. For building servicing rings via GPO you can defer the servicing updates.
When selecting Semi-Annual Channel (former CB or CBB) you can defer up to 365 days (even if shorter ranges are recommended). As with the Quality Updates GPO, you can also specify a date for temporarily pausing servicing updates in the case of a known problem. When enabling the pause it will remain in effect for 35 days or until you clear the start date field in the GPO. For deferring CB and CBB you need to set your Allow Telemetry to minimum 1 = Basic.
Preview channel builds can only be deferred up to 14 days or paused for up to 35 days. For deferring any preview build you need to set your Allow Telemetry to minimum 2 = Enhanced and register your domain on insider.windows.com.
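The deferral limits and Allow Telemetry minimums stated above can be checked against a planned set of rings before the GPOs are built. This is an added example, not code from the original chapter: the function name, parameter names, readiness-level labels and ring data are constructed, and Release Preview is assumed to fall under the preview-build limits.

```powershell
# Added example: validate planned WUfB ring settings against this chapter's limits.
function Test-WufbRing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        # Allow Telemetry level as numbered in this chapter:
        # 0 = Security only, 1 = Basic, 2 = Enhanced.
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$AllowTelemetry,
        [ValidateSet('SemiAnnualTargeted', 'SemiAnnual', 'PreviewFast', 'PreviewSlow', 'ReleasePreview')]
        [string]$ReadinessLevel = 'SemiAnnualTargeted',
        [int]$QualityDeferDays = 0,
        [int]$FeatureDeferDays = 0
    )

    # Assumption: all three preview levels share the preview-build limits.
    $isPreview = $ReadinessLevel -in 'PreviewFast', 'PreviewSlow', 'ReleasePreview'
    $findings  = New-Object System.Collections.Generic.List[string]

    # Quality Updates: 0-30 days, ignored when Allow Telemetry is 0.
    if ($QualityDeferDays -lt 0 -or $QualityDeferDays -gt 30) {
        $findings.Add("Quality Update deferral of $QualityDeferDays days is outside 0-30.")
    }
    if ($QualityDeferDays -gt 0 -and $AllowTelemetry -eq 0) {
        $findings.Add('Quality Update deferral has no effect with Allow Telemetry 0 (Security only).')
    }

    # Feature updates: up to 365 days (telemetry >= 1) on the Semi-Annual
    # channels, up to 14 days (telemetry >= 2) for preview builds.
    $maxFeatureDays = if ($isPreview) { 14 } else { 365 }
    $minTelemetry   = if ($isPreview) { 2 } else { 1 }

    if ($FeatureDeferDays -lt 0 -or $FeatureDeferDays -gt $maxFeatureDays) {
        $findings.Add("Deferral of $FeatureDeferDays days exceeds the $maxFeatureDays-day limit for $ReadinessLevel.")
    }
    if ($FeatureDeferDays -gt 0 -and $AllowTelemetry -lt $minTelemetry) {
        $findings.Add("Deferring $ReadinessLevel needs Allow Telemetry >= $minTelemetry, found $AllowTelemetry.")
    }

    [pscustomobject]@{
        Ring      = $Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# --- Constructed ring plan ---
$plannedRings = @(
    @{ Name = 'Ring 0 - Insider'; AllowTelemetry = 2; ReadinessLevel = 'PreviewSlow';        FeatureDeferDays = 7 }
    @{ Name = 'Ring 1 - Pilot';   AllowTelemetry = 1; ReadinessLevel = 'SemiAnnualTargeted'; QualityDeferDays = 3;  FeatureDeferDays = 30 }
    @{ Name = 'Ring 2 - Broad';   AllowTelemetry = 0; ReadinessLevel = 'SemiAnnual';         QualityDeferDays = 14; FeatureDeferDays = 120 }
    @{ Name = 'Ring 3 - Lab';     AllowTelemetry = 1; ReadinessLevel = 'PreviewFast';        FeatureDeferDays = 30 }
)

# Expected: Ring 0 and Ring 1 compliant; Ring 2 flagged twice for telemetry 0;
# Ring 3 flagged for a deferral above 14 days and telemetry below 2.
foreach ($ring in $plannedRings) {
    Test-WufbRing @ring
}
```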

Windows 10 1709 introduced a new WUfB GPO, Manage preview builds. You can select Disable preview builds to prevent installing previews on that device and to prevent users from opting into the Windows Insider Program via the GUI. Selecting Enable preview builds will allow installing or opting in to insider builds on this machine.
To automatically install preview builds you additionally need to configure the Select when Feature Updates are received GPO described before. The third option, Disable preview builds once next release is public, will automatically stop receiving insider builds once the current Insider Preview goes to Release to Manufacturing (RTM) / public. This will gracefully opt the device out of flighting and prevent it from accidentally going into the next preview build phase.

Windows Server Update Services

Windows Server Update Services (WSUS) is the first of the above-mentioned solutions to be on premises. If configured to download content to your WSUS infrastructure, updates are distributed from your WSUS servers, which significantly reduces the WAN traffic. Updates and upgrades are deployed when you approve them to your WSUS defined target groups. You need to build your update and servicing rings via target groups inside WSUS.
With the default setting of WSUS it will download the full-size update packages and deploy them to the clients. This will rise very quickly to 1 GB per CU per client per month. To reduce workload on your WSUS infrastructure, you should configure BranchCache to reduce bandwidth usage on the WSUS server. Another option is to activate the Download express installation files option on your WSUS:

WSUS is rather good in deploying monthly cumulative updates / Quality Updates. But there are several caveats and problems when deploying servicing / feature updates with WSUS. Some of the limitations and caveats are:

  • WSUS servicing media cannot be updated manually. You will deploy the RTM version until the re-release about four months later. After that, you have no option to update the servicing media.
  • There is no option for a task sequence. Scripts and installations which need to be executed before or after an in-place upgrade are hard to target and require a lot of fiddling.
  • Language packs and suitable configuration files to customize setup with parameters need to be placed before targeting a client for update. There is no built-in check for file existence or similar. Again, a lot of fiddling and custom scripting is needed.

Michael Niehaus, director of product marketing for Windows at Microsoft, explained in his public talks about Windows as a Service and Windows 10 that there are improvements planned for WSUS in future versions to avoid some of the mentioned problems. This will help small and medium size business customers still using WSUS standalone. But currently there are no details available and the earliest next full server version will be in about two years.

SCCM and third-party solutions

Using Windows Update for servicing updates is not an option for business customers, especially large-scale enterprises, due to the missing task sequence functionality. Small and medium size business customers using Pro and higher SKUs can use WUfB and WSUS for updating, but the missing task sequence will complicate the update.
You will run into situations where you need to update a driver or software before being able to upgrade, or where you need to do additional configuration steps and clean-up after the in-place upgrade.
SCCM and third-party solutions (such as LANDesk, HEAT, and many others) are the best solution for serving updates and in-place upgrades. As with WSUS, quality and feature update content distributed from on premises, such as from Configuration Manager DPs, will significantly reduce WAN bandwidth use. Upgrades can be extended using a scripted task sequence, and you get extended software update capabilities in addition.
BranchCache and solution-specific peer delivery like peer SCCM delivery (client peer cache support for express installation files for Windows 10 and Office 365 available with SCCM 1706 and newer versions) should be enabled to reduce bandwidth/workload on your servers. There is also a new option in SCCM 1702 and newer for downloading express packages for Windows 10 only:

When selecting this option it will only download express files for Windows 10, and therefore the needed storage amount on your WSUS will not grow excessively as in the WSUS standalone scenario described in the paragraph before.
For building update and servicing rings you need to use the SCCM or solution specific techniques, like SCCM collections. SCCM will ignore the GPO settings for Quality Updates and feature updates.
For deploying wipe and load or in-place upgrade installations of Windows 10, an updated / corresponding version of the Windows 10 Assessment and Deployment Kit (ADK) with the newest Windows PE should be used if no exceptions are made by the Product Group. Please review the SCCM support matrix with every new Windows 10 release and every Semi-Annual Channel update for the minimum version of SCCM needed. An always-updated matrix can be found at https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/support-for-windows-10.
At the time of writing this book, the SCCM team was still planning three releases a year and the support matrix did not yet include Windows 10 1709, but it should be updated shortly before, or at the latest at, RTM/General Availability (GA) of Windows 10 1709. If no serious issues or blockers are detected before the release of 1709, SCCM 1706 can be expected to be backward compatible and SCCM 1710 to provide full support:

Other third-party solutions like LANDesk, HEAT, and many others have already announced that they will update their deployment solutions at least one to two times a year to keep up with Windows 10 and fully support the deployment. For example, LANDesk will release yearly major releases called LANDESK Management Suite 2017.1. The next updated version in 2017 will be 2017.2 and so on. A support matrix for LANDesk and Windows 10 can be found at https://community.ivanti.com/docs/DOC-23848.
Please review the solution relevant support matrices and plan to update your deployment solution also in a higher cadence than with former operating systems.

Windows 10 servicing

The pros and cons of wipe and load versus in-place upgrades, Installation and Upgrading. Once you have successfully jumped on the Windows 10 train, you need to plan to upgrade to new versions of Windows 10 within 18 months:

Every new Windows 10 release will be in a preview phase for about six months. This phase is marked grey (preview) in scale. During this preview phase there will be several hundred builds created to stabilize platform and integrate new features. Some builds are internal only or distributed to enterprise customers in a special technology adoption program. Builds with serious errors during internal validation are also not published.
Consumers and business customers who do not want to register at WIPfBiz can join the normal insider program at https://insider.windows.com/ but possibly miss some business test scenario descriptions.
When participating in the Insider Preview program you will get first-hand information about new or deprecated features, you will get new builds early and can test it with your software for compatibility at an early stage.
When participating in the preview you can access the fast ring for the bleeding-edge experience with the newest release at a slightly higher risk of features not working. If you want to work on a more stable preview or want to save download bandwidth with less updates you can join the slow ring with updates about every two weeks.
During this preview phase your feedback is very valuable and a lot of decisions and changes in Windows 10 were already triggered by customers participating. Don't miss the chance to actively shape the future of Windows 10.
If you do not participate in the Insider Preview phase, then the official RTM or GA of the new Windows 10 release should be the starting signal for validating the new Windows 10 release in your environment. Microsoft will release it into the Semi-Annual Channel (Targeted) (former Current Branch).
You now have a time-frame of approximately four months to carefully test it for compatibility with your LOB applications and report all possible remaining bugs to increase stability until the official broad release of Windows 10. This phase is marked as light blue (Pilot) in the scale.
After approximately four months, when Windows 10 is in normal Semi-Annual Channel release, you should be able to broaden your deployment to all business users. This phase is marked as dark blue (broad deployment) in the scale.
There is no universal one-fits-all recommendation how many rings each phase should contain. It depends on the amount of clients, on the different use cases of your clients (office PC, manufacturing PC, and so on) and how many issues were detected during piloting.
Most Enterprise customers we visited started with one ring for Insider Preview, 2-3 rings for the Pilot phase, and 4-5 rings for Broad deployment, where the highest ring is for blocking issues. According to the preceding scale, here is a sample for building rings and their timing. You can use it as a basis and adapt it to your environmental needs. Don't treat the weeks recommendation as an absolute minimum; faster deployment times are possible and have been observed, especially when iterating this job for the second or third time.

Summary

In this article, you learned about the new MDM capabilities and changes in GPO processing of Windows 10. In the servicing and update part we discussed the different update delivery solutions and gave recommendations for building servicing rings to keep up with the fast Windows 10 release cadence.