Configure a Windows 10 device for Current Branch for Business in Microsoft Intune
When managing Windows 10 devices with Microsoft Intune, you should create a strategy for your devices on how they’re gonna retrieve upcoming releases for Windows 10. As part of the new Windows-as-a-Service release model, it’s important to define at what interval your devices will receive feature upgrades (new version of Windows 10) and servicing updates (patches). This is done by configuring Windows Update on the Windows 10 device to either defer upgrades or not. If you’d choose to defer the upgrade, the device be treated as it’s in the Current Branch for Business (CBB), and when defer is not configured, it’s in the Current Branch.
As seen in the picture below, a Windows 10 device is not configured to defer upgrades, which means that it will be treated as it’s in the Current Branch and will receive feature upgrades and servicing updates when they’ve been approved for the Current Branch by Microsoft after testing by millions of Windows Insiders.
Strategy and Branches
In your deployment strategy for Windows 10, you should at least have a few devices that’s in enrolled into the Windows Insider branch. This will bring an early opportunity for your organization to check out new features that are coming in the next release, and also validate compatibility in your environment. In addition to having a few devices enrolled into the Windows Insider branch, it’s also a good idea to have for instance a group of IT-administrators testing and validating the release that becomes available for the Current Branch. Since the new servicing model will bring new releases of Windows 10 more often that we’ve previously been used to, it’s important to have a strategy that evaluates the new releases and the functionality it brings to the table.
Microsoft’s idea with Windows 10 and the different servicing branches are to allow for a flexible and fast release model that suites the high demand for new functionality and support for the latest technology from consumers and business users. Although, organization would want to thoroughly test and validate the new releases, and Microsoft has therefor created the Current Branch for Business. Within this branch, organizations will have an option to defer feature upgrades for a period of up to 8 months after the release has been made available to the Current Branch for Business. Servicing updates (patches) can be deferred up to 4 weeks. This will allow organizations to further test the release of Windows 10 and make sure it’s ready to be distributed in their environment.
So, how do we actually configure a device to be a part of the Current Branch for Business? For organizations that will leverage System Center Configuration Manager (ConfigMgr) to upgrade to the latest CBB release for a more controlled distribution, will download the released build and leverage the In-Place upgrade task sequence. But for smaller organizations that does not have ConfigMgr, or in BYOD / CYOD scenarios, devices will receive the feature upgrades from Windows Update. In this post, I’ll cover the BYOD / CYOD scenario where we have a bunch of devices joined to Azure AD and managed with Microsoft Intune. Through Microsoft Intune, we’d want to make sure that we can control what devices are a part of the CBB. This can be done by deploying a Custom Configuration policy for Windows 10.
Enable a device for Current Branch for Business
With the release of Windows 10 1511 (TH2), there’s a lot of new OMA-URI settings that we can use to managed Windows 10 through the MDM agent. If you’re not familiar with how to manage Windows 10 with OMA-DM, I suggest that you read the following blog post that I wrote on the subject:
Before you go ahead and follow the instructions below, I’d suggest that you create a group in Microsoft Intune of all your devices that you want to configure for CBB. We’ll use this group for targeting the policy that we’re about to create.
1. Logon to manage.microsoft.com, click on the Policy workspace, select Configuration Policies and click Add.
2. Expand Windows, select Custom Configuration (Windows 10 Desktop and Mobile and later) and select Create Policy.
3. Name the policy e.g. Current Branch for Business and click on Add in the OMA-URI Settings section.
4. Add the following:
Setting name: RequireDeferUpgrade
Setting description: Configure device for CBB
Data type: Integer
5. Click Save Policy.
6. Click Yes in the window asking if you want to deploy the policy now.
7. Select a group of Windows 10 devices that you want to deploy this policy to. I’d suggest that you select the group that you’ve already created for your CBB devices. Click OK.
Once the deployment have been created, your devices should within their policy refresh cycle obtain the custom configuration policy and apply the OMA-URI setting that we’ve configured. Once configured, validate the configuration by opening Settings -> Update and Security -> Windows Update -> Advanced options.
As I’ve already mentioned, organizations can defer features upgrades and servicing updates be configure what we’ve gone over in this post. In addition, there’s also options for deferring feature upgrades and servicing updates for a period of time after the release of the new version of Windows to CBB. This is what Microsoft calls deferral period. For feature upgrades, you’re allowed to defer them up to 8 months after the release date. For servicing updates, you’re allowed to defer them for up to 4 weeks.
If you require more time to evaluate and validate feature upgrades or servicing updates in your environment, you have the option to add additional OMA-URI settings to your custom configuration policy. Here’s what’s currently available:
Defer feature upgrades
|Description||Policy to defer feature upgrades for up to 8 months|
|Allowed values||0: Apply updates immediately
1-8: number of months to defer feature upgrades
Defer servicing updates
|Description||Policy to defer software updates for up to 4 weeks|
|Allowed values||0: Apply updates immediately
1-4: number of weeks to defer software updates
If you’d want to see what else you can manage in Windows 10 through Microsoft Intune and OMA-DM, see the following TechNet article:
That’s it, I hope it helps!
Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.