Enterprise Best Practice Windows 10 Updates

kamidon

So we're thinking of setting a GPO that will put most users in the "Current Branch for Business" track, which would be a much slower track than the default. (one cycle behind 3-4 months).
We're also thinking about putting a handful of users in the regular branch (one that we're on) since they're more technical and we'll get to see what issues they run into so we can prepared when the rest have the same issue.
Finally, my boss and I will be in the Technical preview branch to see what issues their are with Windows 10 far before they happen.
Sooooo....Does that sound like it would be best practice? Or can you all think of something else I'm missing out on?
Thank you

DustinB3403

I don't know if I would roll out this update like that. I personally would pick a few select users who I know to be the worst, and see what they can "break".

After a successful period and of these users asking others why they aren't updated yet, would I push the updates out to the rest of your organization.

MattSpeller

@DustinB3403 said:

I don't know if I would roll out this update like that. I personally would pick a few select users who I know to be the worst, and see what they can "break".

After a successful period and of these users asking others why they aren't updated yet, would I push the updates out to the rest of your organization.

I second this advice, but I always add in a couple power users to the mix of "special" ones.

JaredBusch

@DustinB3403 said:

I don't know if I would roll out this update like that.

He is not talking about rolling out "an update"

He is setting standard policy for Windows updates in general.

JaredBusch

@kamidon said:

So we're thinking of setting a GPO that will put most users in the "Current Branch for Business" track, which would be a much slower track than the default. (one cycle behind 3-4 months).
We're also thinking about putting a handful of users in the regular branch (one that we're on) since they're more technical and we'll get to see what issues they run into so we can prepared when the rest have the same issue.
Finally, my boss and I will be in the Technical preview branch to see what issues their are with Windows 10 far before they happen.
Sooooo....Does that sound like it would be best practice? Or can you all think of something else I'm missing out on?
Thank you

If MS had not changed the update process so much I would tell you not to use the tiered structure and just have everyone on the standard track.

But there has only been one major update so far (release 1511) to judge the process on. I really dislike the annoying "Hi." screen that non-domain users get. For my domain clients that have 10, non of them rolled to 10 until after 1511 was released so I am not sure if the process is any different for domain machines.

Dashrender

I do not agree with the tiered approach either.

Also, MS just announced last week that 1511 is now considered the current branch, so you all would be on the level anyhow.

But, even if you did do this, the main difference, from what I can tell is that your slow ring people would be on the last major revision and the normal ring would be current, but everyone would be on the same security patches level as MS will be releasing them for both.

It might be easier to think about Service Packs. Again, from what I understand, your solution will have staggered Service Packs. But MS has in general released the security updates for the current and one previous SP.

IRJ

We are about a week behind on workstations. I have a test target group of about 20 computers that I push updates to first. If all goes well, the rest get them. I never really have issues with workstation updates.

Dashrender

@IRJ said:

We are about a week behind on workstations. I have a test target group of about 20 computers that I push updates to first. If all goes well, the rest get them. I never really have issues with workstation updates.

I had two issues last year. Outlook had a problem with a view after an update last year. Don't recall the other one.

kamidon

@Dashrender We've had quite a number of issues.
Surface Pro 4s: Waking from sleep mode and the video signal doesn't pass thru, Touchscreen fails to initialize, the usual...freezing, hotbag, multitouch issues, other mouse issues (erratic behavior/skipping and clicking around screen randomly)
Surface Pro 3: Wifi related issue (only one case thankfully)
All others: Issues with Outlook (Common cursor issue with one of the latest 2016 updates), Excel crashing, resolution stuck at 640x320 while using display port cables, Windows Freezing/lockups (pre-1511), video driver crashing (Intel), Broken activations after upgrading to 1511 (all machines....), applocker breaking, no directaccess issues so that's nice
For the most part it's been great, but we're just trying to see if there's a recommended or a best practice with going about putting users in different update rings.

Thank you all for your input, look forward to continuing to read all your feedback.

kamidon

@Dashrender And the main reason for delaying updates would be for builds, besides the activation issues we've had (and the over 30 hours of being on the phone with Microsoft to get them to add now 100 more activations to our MAK), we've had the latest build break a large number of our Trend Micro installs.
Builds seems to wreck things, despite fixing a huge number of bugs

Dashrender

MAKs? why are you using MAKs? unless your fleet is never in the office?

Jason

@kamidon said:

@Dashrender We've had quite a number of issues.
Surface Pro 4s: Waking from sleep mode and the video signal doesn't pass thru, Touchscreen fails to initialize, the usual...freezing, hotbag, multitouch issues, other mouse issues (erratic behavior/skipping and clicking around screen randomly)
Surface Pro 3: Wifi related issue (only one case thankfully)
All others: Issues with Outlook (Common cursor issue with one of the latest 2016 updates), Excel crashing, resolution stuck at 640x320 while using display port cables, Windows Freezing/lockups (pre-1511), video driver crashing (Intel), Broken activations after upgrading to 1511 (all machines....), applocker breaking, no directaccess issues so that's nice
For the most part it's been great, but we're just trying to see if there's a recommended or a best practice with going about putting users in different update rings.

Thank you all for your input, look forward to continuing to read all your feedback.

These issues aren't related to Windows 10. Surface Pro's are poor quality machines. we've abonded them. And we had a good number in service (maybe 500-100)

Jason

@Dashrender said:

MAKs? why are you using MAKs? unless your fleet is never in the office?

Depends on the sites of the company. KMS is great for server but when you are a large enterprise with different business units (and budgets) for end users then KMS can be a management nightmare.

Dashrender

@Jason said:

@Dashrender said:

MAKs? why are you using MAKs? unless your fleet is never in the office?

Depends on the sites of the company. KMS is great for server but when you are a large enterprise with different business units (and budgets) for end users then KMS can be a management nightmare.

How so? KMS doesn't care about actual paid licenses. One KMS server can (though probably shouldn't) handle a 20,000 employee/device company and only requires that you have a single KMS license. The actual license aspect is completely unrelated - i.e. each department can pay for their own stuff like they have before.

Jason

@Dashrender said:

@Jason said:

@Dashrender said:

MAKs? why are you using MAKs? unless your fleet is never in the office?

Depends on the sites of the company. KMS is great for server but when you are a large enterprise with different business units (and budgets) for end users then KMS can be a management nightmare.

How so? KMS doesn't care about actual paid licenses. One KMS server can (though probably shouldn't) handle a 20,000 employee/device company and only requires that you have a single KMS license. The actual license aspect is completely unrelated - i.e. each department can pay for their own stuff like they have before.

It said it's a management nightmare not that it can't. We have separate Keys for each business unit (not the same as a department at all https://en.wikipedia.org/wiki/Strategic_business_unit). Using KMS is harder to keep track of. Microsoft has even admitted KMS is usually bad and how company get in licensing trouble.

It takes all of two seconds for our technicians to enter a key. From a list and at the same time put the computer/user in a database for keeping track of licensing. If you have KMS it will just activate itself.

Dashrender

@Jason said:

@Dashrender said:

@Jason said:

@Dashrender said:

MAKs? why are you using MAKs? unless your fleet is never in the office?

Depends on the sites of the company. KMS is great for server but when you are a large enterprise with different business units (and budgets) for end users then KMS can be a management nightmare.

How so? KMS doesn't care about actual paid licenses. One KMS server can (though probably shouldn't) handle a 20,000 employee/device company and only requires that you have a single KMS license. The actual license aspect is completely unrelated - i.e. each department can pay for their own stuff like they have before.

It said it's a management nightmare not that it can't. We have separate Keys for each business unit (not the same as a department at all https://en.wikipedia.org/wiki/Strategic_business_unit). Using KMS is harder to keep track of. Microsoft has even admitted KMS is usually bad and how company get in licensing trouble.

It takes all of two seconds for our technicians to enter a key. From a list and at the same time put the computer/user in a database for keeping track of licensing. If you have KMS it will just activate itself.

Sounds like you really have a problem at purchasing. It should be their responsibility to ensure that licensing exists for the purchases you make. Spreading that responsibility around the company, department to department means multiple people have to understand how it works, and track things, etc. When time for an audit comes, you have to talk to everyone, not just a single department for the whole company. that definitely seems like a nightmare.

Jason

@Dashrender said:

Sounds like you really have a problem at purchasing. It should be their responsibility to ensure that licensing exists for the purchases you make. Spreading that responsibility around the company, department to department means multiple people have to understand how it works, and track things, etc. When time for an audit comes, you have to talk to everyone, not just a single department for the whole company. that definitely seems like a nightmare.

Where do you get multiple people do the purchasing? and even if they did there's no problem with that. We can see the amounts in our online portals.

Dashrender

Then where are you getting in trouble? If purchasing is making all the buying - and IT is just deploying what purchasing is supplying, you should never have a license mismatch, and KMS would be fine.