All posts in Configuration Manager

Windows 10 Servicing with ConfigMgr Confusion

What Current Branch and Current Branch for Business are not.

A lot has been written and spoken by Microsoft and in the community of Windows 10 as a service and it’s multiple servicing models, commonly called Windows 10 Servicing. This of course includes Current Branch (CB), Current Branch for Business (CBB), and Long Term Servicing Branch (LTSB). LTSB is special servicing branch of Windows 10 but this post is completely non-applicable to it because, well, eww yuck, it’s best to avoid LTSB altogether.

There are a lot of incorrect and misleading statements floating around about CB and CBB in both official Microsoft documentation, unofficial documentation, and community blog posts to name a few sources. Here’s a summary of these statements which are more or less all related and stem from a faulty understanding of what the service model really is or rather what a customer should use it for. Additionally, these statements seem OK on the surface and in some scenarios may actually appear to be true. But, once you peel back the layers, it’s easy to see that they are not and can be bad for your environment if you treat them as true.

CB and CBB are a “state” of a Windows 10 system that can be determined by the value in the registry. NOT

This specifically refers to the Defer Updates and Upgrades setting (which has now become Pause Feature Updates setting in Windows 10 1703). This is completely incorrect and even dangerous, see Why WSUS and SCCM managed clients are reaching out to Microsoft Online for a lot more details on this. To summarize briefly, this setting (and resulting registry value) are meant to control when feature updates are applied from Windows Update for Business (WUfB) only. Even if you are using WUfB, don’t equate setting this value to somehow magically changing what is installed on a system. This setting defines the intent of an administrator for when it will get a feature update in the future. The exact state of the system right now is completely separate from what the value of this setting is.

If you are using System Center Configuration Manager (ConfigMgr) for updates, you should not be setting this value at all (and if you’re not using ConfigMgr, you’re doing it wrong to begin with). Setting this value, as detailed in the post above, enables dual-scan for Windows Update which in turn has multiple nasty side effects. Don’t do it and delete it ASAP if you have.

CB and CBB are different versions of Windows 10. NOT

CB and CBB are in fact, the exact same version of Windows 10. Many folks like to point out that Microsoft releases new media when a version of Windows 10 is declared CBB and so that means it’s a new version. This is [of course] false. The new media is simply a convenience for those building images and/or deploying new systems. The version does not change and a CB system can easily be updated to the latest build by applying the latest cumulative update.

It’s important to note here that version here refers to 1507, 1511, 1607, and now 1703 because these version numbers refer to a locked in feature set.

CB and CBB have different end of life dates. NOT

Because CB and CBB are really the same version of Windows 10, they go end of life at exactly the same time (which is still variable and based upon the initial CB release of the second version after the version in question).

I need to set the Defer Upgrades setting for Windows 10 Servicing to work in ConfigMgr. NOT

Per the theme of this post, this is also false. ConfigMgr doesn’t care about or rely on this setting in any way. The deployment ring criteria page when creating a servicing plan is for update selection and not targeting. Servicing plans are simply Automatic Deployment Rules (ADR) with a few additional settings and like ADRs, the result of evaluating a servicing plan is an Update group, an update deployment on that update group, and the download of the updates (feature updates in this case) to an update package (known as deployment packages if the console even though they have nothing to do with deployments).

So what are CB and CBB really?

CB are the builds of a Windows 10 version at the time that version is initially released up until the time that version is declared ready for business use. Similarly, CBB are the builds of a Windows 10 version from time that version is declared ready for business until the time that version is retired. That’s it, a simple set of builds.

Notice a key word in both statements above: declared. It’s very important to take note of this word because this is truly the difference between CB and CBB. At some point, Microsoft simply says, it’s ready to be used for our business customers. Nothing has truly changed about the version except a bunch of fixes wrapped up in the latest cumulative update. It’s still the same version though.

If you have a system on a CB build, as noted above, to bring it up to CBB (assuming the version has been declared ready for business) all you need to do is apply the latest cumulative update.

Put simply (and stolen from Mr. Niehaus) CBB = CB + latest CU.

So, how do you determine if a system is on a CB or CBB build? By looking at the actual build numbers. This page has those build numbers although it hasn’t been updated for 1703 yet: Windows 10 release information.

And how should you determine if you want to update your systems to CB or wait for CBB? Well that’s up to you. If you need a tracking mechanism and you are using ConfigMgr, you should do what you’ve always done: build and populate collections. What you put in those collections and how you get them there is completely up to you — just don’t use the Defer Updates and Upgrade setting for this.

Intent vs. Actual

One of the sources of the issue here is defining the intent of what build you want your systems on and the actual build those systems are on. Most documentation intermingles these two concepts without distinguishing between the two. If you have a set of systems that you always want on the latest (non-insider) build, i.e., your intent for these systems, you may call or classify those systems as your CB systems. But at some point, those systems will actually be on a CBB build because the next version hasn’t been released yet and the old/current version is already at CBB. So if you continue to call those systems your CB systems, folks might (rightly) assume that you haven’t updated them to the latest cumulative update and are out of support and/or a security risk.

My recommendation: stop using CB and CBB to define intent and only use these terms to define the actual, current build. Use other terms to define your intent.

Note that the ConfigMgr product team foresaw this confusion when creating the user interface for servicing plans and used the terms “release ready” and “business ready”. Unfortunately, this was and is not enough to prevent the confusion.

Documentation Updates

To be clear here, we are working with the content owners at Microsoft to get the documentation corrected (Niall Brady has been fighting the good fight on this for months and months). But it’s more than just a documentation issue at this point as there are a few lingering technical and strategy based issues as well. Windows 10 is moving so fast (as is ConfigMgr) that sometimes things just don’t happy as quickly as we want then to. That’s not an excuse, it’s just a statement of fact.

The ConfigMgr Servicing Dashboard

As confirmed in the comments below by Mr. Niehaus, the Windows 10 Servicing dashboard in ConfigMgr relies on the Defer Upgrade GPO setting (or really the registry value behind this setting) to show CB and CBB systems. These values are collected and accessible in ConfigMgr using the OSBranch attribute of the System Resource class. What this means is that this dashboard and those values, assuming you have the GPO set for your systems, define intent and not the actual, current build of a Windows 10 system. There’s not a lot of value in that IMO particularly if setting this policy breaks software updates on those client systems. If you want to view, audit, or control your intent, then as noted above, use collections just like you always have in ConfigMgr.

OSD Frontends Series

My OSD Frontends three part series was released on the 1E blog a few months back; check it out:

Office 365 Inventory

With the addition of update channels to Office 365 and the self-controlled update mechanism in Office 365 Click to Run, keeping track of what versions and channels are in use in your environment is an important task. Unfortunately, there’s no registry value that simply says “Current Channel” or “Deferred Channel” or any other simple indicator that I could find. After a fair amount of both Binging and Googling, I stumbled across a forum post that contained exactly what was needed. Read more…

Cross-site Images in ConfigMgr

If you create your OS images using ConfigMgr one potential issue is that the ConfigMgr client agent is embedded in your image. In and of itself, this isn’t a huge deal if you are also deploying the image to systems that will be managed in that same ConfigMgr site or hierarchy. If however, you need to use that image in another site or hierarchy, say for example in a lab environment, then you will run into issues during the deployment task sequence with many tasks. Read more…

Uninstall Software En Masse

Every now and then, you may have the need to uninstall software, not just a single version but all versions of a certain product from your systems; e.g., QuickTime or Adobe Reader. Because these products are common components, you may have many different versions installed across your organization and because of these many different versions, you can’t just use a single command-line to uninstall them all. Read more…

The Unspoken Upgrade Requirement

When upgrading to Configuration Manager (ConfigMgr) Current branch (CB) or even implementing it from scratch, there is an unspoken requirement. It’s not really a requirement for ConfigMgr itself, but more of a requirement for WSUS. This requirement comes into play if you plan to use the new Windows 10 servicing feature in ConfigMgr CB. The servicing feature enables ConfigMgr CB to deploy in-place upgrades to Windows 10 systems using servicing plans which in turn use the software updates feature set behind the scenes. Read more…

Boot Image Backgrounds

To me aesthetics (even if I can’t spell that without the help of a spell-checker) are very important; basically, if it “looks” shoddy, haphazard, or thrown together, it probably is. This goes for things like a GUI (and is the reason I worked hard on making UI++ *look* polished as well as actually working well) and for things like the backgrounds shown during operating system deployment (OSD). For every customer that I’ve ever worked with, I’ve created a custom set of boot image backgrounds for this very reason (some better than others of course). Read more…

Why You Should Disable Automatic Updates

A perfect example of why you should disable automatic updates using group policy, script, compliance settings or any other means at your disposal when using Configuration Manager for Software Updates (aka patching). Note this doesn’t mean disabling the Windows Update service, it means as stated, disable Automatic Updates. Read more…

Remote Systems Management in Configuration Manager

Managing remote systems, i.e., those not directly connected to your internal network, is a challenge best not overlooked for multiple reasons including security. With Microsoft System Center Configuration Manager (ConfigMgr) and Microsoft Intune, you have multiple options to achieving this. Note that all of these of course require an active Internet connection on the client as there’s no magic, universal Ethernet so that is something that could be said for each of these.

The below summarizes the different approaches organizations use or may consider to manage these remote systems using Microsoft’s management technologies. Read more…

Ugh: CCMSETUP Error Codes

One of the things I’ve lamented and heaped scorn onto in the past is the use of non-standard error codes for processes and installers in particular. Why? Well, if a process or installer returns a standard error code, it’s pretty easy to figure out what that error code means using one of the techniques I described in one of my older posts appropriately titled Error Codes. If, however, a non-standard error code is returned, how is anyone supposed to know what it means especially if the codes aren’t documented by the vendor. Read more…

Load More