Tuesday, March 21, 2017

Deploy and manage Windows as a service

Deploy and manage Windows as a service

Objective

As an administrator of client computers running the Widows 10 operating system in your organization, you can use several tools to manage Windows 10 feature and quality updates. In this lab, you learn how to manage Windows 10 clients by using Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, and Windows Update for Business. 

Scenario

Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. The table below describes the example deployment rings used throughout this lab.
Example deployment rings
Deployment ring                                  Servicing branch                         Machine
WIN10 Ring 1 Pilot IT                                         CB                                          WIN10-01
WIN10 Ring 2 Pilot Business Users                     CB                                          WIN10-02
WIN10 Ring 3 Broad IT                                       CBB                                        WIN10-03
WIN10 Ring 4 Broad Business Users                   CBB                                        WIN10-04

Virtual Machines

  1. CM
  2. DC
  3. WIN10-01
  4. WIN10-02
  5. WIN10-03
  6. WIN10-04
  7. WIN10-LTSB

Exercise 1 : Experience CB and CBB

Windows 10 offers two update release types: feature updates and quality updates. Feature updates account for the functionality previously deployed in major revision upgrades. Quality updates represent traditional Windows updates, previously referred to as servicing updates. To align with this new feature update and quality update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered. Three servicing branches are available to Windows 10 clients: Current Branch (CB), Current Branch for Business (CBB), and the Long-Term Servicing Branch (LTSB).
  1. SIgn in to WIN10-01
    (1) Switch to WIN10-01 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-01 as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open Update & Security settings
    (1) Click Start, and then click Settings (the gear Icon). (2) In the Settings app, click Update & security.
  3. View the Defer Feature Updates setting
    (1) Review the Knowledge box. (2) On the UPDATE & SECURITY page, click Windows Update in the navigation pane. (3) In the details pane, click the Advanced options link.
    Note the Defer feature updates check box. Selecting this check box puts the device in the CBB servicing branch. You can also defer feature updates by using Group Policy and mobile device management (MDM) solutions through Windows Update for Business.
  4. Close the Settings app
    After reviewing the Advanced options page, close the Settings app.
The Defer feature updates flag specifies if a client is in CB or CBB. If you set that flag, the Windows 10 client will receive feature updates only after Microsoft has released them to CBB. To defer updates further, you can use a variety of servicing tools, including WSUS, System Center Configuration Manager, Windows Update for Business through Group Policy, and MDM solutions such as Microsoft Intune.

Exercise 2 : Experience LTSB

For some organizations, special-purpose devices such as those used to control factory or medical equipment or to run ATMs require a stricter, less frequent feature update cycle than CB or CBB can offer. For those machines, install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Windows 10 Enterprise LTSB lacks many in-box apps built on the Universal Windows Platform and Cortana integration. This exercise compares Windows 10 Enterprise LTSB to Windows 10 Enterprise.
  1. View WIN10-LTSB
    (1) Review the Knowledge box. (2) Switch to WIN10-LTSB by clicking the Switch to Machine icon to the right. (3) Sign in to WIN10-LTSB as Mark Hassall (CORP\Mark) with a password of Passw0rd(4) Click Start, and view the list of applications.
    Notice that the list of applications is short. Also notice that Cortana isn’t available on the task bar.
  2. View WIN10-01
    (1) Review the Knowledge box. (2) Switch to WIN10-01 by clicking the Switch to Machine icon. (3) Sign in to WIN10-01 as Mark Hassall (CORP\Mark) with a password of Passw0rd(4) Click Start, and view the list of applications.
    Notice that the list of applications is much longer and there are several Universal Windows apps. Also notice that Cortana is available on the task bar.
Windows 10 Enterprise LTSB doesn’t have servicing options for feature updates; each time the feature updates are needed, you must use a media-based in-place upgrade procedure. As this lab showed, in addition to that limitation, many other application elements have been removed.

Exercise 3 : Experience Windows Insider

In addition to the CB, CBB, and LTSB servicing branches, the Windows Insider Program enables organizations to experience Windows builds as Microsoft develops them. Windows Insider machines can help with preliminary testing efforts, before the next build of Windows is released. As builds get closer to their CB release, organizations can use the Windows Insider builds to test their critical business applications.
  1. Open Update & Security settings
    (1) Click Start, and then click Settings (the gear Icon). (2) In the Settings app, click Update & security.
  2. View Windows Insider Program settings
    (1) Review the Knowledge box. (2) On the UPDATE & SECURITY page, click Windows Insider Program.
    This is where you configure devices to receive Windows Insider preview builds of the next Windows 10 release. If you aren’t already enrolled in the Windows Insider Program, you can click Get Started to create an account. If you’re already enrolled, simply link your Microsoft Account.
In this exercise, you learned how to sign a Windows 10 device up for Windows Insider preview builds.

Exercise 4 : Using WSUS: Verify Express Updates configuration

Using WSUS to manage Windows 10 updates is simple and familiar. If you’re currently using WSUS to manage Windows updates, you’ll manage Windows 10 updates the same way. In this exercise, you will review express update settings in WSUS. You can use express installation files to limit the bandwidth that is consumed on the local network. However, this is at the costs of additional bandwidth on the Internet connection and additional local disk space. By default, WSUS does not use express installation files. Depending on your requirements, you may want to enable download of express updates.
  1. Sign in to DC
    (1) Switch to DC by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to DC as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open the WSUS Administration Console
    (1) Click the Server Manager icon on the task bar. (2) When Server Manager opens, click Tools, and then click Windows Server Update Services.
  3. Navigate to Update Files and Languages.
    (1) In the navigation pane, go to DC\Options(2) In the Options section, click Update Files and Languages.
  4. Verify Download express installation files setting
    (1) Review the Knowledge box. (2) In the Update Files and Languages dialog box, verify the Download express installation files checkbox is cleared, and then click Cancel.
    Do not select the Download express installation files checkbox for this lab. If you select this checkbox it can take up to 15 minutes for the WSUS database to process the changes. You will need to wait for this period of time before you can proceed with the lab.
    Updates typically consist of new versions of files that already exist on the computer that is being updated. On a binary level, these existing files might not differ very much from updated versions. The express installation files feature identifies the exact bytes between versions, creates and distributes updates of only those differences, and then merges the existing file together with the updated bytes.

    Sometimes this feature is called delta delivery because it downloads only the delta (difference) between two versions of a file. Express installation files are larger than the updates that are distributed to client computers because the express installation file contains all possible versions of each file that is to be updated.

    For the purposes of this lab, you will accept the default value (checkbox cleared) because selecting this checkbox will delay the lab by 15 minutes or more.

    If your local network traffic is being negatively impacted by Windows Update traffic, consider enabling this setting. However, know that if you enable this setting that you will increase the amount of data downloaded from Windows Update and the local storage requirments.
In this exercise, you saw how easy it is to configure express updates in WSUS. Express updates can significantly reduce the time it takes for Windows 10 devices you use WSUS to manage to install quality updates. However, remember that the trade of is increased download file  sizes from Windows Update and more storate requirements on your WSUS servers.

Exercise 5 : Using WSUS: Create a computer group

You can use computer groups to target a subset of machines that require specific installation times for quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. Then, later in this lab, you will be using client-side targeting to populate the group. For more information about the deployment rings discussed in this lab, review the Knowledge box. In the “Using WSUS” exercises, you work with the first deployment ring: WIN10 Ring 1 Pilot IT.
  1. Navigate to All Computers
    In the WSUS Administration Console navigation pane, go to DC\Computers\All Computers.
  2. Create a group
    (1) In the action pane, click Add Computer Group(2) In the dialog box, in Group name, type WIN10 Ring 1 Pilot IT, and then click Add.
You have successfully created the computer group for the WIN10 Ring 1 Pilot IT deployment ring.

Exercise 6 : Using WSUS: Create an automatic approval rule

Within the WSUS Administration Console, you can create automatic approval rules that automatically approve and set a deadline for specific updates targeted at specific machines. This approach is less time-consuming than administrators manually approving quality updates each month or feature updates multiple times per year. In this exercise, you create an automatic approval rule for the WIN10 Ring 1 Pilot IT deployment ring.
  1. Navigate to Automatic Approval Options
    In the WSUS Administration Console navigation pane, go to DC\Options, and then select Automatic Approvals.
  2. Create a new rule
    (1) On the Update Rules tab, click New Rule(2) In the Add Rule dialog box, select the When an update is in a specific classificationWhen an update is in a specific product, and Set a deadline for the approval check boxes.
  3. Edit Classification
    (1) In the Edit the properties area, select the Any classification link (blue text). (2) Clear everything except Upgrades, and then click OK.
  4. Edit Product
    (1) Review the Knowledge box. (2) In the Edit the properties area, click the Any product link (blue text). (3) Clear all check boxes except Windows 10, and then click OK.

    Note   Windows 10 is under All Products\Microsoft\Windows.
  5. Edit Computers
    (1) In the Edit the properties area, click the All computers link (blue text). (2) Clear all the computer group check boxes except WIN10 Ring 1 Pilot IT, and then click OK(3) Leave the deadline set for 7 days after the approval at 3:00 AM.
  6. Name and save the new rule
    (1) In the Step 3: Specify a name box, type Windows 10 Upgrade Auto-approval for WIN10 Ring 1 Pilot IT, and then click OK(2) In the Automatic Approvals dialog box, click OK(3) Review the Knowledge box.
    WSUS doesn’t honor any existing month, week, or day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a machine that WSUS is manages updates for, when WSUS approves the update it will be installed on the machine, regardless of whether Group Policy is configured to wait.
You have successfully created an automatic approval rule in WSUS!

Exercise 7 : Using WSUS: Prepare for client-side targeting

The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many machines to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct clients, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called client-side targeting. Before enabling client-side targeting in Group Policy, however, you must configure WSUS to accept Group Policy computer assignment rather than the default manual-assignment method.
  1. Set the computer communication option
    (1) In the navigation pane, go to DC\Options, and then click Computers(2) In the Computers dialog box, select Use Group Policy or registry settings on computers, and then click OK(3) Review the Knowledge box.
    This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
You have configured WSUS to use client-side targeting. By using client-side targeting, you can quickly add machines in Active Directory groups to computer groups in WSUS rather than adding the computers to groups manually.

Exercise 8 : Using WSUS: Configure GPOs

When using WSUS to manage updates on Windows client computers, you must configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. Use this process to specify these settings and deploy them to all machines in the WIN10 Ring 1 Pilot IT deployment ring.
  1. Open GPMC
    Open the Group Policy Management Console (GPMC) by clicking the Server Manager icon on the taskbar, and then clicking Tools > Group Policy Management.
  2. Create a new GPO
    (1) In GPMC, expand Forest\Domains\Contoso.com(2) Right-click corp.contoso.com, and then click Create a GPO in this domain, and Link it here(3) In the New GPO dialog box, name the new Group Policy object (GPO) WSUS – Auto Updates and Intranet Update Service Location and then click OK.
  3. Navigate to Windows Update Settings in the new GPO
    (1) Right-click the newly created GPO, and then click Edit(2) In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
  4. Edit Automatic Update settings
    (1) Right-click the Configure Automatic Updates setting, and then click Edit(2) In the Configure Automatic Updates dialog box, select Enable(3) Under Options, select 3 - Auto download and notify for install from the Configure automatic updating list, and then click OK.
  5. Edit the Service Location setting
    (1) Right-click the Specify intranet Microsoft update service location setting, and then click Edit(2) In the Specify intranet Microsoft update service location dialog box, select Enable(3) Under Options, in the Set the intranet update service for detecting updates and Set the intranet statistics server options, type http://DC.corp.contoso.com:8530, and then click OK.
    The server name and port number will likely differ in your environment. 
  6. Close the Group Policy Management Editor
    (1) Review the Knowledge box. (2) Close the Group Policy Editor to return to GPMC.
    Now you’re ready to filter this GPO to the correct computer security group.
  7. Apply security filtering
    (1) In GPMC, select the WSUS – Auto Updates and Intranet Update Service Location policy, and view the Scope tab on the right side of the screen. (2) Under Security Filtering, remove AUTHENTICATED USERS, and add the WIN10 Ring 1 Pilot IT group.
You have now successfully configured the prerequisite GPOs to manage Windows 10 updates in your environment using WSUS. Next, you’ll configure client-side targeting for the WIN10 Ring 1 Pilot IT group.

Exercise 9 : Using WSUS: Enable client-side targeting

The automatic updates and update service location Group Policy settings would typically be deployed broadly to many sets of machines. Unlike those settings, client-side targeting allows administrators to add computers in a specific security group automatically to a single identified computer group in the WSUS Administration Console. Both the security groups and the computer groups in WSUS should align with your identified deployment rings. In this exercise, you target the WIN10 Ring 1 Pilot IT AD security group and add those machines to the WIN10 Ring 1 Pilot IT computer group previously created in the WSUS Management Console.
  1. Create New GPO
    (1) In GPMC, expand Forest\Domains\Contoso.com(2) Right-click corp.contoso.com, and then click Create a GPO in this domain, and Link it here(3) In the New GPO dialog box, name the new GPO WSUS – Client Targeting - WIN10 Ring 1 Pilot IT and then click OK.
  2. Navigate to Windows Update Settings in the new GPO
    (1) Right-click the newly created GPO, and then click Edit(2) In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
  3. Edit the client-side targeting settings
    (1) Right-click Enable client-side targeting, and then click Edit(2) In the Enable client-side targeting dialog box, select Enable(3) In the Target group name for this computer box, type WIN10 Ring 1 Pilot IT, and then click OK.
    This is the name of the deployment ring in WSUS to which these computers will be added.
  4. Close the Group Policy Management Editor
    (1) Review the Knowledge box. (2) Close the Group Policy Editor to return to GPMC.
    Now you’re ready to deploy this GPO to the correct computer security group for the WIN10 Ring 1 Pilot IT deployment ring.
  5. Apply security filtering
    (1) In GPMC, select the WSUS – Client Targeting - WIN10 Ring 1 Pilot IT policy, and view the Scope tab on the right side of the screen. (3) Under Security Filtering, remove the default AUTHENTICATED USERS security group, and then add the WIN10 Ring 1 Pilot IT group.
You have successfully enabled client-side targeting for the WIN10 Ring 1 Pilot IT deployment ring.

Exercise 10 : Using WSUS: Validate the policy

Now that you’ve configured automatic updates, update service location, and client-side targeting for the WIN10 Ring 1 Pilot IT deployment ring, you must verify that the configuration was successful. Ultimately, the affected clients will contact the specified WSUS server during its next update cycle, but for this lab, you’ll force an update so that you can see the machine appear in its correct WSUS computer group automatically.
  1. Sign in to WIN10-01
    (1) Switch to WIN10-01 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-01 as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open an elevated command prompt
    (1) Right-click Start, and then click Command Prompt (Admin)(2) In the User Account Control box, click Yes.
  3. Update Group Policy
    (1) At the command prompt, type GPUPDATE /FORCE(2) Wait for the update to finish.
  4. Check Group Policy results
    (1) When the policies have updated successfully, at the same command prompt, type gpresult /h results.html /f(2) When the command has run, at the same command prompt, type results.html to view the results in Microsoft Edge. (3) In the results.html file, in the Applied GPOs section, you should see the WSUS – Client Targeting - WIN10 Ring 1 Pilot IT GPO that you created and deployed earlier.
  5. Close Microsoft Edge
    (1) Review the Knowledge box. (2) Close Microsoft Edge, but leave the Command Prompt window open.
    Now that you have verified that the policy was received on WIN10-01 by using the gpresult command, it’s time to force the client to contact the WSUS server so that client-side targeting will add it to the right computer group. 
  6. Force WSUS communication
    (1) Click Start, then click Settings(2) In the Settings app, go to Settings > Update & security > Windows Update. In the details pane, click Check for updates(3) Wait for device to update. (4) Close Settings.
  7. Close the Command Prompt window
    Close the Command Prompt window on the WIN10-01 VM.
WIN10-01 would eventually communicate with the WSUS server, but in this exercise, you forced it to communicate immediately so that you can verify that client-side targeting added WIN10-01 to the WIN10 Ring 1 Pilot IT computer group in WSUS.

Exercise 11 : Using WSUS: Verify that client-side targeting was successful

Now that you have forced WIN10-01 to communicate with WSUS, client-side targeting should have placed that Windows 10 machine in the WIN10 Ring 1 Pilot IT computer group within WSUS. In this exercise, you verify that that addition was successful and that the device appears in the correct computer group.
  1. Sign in to DC
    (1) Switch to DC by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to DC as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open the WSUS Administration Console
    (1) Click the Server Manager icon on the taskbar. (2) In Server Manager opens, click Tools > Windows Server Update Services to open the WSUS Administration Console.
  3. Navigate to WIN10 Ring 1 Pilot IT
    In the WSUS Administration Console navigation pane, go to DC\Computers\All Computers\WIN10 Ring 1 Pilot IT.
  4. Verify that WIN10-01 exists
    In the WIN10 Ring 1 Pilot IT computer group, set the Status filter to Any, and verify that the win10-01.corp.contoso.com computer is now present.
  5. Close the WSUS Administration Console
    Close the WSUS Administration Console.
In these exercises, you configured WSUS to use Express Update Files. Then, you created a computer group for the WIN10 Ring 1 Pilot IT deployment ring. You also configured an automatic approval rule to deploy feature updates to machines in the WIN10 Ring 1 Pilot IT computer group. Next, you created and deployed the Group Policy settings needed for client-side targeting, automatically adding the WIN10-01 client to the newly created computer group in WSUS that would receive feature updates 7 days after Microsoft released them. Finally, you verified that everything worked as expected.

Exercise 12 : Using Configuration Manager: Create a GPO and target client 2

System Center Configuration Manager provides a simple mechanism for servicing Windows 10 clients in your environment. If you’re currently using System Center Configuration Manager to manage Windows devices, you’ll manage Windows 10 quality updates the same way. To manage Windows 10 feature updates, however, System Center Configuration Manager version 1511 and later include an additional servicing feature called Servicing Plans.
  1. Open GPMC
    Open GPMC by clicking the Server Manager icon on the taskbar, and then clicking Tools > Group Policy Management.
  2. Create a new GPO
    (1) In GPMC, expand Forest\Domains\Contoso.com(2) Right-click corp.contoso.com, and then click Create a GPO in this domain, and Link it here(3) In the New GPO dialog box, name the new GPO Enable Current Branch for Business.
  3. Navigate to Defer Windows Updates settings
    (1) Right-click the newly created GPO, and then click Edit(2) In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates.
  4. Edit setting
    (1) Right-click the Select when Feature Updates are received setting, and then click Edit(2) In the Select when Feature Updates are received dialog box, click Enable. (2) Under Options, in Select the branch readiness level for the future updates that you want to receive, select Current Branch for Business, and then click OK.
  5. Close the Group Policy Management Editor
    (1) Review the Knowledge box. (2) Close the Group Policy Management Editor to return to GPMC.
    Now you’re ready to filter this GPO to the correct computer security group.
  6. Apply security filtering
    (1) In GPMC, click the Enable Current Branch for Business policy, and then view the Scope tab on the right side of the screen. (2) Under Security Filtering, remove AUTHENTICATED USERS and add the Windows 10 – Current Branch for Business Machines group.
You successfully created and deployed the GPO specifying which machines should be in the CBB servicing branch.

Exercise 13 : Using Configuration Manager: Create the All CB collection

  1. Sign in to CM
    (1) Switch to CM by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to CM as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open the Configuration Manager console
    Open the Configuration Manager console by clicking its icon on the taskbar.
  3. Create a new device collection
    (1) In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections(2) On the Ribbon, in the Create group, click Create Device Collection.
  4. Name the new collection
    (1) In the Create Device Collection Wizard, in the Name box, type Windows 10 – All Current Branch(2) Click Browse to select the limiting collection, and then double-click All Systems(3) Click Next.
  5. Add a new query rule
    (1) In Membership rules, click Add Rule, and then click Query Rule(2) Name the rule CB Detection, and then click Edit Query Statement.
  6. Add a new criterion
    On the Criteria tab, click the New icon.
  7. Provide the criterion properties
    (1) In the Criterion Properties dialog box, leave the Type as Simple Value, and then click Select(2) In the Select Attribute dialog box, from the Attribute class list, select System Resource(3) From the Attribute list, select Operating System Readiness Branch, and then click OK(4) Leave Operator set to is equal to; in the Value box, type 0(5) Click OK
    System Center Configuration Manager discovers clients’ Servicing Branch and stores that value in the OSBranch attribute, which you’ll use to create collections based on Servicing Branch. The values in this attribute can be 0 (Current Branch), 1 (Current Branch for Business), or 2 (Long-Term Servicing Branch).
  8. Add a second criterion
    On the Criteria tab, click the New icon again to add criteria.
  9. Provide the criterion properties
    (1) In the Criterion Properties dialog box, click Select(2) From the Attribute class list, select System Resource(3) From the Attribute list, select Operating System Name and Version, and then click OK(4) Click Value and select Microsoft Windows NT Workstation 10.0, and then click OK(5) Click OK again to finish.
  10. Complete the query rule
    (2) In the Query Statement Properties dialog box, note the two values. (2) Click OK, and then click OK again to continue to the Create Device Collection Wizard.
  11. Complete and close the wizard
    (1) Click Summary, and then click Next(2) Close the wizard.
You have successfully created a collection that contains all managed Windows 10 clients in the CB servicing branch.

Exercise 14 : Using Configuration Manager: Create the CB collection for the deployment ring

Now that you have created the CB collection, you can create collections that align with your deployment rings. In this exercise, you create a collection for the WIN10 Ring 2 Pilot Business Users deployment ring.
  1. Create a new device collection
    (1) In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections(2) On the Ribbon, in the Create group, click Create Device Collection.
  2. Name the new collection
    (1) In the Create Device Collection Wizard, in the Name box, type WIN10 Ring 2 Pilot Business Users(2) Click Browse to select the limiting collection, and then click All Systems(3) Click Next.
  3. Add a direct query rule
    (1) In Membership rules, click Add Rule, and then click Direct Rule(2) In the Create Direct Membership Rule Wizard dialog box, click Next.
  4. Add WIN10-02
    (1) In the Value field, type WIN10-02, and then click Next(2) Select WIN10-02, and then click Next(3) Click Next, and then click Close.
  5. Complete the wizard
    (1) In the Create Device Collection Wizard dialog box, click Summary(2) Click Next, and then click Close.
You have successfully created a device collection for the WIN10 Ring 2 Pilot Business Users deployment ring.

Exercise 15 : Using Configuration Manager: Create the CB Servicing Plan

You can manage Windows 10 updates with System Center Configuration Manager in two ways. You can manage quality updates by using traditional automatic deployment rules (ADRs). Feature updates, however, depend on the servicing branch that the individual managed client is in. You manage feature updates by using a new feature available in System Center Configuration Manager version 1511 and later called Servicing Plans. Those you configure similar to ADRs, but they manage the deployment schedule of features updates. Because feature updates are available to CB and CBB at different times, you configure servicing plans according to the servicing branch the client receiving the plan is in.
  1. Create a new Servicing Plan
    (1) In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click Servicing Plans(2) On the Ribbon, in the Create group, click Create Servicing Plan.
  2. Select the Servicing Plan collection
    (1) Review the Knowledge box. (2) Name the plan Ring 2 Pilot Business Users Servicing Plan, and then click Next(3) On the Servicing Plan page, click Browse(4) Select the WIN10 Ring 2 Pilot Business Users collection, click OK, and then click Next.
    Microsoft added a new protection feature to System Center Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (for example All Systems) that has a site system in it, you may receive a warning message.
  3. Choose a readiness state
    (1) Review the Knowledge box. (2) On the Deployment Ring page, select the Release Ready (Current Branch) readiness state, set the delay to 14 days, and then click Next.
    Doing so deploys CB feature updates to the IT deployment ring immediately after Microsoft release them to CB.
  4. Review upgrade options
    (1) Review the Knowledge box. (2) On the Upgrades page, click Next to leave the criterion blank.
    On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select Title, and then type Enterprise.
  5. Set the deployment schedule and behavior
    On the Deployment Schedule page, click Next to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
  6. Configure user experience
    (1) Review the Knowledge box. (2) On the User Experience page, from the Deadline behavior list, select Software Update Installation and System restart (if necessary)(3) From the Device restart behavior list, select Workstations, and then click Next.
    Doing so allows installation and restarts after the 7day deadline on workstations only.
  7. Create a deployment package
    (2) Review the Knowledge box. (2) On the Deployment Package page, select Create a new deployment package(3) In Name, type CB Upgrades, select \\CM\Source$\Windows 10 CB Feature Upgrades for the package source location, and then click Next.
    In this example, \\CM\Source$\Windows 10 CB Feature Upgrades is a share on the System Center Configuration Manager server that contains all the Windows 10 feature updates.
  8. Add a distribution point
    (1) On the Distribution Points page, click Add -> Distribution Point(2) Select CM.CORP.CONTOSO.COM as the distribution point, and then click OK.
  9. Review settings and complete the wizard
    Click Summary, click Next to complete the Servicing Plan, and then click Close.
You have now created a Servicing Plan for the WIN10 Ring 2 Pilot Business Users deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the Service Plan’s properties on the Evaluation Schedule tab.

Exercise 16 : Using Configuration Manager: Create the CBB Servicing Plan

Similar to the way you created the Servicing Plan for the WIN10 Ring 2 Pilot Business Users deployment ring, which was in the CB servicing branch, you’ll now create one for the WIN10 Ring 3 Broad IT deployment ring in the CBB servicing branch.
  1. Create a new servicing plan
    (1) In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click Servicing Plans(2) On the Ribbon, in the Create group, click Create Servicing Plan.
  2. Select a servicing plan collection
    (2) Review the Knowledge box. (2) Name the plan WIN10 Ring 3 Broad IT Servicing Plan, and then click Next(3) On the Servicing Plan page, click Browse. Select the WIN10 Ring 3 Broad IT collection, click OK, and then click Next.
    Microsoft added a new protection feature to System Center Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (for example All Systems) that has a site system in it, you may receive a warning message.
  3. Choose a readiness state
    (1) Review the Knowledge box. (2) On the Deployment Ring page, select the Business Ready (Current Branch for Business) readiness state, leave the delay at 0 days, and then click Next.
    Doing so deploys CBB feature updates to the IT deployment ring immediately after Microsoft releases them to CBB.
  4. Review upgrade options
    On the Upgrades page, click Next to leave the criterion blank.
  5. Set the deployment schedule and behavior
    (1) Review the Knowledge box. (2) On the Deployment Schedule page, click Next to keep the default values of making the content available immediately and requiring installation by the 7-day deadline. 
  6. Configure user experience
    (1) On the User Experience page, from the Deadline behavior list, select Software Update Installation and System restart (if necessary)(2) From the Device restart behavior list, select Workstations, and then click Next.
    Doing so allows installation and restarts after the 7-day deadline on workstations only.
  7. Create the deployment package
    (1) On the Deployment Package page, select Create a new deployment package(2) In Name, type CBB Upgrades, select \\CM\Source$\Windows 10 CBB Feature Upgrades as the package source location, and then click Next.
  8. Add a distribution point
    (1) On the Distribution Points page, click Add -> Distribution Point(2) Select CM.CORP.CONTOSO.COM as the distribution point, and then click OK(2) Click Next to continue.
  9. Review settings and complete the wizard
    Click Summary, click Next to complete the servicing plan, and then click Close.
You have now created a servicing plan for the WIN10 Ring 3 Broad IT deployment ring!

Exercise 17 : Using Configuration Manager: Create an upgrade package

Servicing plans are ideal for managing feature updates on Windows 10 machines in the CB or CBB servicing branches, but there may be times when you need to deploy a Windows 10 feature update through a task sequence in System Center Configuration Manager. One of those times is when you’re applying LTSB feature updates to Windows 10 LTSB clients. Because those updates aren’t available in servicing plans, you must deploy them as you would a traditional Windows in-place upgrade—by using the installation media. As with any source content in System Center Configuration Manager, you must distribute upgrade packages to the distribution points before client computers can use them. In this exercise, you simply distribute the newly created upgrade package.
  1. Create new OS Upgrade Package
    (1) In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages. (2) On the Ribbon, in the Create group, click Add Operating System Upgrade Package.
  2. Select a data source
    On the Data Source page, type \\CM\Source$\Windows 10, and then click Next.
  3. Complete the wizard
    (1) On the General page, in the Name field, type Windows 10 Enterprise - Version 1607(2) In Version type1607, and then click Next(3) On the Summary page, click Next to create the package. (4) On the Completion page, click Close.
You have now successfully created an upgrade package.

Exercise 18 : Using Configuration Manager: Distribute the upgrade package contents

As with any source content in System Center Configuration Manager, you must distribute upgrade packages to the distribution points before client computers can use them. In this exercise, you simply distribute the newly created upgrade package.
  1. Open the Configuration Manager console
    (1) Sign in to the CM VM as CORP\Mark with a password of Passw0rd(2) Click the Configuration Manager console icon on the taskbar.
  2. Distribute the new task sequence
    (1) In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the Windows 10 Enterprise – Version 1607 software upgrade package. (2) On the Ribbon, in the Deployment group, click Distribute Content.
  3. Complete the Distribution Content Wizard
    (1) In the Distribute Content Wizard, on the General page, click Next(2) On the Content Destination page, click Add, and then click Distribution Point(3) In the Add Distribution Points dialog box, select CM.CORP.CONTOSO.COM and then click OK(4) On the Content Destination page, click Next.
  4. Review settings and close the wizard
    (1) On the Summary page, review the information, and then click Next to distribute the contents to the selected distribution point. (2) On the Completion page, click Close.
You have successfully distributed the upgrade package contents to the CM distribution point.

Exercise 19 : Using Configuration Manager: Create a task sequence

Task sequences are simply a list of steps that execute in order. They are structured and have the ability to logically determine whether steps execute based on certain conditions. With that in mind, task sequences offer something unique over servicing plans: they can perform additional steps before or after a feature update is performed. Also, unlike servicing plans, task sequences are typically driven from installation media rather than updates. When a new feature update becomes available to Windows 10, the published ISO is updated, as well. You use this updated ISO to apply a feature update to clients by using a task sequence. This is the same process as a traditional in-place upgrade. Also, for special-use devices running Windows 10 Enterprise LTSB, this is the only way to apply feature updates to them. In this exercise, you use the previously created upgrade package within a task sequence to deploy a Windows 10 feature update.
  1. Create a new task sequence
    (1) In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences(2) On the Ribbon, in the Create group, click Create Task Sequence.
  2. Select operating system information
    In the Create Task Sequence Wizard, on the Create a new task sequence page, select Upgrade an operating system from upgrade package, and then click Next
  3. Name the task sequence
    On the Task Sequence Information page, in Task sequence name, type Upgrade Windows 10 Enterprise – Version 1607, and then click Next
  4. Select operating system package
    (1) On the Upgrade the Windows operating system page, click Browse, select the Windows 10 Enterprise – Version 1607 en-US deployment package you created in the previous steps, and then click OK(2) Click Next.
  5. Select updates and applications
    (1) On the Include Updates page, select Available for installation – All software updates, and then click Next(2) On the Install Applications page, click Next.
  6. Review details and complete the wizard
    (1) On the Summary page, review the information, and then click Next to create the task sequence. (2) On the Completion page, click Close.
You have successfully created the task sequence!

Exercise 20 : Using Configuration Manager: Deploy the new task sequence

Once you have created the task sequence, you must deploy it to a collection. This step has crippled organizations’ environments in the past because they accidentally forced a required operating system-installing task sequence across an entire organization. So, in System Center Configuration Manager version 1511 and later, a warning box will appear if any task sequence or other high-risk deployment is advertised to a site system. This warning is intended to minimize the negative impact of mistakenly deploying a task sequence to the incorrect devices. In this exercise, you deploy this task sequence specifically to the WIN10 Ring 3 Broad IT deployment ring.
  1. Start the deployment wizard
    (1) In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the Upgrade Windows 10 Enterprise – Version 1607 task sequence. (2) On the Ribbon, in the Deployment group, click Deploy.
  2. Select the collection and availability
    (1) In the Deploy Software Wizard, on the General page, click Browse to choose a collection. (2) In the Configuration Manager dialog box, click OK(3) Select the WIN10 Ring 3 Broad IT collection, click OK, and then click Next(4) On the Deployment Settings page, for purpose, select Required, and then click Next.
  3. Configure the schedule
    (1) On the Scheduling page, select the Schedule when this deployment will become available check box (it sets the current time by default). (2) For Assignment schedule, click New(3) In the Assignment Schedule dialog box, click Schedule(4) In the Custom Schedule dialog box, select 2 weeks from the current date, and then click OK(5) In the Assignment Schedule dialog box, click OK, and then click Next.
    This schedule will give users two weeks to run the task sequence themselves, before it is automatically installed.
    Note This is only an example schedule.
  4. Configure the user experience
    On the User Experience page, in the When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window section, select Software Installation and System restart (if required to complete the installation), and then click Next.
  5. Complete the wizard
    (1) Click Summary, and then click Next to deploy the task sequence. (2) Click Close.
System Center Configuration Manager provides the maximum control over managing Windows 10 updates in your environment. In these exercises, you created and deployed the necessary GPOs to designate certain machines as CBB. Then, you created the appropriate collections to manage Windows 10 updates for your deployment rings. You created servicing plans to automatically deploy Windows10 feature updates to the appropriate collections when their deployment ring was supposed to receive them. Finally, you learned how to use a media-based approach to deploy Windows 10 feature updates to managed clients by using an upgrade package and task sequence.

Exercise 21 : Using Group Policy: Create a Windows Update for Business policy

You can configure Windows Update for Business in two ways: Group Policy and Microsoft Intune. In this exercise, you use Group Policy to configure Windows Update for Business. You manage feature and quality updates using two different policy settings, so in this example, you configure both.
  1. Sign in to DC
    (1) Switch to DC by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to DC as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open GPMC
    Open GPMC by clicking the Server Manager icon on the taskbar, and then clicking Tools > Group Policy Management.
  3. Create a new GPO
    (1) In GPMC, expand Forest\Domains\corp.contoso.com(2) Right-click corp.contoso.com, and then click Create a GPO in this domain, and Link it here(3) In the New GPO dialog box, type Windows Update for Business – WIN10 Ring 4 Broad Business Users as the name of the new GPO. (4) In the New GPO dialog box, click OK.
    In this example, you’re linking the GPO to the top-level domain, and you will use security filtering to scope the GPO’s setting impact. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit appropriate for your Active Directory Domain Services structure.
  4. Navigate to Defer Windows Updates
    (1) Right-click the newly created GPO, and then click Edit(2) In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates.
  5. Edit the GPO’s settings
    (1) Right-click Select when Feature Updates are received, and then click Edit(2) In the Select when Feature Updates are received policy, click Enable(3) In Select a branch readiness level for the feature updates you receive, select Current Branch for Business. (4) In After a feature update is released, defer receiving it for this many days, type 30 , and then click OK.
  6. Edit the second GPO setting
    (1) Right-click Select when Quality Updates are received, and then click Edit(2) In the Select when Quality Updates are received policy, click Enable. (3) In After a quality update is released, defer receiving it for this many days, type 14 , and then click OK.
    Delaying quality updates isn’t required when delaying feature updates. If you would rather not delay quality updates in your environment, only configure the Select when Feature Updates are receivedsetting.
  7. Close the Group Policy Management Editor
    (1) Review the Knowledge box. (2) Close the Group Policy Editor to return to GPMC.
    Now you’re ready to filter this GPO to the correct computer security group.
  8. Apply security filtering
    (1) Review the Knowledge box. (2) In GPMC, click the Windows Update for Business – WIN10 Ring 4 Broad Business Users policy, and then view the Scope tab on the right side of the screen. (2) Under Security Filtering, remove AUTHENTICATED USERS and add the WIN10 Ring 4 Broad Business Users group.
    Because the Windows Update for Business – WIN10 Ring 4 Broad Business Users GPO contains a computer policy and you only want to apply it to computers in the Windows WIN10 Ring 4 Broad Business Users group, use security filtering to scope the policy’s effect.
You can use many servicing tools to manage the Windows 10 devices in your environment. Some of those tools may provide more control, with some additional administrative overhead; others may be simple to use but lack other features or control. Windows Update for Business is intended to be a simple-to-use system for managing the deployment of Windows 10 feature and quality updates in an environment that is not currently using a more advanced solution such as System Center Configuration Manager.

Exercise 22 : Using Intune: Create an Intune subscription

  1. Sign in to WIN10-04
    (1) Switch to WIN10-04 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-04 as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Initiate Intune free trial signup
    (1)  Click Start, type Internet Explorer, and click Internet Explorer in the results.(2) In Internet Explorer, browse to http://www.microsoft.com/en-us/cloud-platform/microsoft-intune(3) On the Simplify management of apps & devices page, in the upper right corner, click Try now.
    If you already have a trial Microsoft Intune tenant, you can use that instead of creating a new one and skip this exercise. Do not use a production or pre-production Microsoft Intune tenant for this lab.
  3. Complete the Welcome, Let’s get to know you page
    (1) On the Welcome, Let’s get to know you page, in Country, select your country. (2) In First name, type Contoso(3) In Last name, type Admin(4) In Business email address, type your_email_address(5) In Business phone number, type your mobile_phone_number(6) In Company name, type Contoso(7) In Your organization size, select 25–49 people(8) Click Next.
    Ensure that you provide an email address and mobile phone number that you have access to while you’re completing this lab. During the lab, you’ll receive emails at your email address, and Intune will send text messages to your mobile phone to provide verification of your authenticity.
  4. Complete the Create your user ID page
    (1) Review the Knowledge box. (2) On the Create your user ID page, in Enter a user name, type admin(3) In Your company, type domain (where domain is a unique domain name). (4) In Create a password and Confirm password, type Passw0rd(5) Click Create my account.
    Typically, you would use your registered, public domain name with Intune. For example, if your public domain name is contoso.com, then you would configure Intune to use contoso.com, as well. Because of the constraints of this lab, however, you’ll use domain.onmicrosoft.com as your domain name.
    Ensure that the domain you enter in Your company is a domain name that you can easily remember for this lab.
  5. Complete the Prove. You’re. Not. A. Robot. page
    (1) Review the Knowledge box. (2) On the Prove. You’re. Not. A. Robot. page, in Phone number, type mobile_phone_number(3) Click Text me(4) In Enter your verification, type verification_code (where verification_code is the verification code that Intune sent you). (4) Click Next.
    Intune creates your subscription and account based on the information you entered. This process can take up to 5 minutes.
  6. Complete the Save this info. page
    (1) Review the Knowledge box. (2) On the Save this info. You’ll need it later. page, record the account name and password. (3) Click You’re ready to go(4) Close Internet Explorer. (4) Stay signed in as CORP\Mark.
    After completing this task, you must close internet explorer before continuing to the next exercise.
In this exercise, you created an Intune trial subscription. As a part of this process, you also provisioned an Office 365 subscription and an Azure AD domain. You’ll use this Intune tenant to enroll your WIN10-04 device for management.

Exercise 23 : Using Intune: Enroll a Windows 10 device in Intune

You can manage Windows Update for Business in two ways. The first, discussed in a previous exercise, is through Group Policy. The second is by using an MDM product such as Intune. Using an interface called the configuration service provider (CSP), these products can manage settings on Windows 10 devices. In the next few exercises, you’ll use this interface to configure Windows Update for Business on a device that Intune manages.
  1. Log in to Intune
    (1) Open Internet Explorer, and navigate to https://manage.microsoft.com(2) Log in to Intune using the credentials previously identified or created.
  2. Verify MDM authority
    (1) Navigate to ADMIN\Mobile Device Management(2) Ensure that Microsoft Intune is set as the MDM authority. If it isn’t, click Set Mobile Device Management Authority.
    Intune must be configured as the MDM authority before you can enroll devices into Intune.
  3. Navigate to Work access
    (1) Minimize Internet Explorer. (2) Click Start, then click Settings > Accounts(3) On the Accounts page, click Access work or school
  4. Enroll WIN10-04 in Intune
    (1) On the Access work or school page, click Enroll only in device management(2) In the Set up a work or school account dialog box, type the email address associated with your Intune tenant (e.g., admin@contosotest.onmicrosoft.com) and click Next(3) When prompted, enter the password for the account, then click Sign in(4) Click Finished.
    If you don’t receive a sign-in page, you may have typed the account address incorrectly.
  5. Force synchronization
    (1) Review the Knowledge box. (2) Under Connect to work or school, select your Contoso MDM account, click Info, and then click Sync to initialize a policy synchronization with your Intune tenant. (3) Verify that the synchronization was initiated and was successful by viewing Last Attempted Sync and Last Attempted Sync Status(4) Sync the device one more time.
    Sometimes you need to sync the machine twice before it will show up in Intune. With that in mind, sync WIN10-04 twice to be sure that it shows up in your Intune tenant right away.
    Devices periodically synchronize with Intune, but you want to force synchronization so that your device shows up right away.
  6. Validate device enrollment
    (1) Restore the Internet Explorer session with your Intune tenant. (2) In Intune, go to Groups\Devices(3) Look for WIN10-04 in the list (it may take a few minutes to appear in Intune).
In this exercise, you verified that Intune was correctly set as the MDM authority. Then, you enrolled WIN10-04 in your Intune tenant and verified that enrollment was successful.

Exercise 24 : Using Intune: Create a deployment group add PC to it

Device groups in Intune provide the same scoping functionality that collections do in System Center Configuration Manager. You create device groups, and then use them as targets for your Intune configuration policies, which specify when each deployment ring should receive its updates. In this exercise, you create a group, and then add WIN10-04 to it because that’s the only device in the WIN10 Ring 4 Broad Business Users deployment ring that you use Intune to manage. This process creates a Direct Membership rule for that particular device.
  1. Log in to Intune
    (1) Open Internet Explorer, and navigate to https://manage.microsoft.com(2) Log in to Intune using the credentials previously identified or created.
  2. Navigate to All Devices
    In Intune, navigate to Groups\Devices.
  3. Go to Microsoft Azure Groups
    Right-click WIN10-04, and then click Create Groups.
  4. Create Group
    (1) Once redirected to Microsoft Azure, click Add(2) In Name, type WIN10 Ring 4 Broad Business Users. (3) In Membership type, select Assigned. (4) Click Members and select WIN10-04 from the list. (5) Click Create.
You have now created the WIN10 Ring 4 Broad Business Users device group containing WIN10-04, which represents the WIN10 Ring 4 Broad Business Users deployment ring. As when using other servicing tools, when using Intune to manage Windows 10 devices, you would typically have a device group for each deployment ring.

Exercise 25 : Using Intune: Create a configuration policy in Intune

You can use configuration policies in Intune to manage many different Windows settings. In this exercise, you use a configuration policy to manage Windows Update for Business settings on PCs in the WIN10 Ring 4 Broad Business Users deployment ring. As when managing these settings in Group Policy, you can independently configure the quality and feature update delays or only one of them. In this example, however, you configure both of them to align with the requirements of the WIN10 Ring 4 Broad Business Users deployment ring.
  1. Log in to Intune
    (1) In Internet Explorer, select the Microsoft Intune tab. (2) If needed, log in to Intune using the credentials previously identified or created.
  2. Create a new configuration policy
    (1) Click the POLICY workspace. (2) In the middle pane, click Configuration Policies, and then click Add in the details pane. (3) In the Create a New Policy Wizard, select Windows\Custom Configuration (Windows 10 Desktop and Mobile and later), and then click Create Policy(4) Name the policy Windows Update for Business – WIN10 Ring 4 Broad Business Users.
  3. Add a branch readiness level
    (1) Within the new policy, in the OMA-URI Settings section, click Add(2) In Setting name, type Enable Clients for CBB, and then select Integer from the Data type list. (3) In the OMA-URI box, type .Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel(5) In the Value box, type 1, and then click OK.
    The OMA-URI settings are case sensitive, so be sure to review Policy CSP for the proper syntax when using these or other OMA-URI settings in your environment.
  4. Add feature update deferment
    (1) Because the WIN10 Ring 4 Broad Business Users deployment ring receives the CB feature updates after 30 days, in the OMA-URI Settings section, click Add to add an additional OMA-URI setting. (2) In Setting name, type Defer feature updates for 30 days, and then select Integer from the Data type list. (3) In the OMA-URI box, type .Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatePeriodInDays(4) In the Value box, type 30, and then click OK.
  5. Add quality update deferment
    (1) Because the WIN10 Ring 4 Broad Business Users deployment ring receives the CB quality updates after 14 days, in the OMA-URI Settings section, click Add to add an additional OMA-URI setting. (2) In Setting name, type Defer quality updates for 14 days, and then select Integer from the Data type list. (3) In the OMA-URI box, type .Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatePeriodInDays(4) In the Value box, type 14, and then click OK.
  6. Save and deploy the policy
    (1) Click Save Policy(2) In the Deploy Policy: Windows Update for Business – WIN10 Ring 4 Broad Business Users dialog box, click Yes(3) In the Manage Deployment: Windows Update for Business – WIN10 Ring 4 Broad Business Users dialog box, select the WIN10 Ring 4 Broad Business Users group, click Add, and then click OK.
    If you don’t receive a dialog box, select the policy, and then click Manage Deployment.
In these exercises, you created an Intune subscription and enrolled WIN10-04 in it. Then, you created a device group representing the WIN10 Ring 4 Broad Business Users deployment ring and added WIN10-04 to it. Finally, you created a configuration policy for managing Windows Update for Business settings and deployed it to the WIN10 Ring 4 Broad Business Users group.

Click Continue to finish and close this lab.

No comments: