Introduction:

Companies want to make sure that when they deploy Microsoft updates, the updates go out through the organisation in a randomized fashion. The reason it needs to be randomized is that you don't want the "entire IT department" as ring 1: if the "shit hits the fan", your entire IT department has been taken down, and it then has to focus solely on fixing the "possibly broken update" instead of taking care of the users.
What you want instead is one or two devices in Ring 1, and the rest spread across the other rings.
Besides a randomized ring methodology, you also need a way to override the ring assignment, precisely because it is randomized.

Of course, you can use AutoPatch, which solves this problem, but if you don't have the licenses to support it, you need to build this yourself.

Solution:

The solution is really not that hard, because you can use the same approach you have historically used in Configuration Manager: the GUID. Every resource in Entra ID has a GUID. This GUID looks random, but it is more structured than one might think: it consists of hexadecimal characters, so each position has only 16 possible values, meaning one character at a given position represents approximately 6.25% of the devices.
We can use this to our advantage and build rings on it. For example, we can create 4 rings using these queries:

WUfB – Windows – Ring 1 – Pilot

(device.deviceOSType -eq "Windows") -AND
(device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a") -AND
(device.deviceOwnership -eq "Company") -AND
(
     (device.deviceCategory -eq "Client group 1") -OR
     (device.deviceId -startsWith "0") -OR
     (device.deviceId -startsWith "1") ) -AND
(
         (device.deviceCategory -ne "Client group 2") -AND
         (device.deviceCategory -ne "Client group 3") -AND
         (device.deviceCategory -ne "Client group 4") 
)

Breaking down this query:

deviceOSType – this, of course, is the OS type.
deviceManagementAppId – this ID means the device is co-managed; you can also use the Intune-managed ID, or leave the clause out entirely and cover all devices.
deviceCategory – this is a category you need to create yourself and name as you want.
deviceId – this is where the fun starts: this is the hexadecimal unique identifier.

WUfB – Windows – Ring 2

(device.deviceOSType -eq "Windows") -AND
(device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a") -AND
(device.deviceOwnership -eq "Company") -AND
(
     (device.deviceCategory -eq "Client group 2") -OR
     (device.deviceId -startsWith "2") -OR
     (device.deviceId -startsWith "3") -OR
     (device.deviceId -startsWith "4") ) -AND
(
         (device.deviceCategory -ne "Client group 1") -AND
         (device.deviceCategory -ne "Client group 3") -AND
         (device.deviceCategory -ne "Client group 4")
)

WUfB – Windows – Ring 3

(device.deviceOSType -eq "Windows") -AND
(device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a") -AND
(device.deviceOwnership -eq "Company") -AND
(
     (device.deviceCategory -eq "Client group 3") -OR
     (device.deviceId -startsWith "5") -OR
     (device.deviceId -startsWith "6") -OR
     (device.deviceId -startsWith "7") -OR
     (device.deviceId -startsWith "8") ) -AND
(
         (device.deviceCategory -ne "Client group 1") -AND
         (device.deviceCategory -ne "Client group 2") -AND
         (device.deviceCategory -ne "Client group 4") 
)

WUfB – Windows – Ring 4

(device.deviceOSType -eq "Windows") -AND
(device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a") -AND
(device.deviceOwnership -eq "Company") -AND
(
     (device.deviceCategory -eq "Client group 4") -OR
     (device.deviceId -startsWith "9") -OR
     (device.deviceId -startsWith "A") -OR
     (device.deviceId -startsWith "B") -OR
     (device.deviceId -startsWith "C") -OR
     (device.deviceId -startsWith "D") -OR
     (device.deviceId -startsWith "E") -OR
     (device.deviceId -startsWith "F") ) -AND
(
         (device.deviceCategory -ne "Client group 1") -AND
         (device.deviceCategory -ne "Client group 2") -AND
         (device.deviceCategory -ne "Client group 3")
)
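As an added example (not code from the original post), the following PowerShell models the four rules above and runs them against a constructed device list, so you can check that the hex-prefix split plus the "-ne" exclusions put every eligible device in exactly one ring, including devices whose category overrides their prefix. The app ID and category names are the post's; every device ID below is made up.

```powershell
# Added example: local model of the four ring rules, evaluated against a
# constructed fleet. Rule contents mirror the post; the devices are made up.
$CoMgmtAppId = '54b943f8-d761-4f8d-951e-9cea1846db5a'
$Rings = [ordered]@{
    'Ring 1' = @{ Category = 'Client group 1'; Prefixes = '0', '1' }
    'Ring 2' = @{ Category = 'Client group 2'; Prefixes = '2', '3', '4' }
    'Ring 3' = @{ Category = 'Client group 3'; Prefixes = '5', '6', '7', '8' }
    'Ring 4' = @{ Category = 'Client group 4'; Prefixes = '9', 'A', 'B', 'C', 'D', 'E', 'F' }
}
$AllCategories = @($Rings.Values | ForEach-Object { $_.Category })

function Test-RingMembership {
    param([pscustomobject]$Device, [string]$Ring)
    $rule = $Rings[$Ring]
    # Common head of every rule: Windows, co-managed, corporate-owned
    if ($Device.deviceOSType -ne 'Windows' -or
        $Device.deviceManagementAppId -ne $CoMgmtAppId -or
        $Device.deviceOwnership -ne 'Company') { return $false }
    # Include clause: the ring's own category OR a first hex character in its range
    # (PowerShell -contains is case-insensitive, so lowercase GUIDs still match 'A'..'F')
    $include = ($Device.deviceCategory -eq $rule.Category) -or
               ($rule.Prefixes -contains $Device.deviceId.Substring(0, 1))
    # Exclude clause: a device tagged with another ring's category is pulled out,
    # which is what lets the category override the hex split
    $others = @($AllCategories | Where-Object { $_ -ne $rule.Category })
    return ($include -and ($Device.deviceCategory -notin $others))
}

function New-Device($Id, $Category, $OS = 'Windows') {
    [pscustomobject]@{ deviceId = $Id; deviceCategory = $Category; deviceOSType = $OS
                       deviceManagementAppId = $CoMgmtAppId; deviceOwnership = 'Company' }
}
# Constructed fleet: one untagged device per hex prefix, plus three special cases
$Fleet = @('0123456789abcdef'.ToCharArray() | ForEach-Object { New-Device "${_}1111111-0000-4000-8000-000000000000" $null })
$Fleet += New-Device 'a2222222-0000-4000-8000-000000000000' 'Client group 1'   # pilot by category, not by prefix
$Fleet += New-Device '03333333-0000-4000-8000-000000000000' 'Client group 4'   # pulled out of Ring 1, lands in Ring 4
$Fleet += New-Device '04444444-0000-4000-8000-000000000000' $null 'iOS'        # out of scope for every ring

$Report = foreach ($d in $Fleet) {
    $hits = @($Rings.Keys | Where-Object { Test-RingMembership -Device $d -Ring $_ })
    [pscustomobject]@{ DeviceId = $d.deviceId; Category = $d.deviceCategory
                       Rings = ($hits -join ', '); Hits = $hits.Count }
}
$Report | Format-Table -AutoSize
# Expected: 3 / 3 / 4 / 8 devices in Ring 1..4, the iOS device in none, and no device with Hits above 1
$Report | Group-Object Rings | Select-Object Name, Count
```

Any row with Hits greater than 1 means two rules overlap; with the exclusion clauses as written none should.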

And that, my dear friends, is how you create the groups used to assign your Windows Update for Business policies. They can also be used to deploy your feature updates.
