Wait too long before applying security updates and you risk exposing your network to attacks through unpatched vulnerabilities. Move too fast and you increase the chances that you'll have to deal with a faulty update at some point, suffering downtime and probably losing business as you scramble to recover.

And as every IT pro knows, the "just right" path is somewhere in the middle.

With the recent November 2015 update for Windows 10, version 1511, Microsoft introduced a new capability called Windows Update for Business. This feature, available in Windows 10 Pro, Enterprise, and Education only, gives IT pros the option to use the public Windows Update mechanism while customizing the schedule to meet their organization's needs.

But before you begin using Windows Update for Business, it's essential that you understand Microsoft's new servicing model for Windows 10. And that starts with the slightly intimidating diagram shown in Figure A. (Not shown on this diagram is the Long Term Servicing Branch, which is intended for mission-critical devices where any downtime is unacceptable.)

Figure A

In this update cycle, each new Windows 10 build proceeds through different "branches" on its way to the general public. Testers inside Microsoft (including one group known as Elite Dogfooders) and members of the opt-in Windows Insider program use preview builds to help Microsoft identify bugs and fine-tune features.

After a reasonable amount of polishing and bug-busting, a stable version is released to the general public. That's the Current Branch.

If you just accept the default settings in Windows 10, you're assigned to the Current Branch. Updates work much the same as automatic updates have worked in all modern versions of Windows. One difference is that each new update is cumulative. If you turn on a Windows 10 PC that hasn't been used in months, you should have only a single cumulative update to install, as shown in Figure B. (You might have to install a major version upgrade, such as the November update, first, but after that you'll see only a single cumulative update.)

Figure B

If you're risk-averse and you'd rather watch and wait as the general population tests new code, there's the Current Branch for Business, which allows you to defer upgrades by an average of four months. The November Update, version 1511, is not a Current Branch for Business build, so if you've chosen the Defer Upgrades option, you won't see that update until sometime next year--after it's gone through more bug-fixing and is declared a Current Branch for Business build.

A separate feature, Windows Update for Business, lets you delay those cumulative updates by one to four weeks. If an update turns out to be troublesome, there's a strong likelihood it will be fixed by the time your users get around to it.

(I won't go into details of how to use Windows Update for Business here. See my ZDNet article instead: How to take control of Windows 10 updates and upgrades (even if you don't own a business).)

Divide and conquer

The best way to use Windows Update in an organization is to divide your users into groups, with a small group on the Current Branch who receive updates via Windows Update as they're released. Those users are your canaries, able to spot potential problems before they reach the majority of your users.

In fact, you can use Group Policy to roll each month's updates out in waves. Figure C, from a Microsoft whitepaper, shows how to divide an organization into three groups, with Group 2 a week behind Group 1 and the third group two weeks behind.

Figure C

If you see any problems with updates in that first group, you can hit pause while you investigate.
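
The three-wave rollout described above can be expressed as a per-machine policy setting. This PowerShell sketch is an added example, not code from this article or from the Microsoft whitepaper. The function names and the ring table are hypothetical, and the registry value names are assumed to be the ones the version 1511 "Defer Upgrades and Updates" policy writes, so check them against your ADMX templates before relying on them.

```powershell
# Added example. Writing under HKLM requires an elevated session.
# Assumption: these are the values the 1511 "Defer Upgrades and Updates" policy writes.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Ring number -> weeks behind Group 1, following Figure C (hypothetical table).
$RingDelayWeeks = @{ 1 = 0; 2 = 1; 3 = 2 }

function Set-UpdateRing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 3)][int]$Ring,
        [switch]$Pause   # hold updates while a problem seen in an earlier ring is investigated
    )
    $weeks  = $RingDelayWeeks[$Ring]
    $values = [ordered]@{
        DeferUpgrade      = [int]($weeks -gt 0)        # ring 1 stays on the Current Branch
        DeferUpdatePeriod = $weeks                     # weeks of delay for cumulative updates
        PauseDeferrals    = [int]($Pause.IsPresent)    # only meaningful when deferral is on
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Assign update ring $Ring")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-UpdateRing {
    # Report what is actually configured, so drift from the intended ring is visible.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        DeferUpgrade     = [int]$p.DeferUpgrade
        DeferUpdateWeeks = [int]$p.DeferUpdatePeriod
        Paused           = [bool]$p.PauseDeferrals
    }
}

# Preview the change for a Group 2 machine without writing anything, then audit.
Set-UpdateRing -Ring 2 -WhatIf
Get-UpdateRing
```

Running `Get-UpdateRing` across the fleet gives a quick check that the canary group is still undeferred and that no machine has been left paused after an investigation ends.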

For mission-critical systems where absolute predictability is essential, there's a Long Term Servicing Branch (available only for customers running Windows 10 Enterprise). If you're tempted to think of it as a way to dodge the whole upgrade/update issue, don't. This option is strictly for organizations that are willing to stick with a single release and forgo future feature updates for its entire supported life.