Windows Update for Business – Use it, lose it or watch it?

I’ve been working recently with Windows Update for Business (WUfB) and I wanted to share some hands-on experience that has been sitting in my drafts for some months now, pending progress in a few specific areas. As a consultant I travel around the UK working with customers from all sectors and industries, so I like to think I get a good representation of a product and of customers’ experience with it. Also, as an MVP I regularly chat with peers in the industry from other regions who do the same as me in their respective countries. Sometimes we see the same trends, sometimes different ones. Why am I telling you this? Because WUfB is one of those products that has been around for a little while now and I’ve not seen a huge amount of traction in this area; I know peers have had a similar experience. After working more closely with the technology recently, however, I think we could start to see usage of WUfB increase in the near future, and hopefully this blog post will help to explain why.

What is WUfB?

The basic premise of WUfB is quite simple: get your updates from the internet (Microsoft) rather than putting a whole bunch of infrastructure between the client and the update. By this I mean WSUS servers, Configuration Manager servers and whatever else you might have. If your clients miss a patch because your update package didn’t distribute, you’d be kicking yourself. I know several folk who run large-scale operations who need to think carefully about which patches they distribute to Configuration Manager distribution points, as when you multiply the storage requirement by hundreds or even thousands of distribution points this can really add up. If a client didn’t come into the office and didn’t connect over VPN, it also didn’t patch, because in the real world not everyone manages their clients outside the corporate network (they absolutely should, but that’s a different conversation). So, just like we’ve all been doing for years at home, we pull the patches down from the internet. I’ve left some huge questions hanging here which I’m sure you’re already asking; hopefully the rest of the article will answer some of them.

You said WUfB isn’t popular, why not?

To note, I also said I think it could be. To answer the question, though: one reason I see is that people have used WSUS since the dawn of time, people have their tailor-made Configuration Manager environments, and very often people don’t take a step back to consider what else is around. Another reason is that the initial implementation was fairly simple and the feature set has grown over time. People are not going to jump from their complex, feature-rich environments into something fairly basic (again, another conversation), so they may have ruled it out a year or two ago. Microsoft tell us they are cloud-first and mobile-first as a reflection of the way we work. For me that depends on the organisation, but I do agree we are getting there; mobile working is becoming more and more common (in the UK at least) where it wasn’t previously, although we still have some way to go. With that in mind, why would admins pull content from the internet if the device never left the corporate network? Reporting is another grey area I’ve seen: how do you even report on this, and why does it not integrate with what I already have? The biggest factor in patching clients is knowing they’ve actually been patched. Have you tried telling the boss you ‘think’ they’ve been patched but you can’t actually prove it 100%? Reporting in WUfB is done predominantly outside of WSUS or SCCM; that doesn’t mean there aren’t solutions, but you might see my point here.

You also said WUfB could become popular, why?

As I’ve used this technology more, I can see the progression from simply applying updates to something more managed and enterprise grade. One of the key advantages is actually its simplicity. I don’t need to distribute, I don’t need to maintain a server, I don’t need to keep an eye on the server storage, I don’t need to maintain WSUS, I don’t need to have a SQL database. Enough?

In my experience, no one enjoys patching their devices. It’s just a necessity of enterprise client device management; if you’re looking forward to Patch Tuesday or get excited about an out-of-band update then you’re very much in the minority. So, if we can control what goes down to clients, when it goes down, when it restarts the devices, and work with the logged-on user about their preferred restart time, then what’s not to love? Thousands of clients all squeezing the bandwidth – that’s what’s not to love. But you may be glad to hear Microsoft have thought about delivery optimisation, and if you’re not up to speed on Microsoft’s work in this area, go have a read as you may be pleasantly surprised. I’ve done testing with customers in real scenarios, not just test labs, and we have seen 100% peer-to-peer traffic.
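If you want to see for yourself how much of a device’s update traffic actually came from peers rather than straight from the internet, the script below does that. It is an added example, not code from the original post: it reads the Delivery Optimization download-mode policy from the local policy registry hive and sums the per-file byte counters reported by the built-in Get-DeliveryOptimizationStatus cmdlet (Windows 10 1709 and later, run from an elevated PowerShell). The DODownloadMode value names are taken from the Delivery Optimization policy CSP; the function and variable names are my own.

```powershell
# Added example (not code from the original post): how much of the recent
# Windows Update / Store download traffic on this device came from peers
# rather than straight from the internet. Uses the built-in
# Get-DeliveryOptimizationStatus cmdlet (Windows 10 1709+, elevated shell).

$DoPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# DODownloadMode policy values (Delivery Optimization policy CSP).
$DownloadModes = @{
    0 = 'HTTP only (no peering)'; 1 = 'LAN peers'; 2 = 'Group peers'
    3 = 'Internet peers';         99 = 'Simple (no DO cloud service)'; 100 = 'Bypass DO (BITS)'
}

function Get-DOPolicyMode {
    # Reports "not configured" when no policy is set, i.e. the device default applies.
    $p = Get-ItemProperty -Path $DoPolicy -Name DODownloadMode -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not configured (device default)' }
    $m = [int]$p.DODownloadMode
    if ($DownloadModes.ContainsKey($m)) { "$m - $($DownloadModes[$m])" } else { "unknown value $m" }
}

function Get-DOPeerSummary {
    [CmdletBinding()]
    param()

    # One object per file DO has downloaded or is downloading; the
    # BytesFrom* counters are the cmdlet's own properties.
    $jobs      = @(Get-DeliveryOptimizationStatus -ErrorAction Stop)
    $fromPeers = [double]($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
    $fromHttp  = [double]($jobs | Measure-Object -Property BytesFromHttp  -Sum).Sum
    $total     = $fromPeers + $fromHttp

    [pscustomobject]@{
        PolicyDownloadMode = Get-DOPolicyMode
        Files              = $jobs.Count
        MBFromPeers        = [math]::Round($fromPeers / 1MB, 1)
        MBFromHttp         = [math]::Round($fromHttp / 1MB, 1)
        PeerPercent        = if ($total -gt 0) { [math]::Round(100 * $fromPeers / $total, 1) } else { 0 }
    }
}

Get-DOPeerSummary | Format-List
```

Run it on a handful of devices in the same subnet a day or two after a cumulative update lands: a low PeerPercent with a policy of LAN or Group peers usually means peers cannot reach each other (firewall, segmented VLANs, or too few devices in the group) rather than a problem with the policy itself.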

Back to reporting: Microsoft have moved a lot of focus in their products towards Azure Log Analytics and the Graph API, and WUfB is no different, with capability in both areas. Whilst this is a change from the regular reporting areas of the desktop admin and may mean another portal or product, the data is there and may just need a little extra magic to get what you want from it.

Enough waffle. Let’s take a first look at some high-level points as a taster in this article, and I’ll drill down in further posts. Here’s some insight into the capability.


  1. Choose your feature update channel, from Windows Insider through to Semi-Annual Channel. I’m expecting these names to change at some point as Microsoft start to drop the “targeted” labelling in places. To be clear, by opting in to WUfB you are also opting in to using it for feature updates from version to version. This will scare many people, but be aware that Microsoft are getting better with these updates version by version in terms of size of update, speed of install, amount of offline time, etc.
  2. You can choose to take your ‘standard’ Microsoft updates and also choose to take the drivers too, or maybe not; it’s up to you. Remember, the point here is to eventually run with updates as BAU, whether they be patches or feature packs.
  3. You can choose when they will install. There are various options in here which I’ll cover separately, but be aware it’s not a simple point-and-shoot exercise as some people believe.
  4. We also have options around user engagement, in that users can interact with the device and snooze the restart. Again, more on this separately.
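The four capabilities above all end up as policy values on the device, so the quickest way to check what a client has really been told is to read them back. The script below is an added example, not code from the original post: it reads the Windows Update for Business policy values from the local policy registry hive (the same values the Update policy CSP and the WUfB Group Policy settings write), maps the BranchReadinessLevel number to its channel name, and warns if the device is opted in to a pre-release channel. It is read-only and needs an elevated PowerShell; the function names are my own, and the EngagedRestart* value names are assumed from the Update CSP policy names, so verify them on your build.

```powershell
# Added example, not from the original post: read the Windows Update for
# Business policy values from the local policy registry hive and present
# the effective configuration (channel, deferrals, drivers, active hours,
# restart engagement). Read-only; run in an elevated PowerShell.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# BranchReadinessLevel values as documented for the Update policy CSP.
$ChannelNames = @{
    2  = 'Windows Insider - Fast'
    4  = 'Windows Insider - Slow'
    8  = 'Release Preview'
    16 = 'Semi-Annual Channel (Targeted)'
    32 = 'Semi-Annual Channel'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy is simply not set, so the report can say "not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WufbPolicyReport {
    [CmdletBinding()]
    param([string]$Path = $WuPolicy)

    $level   = Get-PolicyValue $Path 'BranchReadinessLevel'
    $channel = if ($null -eq $level) { 'not configured (device default)' }
               elseif ($ChannelNames.ContainsKey([int]$level)) { $ChannelNames[[int]$level] }
               else { "unknown value $level" }

    # Pre-release channels put unreleased code on the device; flag it for review.
    if ($level -in 2, 4, 8) { Write-Warning "Device is opted in to a pre-release channel: $channel" }

    [pscustomobject]@{
        # 1. Feature update channel
        Channel                    = $channel
        # 2. Deferrals and driver handling
        DeferFeatureUpdatesDays    = Get-PolicyValue $Path 'DeferFeatureUpdatesPeriodInDays'
        DeferQualityUpdatesDays    = Get-PolicyValue $Path 'DeferQualityUpdatesPeriodInDays'
        ExcludeDriversFromQuality  = [bool](Get-PolicyValue $Path 'ExcludeWUDriversInQualityUpdate')
        # 3. When installs and restarts are allowed (pause state, active hours)
        FeatureUpdatesPausedSince  = Get-PolicyValue $Path 'PauseFeatureUpdatesStartTime'
        QualityUpdatesPausedSince  = Get-PolicyValue $Path 'PauseQualityUpdatesStartTime'
        ActiveHoursStart           = Get-PolicyValue $Path 'ActiveHoursStart'
        ActiveHoursEnd             = Get-PolicyValue $Path 'ActiveHoursEnd'
        # 4. User engagement: engaged restart deadline and snooze window
        #    (value names assumed from the Update CSP policy names; verify on your build)
        EngagedRestartDeadlineDays = Get-PolicyValue $Path 'EngagedRestartDeadline'
        EngagedRestartSnoozeDays   = Get-PolicyValue $Path 'EngagedRestartSnoozeSchedule'
    }
}

Get-WufbPolicyReport | Format-List
```

A field showing as empty means the policy is not configured on that device and the built-in default applies; comparing this output from a few pilot machines against what you intended to deploy is a cheap way to catch a ring that never received its policy before the next feature update starts rolling.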

For this post I will leave it there as a taster to bring people up to date on where WUfB is and how it may have progressed since you last looked at it. I’m following this closely and will elaborate on individual features I’ve mentioned in separate blog posts.

/Peter
