WSUS vs. Windows Update for Business: Which Is Better for Enterprises?

essidsolutions

Which patch management tool should organizations rely on to patch Windows endpoints in a hybrid working setup? Enterprises looking to continuously update Windows endpoints often end up in a muddle when looking for a solution. In this article, we will compare Windows Server Update Services with Windows Update for Business and explore the best choice to safeguard your environment.

We have all heard repeatedly about the importance of keeping your Windows systems up to date. Keeping your machines patched with the latest security updates is one of the most effective security measures you can take to protect your systems from cyber threats. It also ensures that your users get the latest features and the fixes that improve system reliability. All of this leads to the question: what is the best way to ensure that your fleet of PCs gets the updates it needs?

Quality and Feature Updates

Let’s first talk about the Windows updates themselves. There are two broad categories. The vast majority are quality updates. These are the updates released on what has become known as Patch Tuesday. Quality updates address things such as known security vulnerabilities and persistent problems that cause reliability issues. They may also include or preview enhancements of existing features. Then there are feature updates. These are released twice a year and are known as semi-annual releases. A feature update essentially upgrades your computer to a new version of Windows, providing new value-added features and possibly cosmetic changes. Quality and feature updates may or may not require a reboot to complete their installation, and users can manually defer updates for an extended period.

Personal PC users are accustomed to having their Windows computers contact Microsoft’s update servers directly. When updates are announced, users can either:

  • Download and install them immediately
  • Schedule a time to do so
  • Defer them for an extended period

This reliance on users, however, isn’t suitable for enterprise environments as users can’t be relied upon to perform updates diligently. Thus, we need a way for admins to manage the update process for all enterprise machines centrally. 


WSUS vs. WUfB – Which Solution Should Enterprises Go For?

Windows Server Update Services

Windows Server Update Services (WSUS) was first released in 2005 and, until recently, has been the primary means of managing the Windows update process for desktop computers. Admins configure a WSUS server on-prem to serve as a repository for Windows updates. Windows machines then contact the WSUS server for updates rather than downloading them from Microsoft directly, which would consume precious internet bandwidth. Network architects can also create a hub-and-spoke network of WSUS servers scattered across multiple sites, if need be, to preserve WAN bandwidth. Admins decide which updates they want to approve.

With WSUS in place, admins then use their preferred management tool to create policies that govern the Windows update process. Available options include:

  • The WSUS Stand-alone console
  • Group Policy
  • Microsoft Endpoint Configuration Manager (MEMCM)
  • A third-party management tool

Configured policies assign a WSUS server and outline when updates will be installed. Policies are then assigned to the applicable device groups. Devices contact their assigned WSUS server at the allocated time and compare their installed updates against the server’s catalog. The server then offers each device whatever approved updates it is currently missing.

The screenshot below shows the available configuration settings for WSUS using Group Policy. In this example, a WSUS server has been assigned, and the source has been specified for each Windows update classification. 

Despite its prominence for many years, WSUS’s shortcomings are becoming apparent. Microsoft has not released any enhancements to WSUS in a while and plans to deprecate it eventually. The reason is that the typical enterprise has changed: mobile and remote work strategies have taken hold. Unfortunately, WSUS wasn’t designed to service hybrid work models and large mobile laptop fleets. The inability of WSUS to adjust to the times has opened the door for another means of managing Windows updates.

Windows Update for Business

Windows Update for Business is the next evolutionary step in managing the Windows update process. Unlike WSUS, Windows 10 and Windows 11 clients connect to Microsoft directly, so no intermediary server is involved. All you need is a management tool to create your update policies. You can also elect to create multiple rings for tighter control over the deployment of quality and feature updates. These rings determine how and when updates are deployed. This is especially pertinent for feature updates. For instance, you can create a fast ring for your IT personnel so they can do proper testing to ensure the updates don’t create issues within your environment. You can then create a second ring for power users who are more adept at adopting new technology and can quickly integrate new features to increase productivity and innovation. A final ring can then be created for your remaining standard users.


These rings are made possible by configuring different deferment periods for installing quality and feature updates. While some security updates cannot be deferred, quality updates can be deferred for up to 30 days, and feature updates can be delayed for a full year; beyond those limits, Microsoft enforces the update automatically. An example of the ring and deferment configuration process using Microsoft Endpoint Manager is shown below.

You can fine-tune the update process further with User Experience settings, allowing your users to defer updates on their own when necessary. For instance, you can configure a grace period to ensure that a policy-induced reboot doesn’t occur at a critical time. An example could be a sales executive attending an important sales conference out of town, or someone who logs onto their computer after returning home from an extended vacation.
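As an added example (not code from the article, and not Microsoft’s own tooling), the following PowerShell applies either the WSUS assignment described in the Group Policy section or one of the three deferral rings described above to a single lab device, then reads the resulting policy back. The registry value names are the documented policy-backed values under the WindowsUpdate policy key; the ring day counts, the grace-period default and the function names are constructed for this example.

```powershell
# Added example: write the policy-backed WindowsUpdate registry values a GPO or
# Intune policy would set, so a ring can be tried on one lab device first.
# Run elevated on Windows 10/11. Ring day counts below are constructed.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU     = "$Policy\AU"

function Set-PolicyValue([string]$Key, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# WSUS: point the client at the on-prem server (GPO "Specify intranet Microsoft
# update service location"). Require HTTPS so the client talks to WSUS over TLS.
function Set-WsusSource([string]$ServerUrl) {
    if ($ServerUrl -notmatch '^https://') { throw 'WSUS URL must use https://' }
    Set-PolicyValue $Policy 'WUServer'       $ServerUrl 'String'
    Set-PolicyValue $Policy 'WUStatusServer' $ServerUrl 'String'
    Set-PolicyValue $AU     'UseWUServer'    1          'DWord'
}

# WUfB rings from the article; deferral limits are 30 days (quality) and 365 (feature).
$Rings = @{
    Fast     = @{ Quality = 0;  Feature = 0   }   # IT staff test first
    Power    = @{ Quality = 7;  Feature = 30  }   # power users
    Standard = @{ Quality = 30; Feature = 120 }   # everyone else
}
function Set-WufbRing([string]$Ring, [int]$GraceDays = 2) {
    $r = $Rings[$Ring]; if (-not $r) { throw "Unknown ring '$Ring'" }
    if ($r.Quality -gt 30 -or $r.Feature -gt 365) { throw 'Ring exceeds WUfB deferral limits' }
    Set-PolicyValue $AU     'UseWUServer'                     0          'DWord'  # stop using WSUS
    Set-PolicyValue $Policy 'DeferQualityUpdates'             1          'DWord'
    Set-PolicyValue $Policy 'DeferQualityUpdatesPeriodInDays' $r.Quality 'DWord'
    Set-PolicyValue $Policy 'DeferFeatureUpdates'             1          'DWord'
    Set-PolicyValue $Policy 'DeferFeatureUpdatesPeriodInDays' $r.Feature 'DWord'
    # Grace period (days) before a deadline-driven restart, covering the
    # "back from vacation" case; part of "Specify deadlines for automatic updates and restarts".
    Set-PolicyValue $Policy 'ConfigureDeadlineGracePeriod'    $GraceDays 'DWord'
}

# Read back what the device will actually do (handy for an audit or a support ticket).
function Get-UpdatePolicyState {
    $p = Get-ItemProperty $Policy -ErrorAction SilentlyContinue
    $a = Get-ItemProperty $AU     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Mode         = if ($a.UseWUServer -eq 1) { "WSUS ($($p.WUServer))" } else { 'Windows Update for Business' }
        QualityDefer = $p.DeferQualityUpdatesPeriodInDays
        FeatureDefer = $p.DeferFeatureUpdatesPeriodInDays
        GraceDays    = $p.ConfigureDeadlineGracePeriod
    }
}
Set-WufbRing -Ring 'Power'; Get-UpdatePolicyState
```

Changing a ring this way only affects the one device it runs on; fleet-wide rollout still belongs in Group Policy or Intune as the article describes.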

Conclusion

The importance of having some type of system in place to manage and enforce Windows updates for your enterprise cannot be emphasized enough. For organizations that still utilize a traditional on-prem network, WSUS is still a viable option to ensure the job gets done. For companies with MDM-managed devices, or with computers dispersed across a wide geographical area, Windows Update for Business may be the better option.

Does your organization still rely on WSUS to keep the PC fleet updated at all times? Let us know on LinkedIn, Facebook, and Twitter. We would love to hear from you!
