With the release of Windows 10 1511, Microsoft also published a new tool called Windows Update for Business. I can’t remember how long the product was teased to the masses, but everybody was expecting it while no one could tell what it was all about! Now the wait is over, so let’s see whether this new toy can help simplify Windows 10 patch management. Read on!!
What is Windows Update for Business (WUB)?
As we all should have guessed from its explicit name, WUB is Windows Update (the web service that delivers Patch Tuesday) with additional options for use in the enterprise!
Whoot!!! Windows Update in the enterprise? Are you serious? Yes, that’s the whole new idea: get rid of your WSUS or your SCCM SUP, stream directly from Microsoft, but keep control over where and when to deploy!
The tools to manage updates are all embedded in Windows 10 1511; control is done via a set of new GPOs and Intune policies. The tools embedded to make Windows Update “business ready” are:
Deployment by rings:
This function replaces the computer groups in WSUS or your collections in SCCM. Management is now done in your GPO and Active Directory consoles, where you need to create a set of OUs representing the different deployment waves you want for your enterprise.
The GPO in action is the one used to defer updates and upgrades; it can be found at Computer Configuration –> Administrative Templates –> Windows Components –> Windows Update –> Defer Upgrades and Updates.
Activating the GPO is enough to enter CBB (a 4-month delay), but you can go further and defer feature upgrades for up to 8 months and servicing updates for up to 4 weeks.
You can also define a group of machines that won’t receive anything for a limited period: by selecting “Pause upgrades and updates”, nothing will be installed for five weeks (35 days). After that time, updates resume automatically.
Peer-to-peer distribution:
Aimed at reducing your internal bandwidth consumption by downloading parts of patch files from your network peers, this feature is enabled by default. With it, you can download not only updates/upgrades but also Windows Store apps.
Peer-to-peer works in two modes: WAN and LAN. Microsoft has not yet explained how the WAN part works, and moreover how secure it is, but if this is a concern, it can be disabled.
The GPO settings are located at Computer Configuration –> Administrative Templates –> Windows Components –> Delivery Optimization.
Download Mode has 3 different settings:
- Peers on same NAT only
- Local Network / Private Peering (PCs in the same domain by default)
- Internet Peering
Group ID allows you to restrict peer-to-peer to machines from the same group.
Other settings allow you to fine-tune the impact on disk space and bandwidth.
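As an added example that is not part of the original post, here is a PowerShell check that reads back what the two GPOs above actually wrote to a Windows 10 1511 client and flags the points discussed in this section: whether the deferral ring is active, whether machines are paused (and will silently resume), and whether Internet Peering is on. The registry paths, value names and Download Mode numbers are assumed from the 1511 ADMX templates.

```powershell
# Added example, not part of the original post: read back the policy values that the
# "Defer Upgrades and Updates" and "Delivery Optimization" GPOs write on a Windows 10 1511
# client and flag settings worth a second look. Registry paths, value names and the
# Download Mode numbering are assumed from the ADMX templates of that build; run it
# after the GPO has applied (gpupdate /force).
$wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$doPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the setting is "Not configured" instead of raising an error
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Download Mode values as listed in the Delivery Optimization ADMX
$downloadModes = @{
    0 = 'HTTP only (no peering)'
    1 = 'Peers on same NAT only'
    2 = 'Local Network / Private Peering'
    3 = 'Internet Peering'
}
$policy = [ordered]@{
    DeferUpgrade       = Get-PolicyValue $wuPath 'DeferUpgrade'        # 1 = ring enters CBB
    DeferUpgradePeriod = Get-PolicyValue $wuPath 'DeferUpgradePeriod'  # extra months, 0-8
    DeferUpdatePeriod  = Get-PolicyValue $wuPath 'DeferUpdatePeriod'   # extra weeks, 0-4
    PauseDeferrals     = Get-PolicyValue $wuPath 'PauseDeferrals'      # 1 = paused (35-day clock)
    DODownloadMode     = Get-PolicyValue $doPath 'DODownloadMode'
    DOGroupId          = Get-PolicyValue $doPath 'DOGroupId'
}
$policy.GetEnumerator() | ForEach-Object {
    $shown = if ($null -eq $_.Value) { '(not configured)' } else { $_.Value }
    '{0,-19} {1}' -f $_.Key, $shown
}

# Findings a patch administrator would want flagged
$findings = @()
if ($policy.DeferUpgrade -ne 1) { $findings += 'Defer GPO not enabled: this machine is not in the CBB ring' }
if ($policy.PauseDeferrals -eq 1) { $findings += 'Updates paused: resume is automatic after 35 days, with no warning' }
$mode = $policy.DODownloadMode
if ($null -eq $mode) {
    $findings += 'Download Mode not configured: the Windows default applies (peer-to-peer is on by default)'
} elseif ($mode -eq 3) {
    $findings += 'Internet Peering enabled: content is exchanged with peers outside your network'
} elseif ($mode -eq 2 -and -not $policy.DOGroupId) {
    $findings += 'Group mode without a Group ID: peering scope falls back to the AD domain'
} else {
    "Download Mode: $($downloadModes[[int]$mode])"
}
$findings | ForEach-Object { "WARNING: $_" }
```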
Deployment during maintenance window:
This feature can be used to set periods when patches must be deployed and when they must not. Actually, there is nothing in the GPO settings to configure this option, nor in the online documentation. We will probably have to wait for the next build to see improvement in that space.
Update: while writing this post, I discovered that the dedicated section has mysteriously disappeared from TechNet… perhaps maintenance windows will never see the light of day…
Integration with SCCM and Intune:
This feature should be used to manage and monitor updates across your infrastructure, but what Microsoft has already delivered is useless at best and more than questionable if you ask me. The online documentation shows an SCCM screenshot that relies on SUP to show the status of updates that are delivered via Windows Update…??!!…
The Intune part does not exist yet, but I hope Microsoft will put all their effort into it, as it’s probably the best alternative to a costly SCCM!
So then again, this is definitely something that should be reevaluated in the future to see whether the expected benefits are there or not!
Conclusion
Yes, this is another big shift from Microsoft, and the cloud approach is just so cool (can you imagine using the word “cool” about something like Windows Update..!!!??). This new way of managing updates, combined with the new cumulative nature of updates/upgrades, will for sure change our patch management habits, but let’s be honest, it still misses too many conveniences to be “enterprise ready”!
This release should be tagged as a preview; the functional level is not yet equal to what you can do with WSUS, and the lack of a management console makes the tool unusable for business:
- Where is the dashboard for monitoring deployment progress, peer-to-peer statistics, machines with problems, or compliance levels??…
- Where is the dedicated console to create/manage deployment groups, or to force or retire a machine easily… (having to fight between the AD and GPO consoles is plain boring and time consuming)
- If some machines are paused, there is nothing to warn you before the pause expires, and nothing to automatically put them back into a deferred state after they resume…
Another point: why doesn’t that beast work with WSUS? Maintenance windows and peer-to-peer would have been a must for this ageing tool…
So, for this time: “Sorry Microsoft, but we are not there yet”. I really hope the product is just not born dead, and that future releases will deliver what is currently lacking. The idea is damn good, but you can’t yet call this a product…
After this conclusion, I want to add a few more words about the fact that updates and upgrades are now cumulative. This means three things:
- No more time wasted evaluating each patch…
- You’ll have to patch whether it breaks your critical business application or not!!
- Cumulative updates can only get bigger and bigger… is your network ready for that?