As more employees work from home, Windows Update for Business provides a simpler way to update Windows endpoints with the latest patches. In this article, I look at the differences between Windows Server Update Services and Windows Update for Business, and why I believe the latter is the best solution in most cases.
Windows Server Update Services (WSUS) is a component of Windows Server. WSUS is installed as a server role; you can deploy a single instance, or configure it in a distributed topology to serve endpoints on different networks or in different physical locations.
WSUS servers can be set up in different hierarchies, where WSUS receives updates from upstream servers or directly from the Internet. WSUS is a flexible solution that allows organizations to serve thousands of endpoints, many more than a single instance could handle. WSUS also integrates with Microsoft Endpoint Manager, previously System Center Configuration Manager (SCCM), which relies on it to update endpoints.
But with all the flexibility that WSUS provides, including being able to approve individual updates, there are many caveats. The first is complexity. Even if you deploy a single instance of WSUS, there are a few best practices you should follow to make sure WSUS is secure.
Communications between endpoints and WSUS, and between WSUS downstream and upstream servers, are not secured using HTTPS by default. Each WSUS server should be configured to enforce Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption, and use HTTPS.
Configuring WSUS to use HTTPS helps protect endpoints from remote compromise and the potential for a hacker to elevate privileges. But the prerequisites for configuring WSUS to use HTTPS are many. First, you need to obtain a certificate. That could mean setting up your own public key infrastructure (PKI), which is not trivial.
Once a certificate has been installed, it needs to be bound in Internet Information Services (IIS) to 5 different applications. WSUS can then be configured to use HTTPS using the wsusutil configuressl command. And finally, endpoints should be configured to require HTTPS, which means updating Group Policy configuration so endpoints connect using HTTPS on the right port.
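The HTTPS steps above, as an added PowerShell example that is not the article's or Microsoft's code. It assumes the WSUS defaults (site name "WSUS Administration", HTTPS port 8531), a certificate for the server's FQDN already installed in the machine store, the five application names from Microsoft's WSUS SSL guidance, and an elevated session; the FQDN shown is a placeholder.

```powershell
# Added example; assumes WSUS defaults (site 'WSUS Administration', port 8531) and an
# installed certificate for the server FQDN. Run elevated.
Import-Module WebAdministration

# Run on the WSUS server: bind the certificate, require SSL on the five WSUS web
# applications, then switch WSUS itself to SSL with wsusutil configuressl.
function Enable-WsusSsl {
    param([Parameter(Mandatory)][string]$Fqdn, [string]$Site = 'WSUS Administration')
    # The five applications Microsoft's WSUS SSL guidance requires SSL for.
    $sslApps = 'ApiRemoting30','ClientWebService','DSSAuthWebService',
               'ServerSyncWebService','SimpleAuthWebService'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $Fqdn in LocalMachine\My" }

    # WSUS setup creates the 8531 binding without a certificate; attach ours to it.
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port 8531)) {
        New-WebBinding -Name $Site -Protocol https -Port 8531
    }
    if (Test-Path IIS:\SslBindings\0.0.0.0!8531) { Remove-Item IIS:\SslBindings\0.0.0.0!8531 }
    New-Item IIS:\SslBindings\0.0.0.0!8531 -Value $cert | Out-Null

    # Require SSL only on these applications; update content download stays on HTTP by design.
    foreach ($app in $sslApps) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$app" `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $Fqdn

    # Verify: warn about any application that still accepts plain HTTP.
    foreach ($app in $sslApps) {
        $flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$app" `
                  -Filter 'system.webServer/security/access' -Name sslFlags).Value
        if ($flags -notmatch 'Ssl') { Write-Warning "$app still allows HTTP (sslFlags=$flags)" }
    }
}

# Run on an endpoint: the registry values Group Policy sets so the client only
# talks to WSUS over HTTPS (WUServer / WUStatusServer on the HTTPS port).
function Set-WsusClientHttps {
    param([Parameter(Mandatory)][string]$Fqdn)
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    New-Item -Path "$wuKey\AU" -Force | Out-Null
    Set-ItemProperty -Path $wuKey -Name WUServer       -Value "https://${Fqdn}:8531"
    Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value "https://${Fqdn}:8531"
    Set-ItemProperty -Path "$wuKey\AU" -Name UseWUServer -Value 1 -Type DWord
}

# Enable-WsusSsl -Fqdn 'wsus.example.com'        # placeholder FQDN; run on the server
# Set-WsusClientHttps -Fqdn 'wsus.example.com'   # run on a test client
```

In production the endpoint values come from the Group Policy object rather than a script; the function only shows which policy values must change.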
As you can see, there is a significant local infrastructure requirement even when you have only a single WSUS instance. And what I believe should be the nail in the WSUS coffin for most organizations is that the software is simply outdated. It’s barely been updated in the past 8 years, and it still uses SQL 2012 and Report Viewer 2012. WSUS relies on Internet Explorer, and the IIS settings are known to cause problems.
Microsoft doesn’t seem to care much about bringing WSUS into the modern world. And that’s because of Windows Update for Business (WUfB). While WUfB doesn’t allow organizations to approve individual updates like WSUS, if set up properly using deployment rings, it can provide enough control without all the headaches associated with WSUS.
As I’ve written on Petri before, WUfB is controlled using a series of Group Policy or Mobile Device Management (MDM) settings in Windows 10. WUfB is Microsoft’s preferred update mechanism and it allows organizations to control how quality and feature updates are applied to devices. It uses a peer-to-peer technology, called Delivery Optimization, to distribute updates.
Because no local infrastructure is required to use WUfB, organizations can reduce costs and improve security because everything is configured to be secure out of the box. While WSUS can also use Delivery Optimization, WUfB relies on it as a mechanism to distribute updates without saturating network bandwidth.
Delivery Optimization uses a network of peers to distribute updates to endpoints. So, instead of each endpoint contacting Microsoft’s Internet update servers for approved updates, once a single peer has downloaded an update, other peers can pull the bits from endpoints on the same network or Internet. Delivery Optimization can be configured to restrict devices to pull update bits from peers on the local network only.
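To show what "set up properly using deployment rings" and "peers on the local network only" look like on a device, here is an added PowerShell example that is not the article's code. It writes the registry values behind the WUfB Group Policy deferral settings and the Delivery Optimization download-mode policy; the ring names and deferral days are constructed sample values, and the functions assume an elevated session.

```powershell
# Added example: WUfB deployment rings as deferral policy values, plus Delivery
# Optimization limited to LAN peers. Ring names and day counts are constructed samples.
$Rings = @{
    Pilot = @{ Quality = 0;  Feature = 0  }   # IT and volunteers: no deferral
    Broad = @{ Quality = 7;  Feature = 30 }   # most users: a week behind Pilot
    Late  = @{ Quality = 14; Feature = 60 }   # sensitive systems: longest soak time
}
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$DoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-WufbRing {
    param([Parameter(Mandatory)][ValidateSet('Pilot','Broad','Late')][string]$Ring)
    $r = $Rings[$Ring]
    New-Item -Path $WuKey -Force | Out-Null
    # Values behind "Select when Quality Updates / Feature Updates are received".
    Set-ItemProperty $WuKey -Name DeferQualityUpdates              -Value 1          -Type DWord
    Set-ItemProperty $WuKey -Name DeferQualityUpdatesPeriodInDays  -Value $r.Quality -Type DWord
    Set-ItemProperty $WuKey -Name DeferFeatureUpdates              -Value 1          -Type DWord
    Set-ItemProperty $WuKey -Name DeferFeatureUpdatesPeriodInDays  -Value $r.Feature -Type DWord
}

function Set-DeliveryOptimizationLanOnly {
    New-Item -Path $DoKey -Force | Out-Null
    # DODownloadMode 1 = LAN: peer only with devices behind the same NAT, never over the Internet.
    Set-ItemProperty $DoKey -Name DODownloadMode -Value 1 -Type DWord
}

# Read back what the device will actually do, for a compliance check or a ticket.
function Get-WufbRingState {
    $wu = Get-ItemProperty $WuKey -ErrorAction SilentlyContinue
    $do = Get-ItemProperty $DoKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        QualityDeferDays = $wu.DeferQualityUpdatesPeriodInDays
        FeatureDeferDays = $wu.DeferFeatureUpdatesPeriodInDays
        PointsAtWsus     = [bool]$wu.WUServer    # a leftover WUServer policy overrides WUfB intent
        DODownloadMode   = $do.DODownloadMode
    }
}

# Set-WufbRing -Ring Broad; Set-DeliveryOptimizationLanOnly; Get-WufbRingState
```

In a managed estate these values are delivered by Group Policy or an Intune update ring rather than set locally; the read-back function is the part worth keeping for spot checks.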
If you deploy WUfB using Microsoft Intune, the Microsoft Endpoint Manager admin center now includes reporting so you can check endpoint compliance. As it stands, reporting in Intune is quite basic, but Microsoft is working to quickly expand its reporting capabilities. Outside of Intune, Update Compliance, which you can find in the Azure marketplace, is the best way to handle WUfB reporting.
Windows Update for Business is designed to be easy to deploy, secure, and to serve endpoints regardless of where they are located. Because Windows doesn’t need to contact a WSUS instance behind a corporate firewall, WUfB lends itself to situations where devices spend more time outside the office.
Setting up Microsoft Endpoint Manager to service Internet endpoints is more complicated because it either requires placing servers in the DMZ or using Microsoft Cloud Management Gateway. If you want to use WUfB with other management solutions, that’s not a problem. WUfB integrates with WSUS. And Microsoft Endpoint Manager can differentiate between computers managed using WSUS and WUfB.