
Why You Should Use Windows Update for Business Instead of Windows Server Update Services

As more employees work from home, Windows Update for Business provides a simpler way to update Windows endpoints with the latest patches. In this article, I look at the differences between Windows Server Update Services and Windows Update for Business, and why I believe the latter is the best solution in most cases.

What is Windows Server Update Services?

Windows Server Update Services (WSUS) is a component of Windows Server. WSUS is installed as a server role; you can deploy a single instance, or configure it in a distributed topology to serve endpoints on different networks or at different physical locations.

WSUS servers can be set up in different hierarchies, where a WSUS server receives updates either from an upstream server or directly from the Internet. This makes WSUS flexible enough to serve thousands of endpoints, many more than a single instance could handle. WSUS also integrates with Microsoft Endpoint Manager, previously System Center Configuration Manager (SCCM), where it handles updating endpoints.

WSUS is complex to deploy and maintain

But for all the flexibility that WSUS provides, including the ability to approve individual updates, there are many caveats. The first is complexity. Even if you deploy only a single instance of WSUS, there are several best practices you should follow to make sure it is secure.


Communications between endpoints and WSUS, and between downstream and upstream WSUS servers, are not secured with HTTPS by default. Each WSUS server should be configured to enforce Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption and to use HTTPS.

Configuring WSUS to use HTTPS helps protect endpoints from remote compromise and from the potential for an attacker to elevate privileges. But the prerequisites for configuring WSUS to use HTTPS are many. First, you need to obtain a certificate, which could mean setting up your own public key infrastructure (PKI), and that is not trivial.

Once a certificate has been installed, it needs to be bound in Internet Information Services (IIS) to five different WSUS applications. WSUS can then be configured to use HTTPS with the wsusutil configuressl command. Finally, endpoints should be configured to require HTTPS, which means updating Group Policy so that endpoints connect using HTTPS on the right port.
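As an added example (not code from the article or from Microsoft), the following PowerShell audits the two ends of the HTTPS setup described above: whether the WSUS virtual roots in IIS require SSL, and whether an endpoint's Group Policy points it at an HTTPS URL on the expected port. The five virtual-root names, the "WSUS Administration" site name and port 8531 are Microsoft's documented WSUS defaults, not values taken from this article; adjust them if your deployment differs.

```powershell
# Added audit example, not from the article. Read-only: it reports, it does not
# change IIS or Group Policy. Run Test-WsusSslRoots on the WSUS server and
# Test-WsusClientPolicy on an endpoint.
#Requires -RunAsAdministrator

# The five WSUS virtual roots that Microsoft documents as needing "Require SSL".
$SslRoots = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'

function Test-WsusSslRoots {
    # Site name assumes the default WSUS install (ports 8530/8531);
    # pass -SiteName 'Default Web Site' if WSUS was installed on ports 80/443.
    param([string]$SiteName = 'WSUS Administration')
    Import-Module WebAdministration -ErrorAction Stop
    foreach ($root in $SslRoots) {
        $attr = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$root" `
            -Filter 'system.webServer/security/access' -Name sslFlags
        # Normalise: the cmdlet may hand back the attribute object or a bare string.
        $flags = if ($attr -is [string]) { $attr } else { [string]$attr.Value }
        [pscustomobject]@{
            VirtualRoot = $root
            SslFlags    = $flags
            # "None" and "SslNegotiateCert" on their own do not force HTTPS.
            RequiresSsl = $flags -match '\bSsl\b'
        }
    }
}

function Test-WsusClientPolicy {
    # Reads the values Group Policy writes and checks that the server URLs use
    # HTTPS on the expected port (8531 is the WSUS HTTPS default).
    param([int]$ExpectedPort = 8531)
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$policy\AU" -ErrorAction SilentlyContinue
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $wu.$name
        $uri = $null
        $ok = $url -and [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri) -and
              $uri.Scheme -eq 'https' -and $uri.Port -eq $ExpectedPort
        [pscustomobject]@{ Setting = $name; Value = $url; Compliant = [bool]$ok }
    }
    # UseWUServer = 1 is what actually makes the client honour WUServer.
    [pscustomobject]@{ Setting = 'UseWUServer'; Value = $au.UseWUServer
                       Compliant = ($au.UseWUServer -eq 1) }
}

# Server-side check only where IIS's WebAdministration module exists.
if (Get-Module -ListAvailable WebAdministration) { Test-WsusSslRoots | Format-Table -AutoSize }
Test-WsusClientPolicy | Format-Table -AutoSize
```

Any row with RequiresSsl or Compliant set to False marks a spot where update traffic can still travel over plain HTTP, which is the gap the article's HTTPS steps are meant to close.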

As you can see, there is a significant local infrastructure requirement even for a single WSUS instance. And what I believe should be the nail in the WSUS coffin for most organizations is that the software is simply old and outdated. It has barely been updated in the past 8 years; it still uses SQL 2012 and Report Viewer 2012, it relies on Internet Explorer, and its IIS settings are known to cause problems.

[Image: Why You Should Use Windows Update for Business Instead of Windows Server Update Services (Image Credit: Microsoft)]

Windows Update for Business

Microsoft doesn’t seem to care much about bringing WSUS into the modern world, and that’s because of Windows Update for Business (WUfB). While WUfB doesn’t allow organizations to approve individual updates the way WSUS does, if it is set up properly using deployment rings it can provide enough control without all the headaches associated with WSUS.

As I’ve written on Petri before, WUfB is controlled using a series of Group Policy or Mobile Device Management (MDM) settings in Windows 10. WUfB is Microsoft’s preferred update mechanism and it allows organizations to control how quality and feature updates are applied to devices. It uses a peer-to-peer technology, called Delivery Optimization, to distribute updates.

Because no local infrastructure is required to use WUfB, organizations can reduce costs and improve security, since everything is configured to be secure out of the box. While WSUS can also use Delivery Optimization, WUfB relies on it to distribute updates without saturating network bandwidth.

Delivery Optimization uses a network of peers to distribute updates to endpoints. Instead of each endpoint downloading approved updates from Microsoft’s Internet update servers, once a single peer has downloaded an update, other peers can pull the bits from endpoints on the same network or across the Internet. Delivery Optimization can be configured to restrict devices to pulling update bits from peers on the local network only.

Monitoring Windows Updates

If you deploy WUfB using Microsoft Intune, the Microsoft Endpoint Manager admin center now includes reporting so you can check endpoint compliance. As it stands, reporting in Intune is quite basic, but Microsoft is working to quickly expand its reporting capabilities. Outside of Intune, Update Compliance, which you can find in the Azure marketplace, is the best way to handle WUfB reporting.

WUfB vs. WSUS

Windows Update for Business is designed to be easy to deploy, secure, and to serve endpoints regardless of where they are located. Because Windows doesn’t need to contact a WSUS instance behind a corporate firewall, WUfB lends itself to situations where devices spend more time outside the office.

Setting up Microsoft Endpoint Manager to service Internet endpoints is more complicated because it requires either placing servers in the DMZ or using Microsoft Cloud Management Gateway. If you want to use WUfB with other management solutions, that’s not a problem: WUfB integrates with WSUS, and Microsoft Endpoint Manager can differentiate between computers managed using WSUS and those managed using WUfB.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.