Windows Update for Business (WUfB) is a new method of thinking about how updates are done. It is a fundamental switch in how you look at dealing with updates. It can make your life easier if you can just get over the fundamental switch in realizing that you have little to no control, and that you are putting all of your trust in Microsoft (did I not say it was a fundamental switch?)
WUfB is like a Windows Home system, with a little bit more flexibility… not a lot… a little. You put your trust in Microsoft to be your IT patch management department; you trust that they are doing their job in making sure the updates they release are as free as possible from major and minor issues and don’t have any adverse effects on your systems. In my view, one of the ways they do this is by using the diagnostic data (telemetry) from systems all over the planet, which shows them how those systems are working with their updates and with all the software installed on them. There are millions of computers around the world running Windows… of these systems, how many do you think run a specific version of 7-Zip, WinZip, WinRAR… or even a specific version of your CRM or ERP system? What about drivers, and specific versions of network card or video card drivers? The likelihood is that there are thousands, if not hundreds of thousands or millions, of others running the same software you do. All of that diagnostic data is anonymized and then analyzed for crashes, blue screens (kernel panics), hangs, and more. Microsoft even uses the diagnostic data internally to be proactive and fix issues.
On a Windows Home system, your system will install patches when Microsoft decides and restart when Microsoft decides. In a business network, however, you want a little more control over when updates are actually installed on your systems. This is where WUfB policies come into play.
Windows Update for Business Policies
The official documentation for WUfB configuration is a great place to start.
The policies are located in Computer Configuration > Policies > Windows Components > Windows Update > Windows Update for Business
There are currently 3 policies that live there (Windows 10 1809 ADMX templates). Remember the best practice when applying GPOs – ONLY apply the ones you need. Don’t explicitly disable the ones you don’t.
- Select when Preview Builds and Feature Updates are received
- Select when Quality Updates are received
- Manage preview builds
The first policy allows you to delay preview builds (if your device is enrolled in the Insider Program) and/or the Feature Updates (1709, 1803, 1809, etc.). It allows you to delay the installation of a feature upgrade for up to 365 days (1 year). If during your testing (you are using a test group, right? Even if it’s a system or 2 from each department in a production setting; some testing is better than no testing) you find out that the feature upgrade has a detrimental effect on a business-critical program, this policy also allows you to pause the roll-out of the feature upgrade. When you set the date, it will pause the upgrade for 35 days.
The second policy does the same as the first, except that it only covers the monthly cumulative updates and it has a maximum delay of 30 days. It allows you to ‘stay back’ up to a month. Many admins like to ‘wait and see’ a week or two with the monthly cumulative updates, just to make sure there are no issues with the patches that others have reported. To do this using WUfB policies, you would configure this deferral policy for 7-14 days.
The last policy has to do with preview builds. Enabling this policy with ‘disable preview builds’ will forcefully prevent any admin user from opting into the Insider Program. If you leave this ‘not configured’, then an admin user has the ability to opt into the Insider Program and use preview builds. If they are not an administrator on their machine, they will not be able to opt into the Insider Program anyway. If you have systems that you want to be in the Insider Program, you have 2 options. The first is to simply enable preview builds. This means that each time a new Insider build is released, the system will update to it. The second option allows your systems to exit the Insider Program gracefully by disabling preview builds after the next feature upgrade is released. In this scenario, a preview build will upgrade to the next released feature upgrade and then stop the enrollment in the Insider Program.
Why Should I Choose WUfB Over WSUS or Other Patch Management System?
If you are a small business that does not have the resources to dedicate to patch management, or you don’t have any servers on-prem, or you have a very distributed team that uses mostly online services, or you are simply fed up with WSUS or other patch management solutions, WUfB might just be right for you. Using WUfB has its advantages and disadvantages, just like every system. Among the disadvantages: less visibility (reporting is limited by default – more on that below), and having to trust that the updates install locally without issues (even if you have testing rings, the update could be failing at the client end, leaving that client exposed without you knowing). Among the advantages: this is a set-and-forget method of patch management. You have some control over when your systems are upgraded to each of the feature upgrades, and even the ability to pause the rollout if something detrimental happens.
Combining WUfB, Upgrade Readiness & Update Compliance
WUfB alone does not provide the reporting that WSUS provides and that some need. Microsoft essentially split WSUS into 2 systems – a patch management system and a reporting system. WUfB takes care of patch management, and Update Compliance takes care of reporting. Provided through Azure and FREE* to use, Upgrade Readiness and Update Compliance give you reporting on where your systems stand in relation to updates and feature upgrades. They do this by using the Windows diagnostic data (aka telemetry) in combination with a GUID provided to you through Azure’s interface and deployed via GPO, registry edits, or Intune. The diagnostic data already being sent from each computer to Microsoft is tagged with that GUID, and everything associated with it is funneled into your company’s tenant for analysis and reporting.
* Free but requires credit card for anti-spam verification purposes. Nothing will be charged unless you use other services that incur costs.
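An added example, not from the original post, that ties the three WUfB policies above to the Update Compliance requirements in the last section: it audits what the GPOs actually wrote to a client’s policy registry keys after a refresh. The registry paths and value names are the documented ones for these policies; the 35-day pause window, the 365/30-day deferral limits and the preview-build value mapping (0 = disable, 1 = disable after next release, 2 = enable) follow the 1809 ADMX template, and the script assumes it runs elevated on the client being checked.

```powershell
# Audit the WUfB and diagnostic-data policy values a client received via GPO.
# $null for a value means that policy is 'Not configured' on this machine.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$DC = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$PauseWindowDays = 35   # a WUfB pause lasts 35 days from the configured start date

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PauseState {
    param([string]$StartDate)
    # The GPO stores the pause start as a date string (yyyy-MM-dd). The value is
    # not removed when the 35 days are up, so an expired pause is worth flagging.
    if (-not $StartDate) { return 'not paused' }
    $end = [datetime]::Parse($StartDate, [cultureinfo]::InvariantCulture).AddDays($PauseWindowDays)
    if ((Get-Date) -lt $end) { "paused until $($end.ToString('yyyy-MM-dd'))" }
    else { "pause expired $($end.ToString('yyyy-MM-dd')), value still set" }
}

function Get-WufbPolicyAudit {
    $featureDefer = Get-PolicyValue $WU 'DeferFeatureUpdatesPeriodInDays'
    $qualityDefer = Get-PolicyValue $WU 'DeferQualityUpdatesPeriodInDays'
    $preview      = Get-PolicyValue $WU 'ManagePreviewBuildsPolicyValue'
    $telemetry    = Get-PolicyValue $DC 'AllowTelemetry'   # 0 Security, 1 Basic, 2 Enhanced, 3 Full
    $commercialId = Get-PolicyValue $DC 'CommercialId'     # the GUID from the Azure workspace
    $previewMap   = @{ 0 = 'disabled'; 1 = 'disabled after next feature update'; 2 = 'enabled' }
    $previewText  = if ($null -ne $preview -and $previewMap.ContainsKey([int]$preview)) {
        $previewMap[[int]$preview] } else { 'not configured (local admins may opt in)' }

    $warnings = @()
    if ($featureDefer -gt 365) { $warnings += 'Feature update deferral exceeds the 365-day maximum' }
    if ($qualityDefer -gt 30)  { $warnings += 'Quality update deferral exceeds the 30-day maximum' }
    if ($null -eq $commercialId) { $warnings += 'No CommercialId: Update Compliance will receive no data' }
    if ($null -eq $telemetry -or $telemetry -lt 1) { $warnings += 'Diagnostic data below Basic: Update Compliance needs at least Basic' }

    [pscustomobject]@{
        FeatureUpdateDeferDays = $featureDefer
        FeatureUpdatePause     = Get-PauseState (Get-PolicyValue $WU 'PauseFeatureUpdatesStartTime')
        QualityUpdateDeferDays = $qualityDefer
        QualityUpdatePause     = Get-PauseState (Get-PolicyValue $WU 'PauseQualityUpdatesStartTime')
        PreviewBuilds          = $previewText
        DiagnosticDataLevel    = $telemetry
        CommercialIdSet        = ($null -ne $commercialId)
        Warnings               = $warnings
    }
}

Get-WufbPolicyAudit | Format-List
```

Run it on a member of each test ring after `gpupdate /force`; an empty Warnings list and the expected deferral days confirm the GPO landed, and a lingering expired pause shows up without having to open the Group Policy editor.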