Windows Server Update Services has been around for a long time and is the tool that many administrators rely on to manage Windows updates. Windows Update for Business (WUfB) is a relatively new technology that does the same job but takes a different approach. Is one better suited to your organisation than the other?
Microsoft launched Windows Server Update Services (WSUS) in 2005 to replace Software Update Services (SUS). WSUS is still fully supported and many companies still use it. Instead of having all Windows clients go to the Internet to download updates, you have one or more WSUS servers that centralise the updates. They allow you to control which updates are distributed to clients.
System Center Configuration Manager (SCCM) – recently renamed Microsoft Endpoint Configuration Manager – has arrived and offered even more control over Windows updates. SCCM ingests updates downloaded via WSUS and uses its own client to deploy them, using rules defined in ConfigMgr.
WSUS allows to automate the tedious work of Windows updates
For a long time, many administrators used WSUS in an essentially automated way. They would allow all updates as they came in, or they would allow critical and security updates immediately and delay others for testing. Some administrators would document each update, deploy it to a test group, and then roll it out to the main fleet. Later, they would apply the patches to older, more sensitive devices. This is a manual and time-consuming process to go through, especially at a time when Microsoft releases multiple updates at different times of the month.
IT administrators sometimes experience bugs in Microsoft’s updates on Windows devices. These problems range from minor inconveniences to BSODs. While monthly updates offer better stability, administrators have less control over the patching process. Microsoft moved to a cumulative update model in late 2016 which removed the ability to choose which updates to install by releasing multiple patches in one large update.
To further complicate the update process, Microsoft releases two feature updates for Windows 10 each year – one in the spring and one in the fall – that introduce new features. These feature updates also include all previous updates, which are the monthly security updates and bug fixes.
How Windows Update for Business works
Windows Update for Business (WUfB) boils down to a few registry settings on a PC to provide some additional rules for the customer to connect directly to Windows Update.
You control these registry settings using a management tool, such as Intune or by GPO, or by other methods of modifying registry settings, including a script. The controls provided by WUfB are quite minimal, but this may be sufficient for some administrators who prefer not to manage Windows updates regularly.
Comparison between WUfB and WSUS
When it comes to applying patches to Windows machines, should you stick with WSUS – and Endpoint Manager for updates, which requires WSUS – or should you move to WUfB?
If you’re trying to go to the cloud as much as possible – which includes using cloud-based management tools such as Intune – then the choice is WUfB, unless you decide to run WSUS on an Azure VM. Let’s look at the two possibilities and why you might want to keep your current WSUS configuration or decide to move to WUfB and shut down those servers.
What is possible in WUfB?
WUfB has four main settings in Group Policy. Let’s take a closer look at each setting and explain what each offers to control the deployment of updates. For more details on working with WUfB and Group Policy, see Microsoft’s documentation.
Selecting when to receive builds and feature updates
These settings allow you to select one of four update rings for Windows 10 clients:
- Preview Build – Fast. This setting provides builds with the latest features that are not yet available to the public, with the ability to report bugs and request improvements from Microsoft.
- Preview Build – Slow. This setting provides builds with the latest features at a slower speed than the Fast Ring and includes fixes for issues in previous builds.
- Release Preview. This setting provides official versions of Windows before they are available to the public.
- Semi-annual channel. This setting allows you to release Windows builds when they are available to the public.
You have the ability to defer a feature update for up to one year. This practice can help your organisation avoid problems with the build by not being on the cutting edge and letting other organisations find bugs and report them to Microsoft. Pushing back the release date to your customers by several days can be the ideal solution to avoid unnecessary troubleshooting work until Microsoft offers fixes.
Another option allows you to pause the deployment of preview builds. You enter a date and for 35 days from that date, no customers will install previews or feature updates. This can be handy when a bad update has been released and you want to freeze it. After 35 days, Microsoft will have to
Choose when customers receive quality updates
Like the previous option but related to quality updates, this section offers the possibility to delay the receipt of a quality update by customers for up to 30 days before customers download and install the update. You can also choose to set a start date to stop delivery of quality updates for 35 days or until you clear the start date.
Manage preview builds
This menu gives you the ability to disable or enable preview builds with some more granular controls.
You can prevent users from participating in the Windows Insider Program when you select disable preview builds.
You can choose to disable preview builds when Microsoft releases a public build. This is a good way to roll back a preview build that has already been released. Some people may leave this option off entirely or allow it for certain IT staff who may need early access to Windows 10 preview builds for testing purposes.
The Enabled option gives users the right to install preview builds on their machines.
Select the target version for the feature upgrade
In this section, you choose a target for the feature upgrade version, such as 1909, 2004, or 20H2 to upgrade the client machine to a newer major version of Windows 10. If you need to control this delivery, you can enter a target version, which is the only version of Windows 10 that will be installed. This means that if the client is on 1903 and the WUfB feature update setting is 1909, the client will not receive the new versions if they are available via Windows Updates.
From these settings, you can configure different policies for different PCs, for example by configuring driver PCs that receive updates first to detect any problems introduced by an update. You can also control when PCs are upgraded to the next feature update and create another driver group before continuing upgrades to other clients.
WUfB vs. WSUS: Difference with the upgrade process
Windows 10 has a feature called delivery optimization that gives PCs on the local network a way to share updates. There used to be a strong argument in favour of WSUS, which downloads all updates once and then distributes them locally, saving a lot of bandwidth. Delivery optimisation comes close to this feature if you use WUfB. You can check the performance of this feature on each PC in the Delivery Optimisation activity monitor section, which shows statistics on sharing and receiving updates via the Internet and on PCs in the local network.
Another feature of Microsoft via Windows Updates is the Backup Queue. If Microsoft detects a problem with a new feature update, it places a hold to block the deployment of the feature update until it can resolve the problem. For WUfB clients, this is transparent. However, WSUS customers need to be aware of these outstanding issues and make the decision to deploy the update or prevent it. Microsoft is often aware of these issues before you are, so it is up to you to decide whether you want this level of control or whether you want Microsoft to deal with it.
For some organisations, WSUS may be a wise choice
WSUS has some advantages that WUfB does not. For example, it is relatively easy to set an update to be uninstalled if the version supports it, making it easy to remove a troublesome update. This is not possible in WUfB; you have to use PowerShell to remove the update in question and then deploy to your estate.
WSUS also prevents computers from connecting over the Internet to Microsoft to get updates. For a bandwidth-sensitive site, this gives you more reliability by using a single download path for updates on a schedule you configure to avoid disruption.
If you are an administrator who always wants or needs to review each update in detail and release it when you are ready, WSUS is for you. With WUfB, your control is limited; you can delay updates but not stop them completely as with WSUS.
This level of control comes at a price: you need a server or even several server workloads to run WSUS, which adds to your administration costs, whereas WUfB is a set of parameters.
So there is not really a duel between WUfB and WSUS, as there is no right or wrong choice. Each patch management tool serves a different purpose. WUfB aligns closely with the update deployment options of Office 365 and its rings, so if you are already using or studying this technology, what WUfB brings will not be new to you. You can even run WSUS and WUfB simultaneously with some registry settings. If you want to try WUfB in a pilot group for a few months, it is easy to set up with very little work.
WUfB offers a low-cost management option with no resources required and no fees. You can configure updates to be released as slowly as you like. WSUS still offers greater control over the deployment and management of updates, which is essential for those who wish to continue using Endpoint Manager.