The Case for Windows Update for Business (WUfB)

Muhammad Fuzail
2 min read · Aug 31, 2020

When working with customers we often get asked the question, why should we use Windows Update for Business as opposed to using a WSUS box to control everything? I believe the answer to that has 5 components to it:

  1. The administrative overhead associated with managing a WSUS server
  2. Security
  3. Granularity and control
  4. Quality Control
  5. Risk Mitigation

Administrative Overhead

Moving to the cloud, i.e., getting rid of the existing legacy server overhead and letting the cloud do the work for you, frees up those resources; that is enticing and promises a healthy ROI. Eliminating the time and money spent on maintaining, patching, and troubleshooting a WSUS server also excites executive leadership.

The modern management component takes care of patch approval and un-approval. Fixing “rogue” patches is left to Microsoft: under the modern management paradigm, Microsoft is responsible for fixing those patches before they are released. Customers are expected to pause the deployment of patches via Microsoft’s built-in Policy CSP, i.e., for quality patches, pause a patch for 30 days before it is republished. The expectation is that Microsoft will fix the patch before the 30-day period ends. This falls in line with the agility the cloud offers, and customers are expected to take advantage of off-loading this workload to Microsoft, because IT administrators are no longer expected to vet each patch as it is released.
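To make the pause mechanism concrete, here is an added PowerShell example (not code from the original post) that audits the Windows Update for Business deferral and pause policy on a device and, optionally, starts or clears a quality-update pause. It reads the policy registry values that the Update Policy CSP and Group Policy write under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`; the value names (`DeferQualityUpdates`, `DeferQualityUpdatesPeriodInDays`, `PauseQualityUpdatesStartTime`, and their feature-update counterparts) are taken from Microsoft's WUfB documentation as I recall it and are not on the page, so treat them as assumptions to verify. The 35-day figure is the pause maximum the OS enforces; the post's 30-day window fits inside it.

```powershell
# Added example, not from the original post. Audits (and optionally sets) the
# WUfB deferral/pause policy through the policy registry keys. Value names are
# assumptions based on Microsoft's WUfB docs; verify before relying on them.
$WufbPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WufbUpdatePolicy {
    [CmdletBinding()]
    param(
        [string]$Path = $WufbPolicyPath,
        [int]$MaxPauseDays = 35   # OS-enforced maximum pause window (assumption: 35 days)
    )

    if (-not (Test-Path -Path $Path)) {
        # No policy key at all: the device follows plain Windows Update defaults
        return [pscustomobject]@{ Configured = $false; Path = $Path }
    }
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Turn a pause start-time string (e.g. "2020-08-31") into elapsed/remaining days,
    # so a pause that has silently lapsed is visible to the administrator.
    function Resolve-Pause([string]$StartTime) {
        if ([string]::IsNullOrWhiteSpace($StartTime)) { return $null }
        try   { $start = [datetime]$StartTime }
        catch { return [pscustomobject]@{ StartDate = $StartTime; Error = 'unparseable date' } }
        $elapsed = ((Get-Date).Date - $start.Date).Days
        [pscustomobject]@{
            StartDate     = $start.ToString('yyyy-MM-dd')
            DaysElapsed   = $elapsed
            DaysRemaining = [math]::Max(0, $MaxPauseDays - $elapsed)
            Expired       = ($elapsed -gt $MaxPauseDays)
        }
    }

    [pscustomobject]@{
        Configured          = $true
        Path                = $Path
        DeferQualityUpdates = [bool]$p.DeferQualityUpdates
        QualityDeferralDays = $p.DeferQualityUpdatesPeriodInDays
        QualityPause        = Resolve-Pause $p.PauseQualityUpdatesStartTime
        DeferFeatureUpdates = [bool]$p.DeferFeatureUpdates
        FeatureDeferralDays = $p.DeferFeatureUpdatesPeriodInDays
        FeaturePause        = Resolve-Pause $p.PauseFeatureUpdatesStartTime
    }
}

function Set-WufbQualityPause {
    # Starts a quality-update pause from today, or clears it with -Resume.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $WufbPolicyPath,
        [switch]$Resume
    )

    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }

    if ($Resume) {
        if ($PSCmdlet.ShouldProcess($Path, 'Clear PauseQualityUpdatesStartTime')) {
            Remove-ItemProperty -Path $Path -Name 'PauseQualityUpdatesStartTime' -ErrorAction SilentlyContinue
        }
        return
    }

    $today = (Get-Date).ToString('yyyy-MM-dd')
    if ($PSCmdlet.ShouldProcess($Path, "Pause quality updates starting $today")) {
        # Assumption: the deferral flag must be on for the pause start time to take effect
        Set-ItemProperty -Path $Path -Name 'DeferQualityUpdates'          -Value 1      -Type DWord
        Set-ItemProperty -Path $Path -Name 'PauseQualityUpdatesStartTime' -Value $today -Type String
    }
}

# Usage (run elevated on a lab device):
#   Get-WufbUpdatePolicy | Format-List
#   Set-WufbQualityPause -WhatIf
#   Set-WufbQualityPause -Resume
```

The audit function is the part worth running regularly: a pause that was set during a bad-patch incident and never cleared expires on its own, and the `Expired` flag makes that lapse visible so the device does not quietly resume installing while the team still believes updates are held. In production the values should be set through Intune or Group Policy rather than by writing the registry directly; the set function is there to show which values the policy actually flips.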

Security

Vetting every patch before release resulted in machines staying behind the latest Feature Pack release and, in some cases, the latest security patch release, exposing the Windows 10 fleet to security loopholes: a nightmarish scenario for the CIO’s office. The evolving threat landscape, especially for highly distributed remote workforces, necessitates deploying security patches to machines as soon as possible, if not immediately. Modern management addresses this effectively: over-the-air deployment of patches, immediately via Microsoft’s update servers, with minimal negative impact on the company’s network bandwidth.

Why move to modern management and lose control of the way we do things currently?

Granularity and Control Comparison

Feature comparison between WSUS and WUfB

Quality control and risk mitigation (WUfB vs WSUS)

Level of control with quality and feature updates

The consequences of a rogue Microsoft update installing on machines and breaking legacy applications can be mitigated by putting in place effective mechanisms to control the negative impact of security/feature updates within 30 days. An incentive to build more agile business processes, perhaps?


End-User Computing enthusiast — successfully delivered digital transformation projects over the past 5 years with VMware Workspace ONE. Views are my own.