There are two types of methodologies to deploy Windows Updates. One is based on ConfigMgr or WSUS. This method brings high level of control regarding which updates are deployed and when they are installed. The other is based on Windows Update for business where customers can work with deployment rings (group of devices) and simply delay all the updates for a specific number of days per ring. But which option is better and how can I improve this process?
When I demonstrate Desktop Analytics to customers, they are happy to see the benefits they can get. But often I can also feel the need for improvement because the employees do not even have time to really control and test the updates. So, why should they have time to use Desktop Analytics? In these cases I start talking about Windows Update for Business, but this often feels uncomfortable to them because of lack of control. With this blog I would like to highlight why Windows Update for Business is definitively a solution also for large companies.
But first, what is Desktop Analytics exactly?
Desktop Analytics is a really cool service built-in in Microsoft Endpoint Configuration Manager. With this service you can get insights about your application landscape with the main goal to simplify and help to make more informed decisions for the Windows Update Process. The service combines data from all devices connected to the Microsoft cloud and your organization.
If you are using MEMCM to deploy Windows Feature Upgrades, then DA will provide additional insights for example to create pilots that really represent the entire application and driver combinations instead of just a random group or the IT department.
Additionally, DA provides cloud insights about compatibility issues and mitigations suggestions. With these insights, it is possible to only deploy a new feature release to devices which should not have well known compatibility issues. Additionally, it allows an administrator to resolve the compatibility issues on the other devices.
I really recommend DA if you have to deploy Updates and Upgrades in a highly controlled way
How can Windows Update for Business simplify your life?
Windows Update for Business is simplifying your deployment by reducing most of the complexity to two important settings, the deferral period for quality and feature updates:
With just these two settings it’s possible to create different rings to lower risks in case of issues with a specific update. This could look like in this example:
But now, hold on, just two settings are not enough. How can I control reboots? Yes also reboots and specific deadlines can be defined. The user communication works through normal Windows dialogs which are used on all the millions of home devices, so also your users and company should be able to live with them.
Dealing with issues and compatibility when using Windows Update for Business
Just defer the updates on some devises will help test the updates in your dedicated environment, but how do I get insights regarding compatibility like in Desktop Analytics? The answer is simple: it is just built-in. Windows Update for business has built-in safeguards to deploy Upgrades only to devices which shouldn’t have issues with them.
Use Update Compliance Solution to get information about the safeguards. You will see here if the safeguards have blocked installation in your environment. You can also see the specific safeguard ID which helps to find what exactly has blocked the installation.
In case you have an issue, which is not already known and you detect it during your pilot deployments you have the option to pause the updates or to stick on a specific feature update until your compatibility issue is solved.
I saw it in multiple companies that Windows Update for Business works without more issues than you had before, but with nearly zero effort. An additional benefit is that if you are relying on Windows Update for Business also driver and firmware updates are installed automatically. As an example at one customer(over 2000 devices) a feature upgrade was not even detected by the IT department, but on a review they recognized that they have already the newest OS version deployed.
Another great example is my personal notebook, which received the 2004 Windows update not before July 2020 because of driver issues. One day I got the notification to update 2004, and in the history I saw, that the drivers were updated before.
So, overall I think Windows Update for Business can lower your operational overhead drastically and should be the goal for your devices unless you have specific requirements with maintenance windows for example.
- Windows Update for Business simplifies your environment - November 2, 2020
- Deploy Code Signing Certificate with Intune - September 27, 2020
- Automatic Azure AD Conditional Access Documentation - July 28, 2020