FAQ: Microsoft preps Windows Update for Business as go-to enterprise servicing tool

The changes, which would replace WSUS and are part of an effort by Microsoft to pull IT to the cloud, are due out by the end of June.

At its Ignite developers conference in March, Microsoft issued a host of announcements — some new, some more akin to status updates — about new features and functionality for IT to manage Windows, enough that it required a recorded list all its own just to keep everyone clear.

One of those announcements was of what Microsoft dubbed Windows Update for Business Deployment Service, which seemingly came and went with nary a ripple.

That's a shame, really.

Windows Update for Business (WUfB) Deployment Service is part of an overarching bid by Microsoft to drag IT, whether or not kicking and screaming, to the cloud and the cloud only. While many enterprises still rely on 2005's Windows Server Update Services (WSUS) to manage Windows' updates and upgrades — the nearly constant servicing that Microsoft harps on as a big boon from Windows 10 — the Redmond, Wash. company would rather, for reasons both customer-friendly and self-serving, have everyone manage from the high ground of the cloud.

WUfB Deployment Service is more important to IT, long term, than the short shrift it received would signal. We're here to change that.

Here are the questions — and answers — that spell out why WUfB Deployment Service deserves respect.

Remind me...what's Windows Update for Business again?

Not a service on its own, WUfB is a control layer atop the better-known Windows Update (WU), Microsoft's cloud-based service that distributes patches, updates, and feature upgrades directly to consumer devices and, via Windows Server Update Services (WSUS), to business systems. WUfB provides IT admins a small set of group policies that currently are limited to ones that defer updates for admin-set periods of time.

WUfB had lost some of its sheen after Microsoft upended Windows 10 servicing several years ago, when it gave consumers and very small businesses the ability to choose when to receive and deploy bi-annual feature upgrades. At the same time, Microsoft retained some of its former powers, saying it would automatically upgrade devices as they neared end of support from the Windows 10 version then installed.

(Typically, Microsoft starts this automatic upgrade process about four months before a soon-to-retire edition is set to expire.)

That change allowed smaller organizations to cede control of feature upgrades, now that those upgrades are deployed near the end of a previous edition's support — in other words, roughly once each year — rather than, as Microsoft did previously, every six months.

With Microsoft essentially deferring updates with its new practice of automatically upgrading Windows 10, there was less need for firms to rely on WUfB to postpone those same updates.

What, exactly, is this new WUfB deployment service?

It is an expansion of WUfB that will let IT administrators do more with the service than defer updates and upgrades. Admins will be able to approve and schedule security updates, feature upgrades, and (in the future) driver and firmware updates for specific groups of devices or even individual devices.

Not coincidentally, those tasks are now typically relegated to on-premises infrastructure, notably WSUS. WUfB, on the other hand, is cloud-based, and thus aligns with Microsoft's goal of moving customers, one way or another, sooner or later, from on-premises to the cloud for virtually everything.

Sounds interesting. How about some specifics?

Microsoft put it best in its announcement of WUfB Deployment Service when it said the new offering will let IT "approve and schedule any Windows content delivered from Windows Update, including feature updates, quality updates, drivers, and firmware" and pledged: "As the IT professional responsible for your organization, if you have not approved the content, it won't deploy."

That capability is not available in the current iteration of WUfB: Administrators are not able to approve/reject updates and upgrades, only defer their arrival.

Give me something concrete if I'm to uproot my servicing practices.

Okay, okay.

Here are some of the bullet points Microsoft touted. Unfortunately, the company gave customers no idea whether they all will launch together or if some may precede others.

  • Admins can schedule a specific update's deployment to begin on a given date with a selected group of systems. For instance, IT could slate Windows 10 20H2 (last fall's feature upgrade) to hit Department Y's PCs on April 28.
  • IT can also craft more complex update and upgrade deployment orders in WUfB that, say, instruct the service to offer Windows 10 20H2 to 500 devices each day starting April 28, continuing that tempo until all eligible machines have been upgraded.
  • In a security emergency — such as when Microsoft issues an out-of-band patch for a vulnerability currently being exploited by criminals — WUfB Deployment Service can be told to ignore the already-configured policies and immediately deploy the security update to all devices.
  • Microsoft will make available to enterprise IT the same recommendations it uses for deploying updates and upgrades via Windows Update to unmanaged machines. Specifically, Microsoft said that WUfB will "identify and pause deployments which are likely to be impacted by a safeguard hold." Such holds are triggered when Microsoft identifies an issue, maybe a third-party problem or device configuration, that is likely to cause a feature upgrade to fail.
  • WUfB Deployment Service will also be able to deliver driver and firmware updates — as always, after IT approval — as well as quality and feature updates. This new driver/firmware update functionality, which Microsoft trumpeted at March's Ignite, will be carried out by the WUfB Deployment Service (even though Microsoft did not name it as such in its announcement or its more-in-depth on-demand session).

What Windows SKUs will have access to WUfB Deployment Service?

Devices must be covered by a Microsoft 365 E3 (or higher) or Windows 10 E3 (or higher) license. These subscription plans include licenses for Windows 10 Enterprise.

The devices must also be joined to Azure Active Directory or Hybrid Azure Active Directory.

When will Microsoft launch WUfB Deployment Service?

The company said a preview of the service will debut to Windows Enterprise customers in the first half of 2020, or before the end of June.

Do we have to switch everything to the cloud and WUfB Deployment Service?

No.

Microsoft will integrate the WUfB service with Endpoint Manager (where Configuration Manager now lives) so that customers can continue to use their on-premises infrastructure — notably WSUS — for some updates or even the bulk of them. This will let admins "adopt content and features at [their] own pace," Microsoft contended. "[There is] no need to 'lift and shift' your organization at one time."

The flexibility will almost certainly extend further, letting IT deal with some devices using Configuration Manager co-management and WUfB Deployment Service, others using Intune and WUfB, as they may already do.

What's Microsoft up to with WUfB Deployment Service?

Good question. Maybe you can tell us?

Seriously, as the introduction intimated, Microsoft's objective is to take Windows' management to the cloud, which necessitates replacing the venerable WSUS with something at least comparable. WUfB was the service Microsoft drafted for the job.

But as originally imagined more than five years ago, WUfB was a raggedy spin-off of the better-known Windows Update, which did little more than give Windows 10 Pro and Windows 10 Enterprise customers ways to separate systems that would receive immediate updates from those that would get the updates later. At its best, WUfB let IT admins defer updates — again only on Pro and Enterprise — but without the granular control of WSUS, nor with the latter's opt-in approach that didn't deploy a bit without admins' say-so, explicit or not.

At some point, Microsoft will bury WSUS, just as it will the perpetually-licensed Office. Because WSUS's retirement date is a long way out, Microsoft has the time to take WUfB and the Deployment Service on a slow build-up. And it has time to decide, say, whether the pairing will support the small business-oriented Windows 10 Pro (it won't initially) or how tightly it will integrate other bits from the maintenance and servicing toolbox. (The mentions given to compliance elements tying into Deployment Service hint that integration will be a priority.)

Keep an eye on WUfB and the first steps of Deployment Service. We think it's going to be more important to IT than Microsoft let on last month. Expect us to return to this...frequently.

Copyright © 2021 IDG Communications, Inc.
