WaaS Demystified – Part 4 – Servicing Tools

Previous blogs in this series:

Part 1 – Introduction : What is WaaS?
Part 2 – Windows 10 Updates.
Part 3 – Servicing Channels.

Now that we’ve briefly presented Microsoft update types and the update servicing channels, here’s the million-dollar question: How are they sent or deployed to one device, 10 devices, 100, 1000 or 30 000 systems? 

Over the years, Microsoft has provided four tools to help service Windows. Each one has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. They are:

  • Windows Update (Stand-Alone): This is the tool that is available on every Windows 10 operating system. It has limited control over the feature updates as you would have to manually configure the device to be in the Semi-Annual Channel. 
  • Windows Update for Business: As part of Windows 10 since build 1511, WUfB allows you to use the cloud-based Windows Update service to deploy and manage Windows updates.  You can use Group Policy or MDM solutions such as Microsoft Intune to configure the WUfB settings that control how and when Windows 10 systems are updated.  The key take-away is that since it is cloud-based, it does not require any on-premises infrastructure. 
  • Windows Server Update Services (WSUS): WSUS is one of the oldest Servicing Tools for deploying Windows updates to a managed environment. It provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system.   
  • Microsoft Endpoint Configuration Manager: Formerly called System Center Configuration Manager, this tool provides the greatest control over servicing Windows as a Service. With Configuration Manager you can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.   

Important: All servicing tools can deploy the new feature update as an update package. Only with Configuration Manager can you also choose to deploy it as an In-Place Task Sequence. With the latter, you have greater control over what happens to the system, since you can configure pre- and post-upgrade tasks. Additionally, Desktop Analytics (which is discussed in Part 7 of this series) integrates with Configuration Manager and uses In-Place upgrade Task Sequences to deploy the targeted feature update.

An organization chooses the servicing tool best suited to its needs based on several factors, such as the number and location of the systems, how they are connected, the available on-hand staff and their expertise, and how the environment is managed. For example, although you can opt for Configuration Manager, it might be better to use Windows Update for Business if you have a small company of, say, 40 or 50 systems, because, for instance, you don’t have an on-premises Active Directory infrastructure; you would manage your environment with Microsoft Intune. Windows Update might be easier for a 2 to 10 employee firm if, for example, you don’t have an IT pro to set up WUfB.

However, for large and complex organizations with tens of thousands of geographically scattered systems, different branch sizes and various network links, Configuration Manager might be the premium choice. It not only allows you to target specific systems but can also help with packaging updates together and automating their deployments in terms of date, time, threshold (automatically starting another deployment depending on the success percentage threshold of a previous one), caching, bandwidth control, etc.

Additionally, Configuration Manager can work in conjunction with Microsoft Intune to provide a management style called ‘Co-Management’, whereby your systems are managed from both Configuration Manager and Microsoft Intune. When you have co-management enabled, you also get many additional tools (such as Microsoft Endpoint Defender ATP – Advanced Threat Protection). But this is beyond the scope of this blog.

Stay tuned for my next blog, “Getting current and staying current with WaaS”, where I’ll discuss Microsoft’s famous ‘Deployment Rings’, how they fit with the delivery cadence of the feature and quality updates, and how you can leverage this for your business by mapping the tool to your needs.