Monday, November 30, 2020

Deciphering (and understanding) Microsoft’s patch management options


If you asked a normal user what they dislike most about Windows 10, the answer would likely be related to patching, rebooting and the generally confusing update process. Entire web sites have sections devoted to explaining the updating process and how to manage it — and I’ve written my fair share about the topic. 

In addition to writing about Microsoft patches here (and about Windows security for CSO), I’m also a moderator on the listserv. Many of its members rely on various patching tools to deploy updates and maintain workstations. There are a number of options, so it’s important to understand how they work (and how they differ) so you can get the most out of them.

Microsoft itself offers several. First, there is basic Windows Update, the one most consumers and home users rely on: each workstation independently reaches out to Microsoft’s update servers for the patches it needs. The advantage? It’s built in, costs nothing (other than bandwidth), and is set up from the get-go. The disadvantage? It gives you little control over when and how updates download, and how it behaves has changed over the years.

Microsoft also has a network-based patching platform. I’m old enough to remember when it was called Software Update Services (or SUS). Originally it was a separate download; today, as Windows Server Update Services (WSUS), it is a role built into Windows Server. But over the years Microsoft has been pushing away from a domain-based, on-premises software delivery system and toward alternative patching platforms such as Intune (now part of Microsoft 365) and Windows Update for Business. That latter one sounds like a standalone platform; in reality it’s a set of Group Policy settings (or their registry and MDM equivalents) that let you set rules for when Windows installs updates.

Intune’s advantage goes to those who have fully embraced the Microsoft 365 subscription model: workstations can be managed and controlled from an online console. Windows Update for Business is a hybrid compromise: it gives an admin enough Group Policy control to govern when workstations apply updates, but little insight into completion and issues.

And let’s not forget Windows Update Delivery Optimization, which builds on the standalone Windows Update concept but lets workstations fetch pieces of an update from fellow workstations. So if workstation A downloads piece 1 and workstation B downloads piece 2, they share those pieces between them rather than each going back to Microsoft to download the same piece twice. Early on it was buggy, very buggy, and I disabled it on my home network because it saturated my bandwidth. It’s much better behaved now, but it still doesn’t have a console for reporting.
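WSUS, the Windows Update for Business policy set and Delivery Optimization all land on a workstation as registry values under the policy hive, so the quickest way to find out which of them is actually governing a machine (and whether its peer sharing is capped) is to read those values. The script below is an added example, not code from the article or from Microsoft. It assumes a Windows 10 build new enough to carry the DeliveryOptimization PowerShell module (1709 or later), takes the policy value names and the DODownloadMode meanings from Microsoft's Group Policy documentation, and assumes Get-DeliveryOptimizationStatus exposes the BytesFromPeers and BytesFromHttp columns on your build.

```powershell
# Added example, not code from the article: audit how this Windows 10 machine is told to fetch
# updates by reading the Group Policy registry locations for WSUS, Windows Update for Business
# (WUfB) and Delivery Optimization (DO). Run in an elevated Windows PowerShell 5.1 session.
# Assumptions: DO policy value names and DODownloadMode meanings follow Microsoft's documentation,
# and Get-DeliveryOptimizationStatus exposes BytesFromPeers/BytesFromHttp (1709 and later).

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue {
    # Return a value from a policy key, or $null when the key or value is absent.
    # Absent means "Not configured": the client falls back to its built-in default.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Show-Setting([string]$Label, $Value) {
    if ($null -eq $Value) { $Value = 'not configured' }
    '{0,-38}: {1}' -f $Label, $Value
}

# 1. WSUS: UseWUServer=1 plus a WUServer URL redirects the client to an on-premises server
#    that decides which updates are approved for it.
$useWsus = Get-PolicyValue $auPolicy 'UseWUServer'
$wsusUrl = Get-PolicyValue $wuPolicy 'WUServer'
if ($useWsus -eq 1 -and $wsusUrl) {
    Show-Setting 'Update source' "WSUS at $wsusUrl"
    if ($wsusUrl -match '^http://') {
        # Plain-HTTP WSUS lets anyone on the network path tamper with the update
        # metadata the client trusts; Microsoft recommends configuring WSUS for HTTPS.
        Write-Warning 'WSUS is reached over plain HTTP; configure the server for SSL and use https://.'
    }
} else {
    Show-Setting 'Update source' 'Microsoft Update (no WSUS policy in effect)'
}

# 2. Windows Update for Business: these policy values are all that "WUfB" really is.
$deferQ = Get-PolicyValue $wuPolicy 'DeferQualityUpdates'
$deferF = Get-PolicyValue $wuPolicy 'DeferFeatureUpdates'
Show-Setting 'Defer quality updates (days)' $(if ($deferQ -eq 1) { Get-PolicyValue $wuPolicy 'DeferQualityUpdatesPeriodInDays' })
Show-Setting 'Defer feature updates (days)' $(if ($deferF -eq 1) { Get-PolicyValue $wuPolicy 'DeferFeatureUpdatesPeriodInDays' })
Show-Setting 'Quality updates paused since' (Get-PolicyValue $wuPolicy 'PauseQualityUpdatesStartTime')
Show-Setting 'Feature updates paused since' (Get-PolicyValue $wuPolicy 'PauseFeatureUpdatesStartTime')
Show-Setting 'Target feature update version' (Get-PolicyValue $wuPolicy 'TargetReleaseVersionInfo')

# 3. Delivery Optimization: DODownloadMode decides who this machine may trade update pieces with.
$doModes = @{
    0 = 'HTTP only (no peering)'; 1 = 'LAN peers'; 2 = 'Group peers'
    3 = 'Internet peers'; 99 = 'Simple (no DO cloud service)'; 100 = 'Bypass DO, use BITS'
}
$mode = Get-PolicyValue $doPolicy 'DODownloadMode'
Show-Setting 'DO download mode' $(if ($null -ne $mode) { "$mode = $($doModes[[int]$mode])" })
# The knobs that keep DO from saturating a link: background download as a percentage of
# available bandwidth, upload in KB/s, and a monthly upload cap in GB.
Show-Setting 'DO max background bandwidth (%)' (Get-PolicyValue $doPolicy 'DOPercentageMaxBackgroundBandwidth')
Show-Setting 'DO max upload bandwidth (KB/s)' (Get-PolicyValue $doPolicy 'DOMaxUploadBandwidth')
Show-Setting 'DO monthly upload cap (GB)' (Get-PolicyValue $doPolicy 'DOMonthlyUploadDataCap')

# 4. With no reporting console, you ask each machine how much it pulled from peers vs. Microsoft.
if (Get-Command Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue) {
    $jobs = @(Get-DeliveryOptimizationStatus)
    if ($jobs.Count -gt 0) {
        $fromPeers = ($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
        $fromHttp  = ($jobs | Measure-Object -Property BytesFromHttp  -Sum).Sum
        Show-Setting 'DO bytes from peers / from HTTP' ('{0:N0} / {1:N0} ({2} jobs)' -f $fromPeers, $fromHttp, $jobs.Count)
    } else {
        Show-Setting 'DO bytes from peers / from HTTP' 'no DO jobs recorded'
    }
}
```

A consumer box that has never seen a Group Policy or MDM profile prints "not configured" for every line, which is the plain Windows Update case from the top of the article; a domain-joined machine that shows a WSUS URL plus deferral values is running both the old and the new model at once, and the plain-HTTP warning is the one finding worth fixing before anything else.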

Copyright © 2020 IDG Communications, Inc.

