Windows Update for Business (WUfB) is fantastic for modern-day work as it solves so many of our long-standing problems. It allows you as an admin to specify how quickly you want to install patches, and when they need to be installed by. But once you have done that, Windows kicks in to help the user patch. Large patches are pre-installed in the background so they apply quickly. If a reboot is needed, Windows will present a very intuitive popup, letting users choose when and how to patch within the window you allow. In many circumstances Windows will automatically patch the machine without user interaction due to its off-hours patching logic. If the user avoids patching repeatedly, it will (gracefully) force a patch cycle on the user.
Across our client base, we went from less than 75% patch compliance^ to a 98% patch compliance^ just by swapping to WUfB.
If you want to report on patch health, you'll need Intune and to set up patch compliance reporting. But honestly, unless you have a regulatory reason to do that, I probably wouldn't bother. So long as the machine has the policy applied, the new patching system is very steady state. That is to say, it does what you tell it to do.
As for how to unravel WSUS, it's relatively straightforward, although it takes a bit of work.
The rough sequence is as follows, however whoever you get skilled technical support from should be able to help you through the exact machinations for your environment.
- Separate your WSUS settings into their own GPO.
  - If you are going to keep WSUS for servers, then separate out your servers into their own OUs, and build dedicated GPOs for those OUs that continue to enforce your current WSUS policies.
- Revert the GPO policies pushing clients to WSUS to their default values*
- Wait until all workstations have checked in
- Remove the WSUS GPO on the relevant OU(s)
- Using your RMM, or via pushing the app via login script or GPO, push a Windows Update registry key reset script to the OU(s) affected by this change.**
- Wait until all workstations have checked in / applied the reset script.
- Build a GPO with your desired WUfB settings and apply it to the network***
- Wait until all workstations have checked in, and spot check a few machines to ensure they have the settings.
It is very much worth the effort. Beyond the whole impending “need” to get off WSUS, it’s just a better solution. It’s much more user friendly, administratively friendly, and end-state determinate.
*do not remove the policies, rather set the entries back to their default configuration
**I don’t typically recommend random scripts to run - you should determine what your estate looks like and push a targeted solution. But if you need an example, check here
*** If you are using Intune, I would recommend you do it there instead of GPO. But assuming you aren't using Intune, GPO works fine. Microsoft has a great jumping off document on this here
^ Compliance as defined by successfully applying patches within 10 days of release of the patch. Numbers are sampled monthly, and averaged over 12 months
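As an added example for the "registry key reset script" step above (not the author's script and not Microsoft's), this PowerShell audits which WSUS client policy values are still present on a workstation and, once the WSUS GPO has actually been removed so they will not be re-applied, clears them so the client falls back to Windows Update. It assumes Windows 10/11, an elevated session, and the documented WSUS policy locations under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example, not the author's or Microsoft's script. Assumes Windows 10/11,
# run elevated, and that the WSUS GPO is already gone (otherwise Group Policy
# simply writes these values back on the next refresh).
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

# Policy values that point the client at WSUS or stop it reaching Microsoft.
$wsusValues = @{
    $wuPolicy = @('WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate',
                  'TargetGroup', 'TargetGroupEnabled', 'DisableDualScan',
                  'DoNotConnectToWindowsUpdateInternetLocations')
    $auPolicy = @('UseWUServer')
}

function Get-WsusPolicyState {
    # Report which WSUS-related values remain, so you can confirm the earlier
    # GPO revert reached this machine before resetting anything.
    foreach ($key in $wsusValues.Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in $wsusValues[$key]) {
            if ($null -ne $item.$name) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $item.$name }
            }
        }
    }
}

function Reset-WsusClientPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $wsusValues.Keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in $wsusValues[$key]) {
            if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove WSUS policy value')) {
                Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
    # Restart the update service and ask the Automatic Updates COM API for a
    # fresh detection so the client re-evaluates its scan source immediately.
    Restart-Service -Name wuauserv -Force
    (New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
}

# Audit first; run the reset with -WhatIf to preview, then without it for real.
Get-WsusPolicyState | Format-Table -AutoSize
Reset-WsusClientPolicy -WhatIf
```

Run Get-WsusPolicyState again after the next policy refresh: if any value reappears, a GPO is still delivering WSUS settings to that OU and the reset is premature.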