Patching Windows is continuously getting better, even though it may seem like small steps, there is an easier process to keeping your devices up to date. I feel that it’s time to squash the whole “we don’t have time to manage updates” or the “I thought it was working automatically” when it comes to the lack of patching.
I want to help share a quick strategy for those who are able to start adopting a cloud based solution. With Windows 10 being treated as a service, as admins, we are responsible for the end user experience. It’s time to move forward with a more modern way to manage patching. Where bandwidth is no concern, we can start moving away from WSUS on premise solutions. This modern strategy will utilize Windows Update for Business. Where bandwidth is a concern I do recommend looking more into making sure Delivery Optimization is enabled. I won’t be going into detail on that in this post, but feel free to read more on Microsoft’s Delivery Optimzation.
A quick review, Windows Update for Business, WUfB, allows for easier management and automation of Windows patching. Utilizing GPO, MDM (such as Intune), or other policy solutions. We can easily set up how the life cycle of our devices will be patched and managed. I see this automation, reliability, and time savings as the main reasons to start utilizing this service. Most I.T. departments are still stretched thin and our security hat, more often than not, is left off while we’re reacting to other issues.
To succeed at patching, we need to have a process and policy in place to follow every time a patch is released. A good goal in mind is to have patches deployed to our production environment within 30 days of release. This may seem fast paced for your environment, but trust me, you can get it done. Before we open the flood gates on production, we need to make sure that our environment does not experience any negative impacts. Let’s go through a simple scenario. We need to get our environment ready for patching for the upcoming cycle. For Windows, the second Tuesday of every month is deemed Patch Tuesday. We’ll utilize 3 groups for this environment;
A canary ring is the first wave of production to make sure things don’t
go horribly wrong. A few concepts of what to put in a Canary group are; a small
group of I.T. devices which can be closely monitored or troubleshot, Test Lab
Devices, and secondary computers that can be monitored closely.
Pilot Ring: The pilot ring is potentially the
most critical group in your environment. This tests the validity and quality of
the rollout across the entire environment. Devices in this group are not I.T.
computers alone. This should contain a mixture of devices from
standard/champion users across your organization that run daily tasks. Possibly
1-2 devices from each department would be a better pilot.
Production Ring: The Production ring is a full availability to all devices. If you are a part of a larger environment or want to have a slower roll out you can break this into a smaller production rings.
Production 1 as 20%
Production 2 as 40%
Production 3 as the remaining 40 %
One of the main
features that WUfB has over simple uncontrolled Windows updates, is the ability
to defer the date. Part of designing the rings is adjusting each rings deferral
period. Our times can vary for the quality updates and feature updates. In addition
we can control work hours and user experience for reboot.