In March of 2021 at its Ignite developers conference, Microsoft announced several new features and functionality designed to better help IT manage Windows.
One of those key announcements was about Windows Update for Business Deployment Service (WUfB Deployment Service). Although plenty of businesses are still comfortable using 2005’s Windows Server Update Services (WSUS), Microsoft views WUfB Deployment Service as an important part of the drive to migrate IT to the cloud.
According to the information provided, WUfB Deployment Service for drivers and firmware will be available in Microsoft Endpoint Manager and Microsoft Graph as a public preview from the first half of 2022.
What exactly is WUfB Deployment Service?
The key thing most IT pros would like to know is what exactly this new service is. Microsoft describes Windows Update for Business Deployment Service as a cloud service that is part of the Windows Update for Business product family.
It is a service that gives you control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. And the beauty of it is that Microsoft says it will integrate seamlessly with your existing Windows Update for Business policies.
IT pros should look forward to a platform that enables them to meet the goals of their business while also attending to the needs of end-users regardless of where they may be. And this is crucially important given the difficult time the world has been facing recently.
The need for more efficient cloud services is part of what is driving Microsoft to create services like the deployment service. The deployment service comes as an enterprise-grade solution that will help to enhance the already-existing servicing platform that Microsoft AI provides to more than a billion devices across the globe.
Those looking forward to using the new Windows Update for Business Deployment Service for drivers and firmware should expect the public preview to become available starting with the first half of 2022. According to Microsoft, this will be available in Microsoft Endpoint Manager and Microsoft Graph.
In addition, a management reporting system for driver servicing capabilities is also on the way when the new service reaches public preview. This will allow you to access these reports as Workbooks using Windows Update for Business: Update Compliance.
The availability of reporting will extend to all recommended and approved updates that require attention. And these include drill-downs designed to reveal individual device impact. Public preview for the service should be expected in January 2022 for Microsoft Graph and the first half of 2022 for Intune.
Built for IT professionals
According to the information that Microsoft has given us, this deployment service has been designed by taking into consideration feedback from their clients. Below are the things that WUfB Deployment Service will enable you to do:
- IT will maintain control – you get to approve and schedule any Windows content delivered from Windows Update. This includes feature updates, quality updates, drivers, and firmware. This means that the IT pro has the final say and any content that they do not approve will not deploy.
- Easy to adopt – integrating the deployment service with Microsoft Endpoint Manager, either through cloud-only controls or co-management, allows for easy adoption of content and features. As a result, this can be done at your convenience without having to worry about implementing all these changes at one time.
- Responsive to change – delivering innovation through cloud services makes it easy for you to adopt. Capabilities are common across OS releases and you no longer need to install an update to access new update controls.
- Compliant and privacy-focused – WUfB Deployment Service fulfills the necessary compliance regulations, thus giving you peace of mind. IT professionals will be happy to know that the deployment service is ISO 27001, FedRAMP High, HiTRUST, and SOC II certified.
Enhancing deployment processes
Simplifying deployment processes can help your organization to operate with greater efficiency. By leveraging Windows Update for Business Deployment Service, IT professionals can significantly extend the management plane available to devices connecting to Windows Update. This should then allow you to:
- Schedule update deployments to begin on any specific day that is convenient to your organization.
- Stage deployments over a period of days or weeks using rich expressions. This enables you to make deployments to a given number of devices each day.
- Bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise.
- Ensure coverage of hardware and software in your organization through deployments that are tailored to your unique device population through automatic piloting.
- Leverage Microsoft ML to automatically identify and pause deployments to devices that are likely to be impacted by a safeguard hold.
- Manage driver and firmware updates just like feature updates and quality updates.
What you stand to gain
This new deployment service will present IT admins with plenty to be excited about. When the service becomes available, it will enable IT admins to choose the right drivers for the devices that they are responsible for.
They will do this by browsing the entire collection of drivers from independent hardware vendors and original equipment manufacturers available on Windows Update.
Most end-users will be extremely grateful for this option because it relieves them of having to go through the entire Windows catalog to pick drivers themselves. By having IT admins perform this task, organizations will significantly reduce the risk of having incorrect or outdated drivers installed on company devices.
Also, businesses stand to benefit from regular deployment of driver updates from Windows Update. Your devices will receive just the right drivers from Windows Update and will get new drivers and fixes regularly from the hardware ecosystem. All of this is key in ensuring that security issues are mitigated and your organization operates more efficiently.
Another thing that this service will do for IT admins is to simplify the process of identifying the right drivers for the various devices. This is because of how Windows Update performs an automatic evaluation of all data sent by a device when it scans the service and identifies drivers on the service that are better than those that are already installed. This is possible because of the various factors that Windows Update uses to identify the specific drivers as well as the hardware.
For you to be able to use the deployment service, there are a number of requirements that devices must meet. And those requirements are as follows:
- Must be running Windows 10, version 1709 or later (or Windows 11),
- Must be joined to Azure Active Directory (AD) or Hybrid AD,
- Must have one of the following Windows 10 or Windows 11 editions installed: Pro, Enterprise, Education, Pro Education, or Pro for Workstations.
In addition to the above prerequisites, your organization must have one of the following subscriptions:
· Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5),
· Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5),
· Windows Virtual Desktop Access E3 or E5,
· Microsoft 365 Business Premium.
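The three device prerequisites listed above can be checked per device with a short script. The following is an added example, not code from Microsoft or from the original article. It assumes that Windows 10 version 1709 corresponds to build 16299, that the listed editions map to the `EditionID` registry strings shown, and that `dsregcmd /status` reports the `AzureAdJoined` and `DomainJoined` fields; the function name is hypothetical.

```powershell
# Added example (not from the original article). Assumptions: build 16299 = Windows 10 1709,
# the EditionID strings below, and the dsregcmd field names. Function name is hypothetical.
function Test-DeploymentServicePrereq {
    param(
        [int]$Build,              # CurrentBuildNumber, e.g. 19044
        [string]$EditionId,       # EditionID, e.g. 'Enterprise'
        [string[]]$DsregStatus    # lines of `dsregcmd /status` output
    )

    # Requirement 1: Windows 10 version 1709 (build 16299) or later, or Windows 11.
    $versionOk = $Build -ge 16299

    # Requirement 3: Pro, Enterprise, Education, Pro Education, Pro for Workstations.
    # N and LTSC variants report other EditionID values and come back as EditionOk = False.
    $editions  = 'Professional', 'Enterprise', 'Education',
                 'ProfessionalEducation', 'ProfessionalWorkstation'
    $editionOk = $editions -contains $EditionId

    # Requirement 2: Azure AD joined, or hybrid joined (Azure AD plus on-premises domain).
    $aad    = [bool]($DsregStatus -match '^\s*AzureAdJoined\s*:\s*YES\s*$')
    $domain = [bool]($DsregStatus -match '^\s*DomainJoined\s*:\s*YES\s*$')
    $join   = if ($aad -and $domain) { 'Hybrid' } elseif ($aad) { 'AzureAD' } else { 'None' }

    [pscustomobject]@{
        Build     = $Build
        VersionOk = $versionOk
        EditionId = $EditionId
        EditionOk = $editionOk
        JoinType  = $join
        Eligible  = $versionOk -and $editionOk -and ($join -ne 'None')
    }
}

# Constructed sample data: a hybrid-joined Enterprise device and a workgroup Home device.
$hybrid = 'AzureAdJoined : YES', 'DomainJoined : YES'
$none   = 'AzureAdJoined : NO',  'DomainJoined : NO'
Test-DeploymentServicePrereq -Build 19044 -EditionId 'Enterprise' -DsregStatus $hybrid
Test-DeploymentServicePrereq -Build 19044 -EditionId 'Core'       -DsregStatus $none

# On a Windows device, evaluate the live values as well.
if ($env:OS -eq 'Windows_NT') {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    Test-DeploymentServicePrereq -Build ([int]$cv.CurrentBuildNumber) `
        -EditionId $cv.EditionID -DsregStatus (dsregcmd /status)
}
```

The subscription requirement is a tenant licensing property and is not visible from the device, so it has to be verified separately.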
How does Windows Update for Business Deployment Service work?
Microsoft has designed WUfB Deployment Service to complement and work seamlessly with existing Windows Update for Business capabilities, such as existing device policies. Three main elements make up Windows Update for Business:
· Client policy to govern update experiences and timing – available through Group Policy and CSPs.
· Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell).
· Update Compliance to monitor update deployment – available through the Azure Marketplace.
One of the key differences between this new deployment service and the existing client policy is that it does not directly interact with devices. With the service being native to the cloud this means that all interactions will take place between the different Microsoft services.
So what you’ll then end up with is a direct communication channel between management tools and the Windows Update service. As a result, the approval and offering of content is something that IT pros will directly control.
For the most part, when using this deployment service things will usually proceed as below:
1) An IT pro leverages a management tool to pick devices and approve content to be deployed. The management tool used can be either PowerShell or a Microsoft Graph app. You can even opt for a more complete management solution such as Microsoft Endpoint Manager.
2) The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
3) The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
Types of updates on offer
Another thing that IT pros should be interested in knowing is just what kinds of updates will be available to them. Windows Update for Business manages policies for several types of updates to Windows 10 devices:
· Feature updates – in addition to security and quality revisions, feature updates also provide feature additions and changes. And they are released as soon as they are available.
· Quality updates – this type of update is the traditional OS update that normally becomes available on the second Tuesday of every month. These will include security, critical, and driver updates. Under Windows Update for Business, non-Windows updates such as those for Microsoft Office or Visual Studio have also been considered quality updates. They are defined as Microsoft updates and devices can be programmed to receive them with their Windows updates.
· Driver updates – these updates are for your necessary, non-Microsoft drivers and are on by default. You can, however, use Windows Update for Business policies to turn them off.
· Microsoft product updates – updates for other Microsoft products that are off by default and can be turned on by using Windows Update for Business policies. These other products can include things such as versions of Office that are installed by using Windows Installer (MSI).
To get started using the deployment service, there are a few ways you can go about it. You can use a management tool built on the platform, script common actions using PowerShell, or build your own application.
Microsoft Endpoint Manager – using Microsoft Endpoint Manager gives you the advantage of using a platform that integrates with the deployment service to provide Windows client update management capabilities.
PowerShell – scripting common actions using PowerShell is another way to go. The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions.
Building your own application – Microsoft Graph makes deployment service APIs available. There are a couple of learning paths that you can get started with:
1) Learning Path: Microsoft Graph Fundamentals
2) Learning Path: Build apps with Microsoft Graph
As soon as you are comfortable with Microsoft Graph development, you can find more information in the Windows updates API overview in Microsoft Graph.
Enhancing the update process
For years, IT admins and device managers have voiced their displeasure at the lack of control over Windows Updates. And by taking this feedback into consideration, Microsoft is now hoping to address the issues at hand using the Windows Update for Business Deployment Service.
The cloud-based service will provide features that will help IT pros approve, schedule, and monitor updates. The greater control that this provides means that the update process will be a lot smoother for all devices on the network. And this is regardless of where that device may be.
Insofar as the new deployment service can deliver on its multiple promises, it is bringing a massive upgrade to the existing update process, along with the needed stability and reliability.