Streamlining IT with Windows Update for Business Deployment Service

In March of 2021, at its Ignite developers conference, Microsoft announced several new features and functionality designed to better help IT manage Windows. One of those key announcements was about Windows Update for Business Deployment Service (WUfB Deployment Service). Plenty of businesses are still comfortable using 2005’s Windows Server Update Services (WSUS). However, Microsoft views WUfB Deployment Service as an important part of the drive to migrate IT to the cloud.

According to the announcement and details shared, Windows Update for Business Deployment Service for both drivers and firmware will be available in Microsoft Endpoint Manager. It will also be available in Microsoft Graph as a public preview from the first half of 2022.

What exactly is WUfB Deployment Service?

The key thing most IT pros would like to know is what exactly this new service is. Microsoft describes Windows Update for Business Deployment Service as a cloud service that is part of the Windows Update for Business product family.

It is a service that will allow control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. And the beauty of it is that Microsoft says it will integrate seamlessly with existing Windows Update for Business policies.

IT pros should look forward to a platform that enables them to meet the goals of their business. They’ll also welcome the ability to meet the needs of end-users, regardless of where they may be. And this is crucially important, given the difficult time the world has been facing recently.

The need for more efficient cloud services is part of what is driving Microsoft to create services like the deployment service. It comes as an enterprise-grade solution that will enhance the existing servicing platform that Microsoft AI provides. And it will impact more than a billion devices across the globe.


Those looking forward to using the new Windows Update for Business Deployment Service for drivers and firmware should expect the public preview to become available starting with the first half of 2022. According to Microsoft, this will be available in Microsoft Endpoint Manager and Microsoft Graph.

In addition, a management reporting system for driver servicing capabilities is also on the way when the new service reaches public preview. This will allow you to access reports as Workbooks using Windows Update for Business: Update Compliance. 

The availability of reporting will extend to all recommended and approved updates that require attention. And these include drill-downs designed to reveal individual device impact. Public preview for the service should arrive in January 2022 for Microsoft Graph and the first half of 2022 for Intune.

Built for IT professionals

According to the information that Microsoft has given us, this deployment service takes into consideration feedback from their clients. Below are the capabilities WUfB Deployment Service provides:

IT will maintain control – You get to approve and schedule Windows content delivered from Windows Update. These approvals include feature updates, quality updates, drivers, and firmware. It means the IT pro has the final say. And any content they do not approve will not deploy.

Easy to adopt – Integrating the deployment service with Microsoft Endpoint Manager, either through the cloud-only controls or co-management, allows for easy adoption of content and features. As a result, this can be done at your convenience without having to worry about implementing all these changes at one time.

Responsive to change – Delivering innovation and new features through cloud services makes it easy for users to adopt. Capabilities are also common across OS releases. And you’ll no longer need to install an update to access new update controls.

Compliant and privacy-focused – WUfB deployment service fulfills the necessary compliance regulations. IT professionals will be happy to know the deployment service is ISO 27001, FedRAMP High, HiTRUST, and SOC II certified.

Enhancing deployment processes

Simplifying deployment processes can help your organization operate with greater efficiency. By leveraging Windows Update for Business Deployment Service, IT professionals can significantly extend the management plane available to devices connecting to Windows Update. This should then allow you to:

  • Schedule update deployments to begin on a specific date that is convenient to your organization.
  • Stage deployments over a period of time using rich expressions. This enables you to make deployments to a given number of devices each day.
  • Bypass pre-configured Windows Update for Business policies to quickly deploy a security update across your organization when emergencies arise.
  • Ensure coverage of hardware and software in your organization through deployments. These can be tailored to your unique device population through automatic piloting.
  • Leverage Microsoft ML to automatically identify and pause deployments to devices that are likely to be impacted by a safeguard hold.
  • Manage driver and firmware updates, just like feature updates and quality updates.

What you stand to gain

This new deployment service will present IT admins with plenty of exciting new features. When the service becomes available, it will enable IT admins to choose the right drivers for the devices that they are responsible for managing.

They will do so by browsing the entire collection of drivers from independent hardware vendors and original equipment manufacturers available on Windows Update. 

Most end-users will be extremely grateful for this option because it relieves them of having to go through the entire Windows catalog to pick drivers themselves. By having IT admins perform this task, organizations will significantly reduce the risk of having incorrect or outdated drivers installed on company devices.

Also, businesses stand to benefit from regular deployment of driver updates from Windows Update. These benefits include that your devices will receive just the right drivers from Windows Update as well as getting new drivers and fixes regularly from the hardware ecosystem. All of this is key in ensuring that security issues are mitigated and your organization operates more efficiently.

Another benefit of this service for IT admins is that it simplifies the process of identifying the right drivers for the various devices. This is because Windows Update automatically evaluates all the data the device sends when it scans the service, and identifies drivers on the service that are better than those already in place. This is possible because of the various factors Windows Update uses to identify the specific drivers, as well as the hardware.


For you to be able to use the deployment service, there are a number of requirements that devices must meet. And those requirements are as follows:

  • Must be running Windows 10, version 1709 or later (or Windows 11).
  • Must be joined to Azure Active Directory (AD) or Hybrid AD.
  • Must have one of the following Windows 10 or Windows 11 editions installed: Pro, Enterprise, Education, Pro Education, or Pro for Workstations.

In addition to the above prerequisites, your organization must have one of the following subscriptions:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

How does Windows Update for Business Deployment Service work?

Microsoft intends for WUfB Deployment Service to complement and work seamlessly with existing Windows Update for Business capabilities. This includes existing device policies, among others. There are three main elements that make up Windows Update for Business:

1. Client policy to govern update experiences and timing – available through Group Policy and CSPs.

2. Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell).

3. Update Compliance to monitor update deployment – available through the Azure Marketplace.

One of the key differences between this new deployment service and the existing client policy is that it does not directly interact with devices. With the service being native to the cloud this means that all interactions will take place between the different Microsoft services. 

So what you’ll then end up with is a direct communication channel between management tools and the Windows Update service. As a result, the approval and offering of content is something that IT pros will directly control.

For the most part, when using this deployment service things will usually proceed as below:

1) An IT pro leverages a management tool to pick devices and approve content to be deployed. The management tool used can be either PowerShell or a Microsoft Graph app. You can even opt for a more complete management solution such as Microsoft Endpoint Manager.

2) The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.

3) The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
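As an added illustration (not Microsoft's code and not part of the original article), the following Python model ties the three steps above to the staged-deployment and safeguard-hold capabilities listed earlier: unapproved content is never offered, held devices are skipped, and the remaining devices are offered the update in daily waves. All class, function, and device names are hypothetical and are not Microsoft Graph API names; the fleet and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Simplified model of the approval -> applicability -> offer flow.
# Every name here is hypothetical; none is a Microsoft Graph identifier.

@dataclass(frozen=True)
class Device:
    name: str
    safeguard_hold: bool = False  # constructed flag: device likely hit by a known issue

def plan_offers(devices, content, approved, start, per_wave, interval_days=1):
    """Return (offers, held).

    offers maps device name -> first date the content is offered.
    held lists devices skipped because of a safeguard hold.
    """
    if per_wave < 1 or interval_days < 1:
        raise ValueError("per_wave and interval_days must be positive")
    if content not in approved:
        return {}, []  # IT did not approve it, so nothing is offered
    held = [d.name for d in devices if d.safeguard_hold]
    eligible = [d for d in devices if not d.safeguard_hold]
    offers = {
        d.name: start + timedelta(days=(i // per_wave) * interval_days)
        for i, d in enumerate(eligible)
    }
    return offers, held

def completion_date(offers):
    """Date on which the last wave is offered, or None if nothing is planned."""
    return max(offers.values()) if offers else None

# Constructed sample fleet and approval set.
FLEET = [Device("pc-01"), Device("pc-02"), Device("pc-03", safeguard_hold=True),
         Device("pc-04"), Device("pc-05")]
APPROVED = {"driver-A"}

if __name__ == "__main__":
    offers, held = plan_offers(FLEET, "driver-A", APPROVED,
                               date(2022, 2, 1), per_wave=2)
    for name, day in offers.items():
        print(f"{name}: offered from {day.isoformat()}")
    print("held back:", held)
    print("last wave:", completion_date(offers))
```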

Types of updates on offer

Another thing that IT pros should be interested in knowing is just what kinds of updates will be available to them. Windows Update for Business manages policies for several types of updates to Windows 10 devices:

  • Feature updates – in addition to security and quality revisions, feature updates also provide feature additions and changes. And they are released as soon as they are available.

  • Quality updates – this type of update is the traditional OS update that normally becomes available on the second Tuesday of every month. These will include security, critical, and driver updates. Under Windows Update for Business, non-Windows updates such as those for Microsoft Office or Visual Studio have also been considered quality updates. They are defined as Microsoft updates and devices can be programmed to receive them with their Windows updates.

  • Driver updates – these updates are for your necessary, non-Microsoft drivers and are on by default. You can, however, use Windows Update for Business policies to turn them off.

  • Microsoft product updates – updates for additional Microsoft products that are off by default and can be turned on by using Windows Update for Business policies. These other products can include things such as versions of Office that are installed by using Windows Installer (MSI).

Getting started

To get started using the deployment service, there are a few ways to go about it. You can use a management tool built on the platform, script common actions using PowerShell, or build your own application.

Microsoft Endpoint Manager – using Microsoft Endpoint Manager gives you the advantage of using a platform that integrates with the deployment service to provide Windows client update management capabilities.

PowerShell – scripting common actions using PowerShell is another way to go. The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions.

Building your own application – Microsoft Graph makes deployment service APIs available. There are a couple of learning paths that you can get started with:

1) Learning Path: Microsoft Graph Fundamentals

2) Learning Path: Build apps with Microsoft Graph

As soon as you are comfortable with Microsoft Graph development, you can find more information in the Windows updates API overview in Microsoft Graph.

Enhancing the update process

For years, IT admins and device managers have voiced their displeasure at the lack of control over Windows Updates. By taking this feedback into consideration, Microsoft is now hoping to address the issues at hand using the Windows Update for Business Deployment Service.

The cloud-based service will provide features that will help IT pros approve, schedule, and monitor updates. The greater control that this provides means that the update process will be a lot smoother for all devices on the network. And this is regardless of where that device may be. 

So long as the new deployment service can deliver on its multiple promises, it is bringing a massive upgrade to the existing update process, along with the needed stability and reliability.
