ARN

Why it's time to review Microsoft patch management options

Microsoft does not appear to be updating Windows Software Update Services, but newer patch management options might be a better choice.

You have several options to manage patching on Microsoft networks: let machines independently update or use a third-party patching tool, Windows Software Update Services (WSUS), or another Microsoft management product.

If you are still using WSUS as your key patching tool, you may want to review your options. Microsoft is developing additional patching tools that will allow you to better manage systems and control administrative access.

Is WSUS on the way out?

Microsoft has long kept the status quo for WSUS, its on-premises patching product. It still supports WSUS, but Microsoft does not appear to be making new investments in the platform. Case in point: if your WSUS server fails on syncing, disable the Windows category “Windows Insider Dev Channel.”

Selecting this category creates an error message during synchronisation. Microsoft is aware of the issue but has not given any estimated time for a fix. WSUS has not been updated in years. If you are considering using WSUS as your go-to patching platform, budget for a subscription to WSUS Automated Maintenance, which includes scripts and routines to optimise WSUS.
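As an added illustration (not code from the article or from Microsoft), the following PowerShell removes one product category from a WSUS server's synchronisation subscription through the WSUS administration API, so the next sync no longer trips on it; the function name is constructed for this example, and the category title is the one the article gives, which should be checked against what the console actually lists.

```powershell
# Added example: drop a single product category from the WSUS sync subscription.
# Requires the UpdateServices module (present on the WSUS server or on a host with
# the WSUS administration console installed) and an elevated session.
Import-Module UpdateServices

function Remove-WsusSyncCategory {
    param([Parameter(Mandatory)] [string] $Title)   # category title exactly as WSUS lists it

    $wsus = Get-WsusServer                            # local WSUS server, default port
    $sub  = $wsus.GetSubscription()
    $keep = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
    $removed = 0

    # Rebuild the selected-category list without the offending title.
    foreach ($cat in $sub.GetUpdateCategories()) {
        if ($cat.Title -eq $Title) { $removed++ } else { [void]$keep.Add($cat) }
    }
    if ($removed -eq 0) {
        Write-Warning "Category '$Title' is not selected for sync; nothing changed."
        return
    }
    $sub.SetUpdateCategories($keep)
    $sub.Save()
    "Removed '$Title'; $($keep.Count) categories remain selected for synchronisation."
}

# Title taken from the article; confirm it under Options > Products and Classifications first.
Remove-WsusSyncCategory -Title 'Windows Insider Dev Channel'

# Kick off a sync afterwards and inspect the outcome of the most recent one.
$subscription = (Get-WsusServer).GetSubscription()
$subscription.StartSynchronization()
$subscription.GetLastSynchronizationInfo() | Format-List StartTime, EndTime, Result
```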

What is Microsoft doing to enhance patch management? After the pandemic, many of us pivoted to hybrid deployments and had to handle patch management both on premises and for remote systems.

Trying to patch hybrid systems put all that Microsoft 365 traffic across the VPN. Microsoft issued recommendations regarding split tunnelling to allow the patching traffic to go across the local network connection while maintaining controls and approvals.

Windows Update for Business

Clearly, we need more options to control patching with a cloud focus. Microsoft has been working on options that would allow more control without having to rely on an on-premises server. First, Microsoft introduced Windows Update for Business. This is a group of Group Policy settings that allow you to set controls for updating without using WSUS, but it lacked reporting – until recently.
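As an added illustration (not code from the article or from Microsoft), the following PowerShell applies and then reads back Windows Update for Business deferral settings on a single device through the policy registry values that the corresponding Group Policy settings write. The key paths and value names are the documented policy locations; the deferral periods and the function names are constructed for this example, and in production these values would be delivered by Group Policy or Intune rather than set by hand.

```powershell
# Added example: set and verify Windows Update for Business deferral policy on one device.
# Run in an elevated session. A domain GPO that manages these keys overwrites them on refresh.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Set-WufbDeferralPolicy {
    param(
        [ValidateRange(0, 30)]  [int] $QualityDeferralDays,   # monthly quality/security updates
        [ValidateRange(0, 365)] [int] $FeatureDeferralDays    # feature (version) updates
    )
    New-Item -Path $PolicyKey -Force | Out-Null
    New-Item -Path $AuKey     -Force | Out-Null
    # BranchReadinessLevel 16 = General Availability channel, i.e. not an Insider channel.
    Set-ItemProperty -Path $PolicyKey -Name BranchReadinessLevel            -Value 16                   -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DeferQualityUpdates             -Value 1                    -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DeferQualityUpdatesPeriodInDays -Value $QualityDeferralDays -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DeferFeatureUpdates             -Value 1                    -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DeferFeatureUpdatesPeriodInDays -Value $FeatureDeferralDays -Type DWord
    # Take updates from the Windows Update service rather than a WSUS server. A device that
    # is pointed at WSUS and also receives deferral policies scans Windows Update for those
    # update classes ("dual scan") and can install updates that were never approved in WSUS.
    Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 0 -Type DWord
}

function Get-WufbDeferralPolicy {
    # Returns the effective values so a device can be audited before it is trusted to
    # patch itself; values that were never set come back as $null.
    $p  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        BranchReadinessLevel = $p.BranchReadinessLevel
        QualityDeferralDays  = $p.DeferQualityUpdatesPeriodInDays
        FeatureDeferralDays  = $p.DeferFeatureUpdatesPeriodInDays
        UsesWsusServer       = ($au.UseWUServer -eq 1)
    }
}

# Constructed values: a one-week quality deferral and a 60-day feature deferral.
Set-WufbDeferralPolicy -QualityDeferralDays 7 -FeatureDeferralDays 60
Get-WufbDeferralPolicy | Format-List
```

The read-back function is the useful half for a fleet check: run it via your remoting tool of choice and flag any device that still reports UsesWsusServer as True or a null deferral period.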

Currently in preview, Windows Update for Business Reports has a few prerequisites. Your environment and devices must meet the following requirements:

  • You must have an Azure subscription with Azure Active Directory (Azure AD).
  • Devices must be Azure AD-joined and meet OS, diagnostic, and endpoint access requirements.
  • Devices can be Azure AD joined or hybrid Azure AD joined.
  • Devices that are Azure AD registered only (Workplace joined) aren't supported with Windows Update for Business reports.
  • The Log Analytics workspace must be in a supported region.

Windows Update for Business Reports does not support devices that are Azure AD registered only (Workplace joined).

To enrol in Windows Update for Business Reports, go to the Microsoft 365 admin centre, edit the configuration settings, display and edit the workbook, and view the Windows tab on the Software Updates page. Review in that console whether your devices are up to date on their Microsoft 365 deployments; from there you can sign up for the report section under “Windows.”

Click on “Windows” and then on “Configure settings”. Choose an Azure subscription and set up a Log Analytics workspace for the reports. It will take approximately 24 hours before reporting will begin.

Windows Autopatch

Microsoft has another patch management service for those with an E3 or E5 subscription.

As Microsoft notes, “Windows Autopatch is a service that removes the need for organisations to plan and operate the update process. Windows Autopatch moves the burden from your IT to Microsoft. Windows Autopatch uses Windows Update for Business and other service components to update devices. Both are part of Windows Enterprise E3.”

Like the Windows Update for Business Reports prerequisites, you will need machines that are purely Azure AD-joined or hybrid Azure AD-joined to participate.

The prerequisites include:

  • Supported Windows 10/11 Enterprise and Professional edition versions
  • Azure Active Directory (Azure AD) Premium
  • Hybrid Azure AD-Joined or Azure AD-joined only
  • A supported version of Configuration Manager
  • Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune (minimum Pilot Intune). Pilot collection must contain the devices you want to register into Autopatch.

The releases are then rolled out gradually based on “rings” that are selected automatically, from the Test ring to the Broad release ring over a 14-day period.

Microsoft Endpoint Privilege Management

Windows and Office updates are not the only security patches you should be concerned about. In a typical network, you often use remote-control, endpoint and antivirus, and driver management tools. All these tools bring risk to a network if they are not kept up to date.

While Microsoft’s Surface devices offer their drivers from within the Windows Update experience, the same cannot be said for other devices. Keeping these applications up to date requires deployment tools or administrative functions.

Microsoft will be coming out with more advanced management tools in upcoming additions to Intune. A new service called Endpoint Privilege Management will allow admins to automate and manage when an application needs administrative access.

You can set rules so that users can perform tasks such as installing and updating approved applications, printers, or other devices. It’s anticipated that these tools will release in March 2023.