Everything you Want to Know about Managing Windows Updates (Part 1)
Managing Windows updates is one of the most important jobs a Windows admin has today. The methods available to manage and deliver updates to Windows servers, desktops and laptops have changed a lot over the years. In this four-part series we outline the management options available today, break down how Windows Update for Business works, and explain why it should be the preferred option for today's enterprises. Before we get started, let's define what we mean by Windows updates.
Types of Windows Updates
There are two broad categories of Windows updates. The first is quality updates. These are the updates released on what we have traditionally come to know as 'Patch Tuesday' (the second Tuesday of each month). Quality updates are also referred to as cumulative updates or maintenance updates, because each one contains the fixes from all previous releases. Most quality updates address a security issue or fix a problem that affects the reliability or security of Windows; these are the ones you should treat as mandatory. Other quality updates are optional preview releases of non-security fixes and enhancements that are rolled into a later cumulative update. A reboot may be required once all newly downloaded quality updates are installed.
Then there are feature updates. Feature updates are made available twice a year and are known as semi-annual releases. You can think of a feature update as a new version of Windows. Feature updates can be deferred for up to 365 days, but each version is only supported by Microsoft for 18 months, so deferral buys time to test rather than a way to stay on an old version indefinitely: once support ends, a device stops receiving quality updates, including security fixes, until it moves to a newer version. Feature updates introduce new functionality as well as visual changes to the operating system. The objective is to continually improve Windows. A feature update may require a series of reboots to complete.
Now let's look at the three primary ways of managing Windows updates.
Windows Update (standalone)
This is the most basic way to manage Windows updates. The computer contacts Microsoft's update service (Windows Update or Microsoft Update) directly to learn which updates are available. The local admin can then either download and install those updates at a time of their choosing or let the automatic update schedule handle them. This one-to-one relationship between each computer and Microsoft is shown in the diagram below.
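What that one-to-one relationship looks like from the client's side, as an added example that is not part of the original article: the script below uses the Windows Update Agent (WUA) COM API that the standalone client itself uses. It lists the update services the agent is registered with (which is how you confirm a machine really is talking to Microsoft rather than to a WSUS server), scans Microsoft directly for applicable updates, and reports whether an earlier install still needs a reboot. It is read-only and assumes only an elevated PowerShell session on the client.

```powershell
# Added example (not from the original article): inspect a standalone client's
# update source and pending updates through the Windows Update Agent COM API.
# Run from an elevated PowerShell session on the client; nothing is installed.

# Which update services is the agent registered with, and which one is the
# default for Automatic Updates? On an unmanaged machine the default is
# "Windows Update" or "Microsoft Update"; a WSUS-managed client shows
# "Windows Server Update Service" instead, so this is the quickest way to
# check that a machine is in the 1:1 arrangement described above.
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$serviceManager.Services |
    Select-Object Name, IsDefaultAUService, IsManaged, ServiceUrl |
    Format-Table -AutoSize

# Scan for applicable updates the way the client does on its own schedule.
# ServerSelection 2 (ssWindowsUpdate) makes this scan go to Microsoft even if
# a WSUS policy is present; that is handy when diagnosing a broken WSUS client,
# but it must not be used to side-step an approval process.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 2
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# Report what is pending. MsrcSeverity is populated only for security updates,
# which separates the security fixes from reliability fixes and optional
# preview releases without parsing titles.
$report = foreach ($update in $result.Updates) {
    [pscustomobject]@{
        KB         = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title      = $update.Title
        Severity   = $update.MsrcSeverity          # empty for non-security updates
        Downloaded = $update.IsDownloaded
        Categories = ($update.Categories | ForEach-Object { $_.Name }) -join '; '
    }
}
$report | Sort-Object Severity | Format-Table -AutoSize

# The agent also knows whether a previous install is still waiting on a
# reboot, which is the "reboot may be required" caveat made checkable.
$pendingReboot = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
"Reboot pending from earlier updates: $pendingReboot"
```

Downloading and installing follow the same API (`CreateUpdateDownloader()` and `CreateUpdateInstaller()` on the session object), which is exactly what the local admin's "install now" click does; the point of the example is that every decision is made on, and visible only from, that one machine.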
Obviously, this method is not suitable for enterprise environments, as there is no way to centrally manage updates across multiple machines, enforce a schedule, or control which updates get installed. It is designed for personal users or very small SOHO environments.
Windows Server Update Services
Windows Server Update Services (WSUS) has been around for a long time and was once the primary way admins managed Windows updates in enterprise environments. WSUS was designed for a fully on-premises world. Think of the WSUS server as a local repository for Windows updates: rather than each Windows machine contacting Microsoft for updates and consuming internet bandwidth in the process, the WSUS server downloads updates once and serves them from local storage. It also gives admins control over what clients receive, because a WSUS client is only offered updates an admin has approved. Besides the WSUS server itself, WSUS requires a management interface, which can be one of the following:
- The WSUS Stand-alone console
- Group Policy
- Microsoft Endpoint Configuration Manager (MECM, formerly SCCM)
- A third-party management tool
Regardless of which management tool you choose, you must create policies to govern the update process. The policy must identify the WSUS server and define when updates are installed. Policies can be assigned to device groups or to individual devices. The admin then approves the updates they want to distribute, and the management tool passes the approved list to the WSUS server. When their assigned policy tells them to, Windows devices scan against the WSUS server instead of Microsoft, and the WSUS server offers each device any approved updates it is missing. This process is outlined below.
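The same workflow expressed as the settings and cmdlets behind it, as an added example that is not part of the original article. The first half shows the registry values that the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" Group Policy settings write on a client (set here directly for a test machine; in production a GPO or MECM delivers them). The second half runs on the WSUS server and uses the UpdateServices PowerShell module that ships with the WSUS role to approve missing security updates for a device group and check what clients report back. The server name `wsus.corp.example`, the SSL port 8531 and the group `Pilot Workstations` are assumptions for illustration. One caveat the article does not spell out: point clients at an `https://` URL. Over plain `http://` the update catalog and binaries can be rewritten by anyone on the network path between client and server, which is not a risk you want in the channel that delivers your security fixes.

```powershell
# Added example (not from the original article). Hypothetical names throughout:
# WSUS server wsus.corp.example on SSL port 8531, device group 'Pilot Workstations'.

# ---------- Client side: what the policy actually sets ----------
# Run elevated on a test client. These are the registry values that the WSUS
# Group Policy settings write; a GPO or MECM delivers the same values in production.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null

# Always HTTPS: over http:// the catalog and binaries are tamperable in transit.
Set-ItemProperty -Path $wu -Name WUServer       -Value 'https://wsus.corp.example:8531' -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value 'https://wsus.corp.example:8531' -Type String

# Client-side targeting: the device places itself in the named WSUS group, so the
# approvals made for that group apply to it.
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value 'Pilot Workstations' -Type String

# Scan WSUS instead of Microsoft, and define the install window.
Set-ItemProperty -Path $au -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord   # 4 = auto download, scheduled install
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00 local time

# Make the Windows Update Agent re-read policy and scan the WSUS server now
# rather than waiting for the next scheduled detection.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

# ---------- Server side: approve what the group is missing ----------
# Run on the WSUS server (UpdateServices module ships with the WSUS role).
Import-Module UpdateServices
$wsus = Get-WsusServer -Name 'wsus.corp.example' -PortNumber 8531 -UseSsl

# Security updates that at least one client reported as needed or failed and
# that nobody has approved yet: the admin's "what should I distribute?" list.
$pending = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
                          -Approval Unapproved -Status FailedOrNeeded

# Review before approving; approval is what makes the server offer an update.
$pending | ForEach-Object { $_.Update.Title }
$pending | Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot Workstations'

# Which clients in the group have checked in, and when they last reported status.
# A stale LastSyncTime is the first sign of a remote device that cannot reach WSUS.
Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups 'Pilot Workstations' |
    ForEach-Object { $_.Computer } |
    Select-Object FullDomainName, LastSyncTime, LastReportedStatusTime, LastSyncResult
```

The split matters: the client half decides where a device scans and when it installs, the server half decides what it is allowed to see. A device that never reaches the WSUS server is simply absent from the second list, which is the limitation discussed next.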
WSUS was once an ideal solution for managing Windows updates in enterprise environments, but it has two primary limitations today. The first is that Microsoft has not enhanced WSUS in years, and it is on a path to deprecation. The bigger factor is that the world has changed: WSUS cannot adequately serve hybrid and remote work models, because every Windows device must reach the WSUS server over the corporate network (directly or through a VPN) to scan for and download updates, so a laptop that rarely connects falls behind on patches. For this and other reasons, Windows Update for Business is a better choice in many cases. In our next blog segment we will look at the architecture of Windows Update for Business and how to implement it.