Automating Windows Update for Business

Download the script pack here.

We are waving the white flag

The year is 2009. Here at Virtual Administrator we are running several on-premise Kaseya servers. These pre-date the Kaseya cloud offerings, and since the on-premise servers weren’t originally designed for multi-tenancy we have a unique perk available to us: we can control Windows Updates for our partners.

Those who remember the good ol’ days will recall that this was a fantastic service that we have been able to provide over the years, and those who are still on our Hosted Kaseya servers (yes, they are still a fantastic option, even now in 2021) have had nothing but great things to say about our Windows Update services.

But here in 2021, with a new major version of Windows coming at the end of June, things have long since soured for RMM management of updates.

No longer can you pick and choose which “Quality Updates” (aka security and update patches) to apply. Instead, you get one large roll-up patch. Over the last few years RMM software and MSPs have waged a silent war to wrestle control back from Microsoft.

While the Pro editions of Windows can simply disable Windows Update, this opens a whole new can of worms. Disabling Windows Update also means that the “Feature Updates” (aka version updates) do not get applied, leaving you with a fleet of outdated machines whose only upgrade path is a script or manually running the Windows 10 Update Assistant.

But, as a part of this back and forth between IT Professionals and Microsoft, a new methodology was released as a sort of olive branch between being forced to completely disable Windows Updates and just allowing Windows Update to automatically apply updates without any control.

Introducing Windows Update for Business (WuFB).

Windows Update for Business sits somewhere between disabling Windows Update altogether and allowing the endpoint to use Windows Automatic Updates, and the best part is that in recent months Microsoft has been fleshing out the features of this update management process.

So, in typical Virtual Administrator fashion we wrote automation scripts to control and manage WuFB for your MSP.

Because at the end of the day, if you can’t beat ’em, join ’em!

What Can You Do With WuFB?

User Experience is the point of WuFB (pronounced woof-be). Windows Automatic Updates were built with consumers in mind, but corporate IT providers and users have different needs.

Every so often you’ll hear of a Windows machine rebooting in the middle of a live-streamed presentation or some other critical task, and the culprit is almost always Windows Automatic Updates. This is obviously unacceptable behavior in almost any business environment.

Your PCs should be working to earn you money, not cost you money. WuFB is Microsoft’s answer for IT Providers who want more control over that experience.

WuFB allows you to define “rings” where you can control who gets updates and when they get them.  

Rings are admin defined groups that allow you to stage rollouts of Windows updates. We have built out a few specific rings which you can find in our scripts. They are as follows:

  • Insider Release Preview. This ring receives pre-release (beta) patches and should only be used on non-production machines.
  • Normal / Targeted. This ring updates as Microsoft releases updates. Deploy it to a small subset of your endpoints so you can see how updates interact with your clients as they are released. More technically savvy users are the ideal targets for this normal release schedule.
  • Delayed. This delays quality updates for 15 days and feature updates for 30 days. It is best for the majority of your userbase and gives you time to see whether any major problems crop up with newly released patches from Microsoft.
  • Slow. For mission-critical machines, this delays quality updates for 30 days and feature updates for 60 days. Keep in mind that security becomes more and more of a concern the longer you delay releasing updates to machines.

Most of us (IT Providers) have wanted to control when patches are applied, because frankly we don’t trust Microsoft not to blue-screen our network! The “ring” concept mimics that: only a small subset gets early patches, giving you enough time to stop the process for the rest of the group if something bad happens.

If an update is causing trouble you can use another script we released to simply pause updates on your machines until you think it is safe to re-enable them. Then use another script to undo the pause.

While you are still limited in how long you can delay updates (up to 35 days for Quality Updates or 1 year for Feature Updates), you can push them off, giving you plenty of time to manually install updates on the machine over the course of the next month and confirm they are functioning properly.
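As an added example (not code from the script pack linked above), here is how the four rings and the pause/unpause steps described above map onto the Windows Update for Business policy values when written directly to the local policy registry key. The function names, the ring-to-value table and the date format used for the pause start are my own assumptions; the day counts are the ones the rings above specify.

```powershell
# Added example: apply a WuFB ring, or pause/resume updates, via local policy values.
$WuPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PauseNames = 'PauseQualityUpdates', 'PauseQualityUpdatesStartTime',
              'PauseFeatureUpdates', 'PauseFeatureUpdatesStartTime'

# BranchReadinessLevel: 8 = Release Preview, 16 = Semi-Annual Channel (Targeted),
# 32 = Semi-Annual Channel. Deferral days follow the ring list in the article.
$Rings = @{
    'InsiderReleasePreview' = @{ Branch = 8;  QualityDays = 0;  FeatureDays = 0  }
    'Normal'                = @{ Branch = 16; QualityDays = 0;  FeatureDays = 0  }
    'Delayed'               = @{ Branch = 32; QualityDays = 15; FeatureDays = 30 }
    'Slow'                  = @{ Branch = 32; QualityDays = 30; FeatureDays = 60 }
}

function Set-WufbRing {
    param([Parameter(Mandatory)]
          [ValidateSet('InsiderReleasePreview', 'Normal', 'Delayed', 'Slow')][string]$Ring)
    $r = $Rings[$Ring]
    New-Item -Path $WuPolicy -Force | Out-Null
    Set-ItemProperty -Path $WuPolicy -Name BranchReadinessLevel            -Value $r.Branch      -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferQualityUpdates             -Value 1              -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferQualityUpdatesPeriodInDays -Value $r.QualityDays -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferFeatureUpdates             -Value 1              -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferFeatureUpdatesPeriodInDays -Value $r.FeatureDays -Type DWord
    # Clear any pause left over from an earlier incident so the ring actually takes effect.
    Remove-ItemProperty -Path $WuPolicy -Name $PauseNames -ErrorAction SilentlyContinue
}

function Suspend-WufbUpdates {
    # Pause both update types starting today. Windows lifts a pause on its own after
    # 35 days, so a forgotten pause does not leave the machine unpatched indefinitely.
    $start = (Get-Date).ToString('yyyy-MM-dd')   # assumed format (what the policy editor writes)
    New-Item -Path $WuPolicy -Force | Out-Null
    foreach ($kind in 'Quality', 'Feature') {
        Set-ItemProperty -Path $WuPolicy -Name "Pause${kind}Updates"          -Value 1      -Type DWord
        Set-ItemProperty -Path $WuPolicy -Name "Pause${kind}UpdatesStartTime" -Value $start -Type String
    }
}

function Resume-WufbUpdates {
    # Undo the pause; the ring's deferral values remain in place.
    Remove-ItemProperty -Path $WuPolicy -Name $PauseNames -ErrorAction SilentlyContinue
}
```

Run as an administrator; the values take effect the next time the Windows Update client evaluates policy, or immediately after `gpupdate /force`.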

Controlling the Update Experience

The update experience is much better with a little tweaking. Using some of these new scripts you can remotely deploy the following quality-of-life improvements to your end-users.

Update Schedules

Now it is easier than ever to control:

  • What time of day updates are applied, down to the hour.
  • What day of the week updates are installed.
  • What week of the month updates are installed.

You can also set active hours via script so clients are not interrupted during their workday by update downloads and installs.

So you can create maintenance windows and teach your end-users to expect updates during that time. Instead of Windows machines constantly bugging your end-users to install the latest update, your users will know that 4pm on Monday in the fourth week of the month is patch day and can expect patches to be applied then. Or whatever schedule works best for you and your clients.

This gives an impressive amount of control, and by scripting these policies we have brought a lot of that control back into Kaseya where we feel it has belonged this whole time.

The Reminder Experience

Another annoying thing about Windows Update that WuFB brings under control is the reminder experience.

You can control how updates are downloaded and applied. For example, you can have a reminder to begin the download process but then install automatically. This is great for offices where Internet bandwidth is a limited resource and users do not want Windows Update consuming it whenever it pleases.

Alternatively, you could have updates automatically download, but then prompt to be installed.

Finally, you could make the entire process happen without user input, so updates are downloaded and installed without any user feedback. This is how Windows Update works by default.

You can also leave this control in the hands of the local admin on the machine, if you have a picky end-user who prefers to control this process.

We also created a “service” setting, which notifies on download, install, and restart, giving you tight control over the machine as updates are applied.
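As an added example serving both the “Update Schedules” section and this one (again not code from the script pack), the function below sets one of the notification modes just described together with the day, hour and week-of-month schedule, using the Configure Automatic Updates policy values, and sets active hours so restarts stay out of the working day. The mode names, function name and parameter defaults are my own; the closing call reproduces the article's Monday-at-4pm, fourth-week schedule.

```powershell
# Added example: notification mode + install schedule + active hours via local policy.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

# AUOptions values of the Configure Automatic Updates policy, named after the article's modes.
$Modes = @{
    NotifyDownloadAutoInstall    = 2   # remind to download, then install automatically (low bandwidth)
    AutoDownloadNotifyInstall    = 3   # download silently, prompt to install
    AutoDownloadScheduleInstall  = 4   # fully automatic, installed at the scheduled day/time
    LocalAdminChooses            = 5   # leave the choice to the local admin
    NotifyDownloadInstallRestart = 7   # the "service" setting: notify on download, install and restart
}

function Set-WufbInstallSchedule {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NotifyDownloadAutoInstall', 'AutoDownloadNotifyInstall',
                     'AutoDownloadScheduleInstall', 'LocalAdminChooses',
                     'NotifyDownloadInstallRestart')][string]$Mode,
        [ValidateRange(0, 7)][int]$Day = 0,         # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0, 23)][int]$Hour = 3,       # local hour at which the install starts
        [ValidateSet('Every', 'First', 'Second', 'Third', 'Fourth')][string]$Week = 'Every',
        [ValidateRange(0, 23)][int]$ActiveStart = 8,
        [ValidateRange(0, 23)][int]$ActiveEnd = 18  # the active-hours window may span at most 18 hours
    )
    New-Item -Path $AuPolicy -Force | Out-Null
    Set-ItemProperty -Path $AuPolicy -Name NoAutoUpdate         -Value 0             -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name AUOptions            -Value $Modes[$Mode] -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallDay  -Value $Day          -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallTime -Value $Hour         -Type DWord
    # Exactly one week-of-month flag is set; the rest are cleared so an older policy cannot linger.
    foreach ($w in 'Every', 'First', 'Second', 'Third', 'Fourth') {
        $flag = if ($w -eq $Week) { 1 } else { 0 }
        Set-ItemProperty -Path $AuPolicy -Name "ScheduledInstall${w}Week" -Value $flag -Type DWord
    }
    # Active hours keep restarts out of the working day regardless of the mode chosen above.
    Set-ItemProperty -Path $WuPolicy -Name SetActiveHours   -Value 1            -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name ActiveHoursStart -Value $ActiveStart -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name ActiveHoursEnd   -Value $ActiveEnd   -Type DWord
}

# The article's example schedule: 4pm on Monday (day 2) in the fourth week, fully automatic.
Set-WufbInstallSchedule -Mode AutoDownloadScheduleInstall -Day 2 -Hour 16 -Week Fourth
```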

User Visibility

In addition to controlling how intrusive updates are to the end user, we also found a way to completely hide the Windows Update features from end users. If you have people who are constantly touching buttons, this is a way to keep prying fingers from manually running Windows Update outside of your scheduled window.

Controlling What is Updated

While features are still a bit thin in this department, there are several interesting things you can manage here. Using scripts, it is possible to remotely tell machines to:

  • Enable or disable automatic update of Microsoft 365 applications.
  • Delay Windows Feature Updates.
  • Delay Windows Quality Updates.
  • Disable Automatic Driver Updates.

I can think of a few situations where a driver update led to everyone’s favorite blue screen of death. While it does not happen often, it is nice to know there is a way to control that on machines with finicky drivers.
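As an added example (not from the script pack), the functions below switch the driver-exclusion and hidden-UI settings from the last two sections on or off, and then read the whole WuFB policy back as an audit record so an RMM can flag endpoints that have automatic updates disabled outright, are deferred further than intended, or have been sitting in a pause past the 35-day limit. The function names and the audit thresholds are assumptions; Microsoft 365 application updates are not covered here.

```powershell
# Added example: driver/UI controls plus an audit read-back of the WuFB policy values.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (no policy set), instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-WufbUpdateContent {
    # Keep drivers out of quality updates and/or remove the Windows Update UI from users.
    param([switch]$ExcludeDrivers, [switch]$HideUpdateUI)
    New-Item -Path $WuPolicy -Force | Out-Null
    Set-ItemProperty -Path $WuPolicy -Name ExcludeWUDriversInQualityUpdate -Value ([int]$ExcludeDrivers.IsPresent) -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name SetDisableUXWUAccess            -Value ([int]$HideUpdateUI.IsPresent)   -Type DWord
}

function Get-WufbAudit {
    # Thresholds are assumptions: 30 days is the "Slow" ring's quality deferral, 35 the pause limit.
    param([int]$MaxQualityDeferDays = 30, [int]$MaxPauseDays = 35)
    $pauseStart = Get-PolicyValue $WuPolicy 'PauseQualityUpdatesStartTime'
    $pausedFor  = if ($pauseStart) { ((Get-Date) - [datetime]$pauseStart).Days } else { $null }
    $quality    = Get-PolicyValue $WuPolicy 'DeferQualityUpdatesPeriodInDays'
    $autoOff    = (Get-PolicyValue $AuPolicy 'NoAutoUpdate') -eq 1
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AutoUpdateDisabled = $autoOff
        AUOptions          = Get-PolicyValue $AuPolicy 'AUOptions'
        QualityDeferDays   = $quality
        FeatureDeferDays   = Get-PolicyValue $WuPolicy 'DeferFeatureUpdatesPeriodInDays'
        QualityPausedDays  = $pausedFor
        DriversExcluded    = (Get-PolicyValue $WuPolicy 'ExcludeWUDriversInQualityUpdate') -eq 1
        UpdateUIHidden     = (Get-PolicyValue $WuPolicy 'SetDisableUXWUAccess') -eq 1
        Findings           = @(
            if ($autoOff) { 'Automatic updates disabled outright; machine will not patch itself' }
            if ($quality -gt $MaxQualityDeferDays) { "Quality deferral of $quality days exceeds $MaxQualityDeferDays" }
            if ($null -ne $pausedFor -and $pausedFor -gt $MaxPauseDays) { "Pause started $pausedFor days ago; it has expired or been forgotten" }
        )
    }
}

# Typical use: exclude drivers, hide the UI, then emit the audit record for the RMM to collect.
Set-WufbUpdateContent -ExcludeDrivers -HideUpdateUI
Get-WufbAudit | ConvertTo-Json -Compress
```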

Conclusion

You will need to decide: do you continue to disable all Windows Updates, or do you implement a patch plan using WuFB? Our team has spent the last two months digging through the inner workings of WuFB and trying to plot out the best solutions for our partners and their end-users. We suggest that you pick one or two customers and do a WuFB beta test. Continue to use Kaseya to audit, but let Microsoft have control.

We really think that we have landed on something special here with this new lineup of scripts and hope that you feel the same.

By doing this as a series of scripts, you can have a toolset at your fingertips to manage Windows Updates and really control the end-user experience, minimizing the impact of Windows Update on productivity. It can run during off-hours and be less of a bother to your users. They will know when to expect updates and you will have a window to postpone updates should machines be reacting poorly to the latest updates (which has been known to happen with Windows Update).

Do be sure to let us know if you run into trouble with any of these scripts. We have done extensive testing, but things change over time and it is possible we’ll have to make adjustments to keep up.

Stay tuned for our next endeavor!

Download the script pack here.