June 1, 2020 · Tips

Windows Update Analytics Using Update Compliance

For many years, my team has been using Windows Server Update Services (WSUS) to manage and control distribution of Windows Updates to our endpoints. Recently we decided that given our limited personnel resources, we should move to a more “hands-off” solution for Windows Updates. We set out to migrate our endpoints to Microsoft’s Windows Update For Business product.

Windows Update For Business pulls updates directly from Microsoft without a middleman WSUS server needed for management. “But can you control the flow of updates? Can you still get reports?” Yes, and yes.

Windows Update For Business allows you to define “deployment rings” that roll out updates to different sets of endpoints on staggered schedules. For example, one set of your endpoints might get updates as soon as they are available (Ring 0), another set 3-5 days later (Ring 1), and another set within 7-10 days (Ring 2). All of these groupings and deferral periods can be adjusted, and if a problematic monthly rollup is released, you can “pause” updates across all rings for an administrator-defined time period.
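As an added illustration (not a script from the original post), the following PowerShell applies one of the three rings described above to a single endpoint by writing the Windows Update for Business deferral policy values directly, and includes a helper for the “pause” case; it assumes the documented policy values under the WindowsUpdate policy key, and the feature-update deferral numbers are assumed since the post only gives quality-update timing.

```powershell
#Requires -RunAsAdministrator
# Added example: apply a deployment ring's deferral policy on one Windows 10 endpoint.
# Assumes the documented Windows Update for Business policy values under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Ring definitions. Quality (monthly rollup) deferrals follow the post:
# Ring 0 immediate, Ring 1 a few days later, Ring 2 within about ten days.
# Feature-update deferrals are assumed values for illustration.
$Rings = @{
    'Ring0' = @{ QualityDeferDays = 0;  FeatureDeferDays = 0  }
    'Ring1' = @{ QualityDeferDays = 5;  FeatureDeferDays = 30 }
    'Ring2' = @{ QualityDeferDays = 10; FeatureDeferDays = 60 }
}

function Set-DeploymentRing {
    param(
        [Parameter(Mandatory)][ValidateSet('Ring0', 'Ring1', 'Ring2')][string]$Ring
    )
    $r = $Rings[$Ring]
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # Deferral for quality updates (security / monthly rollups)
    Set-ItemProperty -Path $PolicyKey -Name 'DeferQualityUpdates' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'DeferQualityUpdatesPeriodInDays' -Value $r.QualityDeferDays -Type DWord

    # Deferral for feature updates (semi-annual releases)
    Set-ItemProperty -Path $PolicyKey -Name 'DeferFeatureUpdates' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'DeferFeatureUpdatesPeriodInDays' -Value $r.FeatureDeferDays -Type DWord

    # Re-applying a ring also clears any earlier pause so updates resume on schedule
    Set-ItemProperty -Path $PolicyKey -Name 'PauseQualityUpdates' -Value 0 -Type DWord
}

function Suspend-QualityUpdates {
    # Pause quality updates starting on the given date. Windows lifts the pause
    # on its own once the maximum pause window (35 days) has elapsed.
    param([datetime]$StartDate = (Get-Date))
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'PauseQualityUpdates' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'PauseQualityUpdatesStartTime' `
        -Value $StartDate.ToString('yyyy-MM-dd') -Type String
}

# Example: put this machine in Ring 1 (quality updates deferred five days)
Set-DeploymentRing -Ring 'Ring1'
```

In a real fleet these same values are delivered by Group Policy or an MDM profile per ring rather than set by hand, which is what makes the approach “hands-off”; the script is useful for verifying what a policy actually wrote on a test endpoint.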

Perhaps most importantly for us, we wanted similar or better reporting capabilities for getting data about the deployment status of Windows Updates each month. Microsoft offers a free solution for this called “Update Compliance”, which collects the Windows Update telemetry data and organizes it into clear, administrator-friendly dashboards accessible via the Azure portal. It provides default reports on Feature Update status and Security Update status, and additional reports can be created using Azure’s Log Analytics tools.

You can learn more about how to set up Windows Update For Business and how to configure Update Compliance on Microsoft’s documentation site. Rolling out these solutions to our environment was very simple, and was complete within about 2 weeks post-testing. It was satisfying to finally send our WSUS server to the grave!