Microsoft Offers Windows 10 Management and WSUS Security Advice to IT Pros

Microsoft this week described a few perks and best practices for IT pros to follow when managing and deploying Windows 10 updates.

Microsoft has added a new "View optional updates" link in Windows 10's Update and Security panel, which can be tapped when bad drivers cause problems. Also, Microsoft is recommending that HTTPS be turned on for users of the Windows Server Update Services (WSUS) management solution. Lastly, Microsoft recapped its best practices and tools for deploying Windows 10 feature updates.

Windows 10 View Optional Updates
A new "View optional updates" link will appear in the Update and Security panel of Windows 10 after Microsoft's August security updates get applied, a Wednesday Windows IT Pro blog post explained.

Drivers regularly get approved by Microsoft and arrive through the Windows Update service. However, when problems arise with them, it's possible to try installing an optional driver update that may contain a fix. Now, it's easier to find these optional updates in Windows 10 with the new link.

"Windows Update will, of course, continue to automatically keep your drivers updated, but installing optional drivers may help if you are experiencing an issue," the announcement explained.

Issues with drivers have been a continuing stumbling block with Windows systems. Device makers and software vendors, especially the makers of anti-malware solutions, have sometimes had to scramble to keep up with Microsoft's faster Windows 10 update pace.

Previously, it had been necessary to search for updated Windows 10 drivers using the Device Manager panel. However, with the August security updates, "you no longer need to utilize Device Manager to search for updated drivers for specific devices," the announcement indicated.

Apparently, Device Manager can no longer be used to search for these drivers after the August security updates get applied. That change caused some readers of Microsoft's announcement to voice complaints.

When driver issues do arise, Microsoft tends to just quietly document them in the "Known Issues" section of its publicly available Message Center document, which lacks an RSS feed. Microsoft also calls this document the "Windows release health dashboard." Notices also appear in the Message Center portal seen by IT pros.

Protect WSUS Using HTTPS
Microsoft this week advised turning on HTTPS for its free WSUS server and client device management service "to help provide additional protection from potential malware attacks," according to a Thursday Windows IT Pro blog post. HTTPS is a communication protocol similar to HTTP, but it adds Transport Layer Security encryption to the connection between the browser client and the Web server, thwarting so-called "man-in-the-middle" attacks.

"At a time when malware attacks are on the rise across industries, configuring WSUS with HTTPS may further reduce the ability of a potential attacker to remotely compromise a client and elevate privileges," Microsoft's announcement argued.

Instructions to add HTTPS to WSUS are rather involved, and also require getting a certificate from a Certificate Authority, which can be an extra cost. Microsoft also noted that "securing your server with TLS may result in a slight loss in performance."
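
To see whether a given client is still pointed at WSUS over plain HTTP, the update policy on that client can be audited. The PowerShell below is an added example, not code from Microsoft's post or from this article; it assumes the standard Windows Update Group Policy registry location, and the function names and sample hostnames are made up for illustration.

```powershell
# Added example: flag WSUS client policy that uses plain-HTTP update URLs.
# Assumption: policy lives in the standard Windows Update Group Policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusUrl {
    # Classify one configured URL by scheme (hypothetical helper).
    param([string]$Name, [string]$Url)
    $finding = 'OK (HTTPS)'
    $uri = $null
    if ([string]::IsNullOrWhiteSpace($Url)) {
        $finding = 'Not configured'
    } elseif (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        $finding = 'Unparseable URL'
    } elseif ($uri.Scheme -ne 'https') {
        $finding = 'Not HTTPS: exposed to man-in-the-middle tampering'
    }
    [pscustomobject]@{ Setting = $Name; Url = $Url; Finding = $finding }
}

function Get-WsusClientAudit {
    # With no -Policy argument, read the live registry policy on this machine.
    param([hashtable]$Policy)
    if ($null -eq $Policy) {
        $Policy = @{}
        $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
        if ($wu) { $Policy.WUServer = $wu.WUServer; $Policy.WUStatusServer = $wu.WUStatusServer }
        if ($au) { $Policy.UseWUServer = $au.UseWUServer }
    }
    # UseWUServer = 1 means the client takes updates from the intranet server.
    if ($Policy.UseWUServer -ne 1) {
        return [pscustomobject]@{ Setting = 'UseWUServer'; Url = $null; Finding = 'WSUS not in use on this client' }
    }
    Test-WsusUrl 'WUServer' $Policy.WUServer
    Test-WsusUrl 'WUStatusServer' $Policy.WUStatusServer
}

# Constructed sample policies; hostnames are placeholders. 8530 and 8531 are
# the WSUS default HTTP and HTTPS ports.
$samples = @(
    @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal:8530';  WUStatusServer = 'http://wsus.example.internal:8530' },
    @{ UseWUServer = 1; WUServer = 'https://wsus.example.internal:8531'; WUStatusServer = 'https://wsus.example.internal:8531' },
    @{ UseWUServer = 0 }
)
foreach ($p in $samples) { Get-WsusClientAudit -Policy $p | Format-Table -AutoSize }
```

Running `Get-WsusClientAudit` with no arguments on a managed client reports on that machine's actual policy instead of the constructed samples.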

Commenting on Microsoft's post, Karl Wester-Ebbinghaus, a senior IT specialist for Microsoft's on-premises and cloud solutions, argued that Microsoft hasn't put much development effort into WSUS, even though it's not a deprecated product. He suggested IT pros should switch to using Windows Update for Business, Microsoft's service for managing Windows 10 updates, rather than use WSUS. He also recommended using Delivery Optimization, a peer-to-peer scheme for addressing the bandwidth hits of Windows 10 feature and quality updates.

Windows 10 Deployment Tools
There's not much that's new in this Thursday Windows IT Pro blog post on Windows 10 deployment tools. James Bell of Microsoft reviewed the tooling and practices that Microsoft recommends organizations use when deploying Windows 10 feature updates.

Here's his list of recommended tools for carrying out Windows 10 deployments:

  • Desktop Analytics for checking app compatibility before a Windows 10 upgrade.
  • Microsoft Endpoint Manager-Microsoft Intune for client management.
  • Windows Update for Business service for Windows 10 feature update deployment and management using Group Policy or mobile device management solutions.
  • Windows security baselines for security configurations via "Group Policy, Microsoft Endpoint Configuration Manager or Microsoft Intune."
  • Windows 10 Update Baseline for "recommendations on configuration settings, tooling for feature update deployments, guidance on customizing the baselines to meet your organization's specific needs, and best practices."
  • Update Staging Lab for software vendors to view application "test results, performance metrics, and crash/hang signals."
  • Delivery Optimization in conjunction with "Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Configuration Manager" for reducing the bandwidth hits associated with Windows 10 feature and quality updates.

Windows Update for Business, Delivery Optimization and the baselines are free, but other tools incur licensing costs. Bell explained that "to leverage Desktop Analytics, your environment needs to meet certain prerequisites, including network connectivity, a current Configuration Manager license, and, for end user devices, an enterprise-level license."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

