How to manage Windows 10 1903 and 1909 security updates

Your Windows update controls might be out of date if you haven't reviewed them since the 1803 update or earlier. Here are the new settings you need to know.

With the Windows 10 1909 release, Microsoft announced that System Center Configuration Manager (SCCM) and the Microsoft Intune mobile management service will be combined under the name of Microsoft Endpoint Manager. It might be time to revisit how you control updating in Windows 10 and what you use to do it.

Firms rolling out Windows 10 are deciding whether to use Windows Software Update Services (WSUS) or just rely on the settings of Windows Update for Business (a series of Group Policy settings) to control when and how updates are installed. With Office 2019, the need to control Office updates lessens because Office 2019 relies on click-to-run technology. Thus, Office updates are deployed differently from Windows updates. In fact, most users won’t see Office updates being installed and instead be prompted to close and reopen Office as needed.

Windows 10, however, still needs update control. Most prudent businesses still set up testbeds and deploy updates after they are deemed acceptable. If you wait at least a week, any major issues will usually be identified.

Recently a UK National Cyber Security Centre (NCSC) blog post caught my eye. In it they detail how they control updating Windows 10 and it doesn’t include WSUS. They don’t have a traditional workstation/domain infrastructure and thus the choice of Windows Software Update Services was not an option.  

NCSC opted to have a small subset of individuals on the Windows Insider public beta testing program to pretest feature update changes. While participating in the Insider program provides insight into feature update changes, it may not showcase the impact of security updates. With Windows Update for Business settings, you can set the workstation to defer security (called quality updates in the settings) for up to 30 days. You can also pause updates for up to 35 days without installing them. This lets you install the quality—or security—updates on a subset of computers first to ensure that they present no side effects. If there are no issues, you can let the rest of the computers in the office install updates automatically after the deferral period has elapsed.

To continue reading this article register now

The 10 most powerful cybersecurity companies