linden  

What Changes When You Use Windows Update for Business?


  Why You Should Use Windows Update for Business Instead of Windows Server Update Services

  As more employees work from home, Windows Update for Business provides a simpler way to update Windows endpoints with the latest patches. In this article, I look at the differences between Windows Server Update Services and Windows Update for Business, and why I believe the latter is the best solution in most cases.

  What is Windows Server Update Services?

  Windows Server Update Services (WSUS) is a component of Windows Server. WSUS is installed as a server role and you can deploy a single instance. Or it can be configured in a distributed topology to serve endpoints that are separated on different networks or physical locations.



  WSUS servers can be set up in different hierarchies, where WSUS receives updates from upstream servers or directly from the Internet. WSUS is a flexible solution that allows organizations to serve thousands of endpoints, many more than a single instance could handle. WSUS also integrates with Microsoft Endpoint Manager, previously System Center Configuration Manager (SCCM), where it handles updating endpoints.

  WSUS is complex to deploy and maintain

  But with all the flexibility that WSUS provides, including being able to approve individual updates, there are many caveats. The first is complexity. Even if you deploy a single instance of WSUS, there are a few best practices you should follow to make sure WSUS is secure.

  Communications between endpoints and WSUS, and between WSUS downstream and upstream servers, are not secured using HTTPS by default. Each WSUS server should be configured to enforce Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption, and use HTTPS.

  Configuring WSUS to use HTTPS helps protect endpoints from remote compromise and the potential for a hacker to elevate privileges. But the prerequisites for configuring WSUS to use HTTPS are many. First, you need to obtain a certificate. That could mean setting up your own public key infrastructure (PKI), which is not trivial.

  Once a certificate has been installed, it needs to be bound in Internet Information Services (IIS) to 5 different applications. WSUS can then be configured to use HTTPS using the wsusutil configuressl command. And finally, endpoints should be configured to require HTTPS, which means updating Group Policy configuration so endpoints connect using HTTPS on the right port.
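  The endpoint side of this procedure can be checked after the Group Policy change. The following is an added example, not code from the original article: it flags a WSUS client policy that still points at plain HTTP. The host name wsus.corp.example and the function names are hypothetical; 8530 and 8531 are the WSUS default HTTP and HTTPS ports.

```powershell
# Added example: audit the WSUS client policy on an endpoint for plain-HTTP update sources.
function Test-WsusClientTransport {
    param(
        # Policy values as a hashtable, so the check also runs on exported or sample data.
        [Parameter(Mandatory)] [hashtable] $Policy
    )
    if ($Policy.UseWUServer -ne 1) {
        return [pscustomobject]@{ Managed = $false; Findings = @('UseWUServer is not 1: endpoint is not pointed at WSUS') }
    }
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $Policy[$name]
        if ([string]::IsNullOrWhiteSpace($value)) { $findings += "$name is not set"; continue }
        $uri = $null
        if (-not [Uri]::TryCreate($value, [UriKind]::Absolute, [ref] $uri)) {
            $findings += "$name is not a valid URL: $value"; continue
        }
        if ($uri.Scheme -ne 'https') {
            $findings += "$name uses $($uri.Scheme), not https: $value"
        } elseif ($uri.Port -eq 8530) {
            $findings += "$name uses https on 8530, the WSUS default HTTP port: $value"
        }
    }
    [pscustomobject]@{ Managed = $true; Findings = $findings }
}

function Get-WsusClientPolicy {
    # Registry locations written by the Windows Update Group Policy settings.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    @{ WUServer = $wu.WUServer; WUStatusServer = $wu.WUStatusServer; UseWUServer = $au.UseWUServer }
}

# Constructed sample policies (hypothetical host name).
$weak     = @{ UseWUServer = 1; WUServer = 'http://wsus.corp.example:8530';  WUStatusServer = 'http://wsus.corp.example:8530' }
$hardened = @{ UseWUServer = 1; WUServer = 'https://wsus.corp.example:8531'; WUStatusServer = 'https://wsus.corp.example:8531' }
(Test-WsusClientTransport -Policy $weak).Findings
(Test-WsusClientTransport -Policy $hardened).Findings

# On a live endpoint:
# Test-WsusClientTransport -Policy (Get-WsusClientPolicy)
```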

  As you can see, there is a significant local infrastructure requirement even when you have a single WSUS instance. And what I believe should be the nail in the WSUS coffin for most organizations, is that the software is simply outdated and old. It’s barely been updated in the past 8 years. And it still uses SQL 2012 and Report Viewer 2012. WSUS relies on Internet Explorer and the IIS settings are known to cause problems.

  Why You Should Use Windows Update for Business Instead of Windows Server Update Services (Image Credit: Microsoft)

  Windows Update for Business

  Microsoft doesn’t seem to care much about bringing WSUS into the modern world. And that’s because of Windows Update for Business (WUfB). While WUfB doesn’t allow organizations to approve individual updates like WSUS, if set up properly using deployment rings, it can provide enough control without all the headaches associated with WSUS.

  As I’ve written on Petri before, WUfB is controlled using a series of Group Policy or Mobile Device Management (MDM) settings in Windows 10. WUfB is Microsoft’s preferred update mechanism and it allows organizations to control how quality and feature updates are applied to devices. It uses a peer-to-peer technology, called Delivery Optimization, to distribute updates.



  Because no local infrastructure is required to use WUfB, organizations can reduce costs and improve security because everything is configured to be secure out of the box. While WSUS can also use Delivery Optimization, WUfB relies on it as a mechanism to distribute updates without saturating network bandwidth.

  Delivery Optimization uses a network of peers to distribute updates to endpoints. So, instead of each endpoint contacting Microsoft’s Internet update servers for approved updates, once a single peer has downloaded an update, other peers can pull the bits from endpoints on the same network or Internet. Delivery Optimization can be configured to restrict devices to pull update bits from peers on the local network only.
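  The deployment-ring and Delivery Optimization settings described above can be read back from an endpoint. The following is an added example, not code from the original article: it maps a device's deferral policy to a ring and reports whether peering reaches beyond the local network. The ring names, deferral periods and function names are hypothetical.

```powershell
# Added example: summarise WUfB deferral and Delivery Optimization policy on one endpoint.
# Ring names and deferral periods are hypothetical; substitute your own ring design.
$Rings = @(
    [pscustomobject]@{ Name = 'Pilot'; QualityDays = 0; FeatureDays = 0 }
    [pscustomobject]@{ Name = 'Early'; QualityDays = 3; FeatureDays = 30 }
    [pscustomobject]@{ Name = 'Broad'; QualityDays = 7; FeatureDays = 90 }
)

function Get-WufbPosture {
    param([Parameter(Mandatory)] [hashtable] $Policy, [object[]] $RingTable = $Rings)
    # A deferral period only counts when its enabling switch is set to 1.
    $q = if ($Policy.DeferQualityUpdates -eq 1) { [int] $Policy.DeferQualityUpdatesPeriodInDays } else { 0 }
    $f = if ($Policy.DeferFeatureUpdates -eq 1) { [int] $Policy.DeferFeatureUpdatesPeriodInDays } else { 0 }
    $ring = $RingTable | Where-Object { $_.QualityDays -eq $q -and $_.FeatureDays -eq $f } | Select-Object -First 1
    $findings = @()
    $ringName = $null
    if ($ring) { $ringName = $ring.Name }
    else { $findings += "Deferrals ($q quality / $f feature days) match no defined ring" }
    # DODownloadMode: 0 = HTTP only, 1 = LAN peers, 2 = group peers, 3 = Internet peers.
    $mode = $Policy.DODownloadMode
    if ($null -eq $mode) { $findings += 'DODownloadMode is not set by policy' }
    elseif ($mode -in 2, 3) { $findings += "DODownloadMode $mode lets peering reach beyond the local network" }
    [pscustomobject]@{
        Ring = $ringName; QualityDeferralDays = $q; FeatureDeferralDays = $f
        DownloadMode = $mode; Findings = $findings
    }
}

function Get-WufbPolicy {
    # Reads the Group Policy registry locations; settings delivered by MDM may not appear here.
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $do = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' -ErrorAction SilentlyContinue
    @{
        DeferQualityUpdates             = $wu.DeferQualityUpdates
        DeferQualityUpdatesPeriodInDays = $wu.DeferQualityUpdatesPeriodInDays
        DeferFeatureUpdates             = $wu.DeferFeatureUpdates
        DeferFeatureUpdatesPeriodInDays = $wu.DeferFeatureUpdatesPeriodInDays
        DODownloadMode                  = $do.DODownloadMode
    }
}

# Constructed sample: a device deferring 7/90 days with Internet peering enabled.
Get-WufbPosture -Policy @{ DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 7
    DeferFeatureUpdates = 1; DeferFeatureUpdatesPeriodInDays = 90; DODownloadMode = 3 }
```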

  Monitoring Windows Updates

  If you deploy WUfB using Microsoft Intune, the Microsoft Endpoint Manager admin center now includes reporting so you can check endpoint compliance. As it stands, reporting in Intune is quite basic but Microsoft is working to quickly expand reporting capabilities. Outside of Intune, Update Compliance, which you can find in the Azure marketplace, is the best way to handle WUfB reporting.

  WUfB vs. WSUS

  Windows Update for Business is designed to be easy to deploy, secure, and to serve endpoints regardless of where they are located. Because Windows doesn’t need to contact a WSUS instance behind a corporate firewall, WUfB lends itself to situations where devices spend more time outside the office.

  Setting up Microsoft Endpoint Manager to service Internet endpoints is more complicated because it either requires placing servers in the DMZ or using Microsoft Cloud Management Gateway. If you want to use WUfB with other management solutions, that’s not a problem. WUfB integrates with WSUS. And Microsoft Endpoint Manager can differentiate between computers managed using WSUS and WUfB.
