URGENT | Windows Update advice

Katos

Hi fellow Metabullets!

I’m seeking some advice on Remote windows update patch management and compliance.
We need to urgently sort a patching solution for REMOTE workers (off-network but domain joined) devices.
These devices will be mostly win10 with some win7 sprinkled in.

We were advised that a public facing WSUS is a big no no and we don’t have our devices in Intune to leverage update compliance.

Any suggestions would be hugely appreciated.
Requirements:

Approval or denial of windows updates
Patch overview and update status / compliance
Ability to service REMOTE off network devices (these CAN join the VPN, but we are phasing this out)

Kind regards

phenomlab

Katos Hi - nice to have you onboard.

It goes without saying that InTune is going to be the best way to manage the updates from a central perspective, but most of this depends on appetite, and of course, budget. Similarly, a public facing WSUS server may not desirable, but in reality, you only need to open a small selection of ports (obviously the notable ones are 443 etc), and that same WSUS server should be placed into a segregated DMZ zone that has no other contact with the internal networks other than what is essential for it to run.

Similarly, if you take this route, this server should be a downstream, whilst you maintain the upstream inside your own network. If you want to "go cheap", and have something quick and effective, you could change the Group Policy (or registry settings) for the remote clients, and have them pull from Windows Update directly. I know several organisations which adopt this approach, and only present the XML that contains the list of centrally approved updates so that remote workstations can install only those that have been approved.

If you're interested in the above mechanisms, let me know.

Katos

phenomlab in the immediate term we are actually using windows updates directly (defined by GPO as you say) - I cannot however see a way of monitor which updates have been applied and to what devices? - unless you can advise on this.

with regards to Intune this is likely to be the route that we take. What would you advise as the quickest and easiest way to get our devices into InTune. Obviously we would use a blank policy set for now to get them on without causing end user disruption

phenomlab

Katos There are a couple of other suggestions here. You could also use LanSweeper (a license is less than GBP 1,000, dependant on how many nodes you have) and this can easily record the Windows Updates that are installed on the machines (remote). In addition, LanSweeper has a remote agent API which you can expose publicly (is uses a hash to communicate), which will then post the list of updates into the Inventory. This is something else my firm is doing to handle remote inventories - in addition, we can also keep a track of software licenses, and any software that shouldn't be there.

If you take the InTune route, you'll need upgraded Office365 licenses (if necessary), and probably Azure for the management portal side.

Katos

phenomlab we have the licenses for Azure and InTune :-)

phenomlab

Katos Good. You'll need to enrol the devices first so they can be managed - https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-enroll-windows-device

phenomlab

Katos I'm interested to know how this panned out and the decision you took 👍

Katos

phenomlab So without going too technical;

Enrolled all devices in InTune using GPO (3rd party support company assisted with getting remote users updated over VPN).
InTune holds a BLANK policy set with the only compliance requirement being enabled windows firewall
Removed ESET to be replaced with Crowdstrike
Updates managed through update rings, and reported on in InTune, we will eventually (but not yet) move to a full compliance requirement and manage all updates through update compliance.
-

phenomlab

Katos Sounds great. Let me know if you need any other assistance with this.