Admins Using Windows Server Update Services Up in Arms as Microsoft Deprecates Feature (theregister.com) 34
Microsoft giveth and Microsoft taketh away, as administrators using Windows Server Update Services (WSUS) will soon find out. From a report: Windows Server 2025 remains in preview, but Microsoft has been busy letting users know what is set for removal and what will be deprecated in the release. WSUS fits into the latter category -- still there for now, but no longer under active development. This is a big deal for many administrators who rely on the feature to deploy and manage the distribution of updates and features in an enterprise environment.
It'll even work on a network disconnected from the internet -- download the patches to a connected computer, stick them on some removable media, import the patches to a WSUS server on the disconnected network, and away you go. A tame administrator told El Reg: "We are migrating to Intune. It's a lot more complicated than WSUS, and it takes a lot longer to get set up."
"Such is progress!" he sighed. Microsoft's advice is, unsurprisingly, to migrate to cloud tools. As well as the aforementioned Intune, there is also Windows Autopatch for client update management or Azure Update Manager for server update management. And there are plenty of third-party tools out there too, such as Ansible. Microsoft's announcement has attracted comment. One user said: "Congratulations, you just made centralized automated patching subject to internal politics and budget constraints. "I survived the era of Melissa, SQL Slammer, and other things that were solved when we no longer had to choose between paid patch management or trusting admins of every server to do the right thing. For those of you that did not live through that, buckle up!"
It'll even work on a network disconnected from the internet -- download the patches to a connected computer, stick them on some removable media, import the patches to a WSUS server on the disconnected network, and away you go. A tame administrator told El Reg: "We are migrating to Intune. It's a lot more complicated than WSUS, and it takes a lot longer to get set up."
"Such is progress!" he sighed. Microsoft's advice is, unsurprisingly, to migrate to cloud tools. As well as the aforementioned Intune, there is also Windows Autopatch for client update management or Azure Update Manager for server update management. And there are plenty of third-party tools out there too, such as Ansible. Microsoft's announcement has attracted comment. One user said: "Congratulations, you just made centralized automated patching subject to internal politics and budget constraints. "I survived the era of Melissa, SQL Slammer, and other things that were solved when we no longer had to choose between paid patch management or trusting admins of every server to do the right thing. For those of you that did not live through that, buckle up!"
Re: (Score:3)
Re: (Score:2)
Re: (Score:1)
I think you mean something along the lines of: /opt/debrepo/binary-amd64 /opt/debrepo/binary-amd64/ /opt/debrepo && dpkg-scanpackages binary-amd64/ /dev/null > Release
apt install dpkg-dev
mkdir -p
# cp *.deb
cd
bzip2 -c Release > Release.bz2
# and point a server (rsync, ftp, http, https, etc..) at that directory
And on the client side, just point apt sources to the new server via the /etc/apt/sources* stuff.
It's been like that for decades (Score:3)
Microsoft giving little to no notice, breaking things right and left on Patch Tuesday, admins running around like headless chickens trying to fix things while their users scream bloody murder, insecure malware-magnet software, yet for some reasons, decades on, people are still happy to be Microsoft customers. I'll never understand this.
Re: (Score:1)
if you don't understand why enterprises use microsoft products to manage thousands if not tens of thousands of desktops, workstations and servers you aren't actually trying to understand
you can disagree but you being an observant person existing in the tech field for decades actually understand right?
Re:It's been like that for decades (Score:5, Insightful)
Microsoft has the best marketing team in the world. That's really all you need to understand.
Well, that and maybe peer pressure. People use Microsoft products because everybody else uses Microsoft products, creating the impression that these products must be good, and alleviating fears about possible incompatibilities when trying to integrate with business partners. Also, the popularity of the products means there is more technical talent available for hire in the labor pool. There are actually quite a lot of good business reasons for using the more popular product, just because it is popular, even if competing products are better in some specific technical ways.
And of course, Microsoft is going to do things in ways that make money for Microsoft. When their old tech starts competing against their new tech for revenue, and the new tech makes MORE revenue, of course they are going to kill the old tech. It's the most rational thing to do (especially when you know that people will just switch to your new tech for the reasons stated above).
Re: (Score:2)
Re: It's been like that for decades (Score:2)
Next item to show up at http://www.windowsupdaterestor... [windowsupd...stored.com]
Re: (Score:2)
Microsoft has the best marketing team in the world.
Have you actually paid attention to Microsoft's marketing over the past few decades? It mostly sucks! For a really long time, they had a requirement that any advertising campaign first get separate individual approval from EVERY division head in the company*. Ideas that start out clever and fresh end up completely rewritten multiple times as a new division head adds their "input". I am aware of occasions when a Microsoft division head basically rewrote an entire ad campaign and said "here's what you're goi
Re: (Score:2)
Microsoft has the best marketing team in the world.
Have you actually paid attention to Microsoft's marketing over the past few decades? It mostly sucks! For a really long time, they had a requirement that any advertising campaign first get separate individual approval from EVERY division head in the company*. Ideas that start out clever and fresh end up completely rewritten multiple times as a new division head adds their "input". I am aware of occasions when a Microsoft division head basically rewrote an entire ad campaign and said "here's what you're going to do instead".
No, I'd argue what Microsoft really has been able to build on its first movers advantage - along with a willingness to spend money offering lots of free training to IT people, which builds a fair bit of loyalty in IT people who don't know better; plus an executive team that, when necessary, engages directly with company leaders to drive adoption, bypassing IT decision-making completely.
* I have a sibling who's done ad work for Microsoft in the past. It's possible the company might've stopped doing this more recently.
I would argue that marketing isn't just ads. Their ad game is terrible imho, but they have enough hooks in everything that they're going to market through means other than ads much more effectively. That Michelin Star dinner that their rep took your [insert purchasing agent here] out for? Marketing. That trade show/conference you went to that Microsoft had a huge booth at and maybe even sponsored? Marketing. That donation of [insert whatever product] to charity? Marketing.
M$ does a damned good job of
Re: (Score:3)
The problem is that business runs on MS Office. It's possible to do otherwise, but difficult and expensive. We know from the efforts in Germany which have only been partly successful that this often requires more effort and commitment than is affordable either politically or economically.
As long as MS Office needs Windows to work, business is stuck with Windows. (Mind you, that proves the failure to break up M$ into OS and APP companies after the anti-trust verdict was The Big Mistake.)
All M$ customers shou
Re:It's been like that for decades (Score:5)
I don't think it's as much office as it is Active Directory/Group Policies and ironically tools like WSUS that all tie together into that system. The fact Office also directly can be managed through that fromework makes it an easy sell for companies. "Embrace"
Re: (Score:2)
The funny part there though is it seems to me that Microsoft has been doing everything they can to devalue those tools even as they remain the major sale point.
They are not getting rid of them but removing the dependability and manageability of them. In 2003 I could change a group policy setting and there were basically two outcomes 1) The policy would be applied and it would configure the system as directed; 2) Nothing would happen because the machine isn't talking to the domain at all, which you could dis
Re: (Score:2)
It's easy to see why sysadmins would be annoyed. It's also easy to see why M$ would want to take their tools away, if doing so insures that any unlicensed windows system will be shut out of getting p
Re: (Score:1)
Re: (Score:2)
I'll never understand this.
It's not that complicated, but for those folks who (incorrectly) see everything in terms of pure technical merit, I gather you need somebody to explain the network effects to you:
The Internet Con [versobooks.com]
(Snark aside, it's a good book, even if I found most of it rather self-evident, it puts everything in one place)
Re: (Score:2)
Microsoft giving little to no notice, breaking things right and left on Patch Tuesday, admins running around like headless chickens trying to fix things while their users scream bloody murder, insecure malware-magnet software, yet for some reasons, decades on, people are still happy to be Microsoft customers. I'll never understand this.
The same argument can be made for Google and even Apple products.
Re: (Score:2)
Apparently they are giving notification: "still there for now, but no longer under active development.".
So it is still available in 2025 but will not be in the next version. You have 5 years or so to migrate to Azure Update Manager– Patch Management.
I think they are giving you plenty of time to plan and execute the change.
Re: (Score:3)
Re: (Score:3)
Well for one thing, you can use WSUS + GPOs to set up canary environments for patches and updates. This is something people have literally been doing for at least a decade to catch all the crap you're talking about before it becomes a paged alert.
And now they're taking that away. Gee, I can't imagine why people would get upset about that.
More work for admins? (Score:2)
Obviously MS is seeking to force the companies that use it to employ more people out of concern for the numbers being laid off in the tech industry ;)
Re: (Score:2)
Just more Azure. Translating desktop dominance into cloud share. Same thing more or less that was tried with Windows 8, to translate that dominance into ownership of tablets and phones.
Oh, calm the F down (Score:4, Informative)
"Deprecated" means "it's going to die eventually". It's still in Server 2025 preview, which means it'll be there when Server 2025 goes RC. Which means that people will have _at least_ until 2035 (when Server 2025 goes EOL) to come up with a solution.
At some companies that's _two_ hardware refresh cycles from now.
AND that assumes that they're going to eliminate it from the NEXT on-prem server release, which isn't a guarantee. For example, they deprecated TLS 1.0 and 1.1 in Server 2022, but it's still in Server 2025 (but disabled by default).
Re:Oh, calm the F down (Score:4, Insightful)
However, if people do just calmly ignore it, then the vendor may think "ok, we can drop this, no problem". Particularly since MS has a business incentive to move people to cloud managed, and anything they can get away with that may advance that agenda, they will be more likely to pull.
Across the industry there's a lot of screwing around by vendors and not enough clients calling them on their BS. Whether it's pricing or removing perpetual licensing or removing features or removing on-premise capability, there needs to be more pushback in the industry to malicious vendor behavior when it runs counter to the client business objectives.
Re: (Score:2)
Sure, but to be fair, I don't think there's been an innovation in WSUS since at least Server 2012. You still need the same Powershell scripts to prevent it from falling over now as you did then. The entire workflow has been almost pointless for years - Microsoft releases what, two cumulative updates a month and maybe an out of sequence security update? We're not approving/rejecting twenty updates individually anymore. The "oh shit the new update breaks something" problem can be solved with rings and def
Re: (Score:2)
Indeed.
10 years is a heck of a long time to either find a replacement, or to build one from scratch.
Just take it as advance notice that a patch management solution won't be included for free anymore, and you'll have to do something else.
By the way, WSUS kind of sucks anyways in my experience - at the very least the User Interfaces were needing some kind of rework for a long time. The resource demands of the app were also excessive; It's kind of a bother how massive the implementation gets even if y
cloud does not help for low bandwidth ENV's or loc (Score:2)
cloud does not help for low bandwidth / low cap ENV's or locked down ones where each end point may not be able to get to the cloud to download updates.
Low bandwidth ENV's it's nice to have 1 server on the site pulling the updates vs say 100's of workstations all pulling at the same time.
That is not a problem (Score:2)
If it rally was a useful feature, someone will fork the project to keep it alive. /s
Just use standard Windows updates. (Score:2)
WSUS and individual update management does not seem that appropriate or necessary anymore.
And it's kind of a security issue - connections from clients to WSUS do not use TLS security.
So you're better off Not configuring WSUS. Configure Windows Updates directly instead with automatic scheduled installation.
And don't install Windows on critical systems that require 24x7 uptime in the first place.
Microsoft does not even give you a choice of individual patches anymore, even if you have WSUS: It's either App
Re: (Score:2)
I have two networks, neither connected to the internet that I need to patch.
1 is QA and is patched and verified days to weeks before production. How do we do that?
Up in arms? Really? (Score:2)