Admins Using Windows Server Update Services Up in Arms as Microsoft Deprecates Feature (theregister.com) 77
Microsoft giveth and Microsoft taketh away, as administrators using Windows Server Update Services (WSUS) will soon find out. From a report: Windows Server 2025 remains in preview, but Microsoft has been busy letting users know what is set for removal and what will be deprecated in the release. WSUS fits into the latter category -- still there for now, but no longer under active development. This is a big deal for many administrators who rely on the feature to deploy and manage the distribution of updates and features in an enterprise environment.
It'll even work on a network disconnected from the internet -- download the patches to a connected computer, stick them on some removable media, import the patches to a WSUS server on the disconnected network, and away you go. A tame administrator told El Reg: "We are migrating to Intune. It's a lot more complicated than WSUS, and it takes a lot longer to get set up."
"Such is progress!" he sighed. Microsoft's advice is, unsurprisingly, to migrate to cloud tools. As well as the aforementioned Intune, there is also Windows Autopatch for client update management or Azure Update Manager for server update management. And there are plenty of third-party tools out there too, such as Ansible. Microsoft's announcement has attracted comment. One user said: "Congratulations, you just made centralized automated patching subject to internal politics and budget constraints. "I survived the era of Melissa, SQL Slammer, and other things that were solved when we no longer had to choose between paid patch management or trusting admins of every server to do the right thing. For those of you that did not live through that, buckle up!"
sudo apt update; sudo apt upgrade (Score:1, Offtopic)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
apt-cacher is still maintained, then there's approx and others. Or you can just use squid or some random generic http cache, as apt works well with a standard web server; apt-cacher{,-ng} are merely aware of data lifetimes thus they can make better decisions when to delete obsolete stuff.
Re: (Score:2)
"NG" is for "next generation", or "not good"?
Re: (Score:2)
Re: (Score:2, Interesting)
I think you mean something along the lines of:
apt install dpkg-dev
mkdir -p /opt/debrepo/binary-amd64
# cp *.deb /opt/debrepo/binary-amd64/
cd /opt/debrepo && dpkg-scanpackages binary-amd64/ /dev/null > Release
bzip2 -c Release > Release.bz2
# and point a server (rsync, ftp, http, https, etc..) at that directory
And on the client side, just point apt sources to the new server via the /etc/apt/sources* stuff.
Re: (Score:2)
"sudo abort; sudo abort; sudo panic"
It's been like that for decades (Score:4, Insightful)
Microsoft giving little to no notice, breaking things right and left on Patch Tuesday, admins running around like headless chickens trying to fix things while their users scream bloody murder, insecure malware-magnet software, yet for some reasons, decades on, people are still happy to be Microsoft customers. I'll never understand this.
Re: (Score:2, Insightful)
if you don't understand why enterprises use microsoft products to manage thousands if not tens of thousands of desktops, workstations and servers you aren't actually trying to understand
you can disagree but you being an observant person existing in the tech field for decades actually understand right?
Re: (Score:2)
I believe, and maybe I'm wrong, that he's pointing out the fact that there are so many windows users that all of these admins have to deal with. He's wondering why that is.
Re:It's been like that for decades (Score:5, Insightful)
Microsoft has the best marketing team in the world. That's really all you need to understand.
Well, that and maybe peer pressure. People use Microsoft products because everybody else uses Microsoft products, creating the impression that these products must be good, and alleviating fears about possible incompatibilities when trying to integrate with business partners. Also, the popularity of the products means there is more technical talent available for hire in the labor pool. There are actually quite a lot of good business reasons for using the more popular product, just because it is popular, even if competing products are better in some specific technical ways.
And of course, Microsoft is going to do things in ways that make money for Microsoft. When their old tech starts competing against their new tech for revenue, and the new tech makes MORE revenue, of course they are going to kill the old tech. It's the most rational thing to do (especially when you know that people will just switch to your new tech for the reasons stated above).
Re: (Score:2)
Re: It's been like that for decades (Score:2)
Next item to show up at http://www.windowsupdaterestor... [windowsupd...stored.com]
Re: (Score:2)
Microsoft has the best marketing team in the world.
Have you actually paid attention to Microsoft's marketing over the past few decades? It mostly sucks! For a really long time, they had a requirement that any advertising campaign first get separate individual approval from EVERY division head in the company*. Ideas that start out clever and fresh end up completely rewritten multiple times as a new division head adds their "input". I am aware of occasions when a Microsoft division head basically rewrote an entire ad campaign and said "here's what you're goi
Re: (Score:3)
Microsoft has the best marketing team in the world.
Have you actually paid attention to Microsoft's marketing over the past few decades? It mostly sucks! For a really long time, they had a requirement that any advertising campaign first get separate individual approval from EVERY division head in the company*. Ideas that start out clever and fresh end up completely rewritten multiple times as a new division head adds their "input". I am aware of occasions when a Microsoft division head basically rewrote an entire ad campaign and said "here's what you're going to do instead".
No, I'd argue what Microsoft really has been able to build on its first movers advantage - along with a willingness to spend money offering lots of free training to IT people, which builds a fair bit of loyalty in IT people who don't know better; plus an executive team that, when necessary, engages directly with company leaders to drive adoption, bypassing IT decision-making completely.
* I have a sibling who's done ad work for Microsoft in the past. It's possible the company might've stopped doing this more recently.
I would argue that marketing isn't just ads. Their ad game is terrible imho, but they have enough hooks in everything that they're going to market through means other than ads much more effectively. That Michelin Star dinner that their rep took your [insert purchasing agent here] out for? Marketing. That trade show/conference you went to that Microsoft had a huge booth at and maybe even sponsored? Marketing. That donation of [insert whatever product] to charity? Marketing.
M$ does a damned good job of
Re: (Score:2)
Re: It's been like that for decades (Score:2)
Re: (Score:2)
With that much marketing, it's a surprise that they find enough time to break things!
Re:It's been like that for decades (Score:4, Informative)
The problem is that business runs on MS Office. It's possible to do otherwise, but difficult and expensive. We know from the efforts in Germany which have only been partly successful that this often requires more effort and commitment than is affordable either politically or economically.
As long as MS Office needs Windows to work, business is stuck with Windows. (Mind you, that proves the failure to break up M$ into OS and APP companies after the anti-trust verdict was The Big Mistake.)
All M$ customers should ALWAYS have a Linux lab staffed and working to develop and share business-helpful FOSS solutions. And make sure the M$ vampire^H^H^H^H^H^H^H salesperson is fully aware of it. That helps to both: (1) Make FOSS OSes and applications a better path for business and (2) Keep your Microsoft costs down!
Re:It's been like that for decades (Score:5)
I don't think it's as much office as it is Active Directory/Group Policies and ironically tools like WSUS that all tie together into that system. The fact Office also directly can be managed through that framework makes it an easy sell for companies. "Embrace"
Re: (Score:3)
The funny part there though is it seems to me that Microsoft has been doing everything they can to devalue those tools even as they remain the major sale point.
They are not getting rid of them but removing the dependability and manageability of them. In 2003 I could change a group policy setting and there were basically two outcomes 1) The policy would be applied and it would configure the system as directed; 2) Nothing would happen because the machine isn't talking to the domain at all, which you could dis
Re: (Score:2)
It's easy to see why sysadmins would be annoyed. It's also easy to see why M$ would want to take their tools away, if doing so ensures that any unlicensed windows system will be shut out of getting p
Re: (Score:2)
Re: (Score:2)
Running business on Office is a choice. There are many alternatives, almost all of them better.
It's not even a particularly compelling one, and is relatively easy to migrate away from for 'net new' things.
Re: (Score:2)
I'll never understand this.
It's not that complicated, but for those folks who (incorrectly) see everything in terms of pure technical merit, I gather you need somebody to explain the network effects to you:
The Internet Con [versobooks.com]
(Snark aside, it's a good book, even if I found most of it rather self-evident, it puts everything in one place)
Re: (Score:2)
Microsoft giving little to no notice, breaking things right and left on Patch Tuesday, admins running around like headless chickens trying to fix things while their users scream bloody murder, insecure malware-magnet software, yet for some reasons, decades on, people are still happy to be Microsoft customers. I'll never understand this.
The same argument can be made for Google and even Apple products.
Re: (Score:2)
Apparently they are giving notification: "still there for now, but no longer under active development.".
So it is still available in 2025 but will not be in the next version. You have 5 years or so to migrate to Azure Update Manager– Patch Management.
I think they are giving you plenty of time to plan and execute the change.
Re: (Score:3)
Re: (Score:3)
IBM would send over a team of suits to stand around and mumble about why things weren't working.
Microsoft sends over Leisure Suit Larry to tell you to shove it in the cloud.
Re:It's been like that for decades (Score:4, Informative)
Well for one thing, you can use WSUS + GPOs to set up canary environments for patches and updates. This is something people have literally been doing for at least a decade to catch all the crap you're talking about before it becomes a paged alert.
And now they're taking that away. Gee, I can't imagine why people would get upset about that.
Re: (Score:2)
That's been standard practice by competent administrators for at least 25 years (about when I first heard about it, and started doing so immediately). I'm sure it was common practice long before that - I'd guess going back to the 70s in many cases.
Re: (Score:2)
And now they're taking that away. Gee, I can't imagine why people would get upset about that.
They are not. They literally have said that WSUS will continue to work as it is. Ceasing further development of something != taking something away.
Re: (Score:2)
Ceasing further development of something != taking something away.
In the era of "Move fast, and break things" it does. No development == It stops working == Taking it away.
Which is exactly what Microsoft wants. To extinguish admin control over the update process even for enterprise level systems. (Right after their automated update system bricked millions of machines worldwide no less.)
Re: (Score:2)
What a naive comment.
In business there is tons of software that is MS only. Eg most CAD packages. Many machine control systems.
Many ERP systems.
Plus show me a decent Linux Active Directory system that just works (tm)
Re: (Score:1)
Marking something deprecated is Microsoft's way of giving people notice. If you look at things like "SQL Server Native Client 11.0," Microsoft deprecated that near the release of SQL Server 2012, only supplying security fixes for it (no new features), and finally stopped distributing it as of SQL Server 2022.
Ten years' notice is pretty good. And two years after they stopped distributing it people are still finding ways to install it (through Chocolatey and such) and use it
Re: (Score:2)
Microsoft giving little to no notice
WSUS is part of the Windows 2025 lifecycle, so will be supported until (at least) 2035.
Re: (Score:2)
I'll never understand this.
I'm sure you don't understand it. Let me help you: People are stupid. Not stupid for working with Microsoft, but stupid for not understanding what is going on. You are one of these people. Microsoft deprecated something. That *IS* giving notice. They haven't stopped anything. They haven't broken anything. Anyone who is running around in a panic is an idiot who doesn't know how the world works. WSUS will continue to work, that was literally part of the announcement.
As for malware-magnet, that is a function
More work for admins? (Score:2)
Obviously MS is seeking to force the companies that use it to employ more people out of concern for the numbers being laid off in the tech industry ;)
Re: (Score:2)
Just more Azure. Translating desktop dominance into cloud share. Same thing more or less that was tried with Windows 8, to translate that dominance into ownership of tablets and phones.
Re: (Score:2)
If Azure isn't solving your enterprise problems, then you're not using enough of it.
Re: (Score:2)
That's exactly what Little Debbie said about sugar intake and diabetes!
Oh, calm the F down (Score:5, Informative)
"Deprecated" means "it's going to die eventually". It's still in Server 2025 preview, which means it'll be there when Server 2025 goes RC. Which means that people will have _at least_ until 2035 (when Server 2025 goes EOL) to come up with a solution.
At some companies that's _two_ hardware refresh cycles from now.
AND that assumes that they're going to eliminate it from the NEXT on-prem server release, which isn't a guarantee. For example, they deprecated TLS 1.0 and 1.1 in Server 2022, but it's still in Server 2025 (but disabled by default).
Re:Oh, calm the F down (Score:5, Insightful)
However, if people do just calmly ignore it, then the vendor may think "ok, we can drop this, no problem". Particularly since MS has a business incentive to move people to cloud managed, and anything they can get away with that may advance that agenda, they will be more likely to pull.
Across the industry there's a lot of screwing around by vendors and not enough clients calling them on their BS. Whether it's pricing or removing perpetual licensing or removing features or removing on-premise capability, there needs to be more pushback in the industry to malicious vendor behavior when it runs counter to the client business objectives.
Re: (Score:2)
Sure, but to be fair, I don't think there's been an innovation in WSUS since at least Server 2012. You still need the same Powershell scripts to prevent it from falling over now as you did then. The entire workflow has been almost pointless for years - Microsoft releases what, two cumulative updates a month and maybe an out of sequence security update? We're not approving/rejecting twenty updates individually anymore. The "oh shit the new update breaks something" problem can be solved with rings and def
Re: (Score:2)
I'll confess to not knowing the nuance on the Microsoft side of things, but the story resembled so many other stories that I have experienced that I felt the urge to broadly complain about the state of affairs with vendors, who seem to be getting worse and worse about screwing over their customers/would-be customers as time goes by.
Re: (Score:2)
However, if people do just calmly ignore it, then the vendor may think "ok, we can drop this, no problem".
MS has a captive market. They will force the change on you whether you're calm or vocal about an issue. In the latter case they may pay lip service to the issue while doing absolutely nothing to resolve it.
Re: (Score:2)
Indeed.
10 years is a heck of a long time to either find a replacement, or to build one from scratch.
Just take it as advance notice that a patch management solution won't be included for free anymore, and you'll have to do something else.
By the way, WSUS kind of sucks anyways in my experience - at the very least the User Interfaces were needing some kind of rework for a long time. The resource demands of the app were also excessive; It's kind of a bother how massive the implementation gets even if y
cloud does not help for low bandwidth ENV's or loc (Score:2)
cloud does not help for low bandwidth / low cap ENV's or locked down ones where each end point may not be able to get to the cloud to download updates.
Low bandwidth ENV's it's nice to have 1 server on the site pulling the updates vs say 100's of workstations all pulling at the same time.
Re: (Score:2)
cloud does not help for low bandwidth / low cap ENV's
Not that it's invalid to have an environment w/low bandwidth or poor connectivity, but Microsoft can deem it so rare (So few people are running Windows clients with limited bandwidth) that it is Not worth it for them to expend the cost to maintain a solution for this as part of Windows server.
In that case, there are still solutions to this problem without WSUS, But you may end up having to prepare and ship physical burned CDs or thumb drives with yo
Re: (Score:2)
Peer to Peer Windows update distribution with Delivery Optimization.
Because you want to pull updates for an air gapped system from the luser's workstation that was infected with a virus 8 times in the last year......
Re: (Score:2)
from the luser's workstation that was infected with a virus 8 times in the last year
The peer to peer updates are integrity-verified. It doesn't matter how many virus infections they had.
Same as with bittorrent protocol. It does not matter how many viruses your peers might or might not be infected with: the files you are downloading are cryptographically verified. Microsoft services still provide the authenticated metadata on the updates you are downloading - the peer to peer delivery does not me
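The principle in the comment above (untrusted peers, trusted metadata), as an added example that is not part of the original thread and is not Microsoft's Delivery Optimization code: a client keeps a piece from a peer only if its SHA-256 matches a manifest obtained from the trusted service. The manifest layout, the peer callables and the sample payload are constructed assumptions.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

PIECE_SIZE = 16  # tiny on purpose so the constructed sample spans several pieces
Peer = Callable[[int], Optional[bytes]]  # piece index -> bytes, or None if the peer lacks it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split(payload: bytes, size: int = PIECE_SIZE) -> List[bytes]:
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def build_manifest(payload: bytes) -> Dict:
    """Metadata the trusted service publishes (assumed to arrive authenticated)."""
    return {
        "size": len(payload),
        "piece_sha256": [sha256_hex(p) for p in split(payload)],
        "file_sha256": sha256_hex(payload),
    }


def fetch_verified(manifest: Dict, peers: List[Peer]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Assemble the file from untrusted peers.

    Returns (data, rejected), where rejected lists (piece_index, peer_index)
    for every piece that failed its hash check and was discarded.
    """
    pieces, rejected = [], []
    for idx, expected in enumerate(manifest["piece_sha256"]):
        for peer_no, peer in enumerate(peers):
            candidate = peer(idx)
            if candidate is None:
                continue
            if len(candidate) <= PIECE_SIZE and sha256_hex(candidate) == expected:
                pieces.append(candidate)
                break
            rejected.append((idx, peer_no))  # wrong bytes: drop and try the next peer
        else:
            raise ValueError(f"no peer supplied a valid copy of piece {idx}")
    data = b"".join(pieces)
    # Final whole-file check against the same trusted metadata.
    if len(data) != manifest["size"] or sha256_hex(data) != manifest["file_sha256"]:
        raise ValueError("assembled file does not match the manifest")
    return data, rejected


def make_peer(payload: bytes, corrupt_piece: Optional[int] = None) -> Peer:
    """Constructed peer; if corrupt_piece is set, that piece is served altered."""
    chunks = split(payload)

    def serve(idx: int) -> Optional[bytes]:
        if idx >= len(chunks):
            return None
        if idx == corrupt_piece:
            return bytes(b ^ 0xFF for b in chunks[idx])
        return chunks[idx]

    return serve


# Constructed sample data, not a real update.
PAYLOAD = b"constructed sample update payload, not a real patch"
MANIFEST = build_manifest(PAYLOAD)

if __name__ == "__main__":
    infected, clean = make_peer(PAYLOAD, corrupt_piece=1), make_peer(PAYLOAD)
    data, rejected = fetch_verified(MANIFEST, [infected, clean])
    print(data == PAYLOAD, rejected)
```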
Re: (Score:2)
That’s going to past sweet sweet retirement for most 6 digit and under /.ers!!
Re: (Score:2)
Deprecated also means that they have nobody left who understands how it works.
Microsoft probably has 37% of the world's technical debt.
Re: (Score:2)
It may still run, but won't support Windows 12, Server 2028, etc...
That is not a problem (Score:3)
If it really was a useful feature, someone will fork the project to keep it alive. /s
Just use standard Windows updates. (Score:2)
WSUS and individual update management does not seem that appropriate or necessary anymore.
And it's kind of a security issue - connections from clients to WSUS do not use TLS security.
So you're better off Not configuring WSUS. Configure Windows Updates directly instead with automatic scheduled installation.
And don't install Windows on critical systems that require 24x7 uptime in the first place.
Microsoft does not even give you a choice of individual patches anymore, even if you have WSUS: It's either App
Re: (Score:2)
I have two networks, neither connected to the internet that I need to patch.
1 is QA and is patched and verified days to weeks before production. How do we do that?
Re: (Score:3)
Sounds like you'll be taking on risk or exiting Windows.
"I am altering the deal - pray I do not alter it further."
Re: (Score:2)
I have two networks, neither connected to the internet that I need to patch.
If you don't have a working internet connection on those networks, then
install a Proxy server; similar to what you would have to do with a WSUS server, but runs Linux, and a program called Squid.
Your proxy server has an Internet connection and you add two additional network cards/ports on that server, then you Plug those two ports into each of your two non-internet-connected networks. Assign those two network interfaces a
Re: (Score:2)
What if they legally or by corporate policy can not have any potential route to the internet? These kind of networks exist.
Re: (Score:2)
What if they legally or by corporate policy can not have any potential route to the internet?
Then try to negotiate a contract with Microsoft. I'm sure for a sufficient 7-figure amount of money they will be happy to organize a private Point to Point circuit to provide you access to Windows update servers without the internet.
The point is because your requirement is so special: your software vendor is in No way required to undertake extraordinary efforts on their own (such as developing and maintaining an
Re: (Score:2)
Re: (Score:2)
Yep it's a regression of existing free functionality from microsoft. All designed to push you into SaaS revenue services with less security and uptime.
https://learn.microsoft.com/en... [microsoft.com]
Re: (Score:2)
You've clearly only run computers on very basic networks and have no idea how the world works. There are many windows machines that by necessity need to have their updates finely controlled. There are many windows machines that by necessity are isolated from networks and need to have patches distributed to them over an airgap. WSUS came *after* Windows Update to address these kinds of issues.
And don't install Windows on critical systems that require 24x7 uptime in the first place.
You don't get to make that decision. Your vendor does. What do you do? Say "Oh I guess we won't actually build this r
Re: (Score:2)
There are many windows machines that by necessity are isolated from networks and need to have patches distributed to them over an airgap.
That is not many at all. And the best solution there is probably to get those machines connectivity to Windows update - that can be through a Proxy server, if for whatever reason establishing a routed network and NAT is impractical.
Windows is designed to have an internet connection. Future versions of Windows might even refuse to boot without an internet connect
Up in arms? Really? (Score:2)
Re: (Score:2)
"Gee, I guess we'll have to move on to the modern, supported, more featureful tools" doesn't exactly seem to be 'up in arms.'
In 2035. Remember this is deprecated. It still will feature in the next Windows Server build and that won't go EOL for another decade. The only people up in arms are idiots who don't know what the announcement was. And there are people like this.
Re: (Score:2)
Why MS and Windows? (Score:1)
Everybody knows how to use the interface.
There is a huge number of old programs still in use that still work. The same cannot be said for, say, Apple.
MS Office is still the best office suite, and everybody knows how to use it.
Proper Linux is a horrible PITA.
Chrome and Android aren't powerful enough for many users.
Ridiculous (Score:2)
What does MS expect the outcome to be for governmental sites, or sites with security concerns which require internal audit of packages prior to any installation?
"Just use a cloud service"
No. We do everything in-house.
As if Crowdstrike wasn't a clear enough indication that you need to control all of your computing resources at the end of the day...
I am deeply confused (Score:2)