I was recently having a conversation with one of our new internal IT chaps who asked where our WSUS server was? I said something like "We used to have one but we reconfigured the desktops to get updates directly and install them straight away with an overnight reboot. So, we killed the WSUS server."
It's fair to say that this raised an eyebrow. "What about the bandwidth?" I was asked. Well, in the days of dial-up, ISDN and slow leased lines, that was a genuine concern. But these days, with our GB networks and fast Internet pipes, that's less of an issue. Also, of course, Windows now has the ability to distribute Windows updates from other Windows computers via Windows Update Delivery Optimization, which also saves on bandwidth.
He then went on to ask, "What about testing and staging updates?" The concern is that Microsoft release an update that breaks things. Maybe it breaks the OS itself, or it interacts with an application in an undesirable way. This is a genuine concern. Nevertheless, I responded, one has to ask two questions:
firstly, how often does that actually happen?
Secondly, what is the impact when it does?
Now let's compare that with the risk of a zero-day attack. How often do they happen? And what is the impact when they do happen? My own view was (and still is) that buggy updates are becoming rarer and are usually an irritation rather than catastrophic. However, zero-day attacks are on the increase and they can be catastrophic – especially if they result in data breach and loss. I said that whilst I don't think Microsoft are perfect, I do have faith in their ability to keep the computers safe at short notice and think that letting "Microsoft do their thing" (Windows as a Service) is a less risky and more modern approach – by far. Sure, it may mean less professional services revenue for the over-engineered desktop management solutions often proposed by certain IT outfits, but I, personally, think it's the right approach.
3 days later, WannaCry happened. Enough said.
Mark Thurston – Managing Director