Hello Spice folk,

Just taken on extra responsibilities, one being WSUS. In the past it has been managed poorly.

Going forward, I'm just working out the best way to manage the updates. There are a lot of updates sitting in my WSUS server with release dates from as far back as 2011 < wtf? I'm presuming later updates will supersede these. Drive space is an issue, so I've just removed 'Drivers' from the classifications options - hoping this will help.

How do you go about approving/declining updates? How often do you do this? Once a month? How do you manage really old updates? How do you go about testing updates if you are not 100% sure they will not have an adverse effect on your clients?

I'm thinking of a monthly process, which looks like the below:

  1. Once a month, review updates in WSUS.
  2. Approve / decline updates as required.

cheers.

9 Spice ups

I got rid of WSUS. It’s a lot of work to manage if you want to manage it correctly. If all you want to do is apply updates, create a group policy to update from Microsoft. Have the updates happen automatically and reboot at like 3am.

To do WSUS correctly, you need to review the updates as they come in. Test the updates in a test environment (for each OS you have in production at a minimum), then if the updates pass the testing phase, you approve the updates to be rolled out to your production machines. Even at that, I would roll the updates out to a group of power users first (ones that will give you feedback about problems). Then you need to keep up on maintaining the database. Remove updates that have been superseded, ensure that all updates have been pushed out to all machines, etc.

Most people don't use WSUS this way; they just auto-approve critical and important updates, which is just easier with a group policy.

My $.02

There is a script on here somewhere to help with it, I’m sure someone has the link handy.

It is only a lot of work if you procrastinate. If you have WSUS, continue using it. Yes, it will be a chore to get up-to-date, but after that, it should only involve you, say, once a month or so, for no more than 15 min. Hardly a PITA. What is a PITA is a stupid patch getting into your systems that screws up your accounting system (they won't notice when payroll is late) or, forbid, one that blue screens half your company's PCs.

So yes, use a test group as that is best practice and make sure you have it resemble a cross-section of your environment. Make sure the folks in the test group understand why they are there and perhaps get them on board.

Cause we all know that MS released patches are generally flawless.

3 Spice ups

There's AdamJ's WSUS maintenance script that's only $80 and is brilliant at sorting through the rubbish in your store and DB. Well worth the small fee.

1 Spice up

It sounds to me like your server needs rebuilding. You should be on SRV2012 (at least) as SRV2008 will be unsupported by 2020. Extra post-configuration is required for Windows 10 updates/upgrades to work correctly too - so you should take that into consideration.

Drive space is an issue - The only classifications you really need are critical and security updates - also upgrades if you want to manage Windows 10 builds. Drivers are handled well by Windows 10. Some systems might need manual driver installations during deployment which is fine, for example Windows 7.

How do you go about approving/declining updates - On a weekly basis on “patch Tuesday”, I will approve updates for WSUS, and roll them out, without testing. This is due to company size and small IT Team - it’s not mandatory and really comes down to your environment… Microsoft spend time testing out updates before they release. If you have an issue, you can “rollback thursday”.

I have scheduled “manual” update windows with relevant departments/sites, and do my best to reboot critical servers during office hours, typically over lunch, in case of an issue. These clients are set to automatically download updates, not install. This GPO is applied across the domain.

Automatic updates are configured for servers (automatic update GPO) which aren't too critical - to reboot at 11PM every Tuesday night. This takes off some administrative burden, and tied in with manual updates, helps keep on top of client updates.

I'm thinking of a monthly process, which looks like the below - You should make updates a weekly/bi-weekly thing to keep on top of them. If you leave updates to run at end of month, you will have a big pile of them to process, and they will take longer to apply.

Hope this helps :)

EDIT: I would NEVER pay for a WSUS script. That’s just ridiculous. It seems like AdamJ has only just started to charge for this… If you’re running an older version of WSUS (3.0) - you will likely find the old script floating about…

1 Spice up

$60USD/Year :) (and $30USD/Year for any downstreams)

Take a look at my 8-part blog series on How to Setup, Manage, and Maintain WSUS.

1 Spice up

I wait for about 5 days after patch Tuesday to see if I hear about any major problems then approve updates for a test group. I wait another few days and if no problems, release the updates to everyone else.

As mentioned above, look into Adamj’s WSUS maintenance script. Does a great job of keeping everything healthy and getting rid of unneeded junk.

2 Spice ups

Critical and Security patches are not (typically) the updates that you have to worry about crashing your computers. Not doing updates as soon as possible is old school thinking. In today's environment, you're more likely to get a virus from not being patched than a BSOD from an update. An update may cause your printer not to work or something relatively minor. Just roll back that particular update.

I'm just telling you like it is. You have great intentions now, but in 6 months you will not be managing WSUS (unless you have a number of employees in your IT department).

The worst part of WSUS is that when an update is approved, it will sit in the cache on the WSUS server even after it’s been installed on every machine that will ever need it. If you have an old WSUS installation that’s never been maintained, it will still have downloaded updates for Windows XP, even though you dumped all of your XP machines nine years ago. (You did dump them when Windows 7 came out, right?)

I haven't seen any WSUS maintenance tools - not even AdamJ's free scripts - that automatically decline and purge previously approved but unneeded (and not expired) updates. The "WSUS reset" will momentarily purge the updates, but as long as they remain approved they'll just get downloaded again. You'll see your drive space suddenly clear up, but in a few days it will be right back to overloaded.

The only way to purge old, unneeded update packages from the cache is to DECLINE them, then run the maintenance, which will purge them. If you think you might ever need those update packages again, you’ll have to change them from declined to unapproved so they’ll show up in the list of needed updates again.
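The decline-then-clean-up step described in the post above can be scripted. This is an added PowerShell example (not from the thread, the OP's server, or AdamJ's script) for a WSUS server running Server 2012 or later with the UpdateServices module; it declines superseded updates that no reporting client still needs, then runs the built-in server cleanup so their content files are actually purged. The server name and port are assumptions; run it with -WhatIf first to review what would be declined.

```powershell
# Added example: decline superseded updates no client still needs, then run
# the WSUS server cleanup so the declined content is removed from the cache.
# Run with -WhatIf first and review the list before declining for real.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ServerName = 'localhost',   # assumption: running on the WSUS server itself
    [int]$Port = 8530,                   # default non-SSL WSUS port
    [switch]$UseSsl
)

Import-Module UpdateServices

$wsus = Get-WsusServer -Name $ServerName -PortNumber $Port -UseSsl:$UseSsl

# Every update that is not already declined, regardless of approval or install state.
$candidates = Get-WsusUpdate -UpdateServer $wsus -Classification All `
                  -Approval AnyExceptDeclined -Status Any |
    Where-Object {
        $_.Update.IsSuperseded -and            # a newer update replaces it
        $_.ComputersNeedingThisUpdate -eq 0    # and no reporting client still needs it
    }

"{0} superseded update(s) with no remaining clients" -f @($candidates).Count

foreach ($u in $candidates) {
    # Declining (not merely unapproving) is what allows cleanup to remove the files.
    if ($PSCmdlet.ShouldProcess($u.Update.Title, 'Decline')) {
        $u | Deny-WsusUpdate
    }
}

# The same actions as the Server Cleanup Wizard, but scriptable: decline expired and
# superseded updates, drop obsolete update and computer records, delete unneeded
# content files, and compress update revisions.
if (-not $WhatIfPreference) {
    Invoke-WsusServerCleanup -UpdateServer $wsus `
        -DeclineExpiredUpdates -DeclineSupersededUpdates `
        -CleanupObsoleteUpdates -CleanupObsoleteComputers `
        -CleanupUnneededContentFiles -CompressUpdates
}
```

Declined updates stay in the catalog, so if one is needed again it can be set back to unapproved in the console, as the post notes; only the downloaded content is removed.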

@overdrive

If you don’t go through your products options regularly, you have issues like you explain.

Your XP and Windows 7 comments are easily dealt with if you uncheck the box for the Windows XP product and the Windows 7 product. The next sync with Microsoft will expire all of those updates on your WSUS server and the next time the SCW is run it will remove all the data.

You should really take a look at part 8 of my blog series here: How to Setup, Manage, and Maintain WSUS: Part 8 - WSUS Server Maintenance - AJ Tek Corporation

Thanks everyone - all very valid input. I've made a start already in removing some product options and declined a ton of updates; I have since run the clean up utility, which is reducing the available drive space. More work to be done, but the ball has started to roll.

Cheers folks!