locked
New WSUS server optimization RRS feed

  • Question

  • Hi,

    I have an opportunity to deploy a new WSUS 3.0 SP2 ( 2008 R2 server) from scratch.

    I enabled the Sync / classifications and Product list that i need to patch.

    (XP , Win 7 , Server 2003 , Server 2008 and server 2008 R2 -- Security , critical and updates)

    Language English

    Now this got me around 6392 Updates that i see as Unapproved and status Any View.

    I need to keep the stuff clean from the offset 

    1.So what should i approve for install

    2.What should i decline 

    3.When should i run server cleanup wizard

    Any strategy 

    Tuesday, December 2, 2014 9:41 AM

Answers

  • 1.So what should i approve for install

    That really depends on the current patch state of the clients of this WSUS server. For starters, you should not approve any updates that are not already reported by clients as NEEDED. Second, you should not approve any superseded updates. Beyond that, however, there may still be additional updates that you should approve.

    2.What should i decline

    When you get to the point that superseded updates are reported as 100% Installed/Not Applicable, then you should decline those updates. In addition, you can also decline anything you'll absolutely never need, such as Itanium updates. Also, if you're synchronizing Windows Server 2008 and Windows Server 2008, you're getting both x86 and x64 updates. You may or may not need updates for any one of those four platforms.

    3.When should i run server cleanup wizard

    At least once a month, but only if performed in conjunction with other required administrative procedures.

    Any strategy

    Removing unneeded update approvals

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, December 2, 2014 2:27 PM
  • Someone more knowledgeable may have a better suggestion, but if it were me I'd probably enable the "Supersedence" column when looking at all updates, then sort by that column.  You could then decline superseded updates, and approve any remaining.  Then run server cleanup wizard.

    The issue I could foresee with this would be if there was a superseded update that still acted as a prerequisite for some other update.  This might be addressed by first approving any updates that don't have a supersedence relationship or are at the top of any supersedence chain, and then see what updates are still marked as "needed" after the initial batch of updates is applied to protected machines.  Approve any that are still "needed", then decline the rest, and after all updates are applied you could run the cleanup wizard.

    Tuesday, December 2, 2014 2:33 PM

All replies

  • 1.So what should i approve for install

    That really depends on the current patch state of the clients of this WSUS server. For starters, you should not approve any updates that are not already reported by clients as NEEDED. Second, you should not approve any superseded updates. Beyond that, however, there may still be additional updates that you should approve.

    2.What should i decline

    When you get to the point that superseded updates are reported as 100% Installed/Not Applicable, then you should decline those updates. In addition, you can also decline anything you'll absolutely never need, such as Itanium updates. Also, if you're synchronizing Windows Server 2008 and Windows Server 2008, you're getting both x86 and x64 updates. You may or may not need updates for any one of those four platforms.

    3.When should i run server cleanup wizard

    At least once a month, but only if performed in conjunction with other required administrative procedures.

    Any strategy

    Removing unneeded update approvals

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, December 2, 2014 2:27 PM
  • Someone more knowledgeable may have a better suggestion, but if it were me I'd probably enable the "Supersedence" column when looking at all updates, then sort by that column.  You could then decline superseded updates, and approve any remaining.  Then run server cleanup wizard.

    The issue I could foresee with this would be if there was a superseded update that still acted as a prerequisite for some other update.  This might be addressed by first approving any updates that don't have a supersedence relationship or are at the top of any supersedence chain, and then see what updates are still marked as "needed" after the initial batch of updates is applied to protected machines.  Approve any that are still "needed", then decline the rest, and after all updates are applied you could run the cleanup wizard.

    Tuesday, December 2, 2014 2:33 PM