What should the WSUS Development team work on next?

  • General discussion

  • Hello,

    My name is Derk Benisch. I am the Product Manager for WSUS here at Microsoft. I am working on a list of improvements/changes to propose to the software engineering team and really want to hear what you think we should work on.

    I want to understand the scenarios in which you have deployed, configured and run your WSUS implementation.

    Some of the questions that come to mind are:

    • What is causing you the most pain?
    • What is it we are doing right that we shouldn't change?
    • What is missing?
    • How do you use WSUS?

    I want to thank all those that submit your feedback in advance for helping direct the development of WSUS.


    Best Regards,

    Derk Benisch
    Program Manager - Microsoft Corporation


    Monday, March 9, 2015 7:48 PM

All replies

  • Hello

    I would like to see more GUI-based tools / thought going into handling exports and imports for disconnected networks. These seem to break far too easily with any major changes like the WU client update in August breaking all of our disconnected networks which Microsoft still has not been able to solve 7 months later.

    If we connect the disconnected WSUS box to the internet for one update everything works again but this is not a practical option and defeats the purpose of disconnected WSUS servers.

    In today's IT security environment, more and more companies are moving sensitive work to disconnected networks so this really should be more of a priority, especially when it comes to testing updates to the update process itself.

    How about building in an option so the disconnected / import WSUS box can create a list of what updates it needs in case the export server does not synchronize these updates. The Export server can have an option to import this list and download the relevant updates even if they are not approved on the export WSUS server. This way when we copy the updates from the export server they are all downloaded and ready on the import box.

    If possible, can we have a disconnected server that does not need another WSUS server to function as an export server. Perhaps using some mechanism that can request updates as requested in the paragraph above, and then a different tool can be connected to download the latest updates online and then moved offline afterwards without the convoluted export we have to perform each time.

    Basically it just needs to be made friendlier and easier to manage this process and it needs to run without the assumption that there is another WSUS server to copy updates, and without the assumption that we want to import the same approvals as the export server.
    Tuesday, March 10, 2015 11:14 AM
  • I would also like to see a method of seeing and setting approvals per Computer Group.

    For example. A new WSUS server is rolled out with two computer groups, A & B. Relevant updates are approved for these two groups but nothing else (ie not All Computers group.)

    2 years later we add another computer group, C. When searching for "Unapproved updates," even though group C has clients which need updates, these do not show up. This is because I am searching for "Unapproved" updates and yet, because an "approval" does exist for computer groups A & B, the updates never show up as relevant for group C even though they are required.

    This means that group C can have clients left unpatched because of what appears to be a UI issue not being able to differentiate between groups. This scenario, which left us without updates going back several years on some networks, simply should not be allowed to happen. New computer groups should not be disadvantaged purely because they were not set up at the time the original WSUS server was set up.

    You can avoid this scenario by each month going back and approving the previous month's updates for the "All Computers" group and setting that to propagate, but this is another manual step that you have to be aware of to implement as a working process; this process should be built into WSUS somehow. I am not stating that all updates should automatically apply to the All Computers group after a set time, but at least a feature built into it that enables with 1 click an option to apply all the previous month's approvals to the rest of the hierarchy.

    Overall WSUS is a great product which works perfectly for smaller environments but you really need good processes to have it be effective in the medium / larger environments.
    Tuesday, March 10, 2015 11:56 AM
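
A read-only report for the gap described in the post above, added here as an example and not part of the original thread or any Microsoft tooling: it lists updates that clients in one computer group still need but that have no Install approval set on that group, even when they are approved for other groups. It assumes the UpdateServices PowerShell module on the WSUS server and a group named `C` as in the post; approvals inherited from a parent group are not evaluated.

```powershell
# Added example: find updates a group needs but that are not approved for it.
# Assumptions: run on the WSUS server with the UpdateServices module available;
# the group name 'C' is taken from the post and should be changed to suit.
$groupName = 'C'

$wsus  = Get-WsusServer
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { throw "Computer group '$groupName' not found on this WSUS server." }

$report = foreach ($update in $wsus.GetUpdates()) {
    # Declined updates are intentionally excluded from deployment.
    if ($update.IsDeclined) { continue }

    # Install state of this update across the clients in the chosen group.
    $summary = $update.GetSummaryForComputerTargetGroup($group)
    $needed  = $summary.NotInstalledCount + $summary.DownloadedCount + $summary.FailedCount
    if ($needed -eq 0) { continue }

    # Approvals set directly on this group. Approvals inherited from a parent
    # group (for example All Computers) are not returned here, so an update
    # covered only by inheritance will still be listed.
    $installApproval = $update.GetUpdateApprovals($group) |
        Where-Object { $_.Action -eq 'Install' }
    if ($installApproval) { continue }

    [pscustomobject]@{
        Title            = $update.Title
        ClientsNeeding   = $needed
        Failed           = $summary.FailedCount
        # True when some other group has an approval: the case that keeps the
        # update out of an "Unapproved" search in the scenario from the post.
        ApprovedElsewhere = $update.IsApproved
        Arrived          = $update.ArrivalDate
    }
}

$report |
    Sort-Object ClientsNeeding -Descending |
    Format-Table -AutoSize
```

Nothing is approved or changed by this script; rows with `ApprovedElsewhere` set to `True` are the ones to review for the new group.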
  • See this:

    Identify New Products Recently Added

    To be able to see the new Products in the console. 


    Rolf Lidvall, Swedish Radio (Ltd)

    Wednesday, March 11, 2015 10:18 AM
  • Two things have always aggravated me about WSUS: The lack of any distinction between "Installed" and "Not applicable", and the inability to decline an update only for certain groups. But I'm pretty sure that neither would be an easy fix.

    The first, I'm thinking, would depend on changes to the client update agent rather than WSUS itself; the second (decline an update for a specific group only) would surely require major changes to the underlying WSUS database. But I can still dream, I guess.

    MikeeMiracle wrote:

    I would also like to see a method of seeing and setting approvals per Computer Group.

    For example. A new WSUS server is rolled out with two computer groups, A & B. Relevant updates are approved for these two groups but nothing else (ie not All Computers group.)

    2 years later we add another computer group, C. When searching for "Unapproved updates," even though group C has clients which need updates, these do not show up.

    Would your problem go away if, each month, you removed approvals for updates that were fully installed, instead of approving them for All Computers? This would allow the cleanup wizard to trim your database down, as well.

    Wednesday, March 11, 2015 4:07 PM
  • Two things have always aggravated me about WSUS: The lack of any distinction between "Installed" and "Not applicable", and the inability to decline an update only for certain groups. But I'm pretty sure that neither would be an easy fix.

    The first, I'm thinking, would depend on changes to the client update agent rather than WSUS itself; the second (decline an update for a specific group only) would surely require major changes to the underlying WSUS database. But I can still dream, I guess.

    MikeeMiracle wrote:

    I would also like to see a method of seeing and setting approvals per Computer Group.

    For example. A new WSUS server is rolled out with two computer groups, A & B. Relevant updates are approved for these two groups but nothing else (ie not All Computers group.)

    2 years later we add another computer group, C. When searching for "Unapproved updates," even though group C has clients which need updates, these do not show up.

    Would your problem go away if, each month, you removed approvals for updates that were fully installed, instead of approving them for All Computers? This would allow the cleanup wizard to trim your database down, as well.

    And then when we add future groups WSUS would download them again? Does it definitely work that way? Regardless, it should be more intelligent in my opinion. So long as you run maintenance on the database frequently, its size should not be an issue, ours is over 4GB.

    Anyway let's not hijack this thread. :)

    Wednesday, March 11, 2015 4:25 PM
  • You should add automatic scheduled maintenance, similar to what this script (link below) accomplishes but built in.

    https://wsus.codeplex.com/releases/view/17612


    -- Al

    Wednesday, March 11, 2015 5:00 PM