Reliable scheduling of installation of Windows Updates using WSUS

  • Question

  • We are an SME. We run an old version of WSUS (on Win 2008 R2 Server) which will likely be upgraded to the latest version available within 6 months.

    Our estate consists of a mix of old (2008, 2008 R2) through to new (2016) servers and we are heavily virtualised. We use Windows 7 Desktops.

    Our core objectives for the application of Windows Updates are as follows:

    - Achieve the installation of Updates ASAP post-release but never sooner than one month after release (the time lag is intended to increase the likelihood of evading "bad" Updates)
    - Install of Updates (and reboot for the installation of Updates) only during specified time periods (i.e. Saturday 12PM through to Saturday 8PM) which will always be outside our standard business hours (Mon-Fri 9am-5pm)
    - On a weekend when the Installation of Updates will occur, an engineer must be on call for the following reasons:
      1) to check that all systems where Updates have been applied are operating successfully post-Update installation;
      2) to manually intervene and remediate where any "bad" Updates have been applied or related Availability issues arise, with a view to ensuring that all systems and services are fully Available for the start of business Monday morning

    To be clear, it isn't always the case that an engineer will be available on a given weekend, and if that is indeed the case, the installation of Updates will be deliberately delayed until the next weekend when an engineer is available to be on-call. The view of the business is that the risk of applying Updates over a weekend without an on-call engineer outweighs the risk of further delaying Update installations until such time as an engineer can be available.

    Now,

    1)  It is evident that when certain combinations of Updates are Approved, some Windows hosts will not complete installation of all those Approved Updates within the next available installation time period; and in such cases, installation will continue automatically during subsequent time periods. Indeed, if our observations are correct, then full installation of a set of Updates that were Approved at the same time may stretch over as many as 3 or 4 different time periods end-to-end. For example, the chronology of events might look like this:

    Mon Jan 20: Updates 1,2,3,4 and 5 Approved
    Sat Jan 25: Update 1 is successfully installed on host X, with reboot
    Sat Feb 1: Updates 2 & 3 & 4 are successfully installed on host X, without reboot
    Sat Feb 8: Update 5 is successfully installed on host X, with reboot

    With this example, a single set of Update Approvals has resulted in the allocation of Update Installations over three subsequent weekends, not just one.

    We are told this behaviour is by design, but it causes us planning headaches if we are unable to know at the point of approval of the Updates how many weekends of installations we are effectively triggering; because we cannot then plan accordingly for availability of the corresponding human resources.

    We are being told by our IT Support company that it is in fact not possible to know at the time the Updates are Approved how many weekly installation cycles will be triggered as a result of those Approvals. Is this correct?

    We are also told that it is impossible to ensure that all of the Approved Updates are Installed within the scope of the next single time period; in other words, looking at any given host, the determination of how many Approved Updates will be installed within the next time period is entirely non-configurable. Is this correct, or is there a better way of managing this so that we can plan ahead adequately?

    2) Any thoughts as to what extent, if any, is the set of challenges I have described above going to worsen (or lessen) when we migrate from Windows 7 to Windows 10 desktops, and/or to a new version of WSUS?

    Many thanks


    Friday, January 24, 2020 6:18 PM

All replies

  • 1) ......

    We are also told that it is impossible to ensure that all of the Approved Updates are Installed within the scope of the next single time period; in other words, looking at any given host, the determination of how many Approved Updates will be installed within the next time period is entirely non-configurable. Is this correct, or is there a better way of managing this so that we can plan ahead adequately?

    If one update relies on another as a prerequisite, then the situation you mentioned is possible.
    In an enterprise environment, I also don't recommend that you add a Deadline when approving updates, to avoid such installation and restart situations during working hours.

    So, there doesn't seem to be a particularly good way to match your environment in WSUS. In SCCM, the ADR of the SUP role can determine a time frame for the installation of updates, and you can find out if this applies to your requirements: "How To Configure Deadline Behavior for an ADR in SCCM."

    * Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    2) Any thoughts as to what extent, if any, is the set of challenges I have described above going to worsen (or lessen) when we migrate from Windows 7 to Windows 10 desktops, and/or to a new version of WSUS? 

    As far as I know, from a functional point of view, WSUS has not added new features to avoid this situation.

    Hope the above can help you.

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 28, 2020 2:27 AM
  • Hi,

    Any update is welcome here.
    If the issue is resolved, please share your solution or use "Mark as Answer" on the helpful response to help other community members find the answer.

    Thank you for your cooperation, as always.

    Regards,
    Yic


    Monday, February 3, 2020 2:19 AM