locked
WSUS requirements RRS feed

  • Question

  • Hi,

    I just installed WSUS on Windows server 2019. I need help to meet the requirements below.

    1. We want to install security and critical updates immediately as soon as they are released to all computer groups
    2. We want to push to install feature pack quarterly to pilot computer group and one month later rolling out to all computers.
    3. What is the best practice to create WSUS computer groups? Can it be sync with AD computer OU?

    Please advise!

    Any help will be appreciated!

    Friday, January 3, 2020 12:32 AM

All replies

    1. We want to install security and critical updates immediately as soon as they are released to all computer groups

    If your goal is to complete the installation "as fast as possible", my recommendations are:
       

    1. Increase the frequency of WSUS update detection, and let WSUS find any new releases faster. You can consider increasing the number of Synchronizations per day in the WSUS console> Options> Synchronization Schedule.
        

          
    2. In WSUS console> Options> Automatic Approvals, set an automatic approval rule:
      -  Specific Classification: Critical & Security
      -  Deadline: a specific deadline on the same day
      As a result, updates will be installed no later than this deadline after they reach the client. If the client does not arrive before this deadline, the installation will be forced as soon as the update reaches the client.
           

         
      Configuring Deadline will effectively achieve your purpose, but this will cause the client to restart during working hours, so please review your actual situation and use it.
        

    2. We want to push to install feature pack quarterly to pilot computer group and one month later rolling out to all computers.

    I recommend doing this step manually to approve feature updates only to the test group.
    After confirming that it will not have any impact on the production environment, review and approve to other computer groups.
       

    3. What is the best practice to create WSUS computer groups? Can it be sync with AD computer OU?

    Can be realised. Consider the following steps:
       

    1. Located in WSUS console> Options> Computers, change the computer group assignment to "Use group policy or registry settings on computers".
         
    2. Add the following Group Policy for client computers: [Enable client-side targeting], different OUs can be configured as different computers.
         

    Hope the above can help you.
       

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by graceyin39 Friday, January 3, 2020 8:49 PM
    Friday, January 3, 2020 3:13 AM
  • Hi Yic,

    Thank you very much for your help! You answered all my questions.

    Appreciated!


    Grace

    Friday, January 3, 2020 8:50 PM
  • Hi Grace,
      

    It is my pleasure to help you.
    If you have more questions about this thread, please continue to reply.
    If this has been resolved, please mark a useful reply in the thread as the answer.
       

    Thank you for your cooperation.
      

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 10, 2020 5:43 AM