WSUS defer updates download after approving them

  • Question

  • Hello,

    I was wondering the following about WSUS working, I am a newbie in Windows Server and WSUS.

    1) Is it possible to defer updates download after approving them?

    Due to bandwidth limitation, I would like to approve updates during business hours, but download them from Windows Update servers starting from midnight.

    2) For Windows 10 monthly updates, does WSUS download from Windows Update the whole cumulative update every time?

    Let's say that the September cumulative update size is 500 MB and the following one in October is 750 MB. A Windows 10 client would download from Windows Update servers (without WSUS) about 250 MB in October (if it already has all files of the September update). Could WSUS do the same, or does it download the full size of every update? For instance, 500 MB in Sept., plus 750 MB in Oct., which totals more than 1 GB with a duplication of files contained within the updates and a really big bandwidth consumption.

    Thank you.

    Riccardo


    • Edited by R99photo Sunday, October 21, 2018 2:59 PM
    Sunday, October 21, 2018 2:58 PM

All replies

  • Hello, 
     
    1> You can't do that through WSUS settings; however, you could limit the bandwidth of BITS during business hours via Group Policy.

    Computer Configuration | Administrative Templates | Network | Background Intelligent Transfer Service | Limit the maximum network bandwidth for BITS background transfers
     

     
    Another method is setting Automatic Approvals rules. If you set your WSUS to automatically synchronize with Windows Update at midnight, it would automatically approve updates and download them according to the Automatic Approvals rules after completing synchronization.
     
     
    2> It downloads the whole update every time. When WSUS is downloading the OCT update, WSUS doesn't know (or doesn't care) whether it has downloaded the SEP update or whether clients have installed the SEP update, so it needs the whole update file. Actually, the clients could install an incremental update package instead of the whole update if you enable express update files, but it would consume much more bandwidth.
     

     
    Hope my answer could help you.
     
    Best Regards,
    Ray
     

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, October 22, 2018 1:34 AM
  • Thank you Ray for your detailed reply.

    About the first point, from what I understood BITS could reduce bandwidth within the local intranet network (traffic from the WSUS server to clients) during business hours (right?), which is not what I am looking for. At the same time, an automatic approval following a synchronization (at midnight, for example) is no good either. I prefer not installing updates as soon as they are available on Windows Update servers. Before going to the WSUS server, my clients were set up having CBB with a delay of 14 days for quality updates and 180 for feature upgrades.

    About the second point, thanks for your clarification. This is not great for me by the way, because I should download every month many GBs of data and most of them are duplicated.

    Bye.

    Riccardo

    Monday, October 22, 2018 8:09 AM
  • Hello,
     
    I just took "express installation files" as an example to explain why WSUS downloads the whole update file every time.
     
    BITS is used not only from WSUS to clients, but also from MU to WSUS. Refer to the following post.
     
    https://social.technet.microsoft.com/Forums/windows/en-US/ad6681cb-4301-4c3f-8aef-2806f3a2acfe/bits-configuration-for-wsus-controls-download-of-microsoft-updates
     
    And
     
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939927(v=ws.10) 
     
     "Windows Update and Microsoft Update use the Background Intelligent Transfer Service (BITS) to download updates. You can optimize download performance by configuring BITS through Group Policy."
     
    "BITS bandwidth limitations affect the whole computer system. You cannot limit BITS bandwidth to only selected applications."
     
    According to the above article, it should work and you could try it.
     
    Hope the above information could help you.
     
    Best Regards,
    Ray
     



    Monday, October 22, 2018 12:46 PM
  • First, as a new tech in relation to Windows Server and WSUS, I invite you to read my 8 part blog series on How to Setup, Manage, and Maintain WSUS - https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/

    Second, only approved updates are downloaded. With that being said, set up a GPO policy restriction to limit BITS only on WSUS servers for downloading during the day and open it up at night.

    https://community.spiceworks.com/how_to/133819-use-gpo-to-limit-wsus-downloads-during-the-day


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, October 23, 2018 4:46 AM
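
The BITS restriction discussed in this thread, written as the registry values behind the "Limit the maximum network bandwidth for BITS background transfers" policy. This is an added example, not part of any reply above; the rates and hours are assumed values, and a domain GPO linked only to the WSUS server sets the same values and takes precedence over local edits. As the quoted documentation says, the limit applies to every BITS job on that computer, not only to WSUS.

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
# Rates and hours are assumptions chosen for illustration; adjust to your link.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

$policy = [ordered]@{
    EnableBITSMaxBandwidth     = 1    # enable the policy
    MaxTransferRateOnSchedule  = 256  # Kbps cap during the window (assumed value)
    MaxBandwidthValidFrom      = 7    # window start hour, 0-23 (assumed 07:00)
    MaxBandwidthValidTo        = 23   # window end hour, 0-23 (assumed 23:00)
    UseSystemMaximum           = 1    # outside the window: use all unused bandwidth
    MaxTransferRateOffSchedule = 0    # not used while UseSystemMaximum is 1
}

# Create the policy key if it does not exist yet, then write each DWORD value.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $key -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Read the values back and stop if anything differs from what was intended.
$applied = Get-ItemProperty -Path $key
foreach ($name in $policy.Keys) {
    if ($applied.$name -ne $policy[$name]) {
        throw "BITS policy value $name is $($applied.$name), expected $($policy[$name])"
    }
}

# Restart BITS so the service re-reads the values.
Restart-Service -Name BITS

# List current BITS jobs to watch approved updates being pulled down.
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, Priority, BytesTransferred, BytesTotal
```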