WSUS in Server 2016

Question
-
I am trying to do some research about WSUS installation in Windows Server 2016, and in the organization network there are about 150 servers. Can you pls advise whether installing WSUS to patch those servers is sufficient, or should we look into a 3rd party tool?
Can you also let me know the pros / cons and any other issues in installing WSUS in the network that I should know?
Can you also pls advise in regards to agent vs agentless patching tool installation? Your assistance is much appreciated.
VT
Sunday, November 4, 2018 8:15 AM
All replies
-
Hello VT,
Glad to help.
According to your description of your environment, I think WSUS could work well, and I recommend that you use WSUS instead of a 3rd party tool for security reasons.
WSUS is easy to install and use, so there is not much to pay attention to in advance. However, you may want to know the following points.
1> WID or SQL?
Both are fine. WID is free and simple, but it may increase the load on the local system; remote SQL could have high availability and high scalability, but it may increase the bandwidth load.
2> Group Policy
You need to use GPOs to control the installation and restart behavior of updates on the client. Refer to the following links to create your own policies.
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates
https://docs.microsoft.com/en-us/windows/deployment/update/waas-restart
3> Test Group
Consider whether you need a test group for testing newly released updates before approving them for the production environment.
4> Do not install WSUS on your DC, and make sure your WSUS server is up to date before deploying updates.
Here are some references that may be helpful for you.
Windows Server Update Services (WSUS)
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus
Install the WSUS Server
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc708515(v%3dws.10)
Hope my answer could help you and look forward to your feedback.
Best Regards,
Ray
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Marked as answer by mywindows Tuesday, November 6, 2018 5:21 PM
Monday, November 5, 2018 6:12 AM -
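The Group Policy and test-group points in the reply above can be checked on a client by reading the policy values the GPO writes to the registry. This is an added example, not part of the thread; the function name `Get-WsusClientPolicy` is hypothetical, and it assumes the standard Windows Update policy key.

```powershell
# Added example (not from the thread): audit the WSUS policy values a GPO has applied to this client.
function Get-WsusClientPolicy {
    [CmdletBinding()]
    param(
        # Policy key written by the Windows Update administrative template
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    $wu = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $PolicyRoot 'AU') -ErrorAction SilentlyContinue

    # Meaning of AUOptions ("Configure Automatic Updates")
    $auOptions = @{
        2 = 'Notify before download'
        3 = 'Auto download, notify to install'
        4 = 'Auto download, schedule install'
        5 = 'Local admin chooses setting'
    }

    $findings = @()
    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'No WUServer policy: client is not pointed at WSUS'
    }
    elseif ($wu.WUServer -ne $wu.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ'
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the WUServer value is ignored'
    }
    if ($wu.TargetGroupEnabled -ne 1) {
        $findings += 'Client-side targeting is off: test/production group must be assigned on the server'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        WUServer         = $wu.WUServer
        UsesHttps        = [bool]($wu.WUServer -like 'https://*')
        TargetGroup      = $wu.TargetGroup
        InstallBehavior  = $auOptions[[int]$au.AUOptions]
        NoAutoRebootWithLoggedOnUsers = [bool]$au.NoAutoRebootWithLoggedOnUsers
        Findings         = $findings
    }
}

Get-WsusClientPolicy | Format-List
```

An empty `Findings` list means the client is pointed at WSUS, uses it, and reports into the group named in `TargetGroup`.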
Thanks Ray. I appreciate your feedback. I also would like to ask for what security reason you implied to use WSUS instead of 3rd party tools.
Also pls let me know if there is a feature update done in Windows Server 2016?
VT
Monday, November 5, 2018 7:48 PM -
Hello,
Since WSUS is built by Microsoft, it will not have conflicts with Windows systems and when configured correctly can patch these systems efficiently and safely.
AFAIK, there are no feature packs specifically for Windows Server 2016 recently. You could review the update history for Windows Server 2016 to check the latest update.
Hope my answer could help you.
Best Regards,
Ray
- Marked as answer by mywindows Tuesday, November 6, 2018 5:21 PM
Tuesday, November 6, 2018 1:01 AM -
Thank you for your reply Ray.
VT
Tuesday, November 6, 2018 5:21 PM -
WSUS can easily handle thousands of clients. WSUS is not a deployment tool - it's a repository for updates. It is the Windows Update Agent on each client machine that does all the heavy lifting to check, apply, and restart the systems.
See my 8 part blog series on How to Setup, Manage, and Maintain WSUS - https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/
Adam Marshall, MCSE: Security
https://www.ajtek.ca
Microsoft MVP - Windows and Devices for IT
Thursday, November 8, 2018 6:10 AM -
Thank you Adam for the informative resource. I am looking to wake up .VHDX systems & patch them (those will be turned off in the first instance). I am sure WOL should be configured & I am doing some research about that as well & found that we can use Wake-On-LAN Virtual Machine and also use Wake-On-LAN Sender.
Do you have any other suggestions or good practice that you could suggest?
VT
Sunday, November 11, 2018 8:57 AM -
I don't have any for that scenario. Sorry.
If they are Server 2016 or higher, look into using UsoClient.exe in a deployment scenario (https://omgdebugging.com/2017/10/09/command-line-equivalent-of-wuauclt-in-windows-10-windows-server-2016/) - that may help once the servers are finished with WOL.
Adam Marshall, MCSE: Security
https://www.ajtek.ca
Microsoft MVP - Windows and Devices for IT
Monday, November 12, 2018 2:27 AM