Do we need WSUS?

  • Question

  • I've been having a few issues getting WSUS working as we'd like with Windows 10, but nothing too bad.  However, my boss has heard me swearing about it occasionally from across the room and has floated the idea of just getting rid of WSUS, and letting the clients update from each other using delivery optimization.  My arguments against this are:

    1. No visibility of client update status, unless we buy another product to monitor this for us which I'll probably end up swearing at just as much.
    2. No control over updates and no ability to test on sub groups of machines.
    3. How to deal with servers and the pre-Windows 10 machines?
    4. Updates for non-OS items (such as .Net, Office etc), although will these update if we select the 'Allow other Microsoft products' option?

    We've got a total of around 320 clients and 4 SUS servers (one downstream, one upstream and the other two completely separate networks).  We've also got a few users working in remote locations that don't fall under WSUS at the moment anyway.

    Monday, December 11, 2017 3:21 PM

All replies

  • The other 2 completely separate networks.... Are those air gapped?

    I don't know your entire layout, but it would stand to reason that you would have 1 upstream, 1 downstream as you currently have it, and 1 downstream in your DMZ (if you take this step), or have your remote locations site-to-site vpn'd or client VPN'd where they could access your internal existing downstream server.

    If the other 2 completely separate networks are air-gapped, you'd use the wsusutil export command to export from your upstream to your airgapped systems. If they are just not on the same 'domain', and can route over IP to each other, you can just create those 2 as downstream servers with the same single master upstream server (allow firewall and routing).

    WSUS Services are a repository - a website/file system that hosts files and tracks the reports. It's the Windows Update Agents on each system (controlled through registry items or GPO for their settings) that control the how and when a system updates.

    Of course, use my script on all your WSUS Servers - upstream and downstream, and you shouldn't have any issues.

    Most definitely keep WSUS for reporting. WUDO is still a valid option while using WSUS and I recommend using it with the 'LAN Only' setting setup (follows by IP/subnet mask to determine).


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT


    • Edited by AJTek.caMVP Tuesday, December 12, 2017 3:16 AM
    • Proposed as answer by Elton_Ji Thursday, December 14, 2017 2:35 AM
    Tuesday, December 12, 2017 3:15 AM
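    A client-side check for the agent settings described above (clients pointed at WSUS for approvals and reporting, Delivery Optimization restricted to LAN peers), as an added PowerShell example that is not part of the thread. The WSUS URL is an assumed placeholder; the registry paths and value names are the standard Windows Update and Delivery Optimization policy locations.

    ```powershell
    # Added example: audit the Windows Update Agent and Delivery Optimization policy
    # values on a Windows 10 client. WSUS itself only hosts files and collects reports;
    # these per-client settings decide where the agent reports and how it downloads.
    # Run elevated on the client, or wrap Get-WuaPolicy in Invoke-Command for a fleet.

    $ExpectedWsus = 'http://wsus01.corp.example:8530'   # assumed placeholder: your downstream WSUS URL

    function Get-WuaPolicy {
        $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $au = Join-Path $wu 'AU'
        $do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            # WUServer: where approvals/files come from; WUStatusServer: where status is reported
            WUServer       = (Get-ItemProperty -Path $wu -Name WUServer       -ErrorAction SilentlyContinue).WUServer
            WUStatusServer = (Get-ItemProperty -Path $wu -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer
            # UseWUServer = 1 makes the agent honour WUServer instead of Microsoft Update
            UseWUServer    = (Get-ItemProperty -Path $au -Name UseWUServer    -ErrorAction SilentlyContinue).UseWUServer
            # DODownloadMode: 0 = HTTP only, 1 = LAN peers (same NAT/subnet), 2 = group,
            # 3 = internet peers, 99 = simple, 100 = bypass DO entirely
            DODownloadMode = (Get-ItemProperty -Path $do -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
        }
    }

    function Test-WuaPolicy {
        param([Parameter(Mandatory)]$Policy, [string]$Wsus = $ExpectedWsus)
        $problems = @()
        if ($Policy.UseWUServer -ne 1) {
            $problems += 'UseWUServer is not 1: client ignores WSUS and will not appear in its reports'
        }
        if ($Policy.WUServer -ne $Wsus) {
            $problems += "WUServer is '$($Policy.WUServer)', expected '$Wsus'"
        }
        if ($Policy.WUStatusServer -ne $Wsus) {
            $problems += 'WUStatusServer differs from the expected WSUS URL: status is reported elsewhere'
        }
        if ($Policy.DODownloadMode -ne 1) {
            $problems += "DODownloadMode is '$($Policy.DODownloadMode)'; 1 (LAN) keeps peer traffic on the local subnet"
        }
        [pscustomobject]@{
            ComputerName = $Policy.ComputerName
            Compliant    = ($problems.Count -eq 0)
            Problems     = $problems
        }
    }

    Test-WuaPolicy -Policy (Get-WuaPolicy) | Format-List
    ```

    A missing value shows up as a problem too, which is what you want: a client with no WSUS policy at all is exactly the one that silently drops out of reporting.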
  • Hi Adam,  

    Thanks for your response.  Part of your answer (about our layout) doesn't really answer the 'do we need wsus' question, but it does raise some other good points.  One site is completely disconnected from the other sites, with their own SBS server running WSUS so I manage that separately.

    Is it possible to approve updates on an upstream server and have the downstreams update the approved updates from MS rather than from the upstream server?  This is part of the reason we have separate WSUS servers and would solve some issues if they could do that.   Another reason is a tiny IT team with other priorities and no time to rebuild existing WSUS servers (to get them all to WSUS 4.0 for example).

    Friday, December 15, 2017 1:04 PM
  • I think what you're asking is whether the approved updates on the upstream server can flow their approved status to downstream systems, but the downstream WSUS systems download the files directly from Microsoft instead of downloading them from the upstream server? If that's the question, the answer is no. If you tell the WSUS downstream that it's a replica, but do not store update files locally, each client will use the downstream WSUS system for approvals, but then go out to Microsoft and download the update from them. If this is about limiting bandwidth during the day, you can solve that by using GPOs - see https://community.spiceworks.com/how_to/133819-use-gpo-to-limit-wsus-downloads-during-the-day

    WSUS is a repository and a website, not a push-agent system. So you can direct your WSUS on a different network to your upstream system so long as they can communicate with each other.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, December 15, 2017 1:39 PM