In this post, we will take a look at the basics of Windows Server Update Services (WSUS), and I'll throw in some recollections of my personal experience.
I have been a Windows administrator for eight years and currently focus on Group Policy, backup, and IIS/Apache administration.
The WSUS server downloads updates from Microsoft Update and distributes them to the servers and clients in your network. For some administrators this alone is reason enough to use WSUS: each update crosses your Internet link once, instead of once per client.
Note that WSUS cannot push updates to clients. The model is pull: the Windows Update agent on each workstation and server polls its configured update server on a detection schedule, and all you can do is configure the agent, normally through Group Policy, to use WSUS instead of Microsoft's Update service. Think of WSUS as an update repository for Microsoft products.
Most deployments use Group Policy to configure the Windows Update agent. A policy set this way applies uniformly and cannot be overridden by local users, which ensures that updates are installed in a timely fashion.
Here is how a typical WSUS configuration goes:
- The Windows Update agent on workstations and servers is configured via Group Policy to use the WSUS server as its update server.
- The clients download the new policy and apply the new settings.
- An admin approves, in the WSUS console, the updates that clients are allowed to install.
- At its next detection cycle the Windows Update agent finds the approved updates, downloads them from the WSUS server, and installs them according to the configured schedule.
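The four steps above, scripted with the GroupPolicy (RSAT) and UpdateServices PowerShell modules. This is an added example, not code from the original post; the GPO name, the OU distinguished name and the WSUS host name are assumptions. The Group Policy part runs on an admin workstation with RSAT, the approval part on the WSUS server itself.

```powershell
# Added example (not from the original post). Assumed names: GPO "WSUS Clients",
# OU "OU=Workstations,DC=corp,DC=example", WSUS host wsus.corp.example.
$WsusUrl   = 'https://wsus.corp.example:8531'   # assumed; TLS on 8531 rather than plain HTTP on 8530
$GpoName   = 'WSUS Clients'
$TargetOu  = 'OU=Workstations,DC=corp,DC=example'
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Step 1 (admin workstation with RSAT): create the GPO and point the Windows Update
# agent at the WSUS server. These registry values are what the "Specify intranet
# Microsoft update service location" and "Configure Automatic Updates" policies write.
function Set-WsusClientPolicy {
    Import-Module GroupPolicy
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\AU" -ValueName 'UseWUServer'  -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\AU" -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
    # AUOptions 4 = auto download and schedule the install; day 0 = every day, hour 3 = 03:00
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\AU" -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\AU" -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\AU" -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null

    # Link the GPO to the OU holding the clients. Step 2 then happens on its own:
    # clients pick the policy up at their next Group Policy refresh.
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Step 3 (on the WSUS server): approve the unapproved critical and security updates
# that at least one client still needs, for the built-in "All Computers" group.
function Approve-NeededUpdates {
    Import-Module UpdateServices
    $wsus = Get-WsusServer   # no arguments = the local WSUS server
    foreach ($class in 'Critical', 'Security') {
        Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved -Status FailedOrNeeded |
            Approve-WsusUpdate -Action Install -TargetGroupName 'All Computers'
    }
}

# Step 4 happens on each client at its next detection cycle. To force it now on a
# test client, run there as administrator:
#   (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Set-WsusClientPolicy     # run where RSAT is installed
# Approve-NeededUpdates  # run on the WSUS server
```

Approving by classification in a loop is deliberately narrow: approving everything with `-Classification All` would also push feature upgrades and drivers to every machine, which is exactly what the approval step is supposed to prevent.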
In a perfect world, this would be all you have to know. Unfortunately, many things can go wrong. What follows are the main issues I encountered when working with WSUS.
In my experience, the WSUS server can be subject to interference by a variety of other programs and services, so it is best to install the WSUS server in its own virtual machine living on a highly available host or, better yet, dedicate a separate physical machine to WSUS.
The first thing to do if updates are not installed on clients is to check that the Group Policy settings have replicated to the domain controller the clients use and have actually been applied on the client; gpresult /r on the client shows which GPOs were applied. If you have a domain controller that you typically use to set Group Policy, keeping it on the same physical link as the WSUS server makes things much smoother.
WSUS distributes updates and update metadata through web services hosted in IIS. You will always need to make sure that edge firewalls do not block WSUS traffic. The ports are either 80/443 (HTTP/HTTPS) or 8530/8531, depending on your configuration. Prefer the HTTPS port: over plain HTTP, anyone on the network path between client and server can read and alter the update metadata the agent receives, and Microsoft recommends configuring WSUS with TLS.
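A client-side check that walks the two points above in order: has the policy actually arrived on this machine, and can the machine reach the server it names on the configured port. This is an added example, not part of the original post; it reads only the standard policy keys, so the only assumption is that it runs as administrator on the affected client.

```powershell
# Added example (not from the original post). Run as administrator on a client
# that is not installing updates.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. Has the policy replicated and applied? Read exactly what the agent reads.
$wu = Get-ItemProperty -Path $PolicyKey        -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$PolicyKey\AU"   -ErrorAction SilentlyContinue
if (-not $wu -or -not $wu.WUServer) {
    Write-Warning 'No WUServer policy on this client: the GPO has not applied. Check gpresult /r and DC replication.'
    return
}
if ($au.UseWUServer -ne 1) {
    Write-Warning 'WUServer is set but UseWUServer is not 1: the agent will still talk to Microsoft Update.'
}
Write-Host "Configured WSUS server: $($wu.WUServer)"

# 2. Plain HTTP (80 or 8530) exposes update metadata to anyone on the path;
#    WSUS should be reached over TLS (443 or 8531).
$uri = [uri]$wu.WUServer
if ($uri.Scheme -ne 'https') {
    Write-Warning "WSUS is configured over $($uri.Scheme.ToUpper()) on port $($uri.Port); move the server to TLS and the policy to an https URL."
}

# 3. Is the port open through the firewalls? (Test-NetConnection: Windows 8.1 / 2012 R2 and later)
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $($uri.Host):$($uri.Port) is blocked or the service is down; check edge firewalls for this port."
    return
}

# 4. Does the web service answer? ClientWebService/client.asmx is the endpoint the agent uses.
try {
    $endpoint = "$($uri.AbsoluteUri.TrimEnd('/'))/ClientWebService/client.asmx"
    $resp = Invoke-WebRequest -Uri $endpoint -UseBasicParsing -TimeoutSec 15
    Write-Host "WSUS client web service answered HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "Web service did not answer: $($_.Exception.Message)"
}

# 5. Kick off a detection cycle and show the result the agent recorded last time.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect' -ErrorAction SilentlyContinue |
    Select-Object LastSuccessTime, LastError
```

If step 5 records an error, the agent's own log is the next stop: on Windows 10 and later, `Get-WindowsUpdateLog` merges the ETL traces into a readable WindowsUpdate.log on the desktop.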
When using WSUS over a WAN, be aware that every client in a remote office then pulls each update across the link, which eliminates the bandwidth advantage of WSUS. Either place a downstream WSUS server in the remote office, or configure the clients there to use the Microsoft Update service directly; the second option is simpler but gives up central approval of updates for those clients.
Some clients in your network might not receive updates because they have been offline for some time or because mobile users haven't connected to the corporate network in a while. Make sure you have a policy in your organization that covers these cases, for example by reviewing in the WSUS console which computers have not reported in recently.
If you have some old, outdated machines in your network, you may run into a typical chicken-and-egg problem: the Windows Update agent on those machines is too old to talk to the WSUS server, so the update that would fix it cannot arrive through WSUS. In some cases, you have to deploy the latest Windows Update agent by other means (a software distribution tool or a manual installation) before those machines can work with WSUS.
Some old machines in your network may not have enough disk space for the updates. You will need to free space first, with the built-in Disk Cleanup tool or a third-party tool that removes superfluous data.
Did you encounter other issues with WSUS? I am curious to learn about your troubleshooting tips.