Is WSUS a dead horse?

Topic

New Reply

A friend of mine wants to know: Does anyone still use WSUS in corporate environment or is it a dead horse? The reason why he’s asking — there’s an ar
[See the full post at: Is WSUS a dead horse?]

2 users thanked author for this post.

GreatAndPowerfulTech, PhotM

Reply | Quote

Replies

Last Updated: Oct 21, 2018

https://support.microsoft.com/en-us/help/4025764/how-to-troubleshoot-wsus

Reply | Quote

Thank you Woody for giving me the chance to discuss the matter with so many experts and users around.

Unfortunately, the MS WSUS blog team did not answer the same questions (1-8) for months now.

Please don’t see this as a rant. For me WSUS is a crucial part of my work and the bloggers and this community here help me a lot to make the “right” decisions on releasing updates or keeping them on hold.
Yet, I hoped that MS will update WSUS with Server 2016 or 2019 but it is nearly unchanged. The only new feature I’ve spotted was “driver packages” based on HW platforms.

So, I questioned myself you can get your job done with WSUS, and without ConfigMgr or Azure based Update management.

Here is some brainstorming I did what I noticed is not working on WSUS if you think about all the changes Microsoft has introduced over time.

1. Import updates does not work in a Remote management MMC of WSUS, e.g. via Server Manager. It will use the correct link but then redirect to a local instance of the update catalog site

2. WSUS remote console (for WSUS 3.2, 2008R2-2012R2) is still not shown in the context menu in Server Manager when you right click a Server with a WSUS role installed.
WSUS on Server 2016 has a completely different name in server manager the console shows up in Server manager in the context menu of the server.

3. Imho WSUS Remotemanagement setup is too complicated for Server manager (IIS Management service, bindings, certs etc.)

4. nothing of this remote management is possible in Windows Admin Center, currently

5. There is still no new architecture for ARM64 and Itanium so we can actively prevent these patches from syncing. It would be awesome if these would be chooseable as separate hardware platform just as x86 or x64.

6. I miss to see any implementation about express updates which are available with 1809, hence there exists an legacy express update switch, but this has a completely different meaning, not releated to Windows 10 express updates.

7. Preview Updates have no own update category, making it impossible to avoid in the auto acknowledgement wizard.

8. Service Stack Updates have no own update category but should have this to make it more transparent whether they are installed or missing.

8. All Windows 10 versions are commonly listed in one product.
It would make much more sense to have a new product for each release just as MS does actually separate it with drivers so we can actively prevent older / unsupported releases from syncing and do no need to decline them.

9. There is no fix for Windows 10 upgrade deployment in WSUS 3.2 (2008 R2) despite it is still supported till 2020, the fix only exists for Server 2012 (R2)

10. there is not any branch logic for Office (365) or Windows 10 that belongs to the auto acknowledgement wizard in WSUS

this would be needed to filter to auto acknowledge or decline updates for:
Office channels (monthly, monthly targeted, etc)
Windows 10 channels (business / consumer, Pro / Ent / N versions etc)
Windows 10 x32 upgrades images
Windows 10 upgrade languages
ARM / Itanium updates (if not via architecture platform)

currently, all these must be declined manually according company needs.

11. there is no deferring logic in WSUS for computer groups, GPO does not do the work as intendend if a user / admin manually clicks on “search for updates” or uses Windows Admin Center or PS.

At least since 2016 I am unable to implement “update test groups” for WSUS while using the auto acknowledgement wizard due to missing parameters and filters and simply don’t have the time to repeat this for any customer environment (at best efforts).

My goal is that WSUS allows auto acknowledgement rules that work with the new iterations / methodology of updates, upgrades and channels altogether.

Please don’t tell me “you can use powershell to filter for update strings etc”,
I already use https://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus to get a bit of work done, but it is not yet perfect, and now a commercial – yet good – solution.

I expect WSUS acknowledgement or declining of updates to be working using the GUI / wizard, for anyone out there. So maintaining WSUS doesn’t get a full time job and can be handled transparent for anyone without SCCM configmgr, where such rules could be set up.

I appreciate for your comments, corrections and additions!

5 users thanked author for this post.

tommyb0y, JustanotherItGuy, PhotM, GreatAndPowerfulTech, woody

Reply | Quote

Not dead. Still very much necessary in an Enterprise and you can’t use SCCM without it.

1 user thanked author for this post.

ch100

Reply | Quote

One more thing I noticed:

12. Lately a lot of updates and Service Packs in WSUS (based on Server 2016) have no “supersedence” flags anymore, this leads up that Service Packs / CU for products will remain in WSUS forever even when they “should be” clearly superseded by nature.

This belongs to Exchange CUs, SSU, Windows CUs (Windows 7 / 10, and 2008-2016 Servers, aswell as Windows and .net Security Rollups, SQL Service Packs etc.).

If this is new behaviour is by design this would break the WSUS cleanup script and the WSUS cleanup wizard. It randomly affects any products / OS.

Has anyone of you seen similar things happen in your own WSUS?

Reply | Quote

It is true, but this is not specific to WSUS.
The supersedence is the same which is seen in Windows Update, as the updates are the same.
There are multiple layers of supersedence and the explicit one in metadata which you see in WSUS is only one of them.
This was discussed here many times between @abbodi86, @mrbrian and me with good contributions from other posters, getting into a lot of technical detail. Check older posts in relation to this issue.

Reply | Quote

Microsoft’s support has become seriously flawed. It doesn’t look to be getting any better. Their efforts must be going into shoving their corporate customers into Microsoft’s cloud. They are simply not trustworthy these days. There needs to be a strong effort by MS to undo the entropy that they’ve let into the Windows update system.

GreatAndPowerfulTech

Reply | Quote

I still use WSUS on my Win 2012R2 server. I’m not having any problems (that I know of). Not a “corporate” environment though. I only have 10 PCs connecting to it.

Reply | Quote

Large enterprise rarely use WSUS directly, they would rather use SCCM which use WSUS as Software Update Point.
But WSUS can be used directly in any size of environment, from test labs to very large ones.

Reply | Quote

Are you seeing any of the mentioned problems with WSUS?

Reply | Quote

There are bugs in every software. At some point the administrator/user needs to make a judgement call and either use the software working around problems or try to find reasons not to use it because it is imperfect.
You know on which side I am.

The issue about importing updates from the Catalog is there. I encountered that issue a while ago and resolved it according to the mentioned blog.
However, that functionality is a minor one. WSUS is not meant to be used by importing updates from the Catalog, except for very specific situations, like when importing Drivers and the administrator tries to avoid synchronising the whole Microsoft Driver database which is known to cause problems.
If people push buttons just because they are there, then it is normal to find issues due to the inherent complexity of each software product.

3 users thanked author for this post.

tommyb0y, walker, Fmorrow

Reply | Quote

One of the problem with WSUS in SCCM is the timeout delay error when you are downloading mainly with upgrade on Win10 (ie like going from 1709 to 1803), but also if the content is too big. That’s a bug since SCCM 2012 and not fixed with SCCM CB (1806). That’s why I’m doing it in the evening.

Reply | Quote

Upgrades (in place) are an entirely different category.
May I suggest deploying either an entire new image if you do SCCM deployments every time a new version of Windows 10 is required, or if the number of machines is small enough and upgrade in place is still required, use the ISO with setup switches for that purpose and install manually.

Reply | Quote

Why so tabloid title of article?

In linked article is mentioned workaround, so that’s good.

I’m managing multiple Wsus servers on 2012R2 and I don’t see any problems worth mentioning.

My latest WHAT moment was when I was trying import https://support.microsoft.com/en-us/help/4468304 (HP Devices may experience blue screen error WDF_VIOLATION after installing HP Keyboard driver (11.0.3.1) ) update to wsus and I get:

This update cannot be imported into Windows Server Update Services, because it does not have the required applicability information

But it’s probably logical, computers using wsus was not impacted by that problem

 

2 users thanked author for this post.

tommyb0y, ch100

Reply | Quote

@Woody is asking a genuine question, not being an expert in this Windows WSUS role.
The subject has been brought by another poster, likely the anonymous poster at https://www.askwoody.com/forums/topic/is-wsus-a-dead-horse/#post-229689.
Unfortunately that post is full of inaccuracies and based on an out of date WSUS version, likely 3.2 which is installed on Windows 2008 R2, suitable only for managing products up to Windows 7 / 2008 R2 and not later, like the server versions mentioned in that post.

5 users thanked author for this post.

tommyb0y, walker, Fmorrow, NetDef, woody

Reply | Quote

“Unfortunately that post is full of inaccuracies and based on an out of date WSUS version, likely 3.2”

Can you please outline my inaccuracies? I have made clear that most of the limitations still exist in WSUS on Server 2016 / 2019.
The import of updates is not the only issue, Woody did not intentionally brought this up in front

“WSUS is not meant to be used by importing updates from the Catalog, except for very specific situations”

There are even security updates and other updates missing in WSUS. That’s the point. I recall on manual import of Spectre and Wannacry.

Reply | Quote

Yes, we most definitely are using WSUS. With current “QA” at Redmond, Windows OS is not usable without having control over patching. Frankly, it’s soooo bad I’ve set up WSUS server at home. What a relief. Clicking on “Check for updates” is completely safe now (in case you get to GPOs right to disarm the “dual scan”/WUfB.)

1 user thanked author for this post.

Fmorrow

Reply | Quote

“Clicking on “Check for updates” is completely safe now (in case you get to GPOs right to disarm the “dual scan”/WUfB.)”

I will double check this. Even though I followed the GPO guidelines to disable Dualscan I’ve seen 10-2018 patches even when not acknowledged but I will double-check this. Thank you very much.

How do you / others think about the handling of acknowledgement and declining of updates? Do you all do this manually?

1 user thanked author for this post.

Fmorrow

Reply | Quote

Susan Bradley has had several discussions in the last several months about the dual scan.

There may be some information in the Admin IT Lounge and the WSUS, SCCM Forum. See the directory tree at the bottom right of this webpage. You can also search for “WSUS + dual  scan” as some of the information may also be scattered throughout the postings elsewhere.

4 users thanked author for this post.

walker, Fmorrow, ch100, woody

Reply | Quote

There is no need to disable dual-scan if you are on WSUS.
Some people seem to misunderstand the feature delay setting and do it anyway. This is redundant on WSUS as the updates should all be managed by WSUS and not Windows Update online.
Susan would tell me like she did a while ago on patchmanagement.org that Windows Update has become more complex due to mobile users and MDM style of updating in addition to the standard one and she is likely right.
For those users which I mentioned above dual-scan was implemented.
But for regular users, there is no need for it, but it does not harm to implement either.
The SCCM agent does it in local Group Policy in more recent updates.

1 user thanked author for this post.

walker

Reply | Quote

There is indeed a need to disable Dual-scan. Enabling dual-scan will make your clients ignore WSUS and go directly to Microsoft to check for updates. You also need to enable deferral policies to prevent accidental upgrades when your users use the option to check updates directly from Microsoft. Blocking the updates from Internet breaks Windows Store functionality, which is not acceptable.

Reply | Quote

This scenario belong to a loosely managed environment and in this case what you mentioned in your post applies. This is what Susan was telling me a while ago on patchmanagemnt.org.
In a proper corporate environment, users do not have access to Internet updating and as such there is no need for feature delay and workarounds like disabling dual-scanning.

Try the option in the attached screen instead

Reply | Quote

I do this manually for  most, by groups and a few are set for auto approve. WSUS is how I keep my users safe from broken updates!

Reply | Quote

Still use it, still very important tool for IT managers looking after a corporate environment.

I’ve never used the importing tool, however, so I can’t comment on a lot of the questions. But for what it needs to do for me, it does it (mostly Windows 7 corporate environment).

 

No matter where you go, there you are.

Reply | Quote

anonymous wrote:

Not dead. Still very much necessary in an Enterprise and you can’t use SCCM without it.

Also, even third party like Big Fix need it.

Reply | Quote

Those sitting in Microsoft’s tank and running Windows 10 certainly use Delivery Optimization these days. Unfortunately, DO for clients without Internet access only works with Windows 10 Education/Enterprise SKUs. All other SKUs require Internet access for clients.

Reply | Quote

I can confirm that WSUS 3.2 on Server 2008 R2 is pretty much broken for Windows 10 clients in several ways – key among them that supersedence and major feature control does not work reliably or consistently. (It still works for Windows 7 and 8.1.)

But . . . I am not having any of these problems with WSUS on Server 2012 R2 or 2016.

Cannot imagine not having WSUS in corporate networks to control things.  And I love being able to reverse bad patches from one console without running from cubicle to office like a lab rat.

~ Group "Weekend" ~

2 users thanked author for this post.

ch100, Kirsty

Reply | Quote

We’re running WSUS on Server 2016 in a pretty homogeneous Intel-based environment. We have a mix of Windows 7 & Windows 10 (approx. 100 PCs) and 60+ servers/VMs running 2008 R2, 2012, 2012 R2, and 2016.

WSUS is working fine for us.

Just a data point, not fan/hate mail.

1 user thanked author for this post.

ch100

Reply | Quote

ch100 wrote:

@woody is asking a genuine question, not being an expert in this Windows WSUS role. The subject has been brought by another poster, likely the anonymous poster at https://www.askwoody.com/forums/topic/is-wsus-a-dead-horse/#post-229689. Unfortunately that post is full of inaccuracies and based on an out of date WSUS version, likely 3.2 which is installed on Windows 2008 R2, suitable only for managing products up to Windows 7 / 2008 R2 and not later, like the server versions mentioned in that post.

I am running WSUS Version: 3.2.7600.226  on Windows 2008 R2   and managing all my Windows 10 PC updates  and Servers up to 2012 successfully.  I do not use SCCM

In that article they also mentioned remote access issues. Since ours is a virtual WSUS server, I am able to remote into physical server and access WSUS when needed. I very rarely go to the update catalog manually. I use the WSUS approve/ decline to obtain all updates. Some are set to automatic updates. Nothing is set for automatic install.

 

Reply | Quote

I think that if you have Windows 2012 R2 in the environment, you should use at least this server version for Windows 10 updating, if you cannot use Windows 2016 or its revised edition Windows 2019.
You may still extend the life of 2008 R2 for a little while, but there is so much more in the later versions that it is quite understandable why the old technology built into Windows 7/2008 R2 is left to die slowly.
There might not be such a big deal beyond Windows 8.1/2012 R2, but it really is between 8.1 /2012 R2 and 7/2008 R2.

Reply | Quote

Hello,

Sys admin in a small corporation (about 150 computers running Windows 10 1803) I was living without WSUS only 7 months ago and there it was : each tuesday patch our corporate network link was overloaded during 2 business days because of the updates download.

–> 2 days of complaining users :s each month …

It’s been 7 month since the last network related complaint

So In my opinion no Wsus is clearly not a dead horse to me 🙂

 

 

2 users thanked author for this post.

ch100, Fmorrow

Reply | Quote

Late to the party, I was away last week.

I think a lot of the OP’s issues may be from running WSUS on Server 2008r2. I don’t have any supersedence issues with wsus on server 2012r2. I have 3 servers still running 2008r2 and I just replaced one and will be replacing the other 2 very soon. My personal opinion is it’s time to retire 2008r2.

I agree on the service stack issues. That’s a confusing mess for everyone. If it wasn’t for askwoody I would be completely clueless on that.

It was about a year ago I found that Microsoft Edge is the only browser that works for me for importing updates into wsus from the update catalog. Surprising? NO. It was still working last time I tried. This is where running Server 2012 would resolve that issue.

WSUS is definitely still needed if you still want some control over updates in a corporate environment.

My concern is what direction will occur when “Microsoft 365” fully comes into play. I don’t use sccm so I have no control over Office 365 updates. I see the updates appear in wsus and they are installed before I can even approve or decline them. Fortunately the updates are adhering to the semi annual channel I set in the office 365 admin console. So those are the only ones getting installed. It seems to me that this may be the case for all updates when Microsoft 365 takes hold.

Red Ruffnsore

1 user thanked author for this post.

ch100

Reply | Quote

I hear you Mr.Natural. The lack of support managing O365 updates / branches in WSUS, without using ODT as a defined source is another point missing on my list.

Yet I fail to understand the reason why O365 client updates are listed in the product category because approving them will not dl the O365 monthly update files.
Just for clarification, I did not expect changes to WSUS on 2008R2, I was more talking about any of these features are still missing on Server 2016 / 2019 WSUS roles.

Reply | Quote

Mr. Natural wrote:

It was about a year ago I found that Microsoft Edge is the only browser that works for me for importing updates into wsus from the update catalog. Surprising? NO. It was still working last time I tried. This is where running Server 2012 would resolve that issue.

Your post is all OK, but can you explain how do you run Edge on any server version?!
Do you use a remote console installed on Windows 10 for this purpose?

1 user thanked author for this post.

Mr. Natural

Reply | Quote

D’OH! Good point. I run WSUS remotely on my Windows 10 machine at my desk. Hence using Edge for imports. Install RSAT on Windows 10 and you’ll need report viewer installed as well. Look for the RSAT version made for Windows 10 and the report viewer I’m running is report viewer 2015.

Red Ruffnsore

Reply | Quote

No worries but this is exactly one thing I can point out. latest RWindows Server 2016 Server manager the import of updates is not possible fir remote WSUS because the link is wrong and will not use the correct protocol version (as outlined in the OP) or will then redirect to a local update catalog link that does not import to the remote WSUS altogether, but I am willing to double check this too with October patches applied on both ends. I haven’t tested the behaviour with WSUS 3.2 on 2008R/2012(R2).

Reply | Quote

Hi everyone, thanks for your feedback.

I still miss to see dedicated answers to the shortcomings I see.
https://www.askwoody.com/forums/topic/is-wsus-a-dead-horse/#post-229689

About the limitations of WSUS capabilities of automatic approvals (without ConfigMgr) and the use of deferrals so that one can implement an automatic approval of updates that would be delivered to clients in 2 or more waves. And additionally to decline unneeded updates by rules right away.

I see no further development / improvement in WSUS role since 2012 R2.

Just today I was at another customer that is willing to introduce an automated approval strategy for his Server 2016 based WSUS, serving only Windows 10 Clients and Server 2016

There is no way to use the wizard to reach this goal.

Any deferral policies do not work against WSUS at all – just as described by MS – they are solely intended for WuFB, which means any client does download the updates on his own (or delivery optimization if enabled) without using WSUS approvals . Impractical in terms of bandwith and management.

The statements of Steve Henry (MSFT, WSUS blog) are clear. the IT dept should no longer manage Windows Updates any longer (not even auto-approve them) but let them come in uncontrolled, then monitor for issues. So Woodys wording about WSUS being dead seem fit for this approach. If you think about the major work spent here warning about the same and the recurring issues with updates, it’s clear this approach does not match with MS update quality.

“Windows 10 encourages a model that allows IT departments to do less–the idea is to monitor rather than tightly manage, and to only step in when issues arise. It’s a paradigm shift from the historical permission-based deployments (i.e., nothing happens unless admins say so), but, once embraced, we think that it will ultimately reduce the cost of servicing. Getting there is certainly an iterative process, as we’re learning more with each release, and we appreciate the feedback as we move Forward.”
https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/

“the vision is that Cloud-first management obviates the need to explicitly approve every update that is deployed in your environment. Ideally the updates simply flow while the IT department monitors for issues, at which point it can pause the operations and mitigate as necessary. The policy described in this post is specifically catering to the on-premises admins who are not aligned with this Cloud-first management Philosophy.”
https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

So in regard to my post above, how do you manage your approvals and decline updates automatically, on a scheduled base without with least admin interaction? Any idea is welcome.

1 user thanked author for this post.

Mr. Natural

Reply | Quote

Wow, I can’t believe those comments from Steve Henry. That guy is completely out of touch. No wonder the windows update process and Microsoft in general is such a mess. Can you imagine just allowing all updates to install and address issues as they appear?

With patches coming out every week now…….and in some cases a patch is pulled and re-released within a couple of days. How could anyone manage to troubleshoot and determine the cause of a problem at the rate these things come out?

That my friends is a nightmare scenario and would result in more work and not enough hours in a day and days in a week. Crazy stuff.

I can understand a small business not wanting to manage the update process but I don’t think anyone here would advise allowing auto approval on updates in a business.

Too bad you can’t schedule wsus sync to occur once a week or month. That might reduce the damage on auto approval. Perhaps some tweaking with task manager and/or a script could manage that.

Red Ruffnsore

Reply | Quote

Ya know….you could mention to the customer in question that you offer a monthly retainer fee in which you could manage the update process remotely for them. Set sync and remote access to the server and check for updates once a month. Stay in touch at askwoody and you’ll be golden.  🙂

Red Ruffnsore

Reply | Quote

That’s what I actually do, but the process is to time intensive and seems not very good to be delegated to juniors or apprentices. This is why I asked for ways to improve the quality by automation, yet I learned so far there seems to be no one out here using auto approvals as – what I outlined – the GUI wizard is not sufficient for this complex task with the revised update terminology of Microsoft – my point of view.
The wizard for me did his job at times when updates were not a jeopardy and the original update categories where still fitting as introed with Windows XP or earlier?

Reply | Quote

anonymous wrote:

So in regard to my post above, how do you manage your approvals and decline updates automatically, on a scheduled base without with least admin interaction? Any idea is welcome.

Hello,

Honestly after the past few months of broken updates i dropped the idea of automatically approve updates.

I now delay the updates and regularly come to askwoody to see if monthly patch will be an apocalypse or not

So it means spending a little time to do fast review of updates (with ring deployment for big updates or when you sense it could be a stinky update) and less time to repair broken PCs.

 

Reply | Quote

“Windows 10 encourages a model that allows IT departments to do less–the idea is to monitor rather than tightly manage, and to only step in when issues arise. It’s a paradigm shift from the historical permission-based deployments (i.e., nothing happens unless admins say so), but, once embraced, we think that it will ultimately reduce the cost of servicing.”

Sure, if you don’t count massive outages and high blood pressure as “costs.”

WSUS on 2012R2 is working fine, here, with about 1000 Win10 machines (nearly all 1607, 90% LTSB) and 600 Win7 machines.

Reply | Quote

“Sure, if you don’t count massive outages and high blood pressure as “costs.”

I personally do. It’s wasted lifetime, and I consider this pretty much priceless.

WSUS on 2012R2 is working fine, here, with about 1000 Win10 machines (nearly all 1607, 90% LTSB) and 600 Win7 machines.

Can you please elaborate you you currently manage the follwing aspects:

automated declining of updates:
of not used Windows 10 editions (builds 1511, 1607)

declining upgrades of Windows 10 upgrades if used any
referring to now different available images
business / consumer, Pro / Ent / N versions etc
Windows 10 x32 upgrades images
Windows 10 upgrade languages

declining of ARM / Itanium updates
do you use automated approval for limited groups in your enviroment and how do you manage deferals?

Thanks a lot!

Reply | Quote

anonymous wrote:

Can you please elaborate you you currently manage the follwing aspects:

automated declining of updates:
of not used Windows 10 editions (builds 1511, 1607)

I don’t have any automatic declination of anything, I do it manually. I do run Adamj’s maintenance script (google it), with most automatic declines and approvals disabled.

I don’t see 1511 updates much any more, and we are still using 1607.

declining upgrades of Windows 10 upgrades if used any

I leave them unapproved until we decide we need them.

referring to now different available images
business / consumer, Pro / Ent / N versions etc
Windows 10 x32 upgrades images
Windows 10 upgrade languages
declining of ARM / Itanium updates

We don’t use N, so I decline them. The rest all get approved when I deem them ready, ARM/Itanium and x86 along with the rest.
We don’t use any languages besides English and Spanish, the rest are disabled in Update Files and Languages.

do you use automated approval for limited groups in your enviroment and how do you manage deferals?

No automatic approvals, I don’t trust them. Some updates never get approved.

Deferrals are handled manually by not approving them, and letting them sit unapproved until deemed ready (thanks Woody and Patch Lady!) or declined permanently, usually because they are superseded by something that got approved.

I don’t spend what I’d consider a lot of time on this, just call me a control freak. We have no issues with bad patches getting installed, knock on wood.

Reply | Quote

As mentioned before, WSUS is the ONLY way short of disabling updates altogether to prevent horrendously broken patches from borking your environment every month.

Definitely not a dead horse, but does require flogging, as the saying goes.

I too have set up a WSUS server at home because I’m terrified of things like losing data out of Documents or Pictures folders (Microsoft, what the expletive).

I’ve set up a system to control approvals and declines via PowerShell and limit that to nothing after a specific date that I change each month in the script, that date being, for example, the end of August for the last patch run I did, and I also have an explicit deny list of bad patches that break things that get auto declined. I did use script logic to determine the patch Tuesday of the month before but when MS patches became worse and worse I’ve gone to manually setting the date that I want as a hard limit so I’m not left restoring snapshots of dead machines.

I have had patches get through from someone unwittingly clicking the check for updates button which called home to MS and left a server in a permanent blue screen loop (microcode update).

In my opinion, WSUS is vital but you have to accompany it with strict GPOs and carefully thought out scripts.

My major gripe is when using GPO based WSUS group membership, it takes some clients forever to check in with WSUS server (many hours even) and others almost straight away, and nothing seems to help manually speed this up.

I too have experienced problem importing update from catalog but changing two characters in a URI isn’t the end of the world.

MS patch reliability is a s***show and it feels like I’m gambling with my entire environment every month.

Not a rant but just to illustrate experience with Azure support, MS support for cloud customers isn’t much better – they “fix problems” in your environment randomly when there was nothing wrong and it actually breaks things, then it takes > 12hrs to resolve as your support case follows the horizon around the globe and you have to explain over and over that you didn’t do anything Microsoft did.

Without WSUS I would have to rely on MS to put out working patches first time every time. That’s just not going to happen.

Reply | Quote

thank you very much, also your perspective about Azure.
What I haven’t tried yet is to try out the Azure based update management that is now included for on-prem via Admin Center.

This was a quite helpful reply for me. Would you be willing to share these script? Cannot imagine how much hours you’ve spent into them. Do you use the standard PS module for WSUS or an alternative one like PSWindowsUpdate or PoshWSUS?

Thanks again!

Reply | Quote

Forgot to mention, running WSUS latest version on Server 2016

Reply | Quote