WSUS - How Tough Is It to Deploy?
-
I have 6 sites in the DFW metroplex and easily 200 devices running Windows. We are on AD functional level of 2003 (which we need to change to 2012 sometime soon). After hearing the presentation on WSUS at Spiceworld, it is something I would really like to deploy. For those who have done it, what was your biggest struggle? And once you setup WSUS, do all machines need some kind of group policy to be managed by WSUS, or is that rather automatic?
I'd love to hear any feedback or tips you can offer.
-
WSUS is relatively easy and provides a lot of value. NTG does not use it because we are so distributed that we use InTune instead (it's basically a Microsoft hosted WSUS system.) But for a site with a large number of machines in one place, WSUS is practically a given. It's free and not complex. Just requires a good amount of storage capacity.
-
It's relatively easy to do. I taught my self.
I use:
One GPO per site
One GPO for my servers
My biggest struggle was a slight misconfiguration that took a while to resolve. There was a WSUS tool from Solarwinds(?) that I used on a test bunny PC to resolve it.Server 2008 + have it as a role that you can install.
Make sure you have the disk capacity. I added a drive purely for patches to my WSUS server. -
Its easy here is a step by step guide you can look over
Also how to configure reporting
-
It will also require some semi regular maintenance for approvals and clean up.
-
Very easy to deploy. First sync with the Microsoft server to WSUS will take some time though.
-
The storage requirement is no joke! I'm currently sitting somewhere around 100 GB. You'll want to make sure you run the cleanup wizard on it monthly or more. The longer you wait to run it, the more it freezes your server and seems to be hung.
-
It sounds like from a VM standpoint it's probably best to make a vHD that is independent and persistent to store all the updates.
-
@Dashrender said:
The storage requirement is no joke! I'm currently sitting somewhere around 100 GB. You'll want to make sure you run the cleanup wizard on it monthly or more. The longer you wait to run it, the more it freezes your server and seems to be hung.
Definitely need to run the server cleanup wizard monthly at least. I have an SBS server that I cannot recover space on because I cannot get the cleanup wizard to complete.
-
@NetworkNerd said:
I have 6 sites in the DFW metroplex and easily 200 devices running Windows. We are on AD functional level of 2003 (which we need to change to 2012 sometime soon). After hearing the presentation on WSUS at Spiceworld, it is something I would really like to deploy. For those who have done it, what was your biggest struggle? And once you setup WSUS, do all machines need some kind of group policy to be managed by WSUS, or is that rather automatic?
I'd love to hear any feedback or tips you can offer.
It's not hard at all once it's up and running. Just be sure to plan the deployments and be sure to not under provision disk space. It also can be run as a virtual machine and GPO's are easy enough to configure. I run mine as a single VHDx that is thick provisioned (yes, even though BPA complains about not having a separate data store, it still works OK). It' s a good idea to plan out the upstream and downstream server layout and how often they sync.
My biggest struggle is getting machines to reboot and report. Seems like getting a report is sometimes not 100% correct on the deployment of a patch so you have to be patient and wait a few days. Other than that WSUS on 2012 R2 is really stable and is the easiest WSUS setup I've ever deployed.
-
@Dashrender said:
The storage requirement is no joke! I'm currently sitting somewhere around 100 GB. You'll want to make sure you run the cleanup wizard on it monthly or more. The longer you wait to run it, the more it freezes your server and seems to be hung.
Yes to this and Jared's points. Run the cleanup wizard regularly. Not to worry though, you can script this with PowerShell of course.
Also only download updates for products actually in your environment. It will save a ton space if you do that.
-
@Bill-Kindle said:
@Dashrender said:
The storage requirement is no joke! I'm currently sitting somewhere around 100 GB. You'll want to make sure you run the cleanup wizard on it monthly or more. The longer you wait to run it, the more it freezes your server and seems to be hung.
Yes to this and Jared's points. Run the cleanup wizard regularly. Not to worry though, you can script this with PowerShell of course.
Also only download updates for products actually in your environment. It will save a ton space if you do that.
That reminds me of an escalation I had from a person from a certain subcontinent.
Hits me up saying that he cannot complete a change, getting an error on install. So read over the notes but since I'm still shaking out my permissions to the environment I asked him to send me a screenshot of the error. He sends me the one for "This update does not apply to this version of Windows" error. He was attempting to install the IA64 version of a Server 2008 R2 patch on an x64 2008 Gold box.
Mind you, this change was supposed to take an hour. He was already on hour three at that point.
F****[moderated] morons.
-
@PSX_Defector I can't believe how many IT people in this era aren't aware of what architectures are and how many confuse IA64 ( Itanium) and AMD64 (PC).
When I worked for a major Wall St firm they actually labeled many of their packages backwards. What a mess that was.
