
Setup of WSUS 2016 downloads

NEMC
Asked:
Setting up a new WSUS 2016 Server and can't seem to figure out the correct items to select for autodownload/auto approve.

I'm quickly exceeding the 500 GB drive that I've assigned to the device.

Can someone please guide me as to the best practice here?

Sean (System Engineer)
Commented:
WSUS is tricky, especially if the computers haven't been forced to update in a long time. Any computer that is checking in will report it's missing updates, and the WSUS server will download them and hold onto that update until it is no longer needed. The best thing I've found to do is to try and limit what is being downloaded, force all computers and servers to do updates (being careful with servers), and comb through and decline any superseded updates. It takes work, but once it's in a clean state it becomes easier to maintain.

Author
Commented:
Thanks for your reply, Sean.

So what would be that beginning baseline policy you would set for Products/Classifications?
Deb
Commented:
Before getting to your main question, I have to ask how you filled up a 500 GB disk partition with WSUS?  That is a very large WSUS folder, so it seems that you must have already downloaded a lot of updates. What product/classification selections have you already made?   Are you seeing a lot of updates in the WSUS console that are very old?

It all depends on your environment.  If you have a lot of workstations that need multiple updates (i.e., operating system plus other Microsoft products like Office, etc.) as well as servers that may also need multiple updates for the operating system and other software, then I'd start with just the operating systems in the Product selections.  Then once you have the OS's up to date, you can add on other software.   Server OS updates are pretty straightforward; just choose the versions you need. Windows 10 OS updates can be complicated.  Here's an article with some advice on how to choose what you need:

https://4sysops.com/archives/selecting-products-in-wsus-for-windows-10/

As for the Classifications, that somewhat depends on how you want to handle your environment. I generally select everything except Drivers and Tools.  However, that's very aggressive. On the other hand, you don't have to approve them; unapproved updates are not downloaded to your WSUS store. Feature Updates are another classification that can be handled several ways, so they don't have to be downloaded if you're not going to install them through WSUS.  Also, you don't have to install Updates through WSUS since they are not necessarily needed for every piece of equipment you have.

In between, if you need to clear out your WSUS database, there are routines to do that.  I use a self-designed routine, which I'd be glad to share with you, but you can also search "WSUS database cleanup" and find any number of articles and even some PowerShell or other scripts to use.
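The baseline Deb describes (report what is already selected, start with operating systems only, select every classification except Drivers and Tools, and rely on the fact that unapproved updates are never downloaded) can be applied from PowerShell on the WSUS server with the UpdateServices module that ships with the WSUS role. The script below is an added example, not code from the thread and not Deb's own cleanup routine; the product titles in `$wantedProducts` and the `Driver Sets` classification title are assumptions to compare against your own `Get-WsusProduct` and `Get-WsusClassification` output before running it.

```powershell
# Added example: report current WSUS selections and set an OS-first baseline.
# Run in an elevated PowerShell session on the WSUS server itself.
# Product titles below are assumptions for one environment; compare them with
# the output of Get-WsusProduct before applying.
Import-Module UpdateServices

$wsus = Get-WsusServer                 # local server, default port
$sub  = $wsus.GetSubscription()

# --- What is selected right now? (Deb's first question) ---
Write-Host "Enabled products:"
$sub.GetUpdateCategories() | Select-Object -ExpandProperty Title | Sort-Object
Write-Host "`nEnabled classifications:"
$sub.GetUpdateClassifications() | Select-Object -ExpandProperty Title | Sort-Object

# --- How big is the content store? ---
$contentPath = $wsus.GetConfiguration().LocalContentCachePath
$bytes = (Get-ChildItem -Path $contentPath -Recurse -File -ErrorAction SilentlyContinue |
          Measure-Object -Property Length -Sum).Sum
Write-Host ("`nContent store {0}: {1:N1} GB" -f $contentPath, ($bytes / 1GB))

# --- Baseline: operating systems only (assumed titles; extend later) ---
$wantedProducts = @(
    'Windows Server 2016',
    'Windows 10'
)
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -in $wantedProducts } |
    Set-WsusProduct

# --- Classifications: keep everything except Drivers and Tools ---
# 'Driver Sets' is the separate driver classification on newer WSUS builds
# (assumed title; if it does not exist here the filter simply matches nothing).
$unwantedClassifications = @('Drivers', 'Driver Sets', 'Tools')
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in $unwantedClassifications } |
    Set-WsusClassification -Disable

# Nothing above pulls content into the store: WSUS only downloads updates that
# have been approved (Approve-WsusUpdate or the console), which is the point
# Deb makes about unapproved updates.
```

The first two sections only read the subscription and the content folder, so they are safe to run on their own to answer the "what have you already selected, and what is taking the space" question before changing anything.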

Author
Commented:
Deb, that's good advice to start with.  I'll begin with the OS and move out.

One follow-up question.  If a machine is pointed at a WSUS server and that server doesn't have a specific update that the Workstation should install . . . will it go to MS download automatically, or will that Workstation never get the updates that you haven't provisioned within WSUS?

Thanks.
Deb
Commented:
That depends on how your WSUS group policies are configured.  There's a group policy option to prevent systems from going out to the Internet to get Windows updates:

Computer Configuration/Administrative Templates/Windows Components/Windows Update/Do not connect to any Windows Update Internet locations

So if this policy is Enabled, your systems will only communicate with your internal WSUS server(s) for updates. I always enable this policy so that updating is completely controlled through WSUS. The reason I do this is that, quite simply, I'm somewhat of a control freak but also, for example, I don't want someone's Windows 10 1809 workstation to go out and get the feature upgrade to 1903 unless I specifically want that to happen.  This can, however, be problematic in some instances because it can stop workstations from downloading other applications as well, for instance a different (i.e., older) .NET version that's needed for 3rd party software, or even in some cases updates from the Windows Store.
ManieyaK_CSSP
Commented:
This depends on where the machines are pointing to get their updates.  In our environment we have our workstations searching our WSUS only.  Run gpedit.msc and check Computer Management\Administrative Templates\Windows Components\Windows Updates\Specify intranet Microsoft update service location.
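The two policies discussed by Deb ("Do not connect to any Windows Update Internet locations") and ManieyaK_ ("Specify intranet Microsoft update service location") are written by Group Policy into the registry under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, so the question of whether a workstation will fall back to Microsoft for an update WSUS does not have can be answered on the client without opening gpedit.msc. The function below is an added example, not code from the thread; it reads the policy values (`WUServer`, `AU\UseWUServer`, `DoNotConnectToWindowsUpdateInternetLocations`) and summarises what they mean.

```powershell
# Added example: show, on a client, what the Windows Update policies resolved to.
# Run on the workstation (or server) whose behaviour you are checking. If a GPO
# was just changed, run "gpupdate /force" first so the registry reflects it.
function Get-WuClientPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'

    # Return $null instead of throwing when a key or value is absent
    # (absent simply means the policy is Not Configured).
    function Read-Value([string]$Path, [string]$Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $result = [pscustomobject]@{
        # "Specify intranet Microsoft update service location"
        IntranetServer     = Read-Value $wu 'WUServer'
        UsesIntranetServer = (Read-Value $au 'UseWUServer') -eq 1
        # "Do not connect to any Windows Update Internet locations"
        BlocksInternetWU   = (Read-Value $wu 'DoNotConnectToWindowsUpdateInternetLocations') -eq 1
        Assessment         = ''
    }

    $result.Assessment =
        if (-not $result.UsesIntranetServer) {
            'No WSUS server policy in effect; the client uses Windows Update on the Internet.'
        } elseif ($result.BlocksInternetWU) {
            "Updates come only from $($result.IntranetServer); anything WSUS has not provisioned will not be fetched from Microsoft."
        } else {
            "Updates come from $($result.IntranetServer), but the client may still reach Windows Update Internet locations for content WSUS lacks."
        }
    $result
}

Get-WuClientPolicy | Format-List
```

The second and third outcomes are exactly the two cases NEMC asked about: with the "Do not connect" policy Enabled the workstation never gets an update that is not provisioned in WSUS, and with it Not Configured the workstation may go to Microsoft for it.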
David Johnson, CD (Simple Geek from the '70s, Distinguished Expert 2019)
Commented:
WSUS requires periodic (weekly) maintenance:
Go to Updates/All Updates, Approval: Any except declined, Status: Any.
Make sure you have supersedence showing (if not, right-click on the title bar and check Supersedence).
Sort on the supersedence column and decline all superseded updates.
If you have upgrades selected, decline ANY that are not in your system language.
GDR updates: search or sort by title and decline any unneeded.
Same with language files.
Now you can run the Server Cleanup Wizard. I'm currently using 332 GB.

I also don't download drivers and tools
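David's weekly routine maps directly onto the UpdateServices cmdlets: `Get-WsusUpdate` with the same Approval/Status filters as the console view, `Deny-WsusUpdate` for the declines, and `Invoke-WsusServerCleanup` for the Server Cleanup Wizard. The script below is an added example, not David's own procedure or anything from the thread; it is a dry run unless `-Commit` is passed, and it assumes that upgrade titles carry a language tag such as `en-us` (the `-SystemLanguage` default) and that GDR and language-file updates are better listed for review than declined blindly.

```powershell
# Added example: David's weekly WSUS maintenance as a dry-run-by-default script.
# Run on the WSUS server; pass -Commit to actually decline and run the cleanup.
# -SystemLanguage is the tag that appears in upgrade titles (assumed "en-us";
# adjust for your environment).
param(
    [switch]$Commit,
    [string]$SystemLanguage = 'en-us'
)
Import-Module UpdateServices
$wsus = Get-WsusServer

# All Updates, Approval: Any except declined, Status: Any (the console view)
$updates = @(Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Status Any)
Write-Host ("{0} updates in scope" -f $updates.Count)

# Everything the Supersedence column would flag
$superseded = @($updates | Where-Object { $_.Update.IsSuperseded })

# Upgrades (feature updates) whose title is not in the system language.
# Upgrade titles include the language tag, so -notmatch is enough (assumption).
$foreignUpgrades = @($updates | Where-Object {
    $_.Update.UpdateClassificationTitle -eq 'Upgrades' -and
    $_.Update.Title -notmatch [regex]::Escape($SystemLanguage)
})

# GDR and language-file updates: list for review rather than decline blindly,
# since which of these are "unneeded" is a per-site decision.
$review = @($updates | Where-Object {
    $_.Update.Title -match 'GDR|Language (Pack|Interface Pack)'
})

Write-Host ("{0} superseded, {1} non-{2} upgrades to decline; {3} to review" -f
    $superseded.Count, $foreignUpgrades.Count, $SystemLanguage, $review.Count)
$review | ForEach-Object { Write-Host ("  review: " + $_.Update.Title) }

if (-not $Commit) {
    Write-Host "Dry run. Re-run with -Commit to decline and run the cleanup."
    return
}

# Decline the superseded updates and the foreign-language upgrades
$superseded + $foreignUpgrades | Deny-WsusUpdate

# Server Cleanup Wizard with the same options the console offers
Invoke-WsusServerCleanup -UpdateServer $wsus `
    -CleanupObsoleteComputers `
    -CleanupObsoleteUpdates `
    -CleanupUnneededContentFiles `
    -CompressUpdates `
    -DeclineExpiredUpdates `
    -DeclineSupersededUpdates
```

Running the dry run first and reading the counts is the scripted equivalent of sorting on the Supersedence column and eyeballing the list before declining; the cleanup only reclaims disk space once the declines have been committed, which is why it comes last.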

Author
Commented:
Thanks to everyone for their prompt advice.

Nathan