Share via

Best Practices with Windows Server Update Services on Windows Server 8 Beta

  • Article

This section provides a list of best practices for managing updates with WSUS. There are four main sections: one on security practices, one on resource usage, one on setting up a WSUS network, and the last on miscellaneous best practices.

Best practices for security

The following practices can help you secure your WSUS network.

  1. Use the Secure Sockets Layer (SSL) with Full Qualified Domain Name (FQDN) for WSUS connections (server to server, server to client) on all computers that download updates via the Internet.
  2. If you do not wish to use SSL, you can deploy Internet Protocol security (IPsec) on your network to secure network traffic. Make sure to use IPSec Auth on the WSUS Server. 
  3. Make sure that the WSUS server that downloads updates from Microsoft Update is secured behind a firewall, and allows access only to the domains needed by WSUS.
  4. Make sure that WSUS servers have only the file and folder permissions that are needed by WSUS.
  5. If a WSUS server is Internet-facing, its database should be located on a different computer that is not reachable from the Internet.
  6. There are two security groups that are set up for WSUS: WSUS Administrators and WSUS Reporters. WSUS Administrators can perform any WSUS task, while WSUS Reporters have read-only access (view server settings, get reports, and so on). Make sure that the only people in the WSUS Administrators group are the ones who need to perform administrative tasks.

Best practices for resource usage

Disk space

The following practices can help you conserve resources on your WSUS server.

  1. Make sure that your WSUS server is configured to download only approved updates. When the server synchronizes updates, it downloads only the update metadata and will download the update files only after the update has been approved.
  2. Use the Cleanup Wizard on a regular basis. This will keep the number of unneeded updates and revisions to a minimum.
  3. If a WSUS server has a small number of clients, or if most of the clients are "roaming" clients with Internet access, you may wish to host update content on Microsoft Update rather than on the local WSUS server. Clients will get update approvals from the server, but can pull the upload files directly from the Internet.
  4. If you are storing update content locally on your WSUS server, make sure you have enough disk space on the storage partition. Monitor disk usage on this partition carefully. One way to do this is to configure the WSUS health monitoring thread to warn you with an event if disk usage exceeds a specified percentage.
  5. Approve only the updates that are really needed on your network. Limit the product updates to the products that are installed on the network. You can also set up separate WSUS servers for computers with different sets of Microsoft products.
  6. Synchronize only the update languages needed on your network. If you need to synchronize more than one language and you are storing updates locally, you should estimate your needed disk space by multiplying the recommended space times the number of update languages.
  7. Make sure that your WSUS server is configured to synchronize all the needed languages, because you will not be notified of needed updates in the unsynchronized languages. These updates will appear as “Not Needed” on clients who require the language. To help avoid that problem, make sure to include all operating system languages in your WSUS server's synchronization options. You can see all the operating system languages by going to the Computers view of the WSUS administration console and sorting the computers by operating system language. However, you may need to include more languages if there are Microsoft applications in more than one language (for example, if Microsoft Word in French is installed on some computers with Windows XP in English).
  8. You should allow WSUS to decline expired updates automatically (click Options, click Automatic Approvals, click the Advanced tab, and then click Automatically decline updates when a new revision causes them to expire). If you do not wish to decline expired updates automatically, you should decline them manually on a periodic basis.
  9. You should not choose to synchronize express installation files unless you have a pressing need to minimize downloads between the WSUS server and its clients. Typically, using express installation files reduces downloads from WSUS servers to clients by a factor of two but increases downloads from Microsoft Update (or an upstream server) to the WSUS server by a factor of four. You should decide which criteria are more important to your network: local network bandwidth or server disk space and Internet bandwidth.

Network bandwidth

The following practices will help you improve the way WSUS uses network bandwidth.

  1. When deploying large updates (such as service packs), you can avoid saturating the network by doing the following:
    1. Use BITS throttling. BITS bandwidth limitations can be controlled by time of day, but apply to all applications using BITS.
    2. Use IIS throttling, which limits throttling to one or more Web services.
    3. Use targeting to control the rollout. You can set up multiple computer groups, then approve large service pack downloads for a subset of these groups at one time.
  2. Use branch caching (available only on Windows 7 and Windows Server 2008 operating systems) to minimize downloads from WSUS servers to clients and maximize the "sharing" of downloads among peer computers on a subnet of the network.
  3. Consider configuring WSUS clients to synchronize more frequently from the WSUS server and configuring downstream WSUS servers to synchronize more frequently from their upstream servers. This will allow updates to be deployed to clients faster, which could be important if you need to deploy an “emergency update” that must be installed as quickly as possible. This will result in smaller downloads from server to client, but will add additional load to the WSUS server. It will also add additional load to the network when updates are deployed, because clients start downloading updates as soon as they synchronize with the server.

Best practices for setting up WSUS networks

The following practices will help you configure WSUS networks.

  1. If possible, set up WSUS networks with a hub-and-spoke topology rather than a hierarchical one. The greater the number of tiers in the network, the greater the latency in downloading updates.
  2. Consider using DNS netmask ordering for roaming clients.
  3. Configure roaming clients, so they get their updates from the Internet-facing WSUS server, if they do not usually connect to your local intranet.

Best practices for maintaining WSUS databases

The following practices will help you get the best performance from your WSUS network.

  1. Have a maintenance plan for your WSUS database that includes regular backups and periodic re-indexing.
  2. Make sure to re-index the WSUS database at least once a month.

Other best practices

Manage restarts

The following practices will help you manage computer restarts.

  1. Client computers (and most servers) often need restarts after an update is installed. The new Windows Update on Windows 8 and Windows Server "8" Beta minimizes that. Review the article Minimizing restarts after automatic updating in Windows Update for more information.
  2. Critical servers cannot generally be restarted daily. If this is the case, you can either configure them for installations at longer intervals (weekly), or configure them to get automatic downloads but manual installations at a time when the servers can be restarted if necessary.
  3. Configure e-mail notification to tell you when updates become available, so you can plan the deployment of these updates in advance.
  4. If you need to deploy an “emergency update” and can’t wait for the next scheduled installation, approve the update with a deadline in the past. This will cause the update to be installed the next time the clients synchronize from the server. If you can’t wait for the next synchronization, create a script to automate installing the updates and then restarting your server.
  5. Configure client computers or WSUS servers to immediately install updates that do not require a restart.

Ensure WSUS availability

The following practices will help you ensure that WSUS servers are always available to their clients.

  1. There are typically two different backup strategies. The first is a standard backup and restore strategy. This strategy requires more work to maintain and requires extra storage for the backup files, but makes it possible to restore the system to a known state without needing to download the update files once more. The other strategy is to rebuild the server. This is a fairly fast operation and is preferred by many customers, because it requires less work and less disk space.
  2. Consider using network load balancing if you have a requirement for high availability. Load balancing involves a more complex configuration and is not typically considered necessary, because new updates are not released very frequently.

Test service packs carefully

You should thoroughly test large bundles of updates such as service packs to ensure that they do not break line-of-business applications. A typical test strategy is to set up test computer groups in which the test computers are configured with the same applications as the production groups, approve installation only to these groups, and then verify that the applications continue to function correctly.

Check overall system health

The following practices will help you monitor the general health of your WSUS network.

  1. You should check the WSUS administration console home page at least once a day to view overall update compliance and network health.
  2. Check application logs frequently, if you suspect problems such as download failures or clients that are failing to report to the WSUS server.
  3. Install the WSUS MOM Pack to monitor overall service health.