Rethinking The Need For WSUS

Windows Server Update Services, along with a growing list of other traditional Microsoft server products, seems to be in ‘maintenance mode’ at best. It’s been on my mind as to whether they’re going to release a cloud-based version in Azure (unless they already have something like that and I’ve missed it) or if they’re going the route that I think they are: just update from the internet and don’t worry about it, which seems to be the answer when looking at Windows Autopilot. As long as the OS is a modern Windows OS (Windows 10 or Windows Server 2016 based), updates seem to be better and more focused on drivers and cumulative updates. The days of Silverlight being installed on your server seem to be over.

A little while ago I saw a comment on Reddit about ditching WSUS altogether and going straight to Microsoft Update over the internet – if the bandwidth was available. The commenter suggested that if you had ~500Mbps and up you should be fine, although I would suggest that another factor to consider is how many devices you have that will be getting updates. My previous job had been at a place with only 100Mbps internet for ~1000 devices, so obviously this would have been out of the question. At my current post, the bandwidth is much, much greater and so I started to seriously consider it.

Apple’s OS X Server had an update manager back in the day, although I wouldn’t be surprised if that’s not available anymore, and Adobe used to have a product for managing updates too – but again I’m not sure if that’s available these days. Google don’t have an on-prem update service for Android devices, and so I had to honestly ask myself: why continue to use WSUS?

Now, I’m not crazy. I accept that generally we have a lot more Windows devices than Google, Apple or Adobe software, and perhaps you do want that control over which updates are deployed. I’m not going to be dropping WSUS on Monday morning, but I have started looking at my deployment process for Windows 10 and Windows Server 2016 to use WU for updates and not my local WSUS. A benefit of this specific case is that driver installation can be done much more easily, as Windows Update has a pretty good driver store and this will be a huge time saver for me. Again, I understand problematic drivers do get through into WU and so this isn’t going to work for every device, but if it saves time when preparing for new devices to be deployed then I think it’ll be worth it. For any problematic devices I can still use the ‘total driver control’ method I currently use. Also, consumer devices, Microsoft’s Surface range and other devices which are off site do currently get drivers, firmware etc. from WU and they seem to be doing just fine. Maybe this is the future, at least for some. It’s up to you.

-Mike

Twitter – @Digressive

2 Comments

  1. Brian Minerly says:

    I’ve been trying to think of a way to eliminate WSUS from my build process as well, but don’t want to turn to Windows Update. Would using PDQ Deploy to apply the latest monthly rollup be sufficient?

    1. Mike Galvin says:

      Hi Brian,

      Yes, I would think so. I’m not familiar with PDQ Deploy off the top of my head, but using any other type of deployment software to assist with updates should work. You may have other updates for additional pieces of Microsoft software that are installed of course, but yes, it should work.

      -Mike
