WSUS Admin Burden?

osaddict London, UK
edited June 2009 in Science & Tech
We are totally revamping our IT infrastructure. One major change is the introduction of Windows Server 2008, 64-bit, and the 50-odd PCs being connected to this via a domain. (Yes, we really did have 50 PCs NOT in a domain! Still do for a couple of weeks, actually.)

One thing we were keen to take advantage of was WSUS, to reduce our bandwidth and know that all machines are properly patched.

However, one of the consultants helping us with the migration said this will cause an additional admin burden, meaning someone will have to go on and approve every patch manually before deployment can occur.

So, in a typical week / month how much of a time burden would this be? - How much time does it take up for you guys who use it?

Comments

  • kryyst Ontario, Canada
    edited June 2009
    Well, there are two answers to that question.

    The first answer is that in theory you have a test lab where you install the patches first, make sure that they don't mess anything up, and then roll them out. That process uses up a lot of time.

    The real answer is that once a week or a couple of times a month you open up WSUS, approve the upgrades and watch them roll out. That takes about 15 minutes.
  • osaddict London, UK
    edited June 2009
    Thanks kryyst, I had a feeling you might reply :D

    Cool - that's kind of as I thought really.

    It seems we can also deploy the patches to a specific group of machines first too - so us IT guys can have it first and effectively be the test bed before global rollout.
  • kryyst Ontario, Canada
    edited June 2009
    Yes, you can do that too. You authorize your IT machines first, then wait a week and authorize the rest. You can also hold back updates as well if, for example, you wanted to hold off on rolling out .NET 3.5 or IE 8 to work machines, or a SP upgrade for example.

    I can't really think of reasons why you wouldn't want to use WSUS; it's a time saver no matter how you look at it.
  • Cyclonite Tampa, Florida Icrontian
    edited June 2009
    I'm a heavy proponent of WSUS. We use it here, and it saves a lot of time. You can set auto-approval on particular classes of patches, such as critical updates. Like kryyst said, I open the console once or twice a month and approve updates.

    It also gives you a nice rundown of whether everything is installing properly or not.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited June 2009
    What Cyclonite said. Even in our relatively small organization it's a huge time saver. You can use WSUS in conjunction with group policy to define which machines get patched and when. I have all of our workstations getting auto-approved critical patches and they're set to reboot late at night if needed. The servers download critical patches but I install and reboot manually.
  • osaddict London, UK
    edited June 2009
    Pretty much my opinion too kryyst - I just wanted to make sure I was along the right path and that it didn't require considerable resources. (time, not system!)

    My original plan was basically to deploy most stuff just on a lag - thinking that problems with patches tend to occur when they first come out - and that they would pull them in a couple of days if they caused major problems.
  • kryyst Ontario, Canada
    edited June 2009
    Also consider that generally the patches have been well tested ahead of time by MS before they are released into the wild. I can think of only a very, very few times in my computing experience where a patch actually broke something. The exception being Service Packs, which are generally worth delaying from rollout through WSUS for a good while. Those I would recommend testing first. But SPs are a rarity, not the norm.
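
The staged rollout described in the thread (IT machines first, wait a week, then everyone else, with service packs held back), as an added example that is not from any poster. It assumes the UpdateServices PowerShell module that ships with WSUS on Windows Server 2012 and later; the group name `IT Pilot` and the 7-day soak period are hypothetical values to adjust.

```powershell
#Requires -Modules UpdateServices
# Added example, not from the thread. Group name and soak period are assumptions.
$PilotGroupName = 'IT Pilot'        # hypothetical group holding the IT team's PCs
$BroadGroupName = 'All Computers'   # built-in WSUS group
$SoakDays       = 7                 # "wait a week" before the wider rollout

$wsus   = Get-WsusServer            # connects to the local WSUS server
$groups = $wsus.GetComputerTargetGroups()
$pilot  = $groups | Where-Object { $_.Name -eq $PilotGroupName }
$broad  = $groups | Where-Object { $_.Name -eq $BroadGroupName }
if (-not $pilot -or -not $broad) { throw 'Target group not found on this WSUS server.' }

# Stage 1: needed, still-unapproved critical and security updates go to the pilot group.
# Service packs are a different classification, so they stay held back for manual review.
foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved -Status Needed |
        Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroupName
}

# Stage 2: promote updates that have soaked in the pilot group without install failures.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)
foreach ($u in Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any) {
    $pilotApproval = $u.Update.GetUpdateApprovals($pilot) |
        Where-Object { $_.Action -eq 'Install' } |
        Sort-Object CreationDate | Select-Object -First 1
    if (-not $pilotApproval) { continue }                 # never piloted: leave for a human

    $alreadyBroad = $u.Update.GetUpdateApprovals($broad) |
        Where-Object { $_.Action -eq 'Install' }
    if ($alreadyBroad) { continue }                       # already rolled out

    # A few hours of clock skew do not matter against a week-long soak.
    if ($pilotApproval.CreationDate -gt $cutoff) { continue }

    $summary = $u.Update.GetSummaryForComputerTargetGroup($pilot)
    if ($summary.FailedCount -gt 0) {
        Write-Warning "Holding '$($u.Update.Title)': $($summary.FailedCount) pilot install failure(s)."
        continue
    }
    Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $BroadGroupName
}
```

Adding `-WhatIf` to the `Approve-WsusUpdate` calls shows what each stage would approve without changing anything.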