
    Wsus for remote vpn and on-premise users

      scottalanmiller @Dashrender

      @dashrender said in Wsus for remote vpn and on-premise users:

      @irj said in Wsus for remote vpn and on-premise users:

      @pete-s said in Wsus for remote vpn and on-premise users:

      @fredtx

      If you are considering having clients download updates from Microsoft directly then that means that you are going to apply all updates, doesn't it?

      If that is the case, what functionality does WSUS bring to the table?

      95% of WSUS administration is blindly approving updates anyway. Just let them auto update and be done.

      I agree 99.9% of the time - the other .1% is what bites - when you have a bad patch and have to uninstall it.

      WSUS doesn't fix the .1%. It just delays it, which doesn't help things.

        Dashrender @scottalanmiller

        @scottalanmiller said in Wsus for remote vpn and on-premise users:

        @dashrender said in Wsus for remote vpn and on-premise users:

        @irj said in Wsus for remote vpn and on-premise users:

        @pete-s said in Wsus for remote vpn and on-premise users:

        @fredtx

        If you are considering having clients download updates from Microsoft directly then that means that you are going to apply all updates, doesn't it?

        If that is the case, what functionality does WSUS bring to the table?

        95% of WSUS administration is blindly approving updates anyway. Just let them auto update and be done.

        I agree 99.9% of the time - the other .1% is what bites - when you have a bad patch and have to uninstall it.

        WSUS doesn't fix the .1%. It just delays it, which doesn't help things.

        WSUS can uninstall the patch - so sure, not fix it, but help with removal.

          Fredtx @scottalanmiller

          @scottalanmiller said in Wsus for remote vpn and on-premise users:

          If you have any hesitation to that policy, it means you are running a platform you don't trust in production. That's valid as a concern. But your IT has committed its trust to Windows, so either you need to embrace that decision or you need to convince them to change.

          With me being in this new role for 2 weeks (first system admin role), and the majority of the computers/servers on Windows, I will have to stick with this solution for now.

          Currently there is no central management for patching, and currently they are logging on each server and running updates that way and hope that workstations are getting patched through the GPO they have in place.

            Dashrender @Fredtx

            @fredtx said in Wsus for remote vpn and on-premise users:

            @scottalanmiller said in Wsus for remote vpn and on-premise users:

            If you have any hesitation to that policy, it means you are running a platform you don't trust in production. That's valid as a concern. But your IT has committed its trust to Windows, so either you need to embrace that decision or you need to convince them to change.

            With me being in this new role for 2 weeks (first system admin role), and the majority of the computers/servers on Windows, I will have to stick with this solution for now.

            Currently there is no central management for patching, and currently they are logging on each server and running updates that way and hope that workstations are getting patched through the GPO they have in place.

            What is the goal here? to keep the servers up to date? Do you really want WSUS to update your servers 'whenever'? Most people don't, could lead to an unexpected reboot in the middle of the day.

              Fredtx @Dashrender

              @dashrender said in Wsus for remote vpn and on-premise users:

              What is the goal here? to keep the servers up to date? Do you really want WSUS to update your servers 'whenever'? Most people don't, could lead to an unexpected reboot in the middle of the day.

              Of course I would not want the servers to reboot in the middle of the day. I would have to discuss with management on maintenance windows of downtime, since this is a manufacturing business where some sites run 24/7.

              The goal is to improve and simplify how patching is handled for both servers and workstations. Currently there is no kind of process in place.

                1337 @Fredtx

                @fredtx said in Wsus for remote vpn and on-premise users:

                @dashrender said in Wsus for remote vpn and on-premise users:

                What is the goal here? to keep the servers up to date? Do you really want WSUS to update your servers 'whenever'? Most people don't, could lead to an unexpected reboot in the middle of the day.

                Of course I would not want the servers to reboot in the middle of the day. I would have to discuss with management on maintenance windows of downtime, since this is a manufacturing business where some sites run 24/7.

                The goal is to improve and simplify how patching is handled for both servers and workstations. Currently there is no kind of process in place.

                We do some of that and the most mission critical servers are handled manually. Patched, rebooted and verified that everything works.

                Basically there are different categories of servers and workstation and each category is handled differently depending on how mission critical it is.

                  Dashrender @1337

                  @pete-s said in Wsus for remote vpn and on-premise users:

                  @fredtx said in Wsus for remote vpn and on-premise users:

                  @dashrender said in Wsus for remote vpn and on-premise users:

                  What is the goal here? to keep the servers up to date? Do you really want WSUS to update your servers 'whenever'? Most people don't, could lead to an unexpected reboot in the middle of the day.

                  Of course I would not want the servers to reboot in the middle of the day. I would have to discuss with management on maintenance windows of downtime, since this is a manufacturing business where some sites run 24/7.

                  The goal is to improve and simplify how patching is handled for both servers and workstations. Currently there is no kind of process in place.

                  We do some of that and the most mission critical servers are handled manually. Patched, rebooted and verified that everything works.

                  Basically there are different categories of servers and workstation and each category is handled differently depending on how mission critical it is.

                  Exactly my point - I'm guessing at least some if not all of your servers will still be manual - and are you really looking at having WSUS push to workstations? If you are because you want to know their patch status because of reports from WSUS - great (hope there is budget for someone to manage this) if not, then just turn on automatic updates and be done with it.

                    Fredtx @Dashrender

                    @dashrender said in Wsus for remote vpn and on-premise users:

                    I'm guessing at least some if not all of your servers will still be manual - and are you really looking at having WSUS push to workstations? If you are because you want to know their patch status because of reports from WSUS - great (hope there is budget for someone to manage this) if not, then just turn on automatic updates and be done with it.

                    Is logging in the console of windows servers the best way to install patches? What if there were 100 servers? That seems like a lot of overhead.

                    And yes, I'm looking at getting the report features for patch status for workstations, and was hoping for servers too.

                      Dashrender @Fredtx

                      @fredtx said in Wsus for remote vpn and on-premise users:

                      @dashrender said in Wsus for remote vpn and on-premise users:

                      I'm guessing at least some if not all of your servers will still be manual - and are you really looking at having WSUS push to workstations? If you are because you want to know their patch status because of reports from WSUS - great (hope there is budget for someone to manage this) if not, then just turn on automatic updates and be done with it.

                      Is logging in the console of windows servers the best way to install patches? What if there were 100 servers? That seems like a lot of overhead.

                      And yes, I'm looking at getting the report features for patch status for workstations, and was hoping for servers too.

                      This is a great question to which I have zero answers.

                      I'm sure you can run updates via PowerShell - so for 100s of servers, I'm guessing that's how they would do them. Additionally, if uptime is that big of a deal - then it's likely they have multiple servers running the same loads allowing them to take some of those servers offline while not affecting the service in general.

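An added example, not part of the thread or any poster's code: one way to get a patch-status report for many Windows servers from PowerShell without logging on to each console, which is the question raised above. The server names are constructed placeholders, and WinRM remoting to the remote targets is assumed.

```powershell
# Added example: read-only patch-status report for a list of Windows servers.
# Server names are constructed placeholders; remote targets need WinRM enabled.
param(
    [string[]]$Servers = @($env:COMPUTERNAME, 'SRV-APP01', 'SRV-FILE01')
)

# Runs on each target. It only queries state; nothing is installed or rebooted.
$probe = {
    $result = [ordered]@{
        Server        = $env:COMPUTERNAME
        Pending       = $null
        PendingTitles = @()
        LastInstalled = $null
        RebootPending = $false
        Error         = $null
    }
    try {
        # Windows Update Agent COM API: updates offered but not yet installed.
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $found    = $searcher.Search("IsInstalled=0 and IsHidden=0")
        $result.Pending       = $found.Updates.Count
        $result.PendingTitles = @($found.Updates | ForEach-Object { $_.Title })

        # Most recent installed hotfix; InstalledOn can be empty on some entries.
        $result.LastInstalled = Get-HotFix |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1 -ExpandProperty InstalledOn

        # Registry markers left when an installed update is waiting for a restart.
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        $result.RebootPending = [bool]($keys | Where-Object { Test-Path $_ })
    }
    catch { $result.Error = $_.Exception.Message }
    [pscustomobject]$result
}

$report = foreach ($server in $Servers) {
    if ($server -eq $env:COMPUTERNAME) {
        & $probe                      # local machine: no remoting needed
    }
    else {
        try { Invoke-Command -ComputerName $server -ScriptBlock $probe -ErrorAction Stop }
        catch {
            # Unreachable hosts stay in the report instead of silently vanishing.
            [pscustomobject]@{ Server = $server; Pending = $null; PendingTitles = @()
                               LastInstalled = $null; RebootPending = $null
                               Error = $_.Exception.Message }
        }
    }
}

# Servers with errors first, then those with the most pending updates.
$report | Sort-Object @{ Expression = { [bool]$_.Error }; Descending = $true },
                      @{ Expression = 'Pending'; Descending = $true } |
    Format-Table Server, Pending, LastInstalled, RebootPending, Error -AutoSize
```

The search asks whichever update source each machine is already configured to use, so the pending count reflects that source's view of the server.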
                        scottalanmiller @Fredtx

                        @fredtx said in Wsus for remote vpn and on-premise users:

                        Currently there is no central management for patching, and currently they are logging on each server and running updates that way and hope that workstations are getting patched through the GPO they have in place.

                        I'm not sure that I follow. If WSUS isn't in place today, and RMM isn't in place today... seems like you are at a decision point that both are equally new and untried. Why go down the path of something bad instead of something better?

                          scottalanmiller @Fredtx

                          @fredtx said in Wsus for remote vpn and on-premise users:

                          I will have to stick with this solution for now.

                          Because it's a mandate from before you started that they just didn't get around to yet?

                            scottalanmiller @Fredtx

                            @fredtx said in Wsus for remote vpn and on-premise users:

                            The goal is to improve and simplify how patching is handled for both servers and workstations. Currently there is no kind of process in place.

                            Sure, but our point in the thread is that WSUS isn't a good means to that end. If anything, the purpose of WSUS is to avoid that goal (not exactly, but in practice.)

                              notverypunny

                              If you're starting from scratch I'd suggest taking a serious look at leveraging TacticalRMM (or something paid if you really want to spend money) instead of WSUS. (As mentioned by others)

                              If you do have to go the WSUS route for whatever reason(s), make sure to automate the maintenance scripts that Microsoft references / provides in their online documentation. Why they don't integrate those scripts into the core product is something that I'll never understand but hey, they're making $$$ and I'm just a sysadmin.

                                scottalanmiller @1337

                                @pete-s said in Wsus for remote vpn and on-premise users:

                                @fredtx said in Wsus for remote vpn and on-premise users:

                                @dashrender said in Wsus for remote vpn and on-premise users:

                                What is the goal here? to keep the servers up to date? Do you really want WSUS to update your servers 'whenever'? Most people don't, could lead to an unexpected reboot in the middle of the day.

                                Of course I would not want the servers to reboot in the middle of the day. I would have to discuss with management on maintenance windows of downtime, since this is a manufacturing business where some sites run 24/7.

                                The goal is to improve and simplify how patching is handled for both servers and workstations. Currently there is no kind of process in place.

                                We do some of that and the most mission critical servers are handled manually. Patched, rebooted and verified that everything works.

                                Basically there are different categories of servers and workstation and each category is handled differently depending on how mission critical it is.

                                Agreed. Critical servers we tend to do by hand, and often.

                                  scottalanmiller @Fredtx

                                  @fredtx said in Wsus for remote vpn and on-premise users:

                                  Is logging in the console of windows servers the best way to install patches? What if there were 100 servers? That seems like a lot of overhead.

                                  If they are critical, yes it is. In most cases.

                                  But in one post you said that "best" had no place and WSUS, even though it is bad, HAD to be used as you didn't have the option to do something better (or even good.) Is "best" really on the table as a concern? At this point "adequate" is really the point to strive for (I'd consider WSUS the worst case scenario short of just giving up on updates.)

                                    scottalanmiller @notverypunny

                                    @notverypunny said in Wsus for remote vpn and on-premise users:

                                    If you're starting from scratch I'd suggest taking a serious look at leveraging TacticalRMM (or something paid if you really want to spend money) instead of WSUS. (As mentioned by others)

                                    Yup, that's EXACTLY what I was thinking. Free, no licensing overhead, way less effort to configure, maintain and use. Far easier to understand. Isn't limited to Windows should that ever matter. Does tons and tons of stuff outside of just patching and reporting.

                                    This is what we use and as it is free, it always makes me wonder what role something like WSUS would ever play given that Tactical covers the features of WSUS you generally want without all of the cost and limitations.

                                      Obsolesce

                                      You can use Windows Update for Business. No need for WSUS.

                                        Dashrender @Obsolesce

                                        @obsolesce said in Wsus for remote vpn and on-premise users:

                                        You can use Windows Update for Business. No need for WSUS.

                                        Is there any type of reporting in that?

                                          Fredtx @Dashrender

                                          @dashrender said in Wsus for remote vpn and on-premise users:

                                          @obsolesce said in Wsus for remote vpn and on-premise users:

                                          You can use Windows Update for Business. No need for WSUS.

                                          Is there any type of reporting in that?

                                          Looks like there's some built-in reporting in Azure.

                                          Monitor Windows Update with Update Compliance

                                            Obsolesce @Dashrender

                                            @dashrender said in Wsus for remote vpn and on-premise users:

                                            @obsolesce said in Wsus for remote vpn and on-premise users:

                                            You can use Windows Update for Business. No need for WSUS.

                                            Is there any type of reporting in that?

                                            Yes, multiple methods of reporting... reporting out the ass.
