WSUS Classifications - recommendations

  • WSUS Classifications - recommendations

    Although it definitely differs from one environment to another, I'm wondering what recommendations can you offer as far as WSUS Classifications. I'm having a hard time deciding which to select.

    Naturally Critical Updates and Security Updates are selected, but I don't know about Updates, Update Rollups, Service Packs (apart from the big ones for Windows and Office there are a bunch of them for .NET...), Definition Updates.

    I know I don't need/want Drivers, Feature Packs, Tools.

    Also, does your recommendation for classifications differ if it's a client or a server? (I automatically install on clients, just download on servers, but both are controlled through WSUS.)
    The environment has about 60 client machines, 10 servers.

    How do you guys do it in your environments?

  • #2
    Re: WSUS Classifications - recommendations

    I tend to accept every classification except drivers, but be picky about what I approve -- MS sometimes sneak things into an unexpected category

    I would have 3 WSUS GPOs
    Domain (or site) level pointing everyone at the WSUS server
    Servers OUs (plus DC OU) set to "download but not install"
    Clients OUs set to "auto install"

    I also set up a fairly strict, hierarchical structure of computer groups:
    Servers, sub divided by OS
    Clients, ditto
    Server Roles (DC, Exchange, SQL, TS, Sharepoint etc)
    Client Apps (different Office Versions mainly)

    Each computer will go into an OS group and one or more role / apps groups
    Fiddly to set up initially but the control it gives pays off
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: WSUS Classifications - recommendations

      Appreciate your reply Ossian.

      You say you pick every classification except drivers, but only approve some. What do you do with the others, deny? Otherwise you'd probably never see patched machines in WSUS.

      Also aren't there a gazillion updates, how do you even go through all of them?



      • #4
        Re: WSUS Classifications - recommendations

        You can minimise the amount of updates you download and therefore the admin overhead by also choosing only the Products you use in your environment.
        I would leave out drivers, feature packs and tools.
        It becomes more manageable if you regularly monitor the WSUS server and actively approve the updates.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: WSUS Classifications - recommendations

          I only have the few products we use selected and there's still quite a bit to approve.



          • #6
            Re: WSUS Classifications - recommendations

            Originally posted by CypherBit:
            Appreciate your reply Ossian.

            You say you pick every classification except drivers, but only approve some. What do you do with the others, deny? Otherwise you'd probably never see patched machines in WSUS.

            Also aren't there a gazillion updates, how do you even go through all of them?

            Some I deny (e.g. media player new versions), others I ignore.
            I do not need to see a full set of green lights in WSUS -- some yellows are OK

            I have an upstream WSUS server I use to drive the initial synchronisation so it is slightly easier than doing it from scratch (but that is the result of about 3 years work now)
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              Re: WSUS Classifications - recommendations

              Ossian how do you then even know which of your machines are patched to the desired standard?

              My desire has always been to have the machine fully patched so when I get an e-mail report it's not among those Computers Needing Updates, same goes for when viewing in WSUS...am I alone in this respect?
              Last edited by CypherBit; 27th July 2010, 13:02.



              • #8
                Re: WSUS Classifications - recommendations

                You can use MBSA with WSUS and it will show you which clients need attention.
                Caesar's cipher - 3

                ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                SFX JNRS FC U6 MNGR



                • #9
                  Re: WSUS Classifications - recommendations

                  Originally posted by CypherBit:
                  Ossian how do you then even know which of your machines are patched to the desired standard?

                  My desire has always been to have the machine fully patched so when I get an e-mail report it's not among those Computers Needing Updates, same goes for when viewing in WSUS...am I alone in this respect?

                  Look at it the other way round and report by update not by computer
                  More green lights that way

                  Also remember WSUS has a SQL database so you can create your own reports
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **
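
Added example, not part of any post in this thread: one way to build the "report by update" that post #9 describes, directly from the WSUS SQL database. It assumes the default `SUSDB` database, its `PUBLIC_VIEWS` views (`vUpdate`, `vClassification`, `vUpdateInstallationInfoBasic`, `vUpdateApproval`) and the state codes noted in the comments; verify these names against your WSUS version before relying on the output.

```sql
-- Added example: per-update compliance for updates approved for install.
-- Assumed state codes in vUpdateInstallationInfoBasic.State:
--   0 Unknown, 1 Not applicable, 2 Not installed, 3 Downloaded,
--   4 Installed, 5 Failed, 6 Installed pending reboot
USE SUSDB;

SELECT
    c.DefaultTitle                                        AS Classification,
    u.DefaultTitle                                        AS UpdateTitle,
    u.KnowledgebaseArticle                                AS KB,
    SUM(CASE WHEN s.State = 4        THEN 1 ELSE 0 END)   AS Installed,
    SUM(CASE WHEN s.State IN (2, 3)  THEN 1 ELSE 0 END)   AS Needed,
    SUM(CASE WHEN s.State = 6        THEN 1 ELSE 0 END)   AS PendingReboot,
    SUM(CASE WHEN s.State = 5        THEN 1 ELSE 0 END)   AS Failed,
    SUM(CASE WHEN s.State = 0        THEN 1 ELSE 0 END)   AS NotReported
FROM PUBLIC_VIEWS.vUpdate AS u
JOIN PUBLIC_VIEWS.vClassification AS c
      ON c.ClassificationId = u.ClassificationId
JOIN PUBLIC_VIEWS.vUpdateInstallationInfoBasic AS s
      ON s.UpdateId = u.UpdateId
WHERE u.IsDeclined = 0            -- declined updates are out of scope
  AND s.State <> 1                -- ignore machines the update does not apply to
  AND EXISTS (                    -- only updates someone approved for install;
        SELECT 1                  -- ignored (unapproved) updates stay out of the report
        FROM PUBLIC_VIEWS.vUpdateApproval AS a
        WHERE a.UpdateId = u.UpdateId
          AND a.Action = 'Install'   -- assumed action label
      )
GROUP BY c.DefaultTitle, u.DefaultTitle, u.KnowledgebaseArticle, u.UpdateId
-- Show only approved updates that are not yet installed everywhere.
HAVING SUM(CASE WHEN s.State IN (0, 2, 3, 5, 6) THEN 1 ELSE 0 END) > 0
ORDER BY Failed DESC, Needed DESC, Classification, UpdateTitle;
```

Because unapproved updates are excluded, machines that are merely missing an ignored update do not count against compliance, which is the effect post #9 is after.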
