question

AhmedEssam-4837 asked RitaHu-MSFT commented

What's the best practice for WSUS?

Hello,

We have about 500 users in the HQ site and around 20-50 users in 50 small branches, and all sites are connected through fiber connections, so what are the recommendations and best practices for designing a WSUS server?

Thanks in advance

windows-server-update-services

@AhmedEssam-4837
Are there any updates on the case? Are the solutions which LeonLaude and Marshall provided below helpful or not?

Please keep in touch with us if there are any updates on the case. Remember to mark the answer if the solutions are helpful.

Thanks for your time and have a nice day.

LeonLaude answered

Hi @AhmedEssam-4837,

I'm not certain if there are best practices design-wise, as every company/organization is unique and different. There are, however, common best practices for security and other configurations, which you can find here:

Windows Server Update Services best practices
https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/windows-server-update-services-best-practices

Security best practices for Windows Server Update Services (WSUS)
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/security-best-practices-for-windows-server-update-services-wsus/ba-p/1587536


If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!


Best regards,
Leon


AJTek-Adam-J-Marshall answered

If you're looking at distributed load off the HQ, use replica downstream servers at each site. If you're looking at creating a single point of connection, drawing all updates from HQ, a single WSUS server will work. If you're looking for creating a single WSUS server for HQ, but having all other sites get approvals from WSUS but download directly from Microsoft, use a replica downstream at HQ, but specifying that updates will be approved only on WSUS but downloaded from Microsoft, and set up your Location for each of the sites to use this replica downstream WSUS server (similar to the externally facing WSUS server as linked in my guide below).

Some links of interest:

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/
https://www.ajtek.ca/wsus/externally-facing-wsus-servers/
https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/
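
The replica downstream options described in the answer above can be scripted with the UpdateServices PowerShell module. This is an added example, not part of the original answer or the linked guides; the upstream host name is a placeholder, and it assumes the upstream WSUS server already serves HTTPS on the default port 8531.

```powershell
# Run in an elevated session on the downstream WSUS server.
# Assumption: wsus-hq.example.internal is a placeholder for the HQ (upstream) server.
param(
    [string]$UpstreamServer = 'wsus-hq.example.internal',
    [int]$UpstreamPort = 8531,       # default WSUS HTTPS port
    [switch]$DownloadFromMicrosoft   # set for the "approve on WSUS, download from Microsoft" layout
)

Import-Module UpdateServices

# Replica mode: approvals, computer groups and settings are inherited from the
# upstream server, and metadata synchronisation runs over TLS.
Set-WsusServerSynchronization -UssServerName $UpstreamServer `
    -PortNumber $UpstreamPort -UseSsl -Replica

$wsus   = Get-WsusServer             # connects to the local WSUS instance
$config = $wsus.GetConfiguration()

# $true  : no local content store; clients get approvals here and fetch the
#          update files from Microsoft Update.
# $false : update files are mirrored locally and served to the site's clients.
$config.HostBinariesOnMicrosoftUpdate = [bool]$DownloadFromMicrosoft
$config.Save()

# Read the settings back so the resulting role can be recorded or audited.
$config = $wsus.GetConfiguration()
[pscustomobject]@{
    SyncFromMicrosoftUpdate       = $config.SyncFromMicrosoftUpdate
    UpstreamServer                = $config.UpstreamWsusServerName
    UpstreamPort                  = $config.UpstreamWsusServerPortNumber
    UpstreamUseSsl                = $config.UpstreamWsusServerUseSsl
    IsReplica                     = $config.IsReplicaServer
    HostBinariesOnMicrosoftUpdate = $config.HostBinariesOnMicrosoftUpdate
}
```

Run it without the switch for a site replica that serves content locally, and with `-DownloadFromMicrosoft` for the approvals-only replica.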
