question

BillClark-1118 asked BillClark-1118 commented

Frequency of checking local WSUS and impact on devices and network

We manage our Windows updates with an internal WSUS server that has all our devices in varying groups. We also have corresponding GPOs for the varying groups depending on what the end devices are and if we want an automatic install & restart, an automatic install w/ manual restart, or just auto-download w/ a manual install (just a few examples). My problem is the frequency of when the clients check for, and download, newly released/approved updates through WSUS. When I release/approve an update to a group in WSUS, I want the corresponding client to check often enough that they start downloading the updates ideally within the hour or two at most. If I set the "Automatic Update Detecting Frequency" policy setting to 1 hour, how much extra work and traffic will this generate on the PC/server and the network? We have about 110 virtual servers and roughly 160 Windows 10 PCs and the network is healthy. I messed around with trying to do some batch scripting that could be run that would tell the end devices to check for updates, but discovered that "wuauclt.exe" has been deprecated and that "usoclient.exe" only works for logged-on users.

windows-group-policy windows-server-update-services

AJTek-Adam-J-Marshall answered BillClark-1118 commented

The real answer is you won't notice it with that few clients as long as you're performing the proper WSUS maintenance. 1 Hour is common for those who are using Microsoft Defender definition updates. With <500 clients you shouldn't notice anything at all. I recommend 4 hours (https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/) but you could do every hour. A single WSUS server can handle thousands of clients when given the right resources and maintenance.

Are you performing the proper WSUS maintenance including but not limited to running the Server Cleanup Wizard (SCW), declining superseded updates, running the SQL Indexing script, etc.?

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/


Thanks, this is what I was looking for. I do keep WSUS maintenance on a regular schedule, performing all the options to try and keep it nice and tidy. I'll modify the existing GPOs and then keep an eye on resources and such. Thanks!


UPDATE: Doing some testing with this and the "Automatic Updates detection frequency" GPO setting doesn't seem to be applying. On these few test servers I ran a "gpupdate /force", then waited a bit and then ran "gpresult /scope computer /h <filenameANDpath>". Looking at the resulting HTML file, I see the "Automatic Updates detection frequency" listed as 1 hour, which corresponds to the Winning GPO which is the one I'm testing with. The issue is that it is NOT checking for updates every hour, but more along the lines of within 4 hours. For reference, I'm going off the time that shows when I open Windows Update on the server and it says "Last Checked <TIME>". If there is a better way to verify when it actually is checking for available updates, I'm all ears. Thanks!

RitaHu-MSFT answered RitaHu-MSFT edited

@BillClark-1118
Thanks for your posting on Q&A.

Here are my ideas shared with you.

First of all, the clients will scan for updates at the specified interval, not the specified time, even though you have enabled the Automatic Updates detection frequency policy for the client.
136378-13.png

In addition, we could review the actual scan time at the Task Scheduler on the client. Here is a screenshot on my computer for your reference:
136501-14.png

We could also check the size of updates on the WSUS console. Here is a screenshot for you about how to review the size of the updates:
136462-15.png

It is not recommended to run the usoclient.exe command. It is not recommended by MS and there is no such Official Document for reference.

Hope the above will be helpful. Please feel free to keep us in touch if you have any questions.

Thanks for your time and have a great day.

Regards,
Rita
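
One way to check on a client both the policy that actually applied and when the last scan happened, as an added example that is not part of the original answers. It assumes the GPO is delivered through the standard Windows Update policy registry keys and that the script runs in Windows PowerShell on the client; the `Get-PolicyValue` helper and the output property names are made up for this example.

```powershell
# Added example: compare the detection-frequency policy applied to this client
# with the time of its last successful update scan.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$enabled = Get-PolicyValue -Path $auKey -Name 'DetectionFrequencyEnabled'
$hours   = Get-PolicyValue -Path $auKey -Name 'DetectionFrequency'
$server  = Get-PolicyValue -Path $wuKey -Name 'WUServer'

# 22 hours is the default interval when the policy is disabled or not configured.
if ($enabled -ne 1 -or $null -eq $hours) { $hours = 22 }

# Windows Update Agent COM API; LastSearchSuccessDate is reported in UTC
# and is empty on a machine that has never completed a scan.
$au  = New-Object -ComObject Microsoft.Update.AutoUpdate
$raw = $au.Results.LastSearchSuccessDate

$lastScanLocal = $null
$hoursSince    = $null
if ($raw -is [DateTime]) {
    $lastScanUtc   = [DateTime]::SpecifyKind($raw, [DateTimeKind]::Utc)
    $lastScanLocal = $lastScanUtc.ToLocalTime()
    $hoursSince    = [math]::Round(((Get-Date).ToUniversalTime() - $lastScanUtc).TotalHours, 2)
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    WsusServer         = $server
    PolicyEnabled      = ($enabled -eq 1)
    IntervalHours      = $hours
    LastScanLocal      = $lastScanLocal
    HoursSinceLastScan = $hoursSince
    # Flag clients that never scanned or whose last scan is older than the interval.
    Overdue            = ($null -eq $hoursSince -or $hoursSince -gt $hours)
}
```

Running it a few times over an afternoon on a test server shows whether the scans follow the configured interval, independent of the "Last Checked" text in the Settings app.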



LimitlessTechnology-2700 answered

Hi there,

Automatic Update Detecting Frequency specifies the hours that Windows will use to determine how long to wait before checking for available updates.

If the setting is set to Enabled, Windows will check for available updates at the specified interval. If the setting is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours. So this is not the frequency the Updates are installed but the frequency updates are checked.

You can try Managing additional Windows Update settings through this
https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings




BillClark-1118 answered

Thanks for the detailed response but that isn't quite what I was asking. I want to know if there is any substantial impact to an end-device or the network if I set my end-devices to check for updates every hour or so. I control the release of updates via WSUS, but need my end-devices to be fairly responsive in checking for new updates. But I don't want the end-devices to generate a huge amount of unnecessary traffic that could impact the network in doing so.
Also, typical Microsoft to deprecate a functional command and replace with something but tell us, the daily users that have to manage systems, "don't touch, it's only for us to use". Irritates me to no end how Microsoft continues to change Windows to steal more and more control away from our systems that run their OS. There, off my soap-box.


AJTek-Adam-J-Marshall answered