Whats the best practice for WSUS

Question

Hello,

We've about 500 user in HQ site and around 20-50 user in 50 small branch and all sites connected through fiber connection, so whats the recommendations and best practice for design WSUS server.

Thanks in advance

Answer 1

Hi @Ahmed Essam ,

I'm not certain if there are best practices design-wise as every company/organization are unique and different, there are however common best practices for security and other configurations which you can find over here:

Windows Server Update Services best practices
https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/windows-server-update-services-best-practices

Security best practices for Windows Server Update Services (WSUS)
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/security-best-practices-for-windows-server-update-services-wsus/ba-p/1587536

----------

If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

Best regards,
Leon

Answer 2

If you're looking at distributed load off the HQ, use replica downstream servers at each site. If you're looking at creating a single point of connection, drawing all updates from HQ, a single WSUS server will work. If you're looking for creating a single WSUS server for HQ, but having all other sites get approvals from WSUS but download directly from Microsoft, use a replica downstream at HQ, but specifying that updates will be approved only on WSUS but downloaded from Microsoft and setup your Location for each of the sites to use this replica downstream WSUS server (similar to the externally facing WSUS server as linked in my guide below).

Some links of interest:

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/
https://www.ajtek.ca/wsus/externally-facing-wsus-servers/
https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/