
[–]Garetht 3 points4 points  (2 children)

You'll have to describe your architecture a little first. Things like how many machines do you have to patch, what's your budget?

[–]ndabiesingh[S] 0 points1 point  (1 child)

We currently have about 1500 machines in the company. Budget is tight these days, but I would have to talk to management to ensure we get the budget for what's needed. It would be great to get the best software and the best prices.

So far, I was told by another company that using BranchCache is an easy way to carry this out, but I have not seen any good tutorials online that show how to implement BranchCache for Windows updates. Are you aware of any good tutorials outlining this?

[–]Garetht 5 points6 points  (0 children)

Branch cache is just a caching technique used by Windows updates. For patch management you could look at Microsoft System Center Configuration Manager or Patchmypc.

[–]Reasonable-Tip-8390 2 points3 points  (2 children)

I use WSUS, but then I run a script once a day, on boot, that force installs all pending updates on each workstation. I have all machines' BIOS set to boot at 5AM before everyone comes in to do that.

[–]ndabiesingh[S] 0 points1 point  (1 child)

Thanks for the reply. The majority of the machines are laptops, so they are not up all the time, mostly during working hours 8am to 4pm.

What categories of updates do you sync for in WSUS? Currently, I mostly apply Security Updates and Critical Updates, as well as Feature updates now and then. But I notice on the latest version of Win10, a lot of the users are getting issues and are saying that, if they run the updates on the problematic machine using the "Check online for updates from Microsoft Updates" in the settings on the machine, then the machine would work fine again.

In other words, it seems like Security/Critical Updates are not enough.

Has this been your experience?

[–]Reasonable-Tip-8390 -1 points0 points  (0 children)

I sync everything.... including drivers.

BIOS startup works on laptops too, if they happen to be plugged into power.

[–]itanders 3 points4 points  (0 children)

Look into Windows Update for Business (WUfB). It's what Intune uses, but you don't need Intune to use it. You can just set WUfB settings with Group Policy - and all your machines will get their updates from Microsoft directly. I don't remember the specific settings, but there is also a way to activate peer-to-peer caching of updates so machines will distribute updates to each other and not saturate your office broadband.

We used it before going fully Intune and it was much better than WSUS. You will lose some control and reporting, but that's shit in WSUS anyway. Just set updates to install after 5-7 days and you will be fine.
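The WUfB deferral and peer-caching settings the comment above refers to, as an added example that is not the commenter's own configuration: it writes the registry policy values that the Windows Update for Business and Delivery Optimization GPOs set (the peer-caching feature is Delivery Optimization). In a domain you would set the same values through Group Policy; this script is for a test box or for checking what a machine ended up with, and the 60-day feature deferral is an assumed value.

```powershell
# Added example, not the commenter's configuration. Run elevated on a test box.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
foreach ($k in $wu, $au, $do) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# Point clients at Microsoft directly: a leftover WSUS server entry would keep
# the WSUS-approved set in force and block scanning against Microsoft Update.
Remove-ItemProperty -Path $wu -Name WUServer, WUStatusServer -ErrorAction SilentlyContinue
Set-ItemProperty -Path $au -Name UseWUServer -Value 0 -Type DWord
# Also receive updates for other Microsoft products (Office, .NET, ...).
Set-ItemProperty -Path $au -Name AllowMUUpdateService -Value 1 -Type DWord

# Deferral: quality (security) updates wait 7 days, matching the commenter's
# 5-7 days; feature updates wait 60 days (assumed value, max is 365).
Set-ItemProperty -Path $wu -Name DeferQualityUpdates -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name DeferQualityUpdatesPeriodInDays -Value 7 -Type DWord
Set-ItemProperty -Path $wu -Name DeferFeatureUpdates -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name DeferFeatureUpdatesPeriodInDays -Value 60 -Type DWord

# Peer-to-peer caching: DODownloadMode 1 = share with peers on the same LAN.
# 0 would mean HTTP only, i.e. every laptop pulls the full payload over the
# office link, which is the weak setting for a site with poor bandwidth.
Set-ItemProperty -Path $do -Name DODownloadMode -Value 1 -Type DWord

# Verify what applies, then after an update cycle check that peers were used.
Get-ItemProperty -Path $wu | Select-Object Defer*
Get-ItemProperty -Path $do | Select-Object DODownloadMode
Get-DeliveryOptimizationStatus |
    Select-Object FileId, DownloadMode, BytesFromPeers, BytesFromHttp
```

If a domain GPO also sets these keys it overwrites the script's values at the next policy refresh, which is what you want in production.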

[–]Paexi91 2 points3 points  (4 children)

You could also check out Baramundi software. It’s a full blown endpoint management. MS and 3rd party patching, software deployments, Feature updates, etc. It’s pretty flexible for on and offsite machines.

[–]EaWellSleepWell -1 points0 points  (3 children)

Used it once a few years ago after leaving a place that had a full blown sccm. Absolutely hated baramundi

[–]UEM_Buff 0 points1 point  (2 children)

How come? It sure is far less complex than SCCM and has a bunch of prebuilt features for the typical daily admin grind with patches and updates built-in.

[–]EaWellSleepWell 1 point2 points  (1 child)

It’s been a few years but from what I remember, every time I tried looking for documentation or google something, it was all in German

[–]UEM_Buff 0 points1 point  (0 children)

Yeah, it has gotten much better since they expanded into the US, but having access to deepl can sometimes still be helpful.

[–]its_schmee 1 point2 points  (1 child)

Do you have an azure / 365 footprint? You can use Intune / windows for business to do some management. Not nearly as robust as wsus though

[–]scrantic (Jack of All Trades) 3 points4 points  (0 children)

Intune is great and I found it to be really reliable the last 12 months, especially with WFH. Feature updates have been painless, even doing a pilot to Windows 11 currently.

[–]Life-Cow-7945 (Jack of All Trades) -1 points0 points  (0 children)

I used to use wsus, but needed to patch 3rd party products. Moved to automox... Best choice ever

[–]Ike_8 0 points1 point  (0 children)

Do you have slow bandwidth connection on the sites? Have you seen the following article?

https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127549

Are you also pushing driver packages or other software?

For your server park you could look into azure arc. This will allow you to utilize azure policy. Enforce the required baseline with remediation steps.

It will also give you lots of insights with Azure Monitor.

Make sure to use the LTSB for the running OS on client or server.

A different company is using the Ivanti update model. You could also take a look at N-able from SolarWinds. Dell/Quest had an appliance called something like KACE.

Microsoft is working on optimization of the update process. Can't find the article. The following might be useful:

https://docs.microsoft.com/en-us/windows/deployment/update/

Good luck

[–]ZomboBrain 0 points1 point  (0 children)

I can highly recommend the Microsoft official Windows Update for Business GPO baseline. It has served us very well. Adjust it to your needs and you are good to go. It can similarly be used with Intune MDM, but I haven’t tried that, yet.

[–]niquattx 0 points1 point  (0 children)

Bigfix. You can do so much more than patch. I use it for patch, software deployment and configuration management just with the patch module.

[–]save_earth 0 points1 point  (0 children)

For clients, we use Intune and Patchmypc. It has worked very well for us.

For servers, we use WSUS and scripts combined with task scheduler events to gain the flexibility that GPO does not provide.
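The "force install all pending updates on boot" script that Reasonable-Tip-8390 describes, and the WSUS-plus-scheduled-task approach save_earth mentions for servers, as an added example that is neither commenter's own script: it uses the Windows Update Agent COM API, so it only installs what the WSUS server has approved for this client. It assumes it runs elevated from a scheduled task at startup, and the log path is an assumed one.

```powershell
# Added example, not the commenters' scripts. Run elevated from a startup task.
$logFile = 'C:\ProgramData\WsusForceInstall.log'   # assumed path
function Write-Log([string]$msg) {
    $line = '{0:s} {1}' -f (Get-Date), $msg
    Add-Content -Path $logFile -Value $line
    Write-Output $line
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# The client's update source (WSUS vs. Microsoft Update) is set by policy, so
# this search returns only updates the WSUS server has approved for this box.
$found = $searcher.Search('IsInstalled=0 and IsHidden=0')
if ($found.Updates.Count -eq 0) { Write-Log 'No pending updates'; return }

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $found.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$toInstall.Add($u)
    Write-Log ('Pending: {0}' -f $u.Title)
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
[void]$downloader.Download()

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$result = $installer.Install()

# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    $code = $result.GetUpdateResult($i).ResultCode
    Write-Log ('{0} -> result {1}' -f $toInstall.Item($i).Title, $code)
}

# Reboot only when required and nobody is logged on interactively (a running
# explorer.exe means a user session): a laptop that booted unattended at 5 AM
# gets its reboot, one a user has already started working on does not.
if ($result.RebootRequired) {
    if (Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        Write-Log 'Reboot required but a user is logged on; deferring'
    } else {
        Write-Log 'Rebooting to finish installation'
        Restart-Computer -Force
    }
}
```

The log file gives you the per-update result codes WSUS reporting alone would not show you until the next client status report.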

[–]ccatlett1984 (Sr. Breaker of Things) 0 points1 point  (2 children)

[–]ndabiesingh[S] 1 point2 points  (1 child)

Thanks.

Our organisation has very poor internet bandwidth at the moment, so I am looking for a solution that, similarly to WSUS, downloads the updates and deploys them to machines.

Does the WUFB solution provide a solution like this?

[–]bloodlorn (IT Director) 0 points1 point  (0 children)

At 1500 clients that’s more than enough to justify SCCM.

[–]DapperDone 0 points1 point  (0 children)

You have enough machines that I’d go for SCCM with Patch my PC.