I've been working with WSUS for years, and over the last couple it's become extremely apparent that without continual maintenance it can become unmanageable. If I have to click "Reset Server Node" one more time...
For a while now Microsoft has been talking about Windows Update for Business (WUfB), which isn't exactly a replacement for WSUS but can be used as one.
The idea is to update directly from Microsoft Update with a varying amount of delay. I went for three "rings": Testing, which gets updates with no delay and installs them on the same day; Pilot, which gets updates 7 days after release and only installs on a Saturday during our scheduled install slot; and Default, which gets updates 14 days after release and installs on the Saturday in the same install slot.
The staggering is a key part of WUfB; you can think of it as the equivalent of only approving updates for certain groups in WSUS. This allows me and the rest of the IT team to get updates straight away and test them. Our pilot users (IT Teachers) then get the updates a week later to confirm that there are no problems, before finally all the computers in school get the updates.
If an update causes problems the workflow becomes:
One of WSUS's main features for us is as an on-site cache of updates, removing the need for computers to hit the internet to download them. Since WUfB pulls directly from Microsoft, you might be a little worried that the bandwidth used by updates will go way up.
Delivery Optimisation allows clients on the same network to share the updates they have downloaded. Couple this with the rings and our IT Office PCs will get the updates first and then share them out when the Pilot ring catches up.
I'm going to make use of Group Policy precedence to make this job a bit easier. To start with I have Computer - WUfB (Default) at the top of my workstations OU, applying to everything; it configures Windows Update to install on a Saturday and applies the default WUfB config. Then there are two specific GPOs for the Pilot and Testing rings. These GPOs are filtered by group membership to ensure only the specific computers get the settings. The Pilot GPO simply changes the delays and doesn't touch the Windows Update settings. The Testing GPO, however, removes the delays and overrides the Windows Update settings to prompt the user to install every day.
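As an added example (not code from the original post), here is a PowerShell script that expresses the three rings above as the registry values the equivalent Windows Update and Delivery Optimisation policies set, plus a read-back function to confirm which ring GPO precedence actually left a machine in. It assumes a 09:00 Saturday install slot (the post gives no time) and that the delay applies to quality updates; run it elevated on a test box, since on a domain member GPO will overwrite these values.

```powershell
# Added example, not part of the original post: the three rings expressed as the registry
# values the equivalent Windows Update and Delivery Optimization policies write.
# Assumed: 09:00 Saturday install slot; "delay" applied to quality updates only.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"
$DoPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
# AUOptions: 4 = auto download + scheduled install, 3 = auto download + notify to install.
# ScheduledInstallDay: 7 = Saturday, 0 = every day.
$Rings = @{
    Testing = @{ DeferDays = 0;  AUOptions = 3; InstallDay = 0 }
    Pilot   = @{ DeferDays = 7;  AUOptions = 4; InstallDay = 7 }
    Default = @{ DeferDays = 14; AUOptions = 4; InstallDay = 7 }
}
function Set-WufbRing {
    param(
        [Parameter(Mandatory)][ValidateSet('Testing', 'Pilot', 'Default')][string]$Ring,
        [ValidateRange(0, 23)][int]$InstallHour = 9   # assumed install slot
    )
    $r = $Rings[$Ring]
    foreach ($p in $WuPolicy, $AuPolicy, $DoPolicy) { New-Item -Path $p -Force | Out-Null }
    # Deferral: the part that makes this a "ring"
    Set-ItemProperty $WuPolicy DeferQualityUpdates 1 -Type DWord
    Set-ItemProperty $WuPolicy DeferQualityUpdatesPeriodInDays $r.DeferDays -Type DWord
    # Automatic Updates behaviour: when and how the install happens
    Set-ItemProperty $AuPolicy NoAutoUpdate 0 -Type DWord
    Set-ItemProperty $AuPolicy AUOptions $r.AUOptions -Type DWord
    Set-ItemProperty $AuPolicy ScheduledInstallDay $r.InstallDay -Type DWord
    Set-ItemProperty $AuPolicy ScheduledInstallTime $InstallHour -Type DWord
    # Delivery Optimization download mode 1 = peer with devices on the same LAN
    Set-ItemProperty $DoPolicy DODownloadMode 1 -Type DWord
}
function Get-WufbRing {
    # Reads the effective policy back so you can confirm which ring a PC ended up in
    $wu = Get-ItemProperty $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty $AuPolicy -ErrorAction SilentlyContinue
    $do = Get-ItemProperty $DoPolicy -ErrorAction SilentlyContinue
    $match = $Rings.GetEnumerator() | Where-Object {
        $_.Value.DeferDays -eq [int]$wu.DeferQualityUpdatesPeriodInDays -and
        $_.Value.AUOptions -eq [int]$au.AUOptions
    }
    [pscustomobject]@{
        Ring         = $(if ($match) { $match.Name } else { 'Unknown' })
        DeferDays    = $wu.DeferQualityUpdatesPeriodInDays
        InstallDay   = $au.ScheduledInstallDay
        InstallHour  = $au.ScheduledInstallTime
        DownloadMode = $do.DODownloadMode
    }
}
```

Dot-source the script, then `Set-WufbRing -Ring Pilot` followed by `Get-WufbRing` shows the values a Pilot machine should report; `Get-WufbRing` on its own is the quick check that a computer picked up the right GPO.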
Pro: Windows updates deploy quickly to every computer.
Con: All updates deploy, no ability to block drivers etc...
Pro: Works off site, allowing devices to update even when they can't see the WSUS server.
Con: Will result in an uptick in bandwidth use, as some clients will still download from the internet, and any downloads will occur while the computers are actually in use rather than overnight as WSUS used to do.
Pro: Easy to manage; once set up, the only time any changes are needed is when you want to pause updates.
Overall I think the benefits outweigh the potential issues. It's been a smooth rollout here and that was with a backlog of updates to deploy.
I will concede that we don't have SCCM or Intune, so we might not have been giving WSUS a fair go of it. However, for us right now this solution is doing a great job and I can rest easy knowing our computers are all getting updates.