
I recently took my first IT job, at a midsize bank as one of the two IT staff.

We use WSUS to manage updates to the network machines, but the SUS server has been offline since before I started. During my training and acclimatization phase, no one managed updates, so now we face a mountain of updates, far too many to flood our T1-equipped network, with branches in multiple states.

So, we are looking into disabling the updates-only-through-WSUS policy and manually updating the machines, one branch at a time, to minimize and localize network traffic and potential issues.

Our concern, however, is that, even after the machines are manually updated to the latest patches, the WSUS server may not recognize the updates and overwrite them, effectively rendering our efforts pointless.

Does anyone have experience with this, or know whether this would work? Can we force the WSUS server to re-audit the network, and update the needed update list?

We know that going the other way (updates from WSUS, then do manual update) DOESN'T work; the WSUS-issued updates aren't recognized by Windows Update once disconnected from the network, and they get overwritten by manual update. But does that go both ways?

  • Normally, if a WSUS server isn't available Windows will fall back to Windows Update to fetch what's required...but I think that's also controlled via GPO. WSUS will "learn" updates when the client pings it again. – Nathan C Apr 14 '14 at 15:33
  • I believe our WSUS system is set up to only update from WSUS, regardless of whether it's online or not. So, if I'm reading you correctly, WSUS should update dynamically based on the clients' currently installed updates? – Anthony Fisher Apr 14 '14 at 15:36
  • Yes, that's my understanding. Our company had a broken WSUS for a while and we reverted to "MS update"...I fixed it up and left the database alone. It listed all the manual updates fine. – Nathan C Apr 14 '14 at 15:40
  • May I ask which Bank this is, that I can never ever go there? :) – MichelZ Apr 14 '14 at 15:48
  • @MichelZ, I'm rectifying this egregious situation as we speak :-) – Anthony Fisher Apr 14 '14 at 15:48

1 Answer


Updates do not get "overwritten"; Windows recognizes that the update has already been installed and does not request it from WSUS.

MichelZ
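The practical follow-up to this answer is verification: WSUS never scans a machine itself, it only stores what the Windows Update Agent on each client reports, so the "re-audit" the question asks about is really "make the client detect and report again". The PowerShell below is an added example, not code from the original post or from either participant. It assumes Windows 7 / Server 2008 R2-era clients (where wuauclt still honours /resetauthorization, /detectnow and /reportnow; on Windows 10 and later those switches are no-ops and the scheduled USO scan takes their place), a WSUS server on Server 2012 or later with the UpdateServices module, and a hypothetical branch hostname pattern BRANCH01-* that you would replace with your own.

```powershell
# Added example (not from the original post). Three steps a practitioner
# would run around a manual, branch-by-branch patching pass:
#   1. confirm which source a client is policy-bound to,
#   2. after patching, make the client re-detect and re-report to WSUS,
#   3. on the WSUS server, confirm the report arrived and the counts moved.
# Assumptions: Win7/2008 R2-era clients, WSUS on Server 2012+, hostnames
# like BRANCH01-* (hypothetical; substitute your own naming).

# --- Step 1 (run on the client): what update source is it locked to? ---
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
$useWU    = (Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue).UseWUServer

if ($useWU -eq 1) {
    Write-Host "Client is locked to intranet WSUS at $wuServer"
    # Do NOT just flip UseWUServer to 0 by hand on a domain box: the value lives
    # under the Policies hive and the next Group Policy refresh puts it back.
    # Instead, put the branch in its own OU, unlink (or set to Not Configured)
    # the "Specify intranet Microsoft update service location" policy there,
    # then refresh policy on the client:
    #   gpupdate /force
    #   Restart-Service wuauserv
    # Re-link the policy for that OU as soon as the branch is patched; leaving
    # branch PCs pointed at the public Microsoft Update permanently defeats the
    # approval control WSUS gives you.
} else {
    Write-Host "Client will use Microsoft Update directly"
}

# --- Step 2 (run on the client after manual patching) ---
# Force a fresh detection cycle and push the inventory to WSUS. Detection is
# asynchronous, so give it time before asking for the report. /resetauthorization
# drops the cached client-side targeting cookie so group membership is re-read.
Restart-Service wuauserv
& wuauclt /resetauthorization /detectnow
Start-Sleep -Seconds 120
& wuauclt /reportnow

# --- Step 3 (run on the WSUS server): did the report land, and what changed? ---
# Get-WsusServer (UpdateServices module) returns the IUpdateServer object, so
# the rest is the WSUS administration API. LastReportedStatusTime should be
# later than the time you patched; NotInstalled should have dropped, because
# WSUS only marks an update "needed" when the client's own scan says it is
# missing, exactly the behaviour the answer above describes.
$wsus = Get-WsusServer
$wsus.GetComputerTargets() |
    Where-Object { $_.FullDomainName -like 'BRANCH01-*' } |   # hypothetical naming
    ForEach-Object {
        $summary = $_.GetUpdateInstallationSummary()
        [pscustomobject]@{
            Computer     = $_.FullDomainName
            LastReported = $_.LastReportedStatusTime
            NotInstalled = $summary.NotInstalledCount
            Installed    = $summary.InstalledCount
            Failed       = $summary.FailedCount
            Unknown      = $summary.UnknownCount
        }
    } | Sort-Object NotInstalled -Descending | Format-Table -AutoSize
```

If a machine's LastReported time does not advance after step 2, the client never reached the WSUS server (check WindowsUpdate.log and the WUStatusServer value under the same policy key); if it advances but NotInstalled stays high, the manual pass missed updates that WSUS has approved, and nothing on the server side will "fix" that because the inventory is simply the client's own scan result.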