Wednesday, January 28, 2009

Microsoft Windows Server Update Services (WSUS)

After the recent "patch alarm" sounded by Microsoft, I decided that I had had enough of so many machines on all different patch levels. As I have worked in IT for several years, I was aware of WSUS, and getting one set up in my current environment had long been a goal of mine that just kept getting put off. Having recently set up SharePoint Services on an underutilized virtual server, I thought it would be a good fit for running WSUS as well. If you pay attention the first time, you will notice that because SharePoint disables the Default website, the WSUS services will be running on port 8530; the setup dialogue even tells you so.

After WSUS is set up, you need to create a group policy that points users at your WSUS server. I only created one and then manually moved machines to the correct groups after the fact, but you can get as fine-grained and fancy as you like here, specifying the group for users to join at the OU level. If you're like me and couldn't use the default website, be sure you include the port in your group policy. Also know that when testing, if you run gpupdate /force, this change will require you to reboot, but it won't require a reboot as it propagates naturally.
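A quick way to confirm on a client that the policy arrived with the port included, as an added example that is not part of the original post. It reads the standard Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer, TargetGroup) and assumes the port 8530 mentioned above; the function name is hypothetical.

```powershell
# Added example: check that the WSUS group policy reached this client.
# Assumption: the WSUS site listens on port 8530, as described in the post.
$ExpectedPort = 8530
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Test-WsusClientPolicy {   # hypothetical helper name
    param([int]$Port = $ExpectedPort)

    $problems = @()
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if (-not $wu) { return @('No Windows Update policy key found; the GPO has not applied.') }

    # Both URLs must be present, well formed, and carry the WSUS port.
    # A URL without an explicit port parses as port 80 and is flagged here.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $wu.$name
        if (-not $value) { $problems += "$name is not set."; continue }
        $uri = $null
        if (-not [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) {
            $problems += "$name '$value' is not a valid URL."
        } elseif ($uri.Port -ne $Port) {
            $problems += "$name '$value' resolves to port $($uri.Port), expected $Port."
        }
    }
    if ($wu.WUServer -ne $wu.WUStatusServer) {
        $problems += 'WUServer and WUStatusServer differ.'
    }
    # Without UseWUServer = 1 the WUServer value is ignored.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $problems += 'AU\UseWUServer is not 1, so WUServer is ignored.'
    }
    # Report whether the GPO assigns the computer group (client-side targeting).
    if ($wu.TargetGroupEnabled -eq 1) {
        Write-Host "Client-side targeting group: $($wu.TargetGroup)"
    } else {
        Write-Host 'Client-side targeting is off; groups are assigned on the server.'
    }
    return $problems
}

$result = @(Test-WsusClientPolicy)
if ($result.Count -eq 0) { Write-Host 'WSUS policy looks correct.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```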

In any event, if you have been waiting to pull the trigger on WSUS for fear that the setup is complicated, or that you will see little benefit from the exercise, fear not. I achieved 87% compliance on the workstations in my environment with a single group policy and the number is probably higher, as I clean up machines that are no longer on the network in my Computers OU.
