BatchPatch Integration with WSUS and Group Policy

One of the questions we commonly receive is: what is the best way to use BatchPatch in conjunction with a WSUS server?

First, let me say that BatchPatch works great in conjunction with WSUS, and since WSUS is free and extremely simple to set up, there’s little reason not to have it. However, WSUS is definitely *not* required. BatchPatch will work great without it.

If you don’t already have a WSUS server set up, you can typically get WSUS installed and running in only 30-60 minutes. If you aren’t familiar with WSUS, I would encourage you to install it on a spare VM. It requires little processing power, though it does require a substantial amount of hard drive space, and at a minimum you’ll want to allocate a 20GB data partition to it to store all of the updates. Download it for free from Microsoft: http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

A few advantages to using a WSUS server

  • Reduced bandwidth consumption: Your WSUS server will download updates from Microsoft, and then your clients will download updates from your WSUS server. Without WSUS, your clients would normally all retrieve updates directly from Microsoft.
    ***Note, BatchPatch also has a feature called Cached Mode, which enables you to reduce bandwidth consumption *without* WSUS by having BatchPatch download updates only on the computer running the BatchPatch console. Once downloaded, BatchPatch can then distribute these updates to your clients. See Cached Mode and Offline Updates for more information.
  • Easily approve or decline which updates will be seen by client machines: You can have WSUS automatically approve updates for you, but if there’s a specific update you want to make sure your machines don’t get, it’s easy to simply decline it.
    ***Note, BatchPatch is also capable of installing only specific updates and/or hiding specific updates without WSUS. See Installing Specific Updates and Hiding Specific Updates for more info.
  • Reporting: WSUS will give you some basic reporting functionality.
    ***Note, BatchPatch also provides update history reporting. Please visit Create a Consolidated Report of Windows Update History for more info.

Our recommended approach to using BatchPatch with WSUS

  1. Use Group Policy to have your client machines automatically download updates from the WSUS:
    • Create/edit a group policy that is linked to the OU containing your computers
    • In Group Policy editor (gpedit.msc) go to Computer Configuration > Administrative Templates > Windows Components > Windows Update and make sure to enable the Specify intranet Microsoft update service location setting with your WSUS server as the target. Assuming that you are using the default WSUS configuration, the value for this policy would be
      http://MyWSUSServer:8530
    • In the same location, set the Automatic Updates detection frequency to an interval of 1 hour, which will ensure that your machines retrieve updates soon after they are available
    • In the same location, set the Configure Automatic Updates setting to 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed
    • Review this posting, which explains a potential issue that can arise due to the ‘Dual Scan’ functionality that Microsoft introduced to Windows 10 in August 2017.

    [Screenshot: Group Policy Editor, Windows Update settings]

  2. When your maintenance window begins, use BatchPatch Actions > Windows Updates > Install downloaded updates, which will tell your client machines to install updates that they have already downloaded. They will not reach out to your WSUS unless you instead select BatchPatch Actions > Windows Updates > Download and install updates. However, the whole purpose of using group policy setting number “3” (specified above) is to have your machines download available updates before your maintenance window begins. This way, when you are actually ready to install updates on your machines, you can minimize the total time the process takes by having the updates already downloaded. Of course you are welcome to use BatchPatch to initiate the download portion if that’s your preference, but for maximum time savings, we like to have the clients pre-download any available updates. This will also prevent any potential bottlenecks on the WSUS server.
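As an added example (not BatchPatch’s own code and not part of the original post), the following PowerShell script can be run in an elevated session on a client machine to confirm that the Group Policy settings from step 1 have actually taken effect before your maintenance window, by reading the registry values those policies write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The WSUS URL (http://MyWSUSServer:8530) and the 1-hour detection interval are the assumed values from the steps above; the DisableDualScan check corresponds to the Dual Scan issue mentioned in step 1 and is only expected to be set if you followed that posting.

```powershell
# Added example: verify the Windows Update client policy on a WSUS client.
# Assumed value from the tutorial; replace with your own WSUS URL.
$ExpectedServer = 'http://MyWSUSServer:8530'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Read one policy value, returning $null when the value or key is absent
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wuServer    = Get-PolicyValue $wuKey 'WUServer'          # Specify intranet Microsoft update service location
$wuStatus    = Get-PolicyValue $wuKey 'WUStatusServer'    # statistics server from the same policy
$useWU       = Get-PolicyValue $auKey 'UseWUServer'       # 1 = clients use the intranet server above
$auOptions   = Get-PolicyValue $auKey 'AUOptions'         # 3 = auto download, notify to install
$detectOn    = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
$detectHours = Get-PolicyValue $auKey 'DetectionFrequency'
$dualScanOff = Get-PolicyValue $wuKey 'DisableDualScan'   # 1 = Dual Scan disabled (see step 1)

$checks = @(
    [pscustomobject]@{ Setting = 'WUServer';                  Value = $wuServer;    OK = ($wuServer -eq $ExpectedServer) }
    [pscustomobject]@{ Setting = 'WUStatusServer';            Value = $wuStatus;    OK = ($wuStatus -eq $ExpectedServer) }
    [pscustomobject]@{ Setting = 'UseWUServer';               Value = $useWU;       OK = ($useWU -eq 1) }
    [pscustomobject]@{ Setting = 'AUOptions';                 Value = $auOptions;   OK = ($auOptions -eq 3) }
    [pscustomobject]@{ Setting = 'DetectionFrequencyEnabled'; Value = $detectOn;    OK = ($detectOn -eq 1) }
    [pscustomobject]@{ Setting = 'DetectionFrequency (hours)'; Value = $detectHours; OK = ($detectHours -eq 1) }
    [pscustomobject]@{ Setting = 'DisableDualScan';           Value = $dualScanOff; OK = ($dualScanOff -eq 1) }
)

$checks | Format-Table -AutoSize

# Report which scheme the client will use to talk to WSUS. WSUS can also be
# published over HTTPS (default port 8531) if you configure it that way.
if ($wuServer) {
    $scheme = ([uri]$wuServer).Scheme
    Write-Host "WSUS is reached over $scheme"
}

$failed = @($checks | Where-Object { -not $_.OK })
if ($failed.Count -eq 0) {
    Write-Host 'All expected Windows Update policy values are present on this client.'
    exit 0
} else {
    Write-Host ("{0} setting(s) differ from the expected configuration." -f $failed.Count)
    exit 1
}
```

If values are missing, run `gpupdate /target:computer /force` and check `gpresult /r` to confirm the GPO linked to the computer’s OU is actually being applied before looking further; the registry values above are written by Group Policy processing, not edited by hand.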