Deployment options for Windows Server Update Services -- the application that manages the distribution of Microsoft product updates to Windows-based machines on the network -- range from a simple, small build to a powerful multisite distribution.
Administrators who want a simple WSUS server setup can configure a single server with the WSUS role inside the firewall. This WSUS server connects and synchronizes with Microsoft Update, the service that provides updates to the Windows operating system and other Microsoft products. Any new updates will be synchronized with the WSUS server. The WSUS server setup requires an administrator to open port 80 for HTTP traffic and port 443 for HTTPS traffic.
Larger companies with a higher number of client systems may need more than one WSUS server. Administrators can deploy multiple WSUS servers in a hierarchical parent/child setup where a single parent WSUS server -- upstream -- connects to Microsoft Update. Multiple child servers -- downstream -- connect to the parent server to get updates and then distribute that content to the client systems. A multiple WSUS server configuration can benefit organizations with several locations: Administrators place a downstream server at each remote location -- with the BranchCache feature enabled -- to distribute Windows system updates. Generally, hierarchical deployments should be no more than three levels deep to minimize the time to spread new content throughout the WSUS servers.
The IT department can operate the WSUS server setup in autonomous mode, in which the upstream server passes updates to the downstream servers but does not approve the updates. The administrators of those downstream servers execute the testing, approval and application of updates. If the IT department chooses to configure the WSUS server setup in replica mode, the upstream server synchronizes updates and approvals for these patches to downstream servers. IT can configure WSUS servers to operate in both modes, depending on the needs of the organization.
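The following sketch is an added example, not part of the original article: it points a downstream WSUS server at its upstream parent in either replica or autonomous mode, then reads the stored settings back so the mode can be confirmed. The function name `Set-DownstreamWsus`, the host name `wsus-parent.example.internal` and the port value are assumptions; the cmdlets come from the UpdateServices module on the WSUS server.

```powershell
# Added example. Run on the downstream WSUS server in an elevated session.
Import-Module UpdateServices

function Set-DownstreamWsus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $UpstreamName,        # parent WSUS host (placeholder value below)
        [int]    $UpstreamPort = 8531, # assumption: set to the parent's TLS port
        [switch] $Replica              # mirror the parent's approvals
    )

    $wsus = Get-WsusServer             # the local WSUS instance

    if ($PSCmdlet.ShouldProcess($wsus.Name, "Synchronize from $UpstreamName")) {
        # With -Replica the parent's updates AND approvals are mirrored.
        # Without it the server is autonomous: it receives updates from the
        # parent, and its own administrators test and approve them.
        Set-WsusServerSynchronization -UpdateServer $wsus `
            -UssServerName $UpstreamName `
            -PortNumber $UpstreamPort `
            -UseSsl `
            -Replica:$Replica
    }

    # Read the stored configuration back instead of trusting the call above.
    $cfg = (Get-WsusServer).GetConfiguration()
    $mode = if ($cfg.SyncFromMicrosoftUpdate) { 'upstream (Microsoft Update)' }
            elseif ($cfg.IsReplicaServer)     { 'downstream replica' }
            else                              { 'downstream autonomous' }

    [pscustomobject]@{
        Server   = $wsus.Name
        Mode     = $mode
        Upstream = $cfg.UpstreamWsusServerName
        Port     = $cfg.UpstreamWsusServerPortNumber
        UseSsl   = $cfg.UpstreamWsusServerUseSsl
    }
}

# Preview the change first, then apply it (host name is a placeholder).
Set-DownstreamWsus -UpstreamName 'wsus-parent.example.internal' -Replica -WhatIf
Set-DownstreamWsus -UpstreamName 'wsus-parent.example.internal' -Replica
```

With `-WhatIf` nothing is changed and the returned object shows the server's current mode, which makes the function usable as a read-only check across a hierarchy.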
While WSUS is typically used as an online service, administrators can also set up a disconnected, or offline, service. In this scenario, updates download in a small controlled environment for testing. Once administrators verify that the updates will deploy safely in production, they export the content to a DVD or flash drive to import into WSUS servers on the organization's closed network.
Windows Server Update Services can affect proper execution of a Windows Server upgrade. During upgrades to Windows Server 2012 R2 or later -- such as Windows Server 2016 -- the installation may be blocked if WSUS 3.2 is detected. Additionally, there may be post-upgrade problems with WSUS that cannot be fixed without reformatting the local installation drive and reinstalling Windows Server. Remove WSUS 3.2 before embarking on an upgrade to the operating system.