Blog Post

Windows IT Pro Blog
5 MIN READ

Security best practices for Windows Server Update Services (WSUS)

Michael_Cureton's avatar
Michael_Cureton
Former Employee
Aug 13, 2020
To help provide additional protection from potential malware attacks, Microsoft recommends using HTTPS with Windows Server Update Services (WSUS). In this post, we will walk you through the steps r...
Updated Aug 13, 2020
Version 2.0
security
servicing and updates
mle_ii's avatar
mle_ii
Copper Contributor
Sep 11, 2020

The_Smart_One Wow, that's a great table, several interesting cons there that hopefully MS will address.  One of those is very bothersome to me.  As someone who maintains 100s of Windows servers for our company this one has me worried.

Support admin approval

No

Yes

 

Please don't tell me that it would automatically download MS SQL CUs, that would be terrible.

We have automation to update our servers and we've done a great job of making sure that our servers can even be patched during the day except for a few SPOF type things like MS SQL and if these were pulled down without admin approval then that's a huge issue for us as we vet significant updates in our test environment first.  Along with the installation of a CU for MS SQL actually causes the SQL service to stop during the install which we cannot do during the middle of the day outside of our smaller maintenance window where we actually have to have services be down for a short period.

While I'm here worried about the direction MS is going with regards to patching.  Another issue which has been made well known to MS Support is that they've added a Scheduled Task to 2016 and 2019 that will automatically reboot boxes that have updates installed in the "outside of hours" time.  Sorry but that definitely doesn't belong in a server product.  Took me a long time to figure out why our newly created servers were automatically rebooting themselves where we're not controlling when they reboot.  This does not exist on 2012 R2 and they've worked fine for years with the patching automation we have in place.

Another issue is that you need to make sure not to remote into a 2016 or 2019 post reboot after installing updates, there is a few minute window of time where if you do this it will cause the updates to fail with error code "0x800f0922".  Adding a 5 minute waiting period to our scripts helped fix an issue that caused me days worth of pain each month having to manually fix these servers.  But definitely should be fixed as well.  Oh and this is another "feature" that 2012 R2 does not have but 2016 and 2019 have.  😞

It becoming more and more difficult as the years/months go by to keep our Windows servers fully up to date.  We're a mix of Windows and *nix OS wise but each month I'm leaning more and more towards making sure we use Windows less and less which is too bad as I've been using Windows professionally for at least 30 years now and this company has probably been using Windows products for that same amount of time.  In fact I used to be part of the Windows team before I moved on to a company where I could live closer to my daughter.

Mike