I shut down the WSUS server

We recently upgraded to a 100Mbps WAN link at my current school. Along with the provision for additional/enhanced online learning opportunities, I wanted to see whether the new link could support Windows Updates delivered from Microsoft.

Access the Microsoft Docs article with specific instructions/settings for GPO/MDM (Intune) here.

Long story short… it could (with somewhere around 300 devices). I used the Windows Update for Business options (group policy/Intune) to defer the larger build/feature updates that are more likely to put additional traffic through the link. I chose the maximum deferral time of 365 days, as most (student) machines will be re-imaged with the latest build at the very least once annually.

A minimum Telemetry setting of 1 – Basic was also required (we’d previously been under the threshold).

We noticed spikes in internet traffic quantities as everyone came back to school and got the latest updates but overall usage has settled in the last few weeks as the updates have rolled out.

After I was satisfied that all was well, I gladly shut down the WSUS server.
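A client that still has the old WSUS policy applied will stop receiving patches once that server is gone, so it is worth auditing machines before the shutdown. The script below is an added example, not part of the original post: it assumes the settings described above were delivered by Group Policy and reads the standard policy registry values (MDM/Intune-managed devices store policy elsewhere and are not covered here).

```powershell
# Added example: audit one client's update policy before retiring WSUS.
# Assumption: settings arrive via Group Policy, so they live under HKLM:\SOFTWARE\Policies.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = [ordered]@{
    Computer                        = $env:COMPUTERNAME
    WUServer                        = Get-PolicyValue $wu 'WUServer'
    UseWUServer                     = Get-PolicyValue $au 'UseWUServer'
    DeferFeatureUpdates             = Get-PolicyValue $wu 'DeferFeatureUpdates'
    DeferFeatureUpdatesPeriodInDays = Get-PolicyValue $wu 'DeferFeatureUpdatesPeriodInDays'
    AllowTelemetry                  = Get-PolicyValue $dc 'AllowTelemetry'
}

$findings = @()

# A leftover WSUS pointer means the client will fail to scan once the server is off.
if ($report.UseWUServer -eq 1 -or $report.WUServer) {
    $findings += "Still pointed at WSUS ($($report.WUServer)); remove the intranet update service policy."
}

# The post defers feature updates by the maximum of 365 days.
if ($report.DeferFeatureUpdates -ne 1 -or $report.DeferFeatureUpdatesPeriodInDays -ne 365) {
    $findings += 'Feature update deferral is not set to 365 days.'
}

# The post notes that a minimum Telemetry level of 1 (Basic) was required.
if ($null -eq $report.AllowTelemetry -or $report.AllowTelemetry -lt 1) {
    $findings += 'AllowTelemetry is unset or below 1 (Basic).'
}

[pscustomobject]$report | Format-List
if ($findings.Count -eq 0) {
    Write-Output 'OK: client is ready for updates direct from Microsoft.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it on a sample of machines after `gpupdate /force`; the non-zero exit code makes it easy to collect failures from a remote execution tool.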

Tweet me @philmargetts_ with your recent Windows Update experience.

Although I’d shut down the WSUS server a few weeks ago, reading this post from Mike Galvin prompted me to post an update here. Have a read!

Update: given the “cleaner” experience of getting updates direct from Microsoft – and the fact that we share an offsite internet filter/proxy/cache with sister schools – I’m looking into an onsite passive Nginx caching solution like this one. Assuming it can passively pass on unrelated DNS requests (i.e. to our upstream Windows DCs), this could be a viable solution. More to come…