What do the following have in common for WSUS Administrators?
- Select when Preview Builds and Feature Updates are received (BranchReadinessLevel, DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays, PauseFeatureUpdatesStartTime)
- Select when Quality Updates are received (DeferQualityUpdates, DeferQualityUpdatesPeriodInDays)
Besides being Windows Update for Business policies (a fundamental change in the way you think about updates), when specified in a WSUS network, they cause havoc because of that pesky little thing called dual scan.
Let’s take a step back.
When utilizing WSUS you are already ‘in control’, or should be. Because of this, in a WSUS network, there is zero reason to enable these policies. They may sound fantastic to the administrator, but the administrator doesn’t know why these policies exist or how they interact with others (these are not the only policies that I’ve seen WSUS Administrators fumble over either).
An update will only reach a client machine when it is approved, not before. If you don’t want the feature upgrades to install right now, don’t approve them. If you don’t want the cumulative updates to install right away because you want a week or two ‘staying’ period to see if others are having issues with them, don’t approve them.
So, What Should I Do?
If you have WSUS, don’t set these policies. If you have them already set, set them to ‘Not configured’. Also make sure that ‘Set the alternate download server’ is specified in your WSUS server location settings, as explained in part 4 of my 8-part blog series on How to Setup, Manage, and Maintain WSUS.
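
To check a client for this combination, the following read-only PowerShell audit is an added example, not code from the original post. It assumes Group Policy writes these settings under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`; the function name `Get-DualScanAudit` is hypothetical.

```powershell
# Added example: audit a client for Windows Update for Business policies
# that cause dual scan when a WSUS server is also configured. Read-only.
# Assumption: Group Policy writes these values under the key below.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Policy values named in the article.
$WufbValues = @(
    'BranchReadinessLevel',
    'DeferFeatureUpdates',
    'DeferFeatureUpdatesPeriodInDays',
    'PauseFeatureUpdatesStartTime',
    'DeferQualityUpdates',
    'DeferQualityUpdatesPeriodInDays'
)

function Get-DualScanAudit {   # hypothetical helper name
    param([string]$Key = $WuPolicyKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $props) {
        # No Windows Update policy key at all: nothing configured by policy.
        return [pscustomobject]@{
            WsusServer = $null; AlternateDownloadServer = $null
            WufbPoliciesSet = @(); DualScanRisk = $false
        }
    }
    # Keep only the WUfB values that are actually present on this machine.
    $set = @($WufbValues |
        Where-Object { $props.PSObject.Properties.Name -contains $_ } |
        ForEach-Object { '{0}={1}' -f $_, $props.$_ })

    [pscustomobject]@{
        WsusServer              = $props.WUServer
        AlternateDownloadServer = $props.UpdateServiceUrlAlternate
        WufbPoliciesSet         = $set
        # WSUS configured plus any of these policies is the combination to fix.
        DualScanRisk            = [bool]$props.WUServer -and ($set.Count -gt 0)
    }
}

$audit = Get-DualScanAudit
$audit | Format-List
if ($audit.DualScanRisk) {
    Write-Warning 'WSUS is configured and WUfB policies are set: set them to Not configured.'
}
if ($audit.WsusServer -and -not $audit.AlternateDownloadServer) {
    Write-Warning "'Set the alternate download server' is not specified."
}
```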