I was recently chatting with Microsoft WSUS MVP and SolarWinds Head Geek LGarvin about synchronizing WSUS servers, and I'd like to share his recommendations along those lines. Synchronizing WSUS servers ensures those update points have the most up-to-date update information from the update source -- in most cases, Microsoft Windows Update. With this information, the WSUS servers can respond appropriately when remote clients check in to determine whether they need to be patched.
How Often Should I Synchronize a WSUS Server?
The bottom line is that you should synchronize your WSUS servers at least once daily. The following list, however, comprises the entirety of Lawrence's recommendation, in descending priority order.
- Synchronize your WSUS server once every 24 hours at an off-peak time.
- If you are automatically approving Definition Updates, synchronize the server at least 2-3 times daily.
- If possible, schedule an additional synchronization to coincide with Patch Tuesday.
Microsoft WSUS is fully capable of addressing the first two recommendations with its native tools. However, the third recommendation requires extending WSUS with a third-party application like SolarWinds Patch Manager. On its own, WSUS only allows you to schedule synchronizations at a fixed interval of so many hours. So to address the first recommendation, schedule the synchronization for every 24 hours, starting at 3 AM, for example. To address the first and second recommendations together, schedule the synchronization for every 8 hours, say, starting at 6 AM. This would be necessary to get the Definition Updates Microsoft publishes throughout the day for its anti-virus and anti-malware programs like Defender, Forefront and Security Essentials.
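The native schedule described above can also be set and checked from PowerShell instead of the console. This is an added example, not from the original post; it assumes the UpdateServices module on the WSUS server itself, a 6 AM first synchronization, and three synchronizations per day.

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
# Requires the UpdateServices module that ships with the WSUS role.
Import-Module UpdateServices

# Assumed values for this example: first sync at 6 AM local time and
# three syncs per day (every 8 hours), as in the paragraph above.
$firstSyncLocal = [datetime]::Today.AddHours(6)
$syncsPerDay    = 3

$wsus         = Get-WsusServer          # connects to the local WSUS server
$subscription = $wsus.GetSubscription()

# The API stores the time of day in UTC; the console displays it in local
# time, so check the console after saving to confirm the conversion.
$subscription.SynchronizeAutomatically          = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = $firstSyncLocal.ToUniversalTime().TimeOfDay
$subscription.NumberOfSynchronizationsPerDay    = $syncsPerDay
$subscription.Save()

# Read the settings back and list the resulting sync times in local time.
$saved    = $wsus.GetSubscription()
$interval = 24 / $saved.NumberOfSynchronizationsPerDay
$baseUtc  = [datetime]::UtcNow.Date + $saved.SynchronizeAutomaticallyTimeOfDay
0..($saved.NumberOfSynchronizationsPerDay - 1) | ForEach-Object {
    $baseUtc.AddHours($_ * $interval).ToLocalTime().ToString('HH:mm')
}

# A schedule only helps if the syncs succeed: report the last result.
$last = $saved.GetLastSynchronizationInfo()
'{0} -> {1}: {2}' -f $last.StartTime, $last.EndTime, $last.Result
```

Because the time of day is stored in UTC, the local start time shifts by an hour when daylight saving time changes.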
With a third-party patch management application, you can schedule the basic, once-daily synchronization using the typical WSUS method, but then schedule additional synchronizations whenever you want. In other words, you could have a monthly synchronization that happens at noon on the second Tuesday of each month to ensure you get your Patch Tuesday updates as soon as possible, instead of having to wait until your 3 AM synchronization the following Wednesday.
More granular scheduling like this can even help with more frequent synchronizations in that you wouldn't have to schedule them at specific intervals. So instead of synchronizing for your Definition Updates every 6 hours, you could be more intentional about trying to hit low-traffic times like 2 AM, 6 AM, noon, and 6 PM.
For more patch management tips like these from Lawrence and others in the patching community, check out the PatchZone space here on thwack.