What is the number of computers being managed where the effort and cost of setting up and maintaining and managing a Windows Server Update Services (WSUS) server is the same as individually managing the computers?
In our case, we have about 60 computers, all belonging to the domain, all limited users. However, some are laptops, some are servers (windows 2003 and 2008), a few virtual machines, most XP, and a few Windows 7. Most have common software, like MS Office, but there subsets with various specialized software, such as Quickbooks. My tech guys recommend going to WSUS, but I've been resisting, figuring we were still a bit too small.
My own gross-guesstimate is that 100 computers is the breakeven, but if it's 10, then I've been too conservative. If it's 50 computers, even though we're somewhat over that number, I'll probably leave well enough alone. We currently use various automation tools to manage the computers: group policy, log in scripts, PSExec, and scheduled tasks to crudely do what I imagine WSUS would help us better do with a lot less bandwidth.
I don't think it's a specific number of computers issue, it's an automation and security issue. WSUS gives you a much more fine grained control over what updates are deployed, when they are deployed, and to whom they are deployed. It also allows you to essentially force your users to install the updates (by setting deadlines).
If these kinds of things are important to you, then it's worth the effort no matter how many computers you have to support.
There's also the issue of bandwidth (to the internet) management; with WSUS, the WSUS server downloads the updates from MS, and then pushes them to the client machines. So rather than having 50 computers independantly downloading 50GB worth of updates, you have 1. And you can schedule those, so you can predict your bandwidth usage as well.
Again, if that is something significant to you, then it's worth the effort.
Two. Well, maybe not on the cost perspective, but from the point of making my life easier, the more I can do from my desk the better. WSUS is very, very cheap to deploy though. It's even free to deploy if you have an existing Windows server you can put it on, and if not, it's just the price of another WIndows license.
Sixty is definately well above any "minimum" for WSUS - at that rate there will be machines you'll forget about or miss one day, and perhaps WSUS will find machines or software you didn't even know needed updates.
Of course, doing everything from my desk means that I actually have to make an effort to go outside and exercise when I get home, but that's a price worth paying.
At 60 I think you're well over the size where you ought to be using WSUS. I'd even suggest using it for a network as small as 30 devices. Below 20 might be questionable, but at 60 I'd definitely be using it.
Cheers, Trevor Sullivan
I don't think its about a minimum amount of computers as such (though I take the point that below a certain level it isn't worth the bother however you slice it) but rather about controlling risk.
Is the cost of having a managed environment where you can control what patches are pushed to machines, when the push happens and being able to monitor the results of a push more or less than the cost of having to get everyone to remember to visit Windows Update every now and again and dealing with the consequences if someone forgets and gets exploited / loses work due to a bug that could have been patched?
The advantages of WSUS to me are: the ability to choose when and which updates to install and to get reporting on whether those updates succeeded or failed.
If you are updating your machines via Windows/Microsoft Update, even automatically, it's much harder to test individual packages first.
Wish WSUS, I have my machines in various groups, which stagger the updates. If Microsoft releases a bad update which causes problems, only some machines are affected. I also have a dashboard which shows me which updates have failed.
We also have some applications which still require IE6. This is slowly being fazed out, but shows another ability of WSUS — I can prevent some updates from being installed if I know there will be an issue. With normal updates, you would have to sit at the physical machine, uncheck the updates manually, then check the "Do not display again" box.
We have a ridiculous amount of bandwidth, so that was not a concern for me when I moved to WSUS.
To summarize: selection of updates, reporting, and staged updates. I feel like I have a much better idea on the status of my machines.
Yes, you could probably accomplish the same things with scripting, but this method is much more future proof as long as MS maintains WSUS. The transition from XP to 7 and 2003 to 2008 hasn't changed much in terms of how I manage updating.
If you want a hard number, I would say any time you can't personally visit and check on all the machines within an acceptable time frame, then it's too many. For me, I would guess around 20-30. We have around 70 desktops and 30 servers and it's a huge time saver.
With the time and effort you'll save once you get it all set up you're going to be glad you have WSUS on the job. You're going to have loads of control over what and when you patch and you're provided with reporting capabilities as well. All well worth it.