Best practices for devices with WSUS configurations
As Microsoft has officially stopped development for Windows Server Update Services (WSUS), you may wish to migrate your endpoint patching process to Datto RMM.
To do so, you'll start by identifying devices that currently have a WSUS configuration. Next, you'll decide how to remove the WSUS configuration. Lastly, you'll need to remove any existing group policies that are setting the WSUS configuration.
IMPORTANT You should thoughtfully plan any migration from WSUS to Datto RMM patching. Consider patch groups, approvals, and reboot settings. Refer to Best practices for Patch Management.
Identifying devices with WSUS configurations
You can leverage PowerShell to check if a Windows device has the WSUS configuration in the registry, then output a YES or NO value to a user-defined field (UDF) for later use in a filter.
In this example, the following PowerShell code will check the registry and then write out YES or NO to UDF 6.
NOTE You can change the UDF output by changing Custom6 to any custom field (1 through 30). Refer to User-defined fields.
# Default the UDF to NO so devices without the WSUS policy key are still recorded
New-ItemProperty -Path "HKLM:\Software\Centrastage" -Name "Custom6" -Value 'NO' -Force
# Read UseWUServer; if the key or value is missing, $regkey is $null and the UDF stays NO
$regkey = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue).UseWUServer
if ($regkey -eq 0) {
    Write-Host "Local WSUS server not configured"
    New-ItemProperty -Path "HKLM:\Software\Centrastage" -Name "Custom6" -Value 'NO' -Force
}
if ($regkey -eq 1) {
    Write-Host "Local WSUS server configured"
    New-ItemProperty -Path "HKLM:\Software\Centrastage" -Name "Custom6" -Value 'YES' -Force
}
Create a component as a script so you can run this against devices as a quick job. Refer to Creating a component.
Once you have executed the component against one or more devices, check the chosen UDF for the value you are interested in.
Filtering for devices with WSUS configurations
Now, you can configure the following filter using the custom field value, which will produce a list of all the Windows devices that have WSUS enabled:
Operating System > contains > Windows
AND
WSUS Configured > contains > YES
Refer to Device filters.
Hybrid update system
During the migration process, Datto RMM may perform the Windows Update auditing and reporting while WSUS performs the installation phase. This is considered a hybrid system. Ultimately, you can plan to migrate the installation phase to Datto RMM.
To achieve this, you must configure an audit-only Patch Management policy and apply the policy to the target device filter or group.
Datto RMM dashboards and scheduled reports can then be used to evidence update compliance even though WSUS is currently executing the installation phase.
Removing WSUS configurations from devices
The Windows Update Toolkit [WIN] component, available from the ComStore, includes an option to remove any existing WSUS configuration from an endpoint.
You must also remove any existing group policies that may be applying a WSUS configuration to devices. Otherwise, the WSUS settings will be reapplied to devices during a group policy background refresh performed by the devices.
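One way to confirm that no group policy is still applying WSUS settings after removal is to force a policy refresh and re-read the registry. The script below is an added example, not code from Datto RMM or the Windows Update Toolkit component; the UDF name Custom7 and the result strings CLEAN, STILL-CONFIGURED and REAPPLIED-BY-GPO are assumptions chosen for illustration.

```powershell
# Added example: check whether WSUS policy values come back after a Group Policy refresh.
# Assumption: Custom7 is an unused UDF; change it to any free custom field (1 through 30).
$udfName  = 'Custom7'
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicyState {
    # Missing keys or values come back as $null instead of raising an error.
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseWUServer    = $au.UseWUServer
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
    }
}

# State left behind by the removal step.
$before = Get-WsusPolicyState

# Force a computer policy refresh now rather than waiting for the background refresh.
# Piping 'n' declines any restart prompt so the job cannot hang waiting for input.
'n' | gpupdate /target:computer /force | Out-Null

# State after any remaining GPO has had the chance to reapply its settings.
$after = Get-WsusPolicyState

if ($after.UseWUServer -eq 1) {
    # Present before the refresh: removal did not take effect.
    # Absent before but present now: a GPO is still setting the WSUS configuration.
    $result = if ($before.UseWUServer -eq 1) { 'STILL-CONFIGURED' } else { 'REAPPLIED-BY-GPO' }
    Write-Host "WSUS configuration present after refresh. WUServer: $($after.WUServer)"
} else {
    $result = 'CLEAN'
    Write-Host 'No WSUS configuration present after Group Policy refresh'
}

# Record the outcome in the UDF so it can be used in a device filter.
New-ItemProperty -Path 'HKLM:\Software\Centrastage' -Name $udfName -Value $result -Force | Out-Null
```

Run it only after the removal step has completed; a domain-joined device must be able to reach a domain controller for the refresh to reflect current policy.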