I've read the posts at https://social.technet.microsoft.com/Forums/en-US/488ba2a8-6f23-4369-ae7c-dc0e661d5869/whats-difference-in-windows-10-products-wsus and the linked URtech article. As many commented there, this really doesn't help us know which to select. Actually, for Windows 10 in our company's case, I think we're OK. It's Windows Server 2016 that does not seem to get all needed updates properly through WSUS.
So one thing we should be able to do is make our Product and Classification selections, update all the systems on the network through WSUS (after testing and confirming all are wanted, of course), then do a test run on Windows Update to update directly from MS (instead of WSUS). This reveals any updates we missed in WSUS, at least on systems in the test, thereby letting us know what Products or Classifications (if any) we've missed that we may want to add to WSUS... except it doesn't.
I have the KB #'s from that process, but then what? I can't find any way to map updates in certain KB #'s back to know which Product or Classification I'm missing in WSUS. As far as I can tell, my Products & Classifications should cover these, but WSUS isn't showing these updates as available for approval.
Specifically, none of our Windows 2016 Servers had the updates defined by KB4091664, KB4493470, or KB4493473, updates that I believe should have been covered by the "Windows Server 2016" Product and the "Update Rollups" Classification. I also have the Critical Updates, Definition Updates, Security Updates, Service Packs, and Upgrades Classifications selected for synchronization. I manually review sync'd updates before approving and don't approve all of them, but I don't review before syncing.
Since it's not coming down with the Product "Windows Server 2016", are there other Products I need? For example, Windows 2016 Server is largely Windows 1607 (Anniversary Update), but that version of Windows is no longer included in WSUS as a Product option, except for drivers ("Windows 10 Anniversary Update and Later Servicing Drivers"). Is that what I need to select? In general, I don't want to drivers through WSUS, so I've avoided that Product, but if that's what I need to keep the Windows 2016 Servers up to date, I'll gladly add it. Or maybe I need Windows 10 LTSB to get these for Server 2016 now?How can I tell?
To ask the question at a higher level: given a KB#, there should be an easy cross reference to see how that KB would be available through WSUS. Is there? That way, even if we can't translate the obscure naming under Products and Classifications, we could still figure it out based on knowing the actual updates we need.
A search on the KB article does reveal this page, but it seems to imply that my existing Product selection of "Windows Server 2016" should have worked as of a month ago based on the release date of the update, which it still did not as of today: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4493473
I think I speak for a lot of WSUS admins in asking these questions. I have never met any WSUS admins who truly know how to select the right options. They either pick them all and accept the huge bandwidth and storage requirements (and those admins often have everything set to auto-approve also) or have only picked a few they hope are right and acknowledge they have no idea if they are keeping their systems properly up to date.
A related question, but I believe the answer is no: is there any way to only sync or auto-approve based on the country (US vs GB, where both are English) or edition of Windows 10 between Pro, Enterprise, Education, "business editions", "consumer editions", etc.?
Colin