WSUS


Uploaded by itfreetraining on 06.09.2011

Transcript:
In this section I will look at WSUS. WSUS, or Windows Server Update Services, provides updates to computers in your organization. Think of it as your own Windows Update server. Once you start using WSUS, you will find that it can be used on small networks and also scales to an enterprise network. In this video I will first look at an overview of WSUS and how you can use it in your organization. Following this I will look at the prerequisites required to install WSUS and also the hardware requirements of WSUS. Following this I will show you how to install and configure WSUS. A big part of the management of WSUS is groups. I will spend some time looking at how groups work in WSUS, then I will show how you can configure the clients in your organization to use WSUS with group policy. There is a lot to WSUS, but with careful planning you can update and audit the computers on your network.

One of the biggest advantages of WSUS is that it allows you to download updates from Microsoft and store them locally. By using WSUS to store data locally you can vastly reduce the amount of data that gets transferred over your WAN link. Imagine if one of your branches has 200 computers and each user goes to download a service pack directly from Microsoft. Each service pack could be up to 100 megabytes in size. You can imagine the load that would place on your WAN connection.

When this course was created, service pack 1 for Windows 7 had not yet been released. Rumor has it that service pack 1 for Windows 7 is 1.2 gigabytes in size. Windows Vista service pack 2 is over 300 megabytes in size. Whatever mathematics you use, a network with 200 computers downloading the same service pack is a lot of data.

To make better use of your WAN connection, a WSUS server can be placed on the network. The WSUS server will download updates from Microsoft while the clients download the updates from the WSUS server. This means large downloads like service packs are only downloaded once over the WAN connection. When deploying WSUS on a large network, you should try to place your WSUS servers with reference to your network topology.
If the company also had a site, say in Florida, with 50 computers connected by a high-speed link, it would make sense for WSUS to get its updates from the other WSUS server in New York rather than from Microsoft. On a large network it is not uncommon for only one WSUS server to access the internet and replicate updates to the other WSUS servers at other sites.

In some cases it makes more sense for the WSUS server to access the Windows Update server directly. Consider this. The company has a large office of 100 computers in Canada. The link back to the main office is a slow WAN link; however, the office in Canada has its own high-speed internet link. In this case, it makes more sense for the WSUS server at this location to get its updates directly from a local Windows Update server, if one is available, rather than via the slower office WAN link.

Also consider a very small office in the UK with only two computers. In this case you would want WSUS to determine which updates the computers can install, but it is simply not worth installing a WSUS server at that location or downloading the updates from head office. This brings us to the next main reason for installing WSUS: to approve or decline updates, or in other words, to control how updates are installed in your organization. In the case of the UK office, the 2 computers would contact the internet directly to download Windows updates; however, they would also report back to the New York WSUS server which updates they had installed and ask which updates they could install.

In other words, WSUS allows you to optimize the downloading of your updates and also control which updates are installed. To do this, WSUS allows you to create groups. You are free to create whatever groups you require, but often organizations will create a group for testing updates, a pilot group and a production group. Even though Microsoft goes to quite a lot of effort to test their updates, problems can occur if updates and other software on your computer have compatibility problems. Creating a pilot group lets you first test the updates on your network and hopefully stop, or at least minimize, potential problems on your network.
Currently the most recent version of WSUS is version 3 with service pack 2. In order to install WSUS, you need to be running one of the following server operating systems. First, Windows Server 2008 R2 or Windows Server 2008 with service pack 1. WSUS also supports Windows Small Business Server 2008 and 2003, as well as Windows Server 2003 with service pack 1. There are also a number of software prerequisites to run WSUS. First you need to have installed .NET Framework 2.0.

To store the data required to run WSUS you need a database. For small installs of WSUS you can use the Windows Internal Database. If you need more of an enterprise solution you can use SQL Server 2008 or SQL Server 2005 with service pack 2.

To run the administration of WSUS you require Microsoft Management Console 3.0. To generate reports WSUS requires Microsoft Report Viewer Redistributable 2008, but this is only required if you want to generate reports. WSUS will install without this component and you can install the report component at any time.

Lastly WSUS requires IIS 6.0 or greater. When you install IIS you will need to make sure that certain components of IIS are also installed. For the IIS requirements you require the ASP.NET component. This is a web application framework created by Microsoft. Next you require Windows Authentication. This will allow the client to be authenticated by WSUS when requesting updates. WSUS also requires Dynamic Content Compression. Dynamic Content Compression allows WSUS to reduce the size of web pages by using compression. Lastly, if you are using IIS 7 you will require IIS 6 Management Compatibility. WSUS currently works directly with IIS 6 only, so this component provides the bridge until WSUS is updated for IIS 7. Once you have met all the software requirements there are also some hardware requirements to meet.
The first requirement is that the system and WSUS partitions must be formatted with NTFS. The WSUS partition must also not be a compressed drive. For the disk space requirements, you require 1 gigabyte free on the system partition. The database requires 2 gigabytes of space and lastly you need 20 gigabytes free to store updates. Microsoft does recommend 30 gigabytes of free space for updates. As you will see later on in the configuration of WSUS, how many products you decide to download and which updates you choose will determine how much disk space is required.

To install WSUS you can download it from the Microsoft web site. Just go to www.microsoft.com/wsus for details. WSUS can also be installed from Server Manager. If you find that WSUS is not available in Server Manager you will need to update Server Manager using Windows Update.
Once the necessary update has been obtained from Windows Update, WSUS 3 with service pack 2 will be available in Server Manager. Remember that even though it is available in Server Manager, once you attempt to install WSUS it will still download WSUS from the internet. If your server is not connected to the internet you will need to obtain the standalone version of WSUS and install it.

Also, you need to take some time to consider what types of updates you want to download. These include critical, definitions, drivers, feature packs, security, service packs, tools, update rollups and other updates. As you can see the list is quite large. Previously with Windows Update, only a small number of updates were available. Microsoft has put a lot of work into Windows Update to provide additional features as well as more updates. At present, Windows Update provides updates for the Windows operating system and other Microsoft products.

You will see in a moment that the list of Microsoft products you can get updates for is quite large. Remember though, if you are retrieving updates from another WSUS server, you can only retrieve the updates that the other WSUS server has. If the upstream server, for example, decides not to download Microsoft Office updates, you will not be able to download any Microsoft Office updates to the downstream server.

Let's have a look at how to install WSUS. In this example I will install WSUS through Server Manager, but as you will see, whether you install it through Server Manager or via the standalone install, the install is the same. First of all I will run Server Manager from the quick launch.
From the roles section select the option Add Roles from the right-hand side. Once I am past the welcome screen, select Windows Server Update Services from the component list. Once selected, Windows will prompt you for the additional IIS components that are required. This is the advantage of installing WSUS through Server Manager: the IIS components are automatically installed for you. If you are using the WSUS standalone install, you will need to make sure the IIS components for WSUS are installed before you start installing WSUS.

Once I press next I will be taken into the configuration for IIS. Once past the IIS welcome screen you can see the components of IIS that will be installed. You can see that ASP.NET has already been selected. Under Security, Windows Authentication has been selected. Under Performance, Dynamic Content Compression has been selected and lastly, under Management Tools, IIS 6 Management Compatibility has been selected. You can see however that only IIS 6 Metabase Compatibility is selected out of the IIS 6 Management Compatibility components. If you plan on performing a manual install of WSUS, check your existing IIS setup, or when installing IIS make sure that these four components are installed.
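For the manual (standalone) install path, here is an added example, not code from the video or from Microsoft, that checks the IIS components named above together with the NTFS and free-space requirements from the hardware section. It assumes Windows Server 2008 R2 with the ServerManager module, the system partition on C: and the update store on D:; the feature names are the Server Manager identifiers for the four IIS components.

```powershell
# Added example (not from the original video): pre-flight check for a
# standalone WSUS 3.0 SP2 install on Windows Server 2008 R2.
# Run in an elevated PowerShell session.
Import-Module ServerManager

# The four IIS components the video lists, by Server Manager feature name.
$RequiredFeatures = @(
    'Web-Asp-Net',          # ASP.NET
    'Web-Windows-Auth',     # Windows Authentication
    'Web-Dyn-Compression',  # Dynamic Content Compression
    'Web-Metabase'          # IIS 6 Metabase Compatibility
)

function Test-WsusIisFeatures {
    # Returns the names of required IIS features that are not installed.
    $missing = @()
    foreach ($name in $RequiredFeatures) {
        $feature = Get-WindowsFeature -Name $name
        if (-not $feature.Installed) { $missing += $name }
    }
    return $missing
}

function Test-WsusVolume {
    param(
        [string]$DriveLetter,   # e.g. 'C:'
        [int]$MinFreeGB         # free space the video quotes for this role
    )
    # WSUS needs NTFS, an uncompressed volume and enough free space.
    $vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { return "$DriveLetter was not found on this server" }
    $problems = @()
    if ($vol.FileSystem -ne 'NTFS') { $problems += "$DriveLetter is $($vol.FileSystem), not NTFS" }
    if ($vol.Compressed) { $problems += "$DriveLetter is a compressed drive" }
    $freeGB = [math]::Round($vol.FreeSpace / 1GB, 1)
    if ($freeGB -lt $MinFreeGB) { $problems += "$DriveLetter has $freeGB GB free, needs $MinFreeGB GB" }
    return $problems
}

# Assumed layout: system partition on C:, update content on D:.
# The 2 GB for the database applies to whichever drive holds the database.
$report = @()
$report += Test-WsusVolume -DriveLetter 'C:' -MinFreeGB 1    # system partition
$report += Test-WsusVolume -DriveLetter 'D:' -MinFreeGB 20   # update store (30 GB recommended)
$missingFeatures = Test-WsusIisFeatures
if ($missingFeatures) {
    $report += "Missing IIS components: $($missingFeatures -join ', ')"
    # Uncomment to install them before running the WSUS standalone setup.
    # Add-WindowsFeature -Name $missingFeatures
}
if ($report) { $report | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All WSUS prerequisites checked here are met.' }
```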
On the next screen you will be taken into the WSUS setup. You will see that when I press next there are no options to configure via Server Manager. Once I press install the WSUS install will start. You will notice that under the progress bar it says downloading. In order to install WSUS via Server Manager your server must have access to the internet. Once WSUS has been downloaded from the internet, Server Manager will start installing the other components required for WSUS, in this case IIS.

The install may take a few minutes. I have accelerated time to the end so we don't have to wait. You will notice that a new setup program has been launched. This setup program is the standalone setup for WSUS. The setup from here onwards is identical to the install performed by downloading and running the standalone setup from Microsoft. Once I accept the license and move on, you will notice that I get a message telling me that Microsoft Report Viewer 2008 Redistributable needs to be installed before I can generate any reports. This can be installed later, so I will skip this part and move on.

On the next screen you can decide where you want to store the updates that WSUS downloads. If you deselect this option, WSUS will not store any updates locally. When an update is requested by a client, WSUS will download the update directly from Windows Update or from another WSUS server. If you only want to use WSUS to determine what updates an end user can install, you can choose not to store any updates locally. In this case, I will store the updates in the default location on the C drive, but for best performance you should consider storing the updates on a separate hard disk.

On the next screen you can determine where WSUS will install its database files. By default you can use the Windows Internal Database. In a large enterprise environment you may have a SQL server. If I had SQL Server installed on this computer this option would not be grayed out and I would be able to select a database. If your SQL database is on another server you could select the last option to connect to it. In this case I will use the Windows Internal Database and move on.

On this screen you can decide which web site you want WSUS to use. If you have no other web site on this server and are not planning on installing an additional web site in the future, you should select the first option, use the existing IIS default web site. If you want to use the default web site for something else you should select the second option and WSUS will not use the default web site. In this case I am not planning on setting up additional web sites on this server so I can select the default option. Once I confirm the install options on the next screen I can move on and the install will start.

The install may take 5 minutes or so to finish; I have accelerated time to the end of the install. You can see now that IIS and WSUS have been installed through Server Manager; however, WSUS is still not configured. Once the install has completed the WSUS configuration wizard will automatically be started. If I close the Server Manager install wizard, you will notice that in Server Manager there is a warning. This is because WSUS has not been configured yet.

The WSUS configuration wizard can be run at any time and is available through the start menu. You will notice I can close Server Manager without affecting the WSUS configuration wizard. Once I am past the WSUS welcome screen I will get the option to decide if I want to take part in the Microsoft improvement program. Taking part in the program means that Microsoft will receive statistics on your network. Since this is a test network, I don't want to give Microsoft any misleading statistics, so I will switch this option off.

On the next screen you can decide where this WSUS server will get its updates from. By default WSUS will receive its updates from the Windows Update server. If you have another WSUS server on the network, you can download updates from this server. You can choose to enable SSL if you want traffic between the two servers to be encrypted. If I choose to obtain updates from another server, I will only be able to download updates that the upstream server has already downloaded.

For example, just say you had a large company and a central IT department which decided which updates would be available to the rest of the company. Once these updates are approved they could be downloaded to other servers and the local administrator could decide which updates are installed on which computer.
This is a good setup when you have two different IT departments working independently from each other but that can only install approved updates. If both WSUS servers are being managed by the same IT department you may want to select the option "this is a replica of the upstream server". You will notice that when this option is selected you can't configure any options on the server. What this means is that this server will have all the same settings as the parent server. This makes administration of multiple WSUS servers a lot easier.

Since this server is a standalone server, I will get my updates from Microsoft and move on. On this screen I can enter a proxy server if I need one to access the internet. In this case I have a direct connection so I can leave it on the default and move on.

Before you can start using WSUS you need to download a catalog of all the available updates. To do this, press the start connection button and the catalog will be downloaded. The time required for this step depends on your internet connection and can take a while. I have accelerated time to the end of the download. Once complete I can move on to the next screen and select which languages I want to download updates for. At the top you can select to download updates for all languages. A word of caution with selecting this option: doing so will greatly increase the amount of space required on your local server for storing updates and also the amount of data traveling over your WAN link. In this case I will only download English updates.

I will get a warning here reminding me that any updates that you do not download on this server will also not be available to any downstream servers that you configure later on. A downstream server is simply another WSUS server that is set to retrieve its updates from another WSUS server.

On the next screen I can decide which products I want to download updates for. There is a huge range of Microsoft products, but WSUS does not allow 3rd party products to be added. You should choose the products that you use in your organization, in this case Microsoft Office. You will need to take some time going through the list making sure that you have selected all the products you use. You could select them all, but this of course will use more bandwidth and hard disk space. Notice the operating systems at the bottom. You should deselect the operating systems that you no longer use in your company. If you are planning on deploying new operating systems in the future, for example Windows 7, I would leave it ticked so that the updates are ready when you deploy your first computer.

On the next screen you can choose which types of updates you want to download. By default critical updates, definitions and security updates are selected. Some companies don't like downloading new drivers as they may cause an existing operating system to start blue screening. I like to select things like feature packs and service packs. These can be very large and in my opinion save a lot of bandwidth when you deploy them to a big group of clients. Remember however that if you download service packs, the end user may experience a long day when logging in one morning when the service pack installs. In some companies I have seen them deselect service packs and choose to install them manually so they can better manage when they are installed. In this case I will select everything. Once you have decided which updates you want to install you need to download them.

On the next screen you can decide if you want to perform manual synchronizations or set up a schedule. In this case I will leave it on manual so I can decide when to perform the synchronization. On the next screen I can decide if I want to perform the initial synchronization now. The first synchronization takes the longest to complete, so I leave the setting on manual and perform the synchronization later on. That's it for WSUS; the initial install of WSUS and initial configuration are completed.
Now that you have WSUS installed, you need to give some thought to how to configure it. Your network will determine how you want to deploy WSUS. Consider this network. Like most companies you have a firewall between your network and the internet. This particular company has a policy that servers that connect to the internet must be on a perimeter network, or DMZ. Since the WSUS server needs to access the internet it is placed on the perimeter network. For your clients to access a WSUS server, you need to install another WSUS server on the production network.

This server is configured as a replica of the WSUS parent. Any changes to the settings on the parent WSUS server will be mirrored on the replica server. Replica WSUS servers are common in large organizations. Imagine a large network with 20 sites. If you configured all the sites as replicas of the WSUS parent, you would only need to make changes on the one WSUS server.

The next option you have for your server is autonomous. This basically means the server can download updates from the WSUS parent but administrators on this server are free to make any changes that they wish. A time when you may use this option is when you have separate IT departments. For example, you may have a secure network that has its own administrators but they still need to get updates from your server. Using a WSUS server configured as autonomous they can get the updates from your server, but decide themselves if they want to install them and the settings they want to use for their WSUS server. Now that you understand the way WSUS servers can be used, let's have a look at how to configure one.

To configure WSUS, run the admin tool, Windows Server Update Services, from the start menu. On the start screen you can see some statistics about the WSUS server. When you start using WSUS this provides a quick rundown of how your server and the clients are doing. Since this WSUS server has just been installed the statistics are all zero.
To configure your WSUS server, expand down in the admin tool until you get to Options. Some of the options are already configured. These were configured by the startup configuration wizard when I first installed WSUS. The first thing you want to set up is the source where your updates will be downloaded from. In the install wizard I selected Windows Update. If I select the second option I can change it to another WSUS server. Notice also I can select the option "this server is a replica of the upstream server". This is the same option that was available in the original WSUS wizard. Notice that when I select this option I get a message saying that all other options have been disabled. This is how you change an existing WSUS server into a replica. If I set the option back to Windows Update and select the proxy tab I can change the proxy setting used to download updates.

The next option allows you to change the products and classifications you want to download. If you wish, you can select all the products; however, this will increase the size of your downloads. If you don't have the product on your network it is a good idea to deselect it. In a moment I am going to perform the first synchronization. For this reason I will deselect all the other products. I will also go through and deselect any old operating system not used on the network. This will help speed up the initial sync. If you are not sure if a product is being used on your network, you should select it; otherwise WSUS will not download any updates for that product. At any time you can come in and change the options.

On the classifications tab you can decide which types of updates you want to install. To speed up the initial sync I am going to select security and critical updates. The types of updates you select depend on your needs. I have seen some networks install everything other than service packs due to their size and the time it takes to install them. I am sure that none of your end users want to wait 5 to 10 minutes for the computer to start up one morning because a service pack was installed. Remember however, unless you approve the update it will not be installed. If you have plenty of hard disk space I would personally select everything and then you can choose later on which updates you want to install.

If I select the option Update Files and Languages, I can choose how the updates will be stored on the server. "Download update files to this server only when updates are approved" means updates will not be downloaded until you approve them in the admin tool. This does save disk space, as updates will not be downloaded until they are required; however, it also means that updates will not be installed until the next synchronization is performed. The option "download express installation files" makes the download files larger; however, they are more intelligent in the way they update the operating system. This means they only replace files that need to be replaced and thus tend to install faster, but the trade-off is that the files are larger. If you select the option "do not store updates locally", this will force the clients to download the updates from Windows Update. If you have limited hard disk space you may want to select this option, or if you have a high-speed link to the internet and very few clients. Remember though, if your clients are correctly configured they won't be able to download any updates from Microsoft unless you approve them.

On the language screen, you can add additional languages if you require them later on. If I now select the option Synchronization Schedule, you can decide when WSUS will sync, by default once per day. You can set this up to 24 times a day. When configuring settings like these, keep in mind Patch Tuesday. Patch Tuesday is the second Tuesday of every month when Microsoft releases security updates. Microsoft do release patches at other times if there is enough need, but try to follow this schedule whenever possible. Depending on your environment you may have a lot of time to look through the patches or you may just decide to install any patch that Microsoft releases.

If I select the option Automatic Approvals I can select the option "default automatic approval rule". As you can see down the bottom of the screen, critical and security updates will be approved on all computers when they are released. Selecting this option will reduce your WSUS administration; however, it also means that untested updates will be deployed on your network. On the advanced tab, WSUS has the ability to automatically approve updates that are for the WSUS product itself. Also notice the two options for revisions of updates. Sometimes Microsoft will release revisions for an update. When this tick box is ticked, a revision of an update will automatically be installed even though it has not been approved, as long as the original update was approved. Notice also the option "automatically decline updates when a new revision causes them to expire". This means if a newer update is released, the old update will automatically be declined.

If I exit out of here and select the option Computers, I can set how computers will be assigned to groups. The default setting means you have to use the WSUS admin tool to assign computers to groups. The second option uses group policy or registry settings on the computer to determine which group the computer is a member of. On a large network this is a better way of performing administration on your network. In a moment I will create a group policy to configure my client computer, so I will leave it on the second option and press OK. The next option is the Server Cleanup Wizard.
The Server Cleanup Wizard lets you perform some maintenance on your server. As you can see, there are quite a lot of options that you can select in the WSUS cleanup wizard. The first option allows you to delete unused updates and update revisions that have expired or have not been approved for more than 30 days. The next option allows you to remove computers that have not contacted the server in the last 30 days. Personally I would be careful about using this option because mobile users or users that take extended holidays may be removed from the server by mistake. 30 days may seem a long time, but when someone is on extended holidays or in an office that is isolated from the network, ticking this option may remove their computer when it is still in service.

The next option removes any unneeded update files. These files are not required by the WSUS server or required by any downstream servers. You also have a tick box which will remove expired updates. These include updates that you have declined in the administrative tool or updates that Microsoft has marked as expired. The next option removes superseded updates which have not been approved but have been superseded by Microsoft. Simply put, this means there is a newer update available for that update.

Once I have decided on which maintenance options I need, when I press next WSUS will perform the maintenance. How many computers are removed from and added to your network will determine how often you will want to run this maintenance tool. Given that WSUS has just been installed, there will not be any updates or computers that need to be removed.

If I now exit out, the next option is Reporting Rollup. Reporting rollup essentially means that any downstream servers will send reporting data to this server, which will then be included in this server's reports. Since I don't have any downstream servers configured I won't worry about setting any options in here. The option E-mail Notifications allows you to send administrators e-mails when new updates are available, and you can also configure it to send status reports about the WSUS server. The option Microsoft Update Improvement Program simply allows you to select whether you want to participate in the program or not.

The Personalization option allows you to configure how information will be displayed in WSUS. For example, you could choose to filter out data reported from your replica servers. You could also choose which "to do" alerts to generate and which ones to ignore. The last option, Configuration Wizard, runs the same wizard that ran when I first installed WSUS. If you canceled the wizard when you first installed WSUS or you need to run the wizard again you can select this option.
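The Server Cleanup Wizard options described above can also be run from the WSUS 3.0 administration API. The following is an added example, not code from the video or from Microsoft: it first lists the computers that the "not contacted in 30 days" option would remove, so that the laptops and isolated-office machines the caveat above warns about can be reviewed, and then runs the other cleanup options with computer removal left off. It assumes it runs on the WSUS server itself, where the Microsoft.UpdateServices.Administration assembly is installed.

```powershell
# Added example (not from the original video): Server Cleanup Wizard via the
# WSUS 3.0 administration API, with a stale-computer preview before anything
# is removed. Run on the WSUS server in an elevated PowerShell session.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

function Get-StaleWsusComputers {
    param([int]$Days = 30)   # same threshold the wizard's option uses
    # Lists clients that have not synced within $Days, with their groups,
    # so an administrator can spot mobile or isolated machines still in service.
    $cutoff = (Get-Date).AddDays(-$Days)
    $wsus.GetComputerTargets() |
        Where-Object { $_.LastSyncTime -lt $cutoff } |
        Select-Object FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime,
            @{ n = 'Groups'; e = { ($_.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ', ' } }
}

function Invoke-WsusMaintenance {
    param([switch]$RemoveStaleComputers)   # off by default, per the caveat in the video
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.CleanupObsoleteUpdates      = $true                        # unused updates and revisions
    $scope.CleanupObsoleteComputers    = [bool]$RemoveStaleComputers  # computers silent for 30 days
    $scope.CleanupUnneededContentFiles = $true                        # update files no server needs
    $scope.DeclineExpiredUpdates       = $true                        # expired by Microsoft or declined
    $scope.DeclineSupersededUpdates    = $true                        # unapproved updates with a newer replacement
    return $wsus.GetCleanupManager().PerformCleanup($scope)
}

# Review the stale list first; then clean up without touching computer records.
Get-StaleWsusComputers | Format-Table -AutoSize
$result = Invoke-WsusMaintenance
$result | Format-List SupersededUpdatesDeclined, ExpiredUpdatesDeclined, ObsoleteUpdatesDeleted, DiskSpaceFreed
```

Run `Invoke-WsusMaintenance -RemoveStaleComputers` only after the preview has been checked against known mobile users and isolated sites.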
Now that WSUS is configured I will perform the first synchronization. If I select the option Synchronizations on the left I can select the option Synchronize Now from the right-hand side. If I select the synchronization job, you can see down the bottom of the screen how much of the process has completed. The first synchronization will take the longest, but synchronizations after this will complete a lot faster.

To better control the installation of updates on your network, WSUS allows you to create groups to make administration easier. By default WSUS contains two groups. The first group is All Computers. All the computers that WSUS is providing updates for will be found in this group. The next group is Unassigned Computers. You can create as many groups as you want and assign computers to these groups. WSUS will then decide which updates will be deployed on a computer by the group the computer is in. Microsoft has two different ways of placing computers into groups.

If you perform this process manually it is called server-side targeting. This is done through the WSUS admin tool. On a large network with a lot of computers being removed and added to the network this can become a very time-intensive task. To make this process easier and more automated Microsoft offers what it calls client-side targeting. When client-side targeting is used the client decides which group the computer will be assigned to. Client-side targeting is usually done through group policy. Using group policy you can set the group membership for computers in your domain and also newly created computers in the domain. Let's have a look at how to perform server-side and client-side targeting.

To perform server-side targeting, first of all you need to configure your client to use your WSUS server. To do this, on my Windows 7 computer, first of all I need to go to my start menu and then run Edit Group Policy. I will cover group policy in more detail later on when I go through client-side targeting.
I need to use group policy to set the WSUS server that windows update will use. Unfortunately
you can’t set this information in the control panel. Once you are in local group policy,
you need to go into computer configuration, administrative templates, windows components
and then Windows update. The option I need to set is “specify intranet
Microsoft update service location”. Once this is enabled I can set the location for
my WSUS server. I can also set the statistics server which in most cases will be the same
as your WSUS server. Now that I have set my WSUS server all I need
to do is close group policy and from the start menu and open a command prompt. From the command
prompt run GP update to update group policy on the local computer.
Windows update will now be changed to connect to my WSUS server. This computer will eventually
register itself with the WSUS server. To speed up the process I can run the command w u a
u c l t with the switch detect now. This will make windows update register itself with wsus.
Now that I have configured my client, I will switch to my WSUS server.

Now that I am logged into my WSUS server, if I run the admin tool and expand Computers, you will notice under Computers the group All Computers. If I expand All Computers you can see the group Unassigned Computers. These are the two default groups created by WSUS. To create a new group all I need to do is right-click on All Computers and select Add Computer Group. In this case I will call the group Trial Group. Computers in this group will receive updates before the rest of the computers on the network. This allows me to test the updates for problems before they are deployed to the rest of the network.

In the Unassigned Computers group there are currently no computers listed. At the top, notice zero computers of one shown. What has happened is that the client I just added is already up to date. The filter at the top by default shows only computers that have a status of failed or needed; in other words, updates have failed to install on the computer or the computer requires updates to be installed. To fix this all I need to do is select the drop down box, select Any and then press the refresh button. You can see now that my computer has appeared. If I now right-click on the computer and select Change Membership I can assign the computer to the group that I just created. You can imagine that this method, which Microsoft calls server side targeting, could become very time consuming very quickly on large networks.

Now that I have a trial group set up, I want to create an automatic approval rule for the trial group. To do this, select Options and then select Automatic Approvals. To create a new rule, select the option New Rule. You can then specify if you want the rule to apply to classifications and products. The last option allows you to set a deadline. A deadline allows the user to decline an update if their setup allows it. After the deadline has expired the update must be installed.
At the bottom of the screen, I can change which classifications I want updates installed for. You could, for example, only install security updates and critical updates. The rest of the updates you could set so they have to be manually approved. The last option is the most important one as it determines which computers the rule will apply to. Lastly, all I need to do is enter a name for this new automatic approval rule. Now my WSUS server is set up so that any computer that is in the trial group will automatically, without any administration on my part, have all updates installed on it.
As you can see, using server side targeting can become quite time-consuming. If you want to use client side targeting, what you need to do is select the option Computers. In this option I can choose to use client side targeting by selecting the option "Use group policy or registry settings on computers". This means that group membership will be determined by a setting found on the local computer, which will be sent to the server when the client registers itself with the WSUS server.

Now that I have switched WSUS to client side targeting, I will switch to my domain controller and set up a new group policy for my domain. On my domain controller I will go to my start menu and open Group Policy Management. In my domain I have already created an organizational unit, or OU, that contains my servers. If I right-click on this OU and select the option "Create a GPO in this domain, and link it here", I can create a new group policy to apply Windows updates to all my servers. This new group policy I will call Windows Update Servers GPO.

Once I have created the GPO I can edit the GPO and then go into Computer Configuration, Policies, Administrative Templates, Windows Components and then all the way down to the bottom to Windows Update. If I select the standard view I can see the complete group policy setting without it being cut off. The option you need to enable for client side targeting is the one here, Enable client-side targeting. Once enabled I can enter a group name, and then any computers that have this group policy applied to them will automatically be placed in this group on the WSUS server. As I did before, I need to set the location of the WSUS server so the client knows where to get its updates from. These are the two main settings you need to configure so clients on your network can access Windows updates from your WSUS server and be placed into a group.
However, there are a lot of other options that you may want to consider setting. Going through the list from the top, the first option, when enabled, removes Install Updates and Shut Down from the shut down options in the start menu. In a moment you will see that you can configure Windows updates to install at scheduled times. If you are planning on doing this you may want to disable this option. Leaving the option available gives the user the choice to install updates when they shut down the computer. Most users don't mind doing this as they are generally going home when they shut down their computer.

The next setting determines whether Install Updates and Shut Down is the default option when the user goes to shut down their computer. Generally it is a good idea to leave the default as shut down and install updates, as when the user shuts their computer down, updates will be installed by default. The next option allows Windows Update to automatically wake up the system if updates are scheduled to be installed.
This option you may want to enable on desktop systems. It allows Windows Update to wake up a computer and install updates on it. If you have computers that are regularly rebooted and used regularly you may not need this option. It is useful when you have computers that may be off for an extended period of time and you want to ensure that updates are installed on them. The next option, Configure Automatic Updates, is the setting that will be set on most networks. When enabled you have a number of different ways that you can configure automatic updates.

The first option, option number two, notifies the user when a new update is available for download and also prompts the user when the update is ready to be installed. This gives the user the maximum amount of user interaction for Windows updates. Option number three will automatically download Windows updates and notify the user, asking them if they want to install the update. Option number four is the option chosen on most networks, as this will automatically download updates and then schedule the install without any user interaction. If I select option number four, you will also notice that I can select down the bottom which days I want to run scheduled updates on. I can choose every day or a particular day. I can also set the time that the update will be installed. The default is three o'clock in the morning. What this essentially means is that if the computer happens to be on at three o'clock in the morning the updates will automatically be installed. If the computer is switched off at that time, then when the computer is switched on, after a random delay, Windows will automatically install the updates. The reason Microsoft uses a delay is so that when the user first starts their computer it is not slowed down trying to install updates.

Option number five allows the local administrators to choose their own settings. On most networks you want to select option number four as this provides the most automated way to install updates with the least amount of user interaction. If you have programmers or developers on your network you will probably want to select option number five so they can choose whether they want to install updates.
The next option I have already set; it simply specifies the WSUS server that will be used. The next option allows you to set how often Windows Update will check for updates. The default is 22 hours, but having said that, the time always has a randomized delay added in the range of 0 to 20%. The reason Microsoft does this is that if there was no randomized delay, all the clients on your network could potentially attempt to connect to your WSUS server at once and retrieve updates. This would put a huge load on your network and your WSUS server. This value can be set all the way down to once an hour. On most networks the default value of 22 hours will work fine.

The next option allows a non-administrator, like a domain user, to receive update notifications. If you have configured Windows Update to run automatically in the background you may want to disable this setting. The next setting determines whether the user will be prompted when features are available for the operating system. Enabling this option allows the user to decide if they want these features installed. The next setting will immediately and automatically install updates that do not require a restart. For example, if you are running Windows Defender, definition updates can be delivered through Windows Update and these updates do not require a restart. In most cases you will want to enable this option.

The next setting determines whether recommended updates will be included. By default, security and critical updates are installed. If you would like to include updates that Microsoft recommends, these will also be downloaded and installed. The next setting disables automatic restarting if a user is logged in. If the computer is on the login screen and no user is logged in, Windows Update will automatically restart the computer if required.
The next option is the delay before the user is prompted to install scheduled updates after they have previously refused to. As you can see, you can set this value quite high. Moving on to the next setting. This setting allows you to set the delay for how long Windows will wait after scheduled updates are installed before asking the user to restart the computer. You can set this value up to 30 minutes. The next setting determines how long Windows Update will wait after the computer starts up before it will attempt to run a missed scheduled update. This value goes all the way up to 1 hour. Having this value set gives the user time to start their computer up and run some applications before Windows installs any updates. You can imagine that a user starting their computer up in the morning is not going to want the performance of their computer slowed down due to Windows updates being installed. Setting this value allows the user time to start their computer up and launch some applications. The downside is that the computer will need to be on long enough for the updates to be installed.

The next setting is client side targeting, which I set previously. The last option allows you to receive signed updates from an intranet Microsoft update service location. What this essentially means is that you can receive updates that were not directly signed by Microsoft. As long as the computer trusts the publisher of the update, the update can be installed on any computer that the group policy applies to.
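Everything set in the Windows Update section of group policy above ends up as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey, which is also where the "Specify intranet Microsoft update service location" setting from the first part of the video lands. The PowerShell script below is an added example, not code from the video or from Microsoft. It reads those values, decodes the Configure Automatic Updates choice, and flags the settings a security reviewer cares about: a WSUS location that is not HTTPS, option five (local admins can switch updates off), client-side targeting enabled with no group name, and non-Microsoft signed updates being accepted. The value names are the documented policy values; the server name wsus1.example.local and the group name Servers in the sample at the bottom are constructed.

```powershell
# Added example (not from the video): audit the Windows Update policy that
# group policy has written to a client. The GPO settings walked through in
# the video land in these two registry keys as the documented policy values.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = "$WuPolicyKey\AU"

# Meaning of the AUOptions value written by "Configure Automatic Updates".
$AuOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Read-PolicyKey {
    param([string]$Path)
    # Returns a hashtable of value-name -> data, or an empty one if the key is absent
    $result = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { $result[$p.Name] = $p.Value }
        }
    }
    return $result
}

function Get-WsusClientPolicy {
    param(
        # Hashtables can be passed in to review values exported from another machine
        [hashtable]$Wu = (Read-PolicyKey $WuPolicyKey),
        [hashtable]$Au = (Read-PolicyKey $AuPolicyKey)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # "Specify intranet Microsoft update service location"
    $server = $Wu['WUServer']
    if ($Au['UseWUServer'] -ne 1 -or -not $server) {
        $findings.Add('Client is not pointed at a WSUS server; it will use Microsoft Update directly')
    } elseif ($server -notmatch '^https://') {
        # Update metadata fetched over plain HTTP can be altered on the wire; put TLS on the WSUS site
        $findings.Add("WSUS location '$server' is not HTTPS")
    }

    # "Configure Automatic Updates"
    $auOpt = $Au['AUOptions']
    if ($Au['NoAutoUpdate'] -eq 1) {
        $findings.Add('Automatic Updates is disabled by policy')
    } elseif ($auOpt -eq 5) {
        $findings.Add('AUOptions=5: local administrators may switch updates off')
    }
    $auName = 'Not configured'
    if ($auOpt) { $auName = $AuOptionNames[[int]$auOpt] }

    # "Enable client-side targeting"
    $targetGroup = $null
    if ($Wu['TargetGroupEnabled'] -eq 1) {
        $targetGroup = $Wu['TargetGroup']
        if (-not $targetGroup) { $findings.Add('Client-side targeting is enabled but no target group name is set') }
    }

    # "Allow signed updates from an intranet Microsoft update service location"
    if ($Wu['AcceptTrustedPublisherCerts'] -eq 1) {
        $findings.Add('Non-Microsoft signed updates are accepted; control the Trusted Publishers store')
    }

    [pscustomobject]@{
        WsusServer       = $server
        StatusServer     = $Wu['WUStatusServer']
        AutomaticUpdates = $auName
        ScheduledDay     = $Au['ScheduledInstallDay']   # 0 = every day, 1 = Sunday ... 7 = Saturday
        ScheduledHour    = $Au['ScheduledInstallTime']  # 0-23, default 3
        DetectionHours   = $Au['DetectionFrequency']    # 1-22, default 22
        TargetGroup      = $targetGroup
        NoRebootWithUser = ($Au['NoAutoRebootWithLoggedOnUsers'] -eq 1)
        Findings         = $findings
    }
}

# Live run against the local machine's policy:
Get-WsusClientPolicy | Format-List

# Offline review of a constructed policy export (sample values, not from a real host):
$sampleWu = @{ WUServer = 'http://wsus1.example.local:8530'; WUStatusServer = 'http://wsus1.example.local:8530'
               TargetGroupEnabled = 1; TargetGroup = 'Servers' }
$sampleAu = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
(Get-WsusClientPolicy -Wu $sampleWu -Au $sampleAu).Findings   # reports the non-HTTPS location
```

Run it after gpupdate on a client to confirm the GPO actually reached the machine; an empty WsusServer means the policy has not applied and the client is still talking to Microsoft Update.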
Now that I have configured group policy, I can close all the group policy windows and then switch back to my WSUS server to demonstrate client side targeting.

On my server I now run the WSUS admin tool. I first need to create a group to store my servers in. To do this I will right-click on All Computers and select Add Computer Group. Given enough time, the clients of your WSUS server will start appearing. You may however want to speed up the process. If I open a command prompt and run the command wuauclt with the switches /resetauthorization and /detectnow, this will force the client to update itself on the WSUS server right away. /resetauthorization resets any group membership and /detectnow forces the client to run a detection against WSUS. If I now exit the command prompt, go into the Servers group, select Any computer and press refresh, you can see that this server, WSUS 1, has been added.
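Checking registrations and group membership from the server side can also be scripted. The PowerShell below is an added example rather than anything shown in the video. It uses the Microsoft.UpdateServices.Administration assembly that installs with the WSUS console to report the targeting mode, list the computers in each group with a stale flag for clients that have not reported recently (which is how you notice machines that never registered or dropped out of policy), count security updates still waiting for approval, switch the targeting mode, and perform the Change Membership step in script form. The computer and group names used are placeholders, and the API member names are the ones exposed by that assembly.

```powershell
# Added example (not from the video): inspect and adjust the WSUS server
# through its own administration API, installed with the WSUS console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Connect-LocalWsus {
    # Connects to the WSUS server this script is running on
    return [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
}

function Get-WsusTargetingSummary {
    param($Wsus = (Connect-LocalWsus), [int]$StaleDays = 7)
    $config = $Wsus.GetConfiguration()
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $groups = @($Wsus.GetComputerTargetGroups())

    # One row per (group, computer). All Computers contains every client, so a
    # machine appears there as well as in its assigned group.
    $rows = foreach ($group in $groups) {
        foreach ($c in $group.GetComputerTargets()) {
            [pscustomobject]@{
                Group        = $group.Name
                Computer     = $c.FullDomainName
                LastReported = $c.LastReportedStatusTime
                Stale        = ($c.LastReportedStatusTime -lt $cutoff)
            }
        }
    }

    # Security updates nobody has approved yet (GetUpdates() with no scope
    # walks the whole catalogue, so this can take a while on a large server)
    $pending = @($Wsus.GetUpdates() | Where-Object {
        -not $_.IsApproved -and $_.UpdateClassificationTitle -eq 'Security Updates' })

    [pscustomobject]@{
        TargetingMode   = $config.TargetingMode            # Server or Client
        Groups          = @($groups | ForEach-Object { $_.Name })
        Memberships     = $rows
        StaleComputers  = @($rows | Where-Object { $_.Stale })
        Unassigned      = @($rows | Where-Object { $_.Group -eq 'Unassigned Computers' })
        PendingSecurity = $pending.Count
    }
}

function Set-WsusTargetingMode {
    # Equivalent of Options > Computers in the console
    param($Wsus = (Connect-LocalWsus), [ValidateSet('Server', 'Client')][string]$Mode)
    $config = $Wsus.GetConfiguration()
    $config.TargetingMode = [Enum]::Parse([Microsoft.UpdateServices.Administration.TargetingMode], $Mode)
    $config.Save()
}

function Move-WsusComputer {
    # Server-side targeting in script form: assign one computer to a named group,
    # creating the group if it does not exist yet
    param($Wsus = (Connect-LocalWsus), [string]$ComputerFqdn, [string]$GroupName)
    $group = $Wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) { $group = $Wsus.CreateComputerTargetGroup($GroupName) }
    $computer = $Wsus.GetComputerTargetByName($ComputerFqdn)
    $group.AddComputerTarget($computer)
}

# Usage (placeholder names):
$summary = Get-WsusTargetingSummary
$summary | Select-Object TargetingMode, Groups, PendingSecurity | Format-List
$summary.StaleComputers | Format-Table Group, Computer, LastReported
Set-WsusTargetingMode -Mode 'Client'
Move-WsusComputer -ComputerFqdn 'client1.example.local' -GroupName 'Trial Group'
```

The StaleComputers list is worth reviewing on a schedule: a machine that stopped reporting is either switched off, no longer receiving the group policy, or no longer pointed at your WSUS server, and in the last two cases it is also no longer being patched by you.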
In time all your servers and clients will add themselves and place themselves in groups according to your client targeting options. If I select the root of the WSUS server, I will get a quick overview of the server. You can see that there are a number of security updates that have not been approved. If I select Approved I can see all the updates that are waiting to be approved. If I right-click on one I can select Approve. As you can see, I can now select which groups I want to approve the update for.

WSUS is also a great reporting tool. If I select Reports there are a number of different reports I can generate. If I select one I will get an error message telling me that the Report Viewer redistributable is not installed. I have already downloaded the Report Viewer redistributable and placed it on the desktop. I now close the WSUS admin tool, go to my desktop and run it. You will see the install for the Report Viewer is very simple. I have sped up the install but it only takes a minute or so. Once installed, if I run the admin tool again, select Reports and select the report I want, all I need to do to generate the report is select the option Run Report. Using WSUS you can manage the deployment of your updates as well as perform reporting on computers in your organization.

In summary, remember that WSUS is primarily used to manage updates. It allows you to install, report and audit updates on your network. Expect Microsoft to make reference to server side targeting in the exam. This is when group membership is decided with the admin tool. Client side targeting is when the clients tell the WSUS server which group to put them in. Normally you will use WSUS with computers that are in your domain. If you have a computer that is not in the domain, use local group policy on that computer to set it to use your WSUS server. Set up correctly, WSUS can make managing and keeping your computers up to date a lot easier.