In this section I will look at WSUS. WSUS, or Windows Server Update Services, provides updates to computers in your organization. Think of it as your own Windows Update server. Once you start using WSUS, you will find that it can be used on small networks and is also scalable to an enterprise network.

In this video I will first look at an overview of WSUS and how you can use it in your organization. Following this I will look at the prerequisites required to install WSUS and also the hardware requirements of WSUS. Following this I will show you how to install and configure WSUS. A big part of the management of WSUS is groups. I will spend some time looking at how groups work in WSUS, then I will show how you can configure the clients in your organization to use WSUS with group policy. There is a lot to WSUS, but with careful planning you can update and audit the computers on your network.
One of the biggest advantages of WSUS is that it allows you to download updates from Microsoft and store them locally. By using WSUS to store data locally you can vastly reduce the amount of data that gets transferred over your WAN link. Imagine if one of your branches has 200 computers and each user goes to download a service pack directly from Microsoft. Each service pack could be up to 100 megabytes in size. You can imagine the load that would place on your WAN connection. When this course was created, service pack 1 for Windows 7 had not yet been released. Rumors have it that service pack 1 for Windows 7 is 1.2 gigabytes in size. Windows Vista service pack 2 is over 300 megabytes in size. Whatever mathematics you use, a network with 200 computers downloading the same service pack is a lot of data.

To make better use of your WAN connection, a WSUS server can be placed on the network. The WSUS server will download updates from Microsoft while the clients download the updates from the WSUS server. This means large downloads like service packs are only downloaded once over the WAN connection. When deploying WSUS on a large network, you should try to place your WSUS servers with reference to your network topology. If the company also had a site, say in Florida, with 50 computers connected by a high speed link, it would make sense for WSUS to get its updates from the other WSUS server in New York rather than from Microsoft. On a large network it is not uncommon for only one WSUS server to access the internet and replicate updates to the other WSUS servers at other sites.

In some cases it makes more sense for the WSUS server to access the Windows Update server directly. Consider this. The company has a large office of 100 computers in Canada. The link back to the main office is a slow WAN link; however, the office in Canada has its own high speed internet link. In this case, it makes more sense for the WSUS server at this location to get its updates directly from a local Windows Update server if one is available, rather than via the slower office WAN link. Also consider a very small office in the UK with only two computers. In this case you would want WSUS to determine which updates the computers can install, but it is simply not worth installing a WSUS server at that location or downloading the updates from head office.

This brings us to the next main reason for installing WSUS: to approve or decline updates, or in other words, to control how updates are installed in your organization. In the case of the UK office, the two computers would contact the internet directly to download Windows updates; however, they would also report back to the New York WSUS server on which updates they had installed and ask which updates they could install.
In other words, WSUS allows you to optimize the downloading of your updates and also control which updates are installed. To do this, WSUS allows you to create groups. You are free to create whatever groups you require, but often organizations will create a group for testing updates, a pilot group and a production group. Even though Microsoft goes to quite a lot of effort to test their updates, problems can occur if updates and other software on your computers have compatibility problems. Creating a pilot group lets you first test the updates on your network and hopefully stop, or at least minimize, potential problems on your network.

Currently the most recent version of WSUS is version 3 with service pack 2. In order to install WSUS, you need to be running one of the following server operating systems: Windows Server 2008 R2, or Windows Server 2008 with service pack 1. WSUS also supports Windows Small Business Server 2008 and 2003, as well as Windows Server 2003 with service pack 1. There are also a number of software prerequisites to run WSUS. First you need to have installed .NET Framework 2.0. To store the data required to run WSUS you need a database. For small installs of WSUS you can use the Windows Internal Database. If you need more of an enterprise solution you can use SQL Server 2008 or SQL Server 2005 with service pack 2. To run the administration of WSUS you require Microsoft Management Console 3.0. To generate reports WSUS requires Microsoft Report Viewer Redistributable 2008, but this is only required if you want to generate reports. WSUS will install without this component and you can install the report component at any time. Lastly, WSUS requires IIS 6.0 or greater.
When you install IIS you will need to make sure that certain components of IIS are also installed. For the IIS requirements you require the ASP.NET component. This is a web application framework created by Microsoft. Next you require Windows Authentication. This allows the client to be authenticated by WSUS when requesting updates. WSUS also requires Dynamic Content Compression. Dynamic content compression allows WSUS to reduce the size of web pages by using compression. Lastly, if you are using IIS 7 you will require IIS 6 Management Compatibility. WSUS has not yet been updated to work directly with IIS 7, so this component provides the bridge until this occurs.

Once you have met all the software requirements there are also some hardware requirements to meet. The first requirement is that the system and WSUS partitions must be formatted with NTFS. The WSUS partition must also not be a compressed drive. For the disk space requirements, you require 1 gigabyte free on the system partition. The database requires 2 gigabytes of space and lastly you need 20 gigabytes free to store updates. Microsoft does recommend 30 gigabytes of free space for updates. As you will see later on in the configuration of WSUS, how many products you decide to download and which updates you choose will determine how much disk space is required.
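The disk requirements just listed can be checked before you start the install. The script below is an added example (not from the video or from Microsoft); it assumes the system volume is C: and that update content will go on a separate D: volume, so change those two values to match your server.

```powershell
# Added example (not from the original video): pre-install check of the disk
# requirements described above, using the built-in Win32_Volume WMI class.
# Assumptions: $SystemDrive and $WsusDrive are the volumes you intend to use;
# change them to match your server.
param(
    [string]$SystemDrive = 'C:',
    [string]$WsusDrive   = 'D:'   # assumed separate data disk for update content
)

# Requirements quoted in the video: 1 GB on the system partition, 2 GB for the
# database, 20 GB minimum (30 GB recommended) for the update store.
$required = @{
    SystemFreeGB = 1
    DatabaseGB   = 2
    UpdatesMinGB = 20
    UpdatesRecGB = 30
}

function Get-VolumeInfo([string]$DriveLetter) {
    # Win32_Volume exposes FileSystem, FreeSpace and the Compressed flag.
    Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = '$DriveLetter'"
}

function Test-WsusDisk([string]$Drive, [string]$Role, [int]$MinFreeGB, [int]$RecFreeGB) {
    $vol = Get-VolumeInfo $Drive
    if (-not $vol) { Write-Warning "$Role volume $Drive not found"; return $false }
    $ok = $true
    $freeGB = [math]::Round($vol.FreeSpace / 1GB, 1)
    if ($vol.FileSystem -ne 'NTFS') {
        Write-Warning "$Role volume $Drive is $($vol.FileSystem); WSUS requires NTFS"
        $ok = $false
    }
    if ($vol.Compressed) {
        Write-Warning "$Role volume $Drive is compressed; the WSUS partition must not be"
        $ok = $false
    }
    if ($freeGB -lt $MinFreeGB) {
        Write-Warning "$Role volume $Drive has $freeGB GB free; need at least $MinFreeGB GB"
        $ok = $false
    } elseif ($freeGB -lt $RecFreeGB) {
        Write-Host "$Role volume $Drive has $freeGB GB free; $RecFreeGB GB is recommended"
    }
    if ($ok) { Write-Host "$Role volume $Drive OK ($freeGB GB free, NTFS, not compressed)" }
    return $ok
}

# System partition needs 1 GB free. The update store needs 20 GB (30 GB
# recommended); the 2 GB for the Windows Internal Database is added to the
# same volume here on the assumption that it shares the WSUS data disk.
$results = @(
    (Test-WsusDisk $SystemDrive 'System'  $required.SystemFreeGB $required.SystemFreeGB),
    (Test-WsusDisk $WsusDrive   'Updates' ($required.UpdatesMinGB + $required.DatabaseGB) `
                                          ($required.UpdatesRecGB + $required.DatabaseGB))
)
if ($results -contains $false) { Write-Warning 'WSUS disk prerequisites not met' }
else { Write-Host 'All WSUS disk prerequisites met' }
```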
To install WSUS you can download it from the Microsoft web site. Just go to www.microsoft.com/wsus for details. WSUS can also be installed from Server Manager. If you find that WSUS is not available in Server Manager you will need to update Server Manager using Windows Update. Once the necessary update has been obtained from Windows Update, WSUS 3 with service pack 2 will be available in Server Manager. Remember that even though it is available in Server Manager, once you attempt to install WSUS it will still download WSUS from the internet. If your server is not connected to the internet you will need to obtain the standalone version of WSUS and install it.

You also need to take some time to consider what types of updates you want to download. These include critical updates, definitions, drivers, feature packs, security updates, service packs, tools, update rollups and other updates. As you can see the list is quite large.
Previously with Windows Update, only a small number of updates were available. Microsoft has put a lot of work into Windows Update to provide additional features as well as more updates. At present, Windows Update provides updates for the Windows operating system and other Microsoft products. You will see in a moment that the list of Microsoft products you can get updates for is quite large. Remember though, if you are retrieving updates from another WSUS server, you can only retrieve the updates that the other WSUS server has. If the upstream server, for example, decides not to download Microsoft Office updates, you will not be able to download any Microsoft Office updates to the downstream server.

Let's have a look at how to install WSUS. In this example I will install WSUS through Server Manager, but as you will see, whether you install it through Server Manager or via the standalone install, the install is the same. First of all I will run Server Manager from the quick launch. From the roles section select the option add roles from the right hand side. Once I am past the welcome screen, select Windows Server Update Services from the component list. Once selected, Windows will prompt you for the additional IIS components that are required. This is the advantage of installing WSUS through Server Manager: the IIS components are automatically installed for you. If you are using the WSUS standalone install, you will need to make sure the IIS components for WSUS are installed before you start installing WSUS.

Once I press next I will be taken into the configuration for IIS. Once past the IIS welcome screen you can see the components of IIS that will be installed. You can see that ASP.NET has already been selected. Under security, Windows Authentication has been selected. Under performance, Dynamic Content Compression has been selected, and lastly under management tools IIS 6 Management Compatibility has been selected. You can see however that only IIS 6 Metabase Compatibility is selected out of the IIS 6 Management Compatibility components. If you plan on performing a manual install of WSUS, check your existing IIS setup, or when installing IIS make sure that these four components are installed. On the next screen you will be taken into the WSUS setup. You will see that when I press next there are no options to configure via Server Manager. Once I press install the WSUS install will start.
You will notice that under the progress bar it says downloading. In order to install WSUS via Server Manager your server must have access to the internet. Once WSUS has been downloaded from the internet, Server Manager will start installing the other components required for WSUS, in this case IIS. The install may take a few minutes. I have accelerated time to the end so we don't have to wait. You will notice that a new setup program has been launched. This setup program is the standalone setup for WSUS. The setup from here onwards is identical to the install performed by downloading and running the standalone setup from Microsoft. Once I accept the license and move on you will notice that I get a message telling me that Microsoft Report Viewer 2008 Redistributable needs to be installed before I can generate any reports. This can be installed later, so I will skip this part and move on.

On the next screen you can decide where you want to store the updates that WSUS downloads. If you deselect this option, WSUS will not store any updates locally. When an update is requested by a client, WSUS will download the update directly from Windows Update or from another WSUS server. If you only want to use WSUS to determine what updates an end user can install, you can choose not to store any updates locally. In this case, I will store the updates in the default location on the C drive, but for best performance you should consider storing the updates on a separate hard disk.

On the next screen you can determine where WSUS will install its database files. By default you can use the Windows Internal Database. In a large enterprise environment you may have a SQL server. If I had SQL Server installed on this computer this option would not be grayed out and I would be able to select a database. If your SQL database is on another server you could select the last option to connect to it. In this case I will use the Windows Internal Database and move on.

On this screen you can decide which web site you want WSUS to use. If you have no other web site on this server and are not planning on installing an additional web site in the future, you should select the first option, use existing IIS default web site. If you want to use the default web site for something else you should select the second option and WSUS will not use the default web site. In this case I am not planning on setting up additional web sites on this server so I can select the default option. Once I confirm the install options on the next screen I can move on and the install will start. The install may take 5 minutes or so to finish; I have accelerated time to the end of the install. You can see now that IIS and WSUS have been installed through Server Manager; however, WSUS is still not configured.
Once the install has completed, the WSUS configuration wizard will automatically be started. If I close the Server Manager install wizard, you will notice that in Server Manager there is a warning. This is because WSUS has not been configured yet. The WSUS configuration wizard can be run at any time and is available through the start menu. You will notice I can close Server Manager without affecting the WSUS configuration wizard.

Once I am past the WSUS welcome screen I will get the option to decide if I want to take part in the Microsoft improvement program. Taking part in the program means that Microsoft will receive statistics on your network. Since this is a test network, I don't want to give Microsoft any misleading statistics, so I will switch this option off.

On the next screen you can decide where this WSUS server will get its updates from. By default WSUS will receive its updates from the Windows Update server. If you have another WSUS server on the network, you can download updates from this server. You can choose to enable SSL if you want traffic between the two servers to be encrypted. If I choose to obtain updates from another server, I will only be able to download updates that the upstream server has already downloaded.

For example, say you had a large company and a central IT department which decided which updates would be available to the rest of the company. Once these updates are approved they could be downloaded to other servers and the local administrator could decide which updates are installed on which computer. This is a good setup when you have two different IT departments working independently from each other but which can only install approved updates. If both WSUS servers are being managed by the same IT department you may want to select the option “this is a replica of the upstream server”. You will notice that when this option is selected you can't configure any options on the server. What this means is that this server will have all the same settings as the parent server. This makes administration of multiple WSUS servers a lot easier.

Since this server is a standalone server, I will get my updates from Microsoft and move on. On this screen I can enter a proxy server if I need one to access the internet. In this case I have a direct connection so I can leave it on the default and move on.
Before you can start using WSUS you need to download a catalog of all the available updates. To do this, press the start connection button and the catalog will be downloaded. The time required for this step depends on your internet connection and can take a while. I have accelerated time to the end of the download.

Once complete I can move on to the next screen and select which languages I want to download updates for. At the top you can select to download updates for all languages. A word of caution with selecting this option: doing so will greatly increase the amount of space required on your local server for storing updates and also the amount of data traveling over your WAN link. In this case I will only download English updates. I will get a warning here reminding me that any updates that you do not download on this server will also not be available to any downstream servers that you configure later on. A downstream server is simply another WSUS server that is set to retrieve its updates from another WSUS server.

On the next screen I can decide which products I want to download updates for. There is a huge range of Microsoft products, but WSUS does not allow 3rd party products to be added. You should choose the products that you use in your organization, in this case Microsoft Office. You will need to take some time going through the list, making sure that you have selected all the products you use. You could select them all, but this of course will use more bandwidth and hard disk space. Notice the operating systems at the bottom. You should deselect the operating systems that you no longer use in your company. If you are planning on deploying new operating systems in the future, for example Windows 7, I would leave it ticked so that the updates are ready when you deploy your first computer.

On the next screen you can choose which types of updates you want to download. By default, critical updates, definitions and security updates are selected. Some companies don't like downloading new drivers, as they may cause an existing operating system to start blue screening. I like to select things like feature packs and service packs. These can be very large and in my opinion save a lot of bandwidth when you deploy them to a big group of clients. Remember however that if you download service packs, the end user may experience a long delay when logging in one morning when the service pack installs. In some companies I have seen them deselect service packs and choose to install them manually so they can better manage when they are installed. In this case I will select everything.

Once you have decided which updates you want to install you need to download them. On the next screen you can decide if you want to perform manual synchronizations or set up a schedule. In this case I will leave it on manual so I can decide when to perform the synchronization. On the next screen I can decide if I want to perform the initial synchronization now.
The first synchronization takes the longest to complete, so I leave the setting on manual and perform the synchronization later on. That's it for WSUS: the initial install of WSUS and initial configuration are completed.

Now that you have WSUS installed, you need to give some thought to how to configure it. Your network will determine how you want to deploy WSUS. Consider this network. Like most companies you have a firewall between your network and the internet. This particular company has a policy that servers that connect to the internet must be on a perimeter network, or DMZ. Since the WSUS server needs to access the internet it is placed on the perimeter network. For your clients to access a WSUS server, you need to install another WSUS server on the production network. This server is configured as a replica of the WSUS parent. Any changes to the settings on the parent WSUS server will be mirrored on the replica server. Replica WSUS servers are common in large organizations. Imagine a large network with 20 sites. If you configured all the sites as replicas of the WSUS parent, you would only need to make changes on the one WSUS server.

The next option you have for your server is autonomous. This basically means the server can download updates from the WSUS parent, but administrators on this server are free to make any changes that they wish. A time when you may use this option is when you have separate IT departments. For example, you may have a secure network that has its own administrators but they still need to get updates from your server. Using a WSUS server configured as autonomous, they can get the updates from your server but decide themselves if they want to install them and the settings they want to use for their WSUS server.

Now that you understand the way WSUS servers can be used, let's have a look at how to configure one. To configure WSUS, run the admin tool, Windows Server Update Services, from the start menu. On the start screen you can see some statistics about the WSUS server. When you start using WSUS this provides a quick rundown on your server and the status of the clients. Since this WSUS server has just been installed the statistics are all zero.

To configure your WSUS server, expand down in the admin tool until you get to options. Some of the options are already configured. These were configured by the startup configuration wizard when I first installed WSUS. The first thing you want to set up is the source where your updates will be downloaded from. In the install wizard I selected Windows Update. If I select the second option I can change it to another WSUS server. Notice also I can select the option “this server is a replica of the upstream server”. This is the same option that was available in the original WSUS wizard. Notice that when I select this option I get a message saying that all other options have been disabled. This is how you change an existing WSUS server into a replica. If I set the option back to Windows Update and select the proxy tab I can change the proxy settings used to download updates.

The next option allows you to change the products and classifications you want to download. If you wish, you can select all the products; however, this will increase the size of your downloads. If you don't have the product on your network it is a good idea to deselect it. In a moment I am going to perform the first synchronization. For this reason I will deselect all the other products. I will also go through and deselect any old operating systems not used on the network. This will help speed up the initial sync. If you are not sure if a product is being used on your network, you should select it; otherwise WSUS will not download any updates for that product.
At any time you can come in and change the options. On the classifications tab you can decide which types of updates you want to install. To speed up the initial sync I am going to select security and critical updates. The types of updates you select depend on your needs. I have seen some networks install everything other than service packs due to their size and the time it takes to install them. I am sure that none of your end users want to wait 5 to 10 minutes for the computer to start up one morning because a service pack was installed. Remember however, unless you approve the update it will not be installed. If you have plenty of hard disk space I would personally select everything and then you can choose later on which updates you want to install.

If I select the option update files and languages, I can choose how the updates will be stored on the server. “Download update files to this server only when updates are approved” means updates will not be downloaded until you approve them in the admin tool. This does save disk space as updates will not be downloaded until they are required; however, it also means that updates will not be installed until the next synchronization is performed. The option “download express installation files” makes the download files larger; however, they are more intelligent in the way they update the operating system. This means they only replace files that need to be replaced and thus tend to install faster; however, the trade off is that the files are larger.

If you select the option “do not store updates locally”, this will force the clients to download the updates from Windows Update. If you have limited hard disk space you may want to select this option, or if you have a high speed link to the internet and very few clients. Remember though, if your clients are correctly configured they won't be able to download any updates from Microsoft unless you approve them. On the language screen, you can add additional languages if you require additional languages later on. If I now select the option synchronization schedule, I can decide when WSUS will sync, by default once per day. You can set this up to 24 times a day. When configuring settings like these, keep in mind Patch Tuesday. Patch Tuesday is the second Tuesday of every month, when Microsoft releases security updates. Microsoft does release patches at other times if there is enough need, but tries to follow this schedule whenever possible.

Depending on your environment you may have a lot of time to look through the patches, or you may just decide to install any patch that Microsoft releases. If I select the option automatic approvals I can select the option “default automatic approval rule”. As you can see down the bottom of the screen, critical and security updates will be approved on all computers when they are released. Selecting this option will reduce your WSUS administration; however, it also means that untested updates will be deployed on your network.

On the advanced tab, WSUS has the ability to automatically approve updates that are for the WSUS product itself. Also notice the two options for revisions of updates. Sometimes Microsoft will release revisions for an update. When this tick box is ticked, a revision of an update will automatically be installed even though it has not been approved, as long as the original update was approved. Notice also the option “automatically decline updates when a new revision causes them to expire”. This means if a newer update is released, the old update will automatically be declined. If I exit out of here and select the option computers, I can set how computers will be assigned to groups. The default setting means you have to use the WSUS admin tool to assign computers to groups. The second option uses group policy or registry settings on the computer to determine which group the computer is a member of. On a large network this is a better way of performing administration on your network. In a moment I will create a group policy to configure my client computer, so I will leave it on the second option and press OK.
The next option is the server cleanup wizard. The server cleanup wizard lets you perform some maintenance on your server. As you can see, there are quite a lot of options that you can select in the WSUS cleanup wizard. The first option allows you to delete unused updates and update revisions that have expired or have not been approved for more than 30 days. The next option allows you to remove computers that have not contacted the server in the last 30 days. Personally I would be careful about using this option, because mobile users or users that take extended holidays may be removed from the server by mistake. 30 days may seem a long time, but when someone is on extended holidays or in an office that is isolated from the network, ticking this option may remove their computer when it is still in service. The next option removes any unneeded update files. These files are not required by the WSUS server or required by any downstream servers. You also have a tick box which will remove expired updates. These include updates that you have declined in the administrative tool or updates that Microsoft has marked as expired. The next option removes superseded updates which have not been approved but have been superseded by Microsoft. This, simply put, means there is a newer update for that update available.

Once I have decided on which maintenance options I need, when I press next WSUS will perform maintenance. How many computers are removed from and added to your network will determine how often you will want to run this maintenance tool.
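The same maintenance can be scripted, which also lets you act on the caution above: list the computers that have not reported in 30 days before deciding whether to remove them. This is an added example, not the video's or Microsoft's code; it assumes the WSUS 3.0 administration assembly (Microsoft.UpdateServices.Administration) is present on the WSUS server, that it runs as a WSUS administrator, and the $ReviewOnly and $RemoveStaleComputers switches are my own names.

```powershell
# Added example (not from the original video): run the same maintenance as the
# server cleanup wizard from PowerShell, but first list computers that have not
# reported for 30 days so they can be reviewed before anything is removed.
# Assumes the WSUS 3.0 administration assembly is present on the WSUS server
# and the script runs as a WSUS administrator; the switches are assumed names.
param(
    [int]$StaleDays = 30,          # matches the wizard's 30-day threshold
    [switch]$RemoveStaleComputers, # off by default, per the caution above
    [switch]$ReviewOnly            # list what would happen, change nothing
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Computers whose last status report is older than the threshold. Mobile users
# and staff on extended leave show up here while their computers are still in service.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = $wsus.GetComputerTargets() |
    Where-Object { $_.LastReportedStatusTime -lt $cutoff } |
    Select-Object FullDomainName, IPAddress, LastReportedStatusTime, LastSyncTime

if ($stale) {
    Write-Host "Computers with no status report in the last $StaleDays days:"
    $stale | Sort-Object LastReportedStatusTime | Format-Table -AutoSize
} else {
    Write-Host "No computers have gone $StaleDays days without reporting."
}

if ($ReviewOnly) { return }

# CleanupScope maps one to one onto the wizard's tick boxes.
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.CleanupObsoleteUpdates      = $true   # unused updates and update revisions
$scope.CleanupUnneededContentFiles = $true   # update files no longer needed
$scope.DeclineExpiredUpdates       = $true   # updates Microsoft has marked expired
$scope.DeclineSupersededUpdates    = $true   # unapproved updates that were superseded
$scope.CompressUpdates             = $true
# Only remove stale computers when explicitly asked, after reviewing the list above.
$scope.CleanupObsoleteComputers    = [bool]$RemoveStaleComputers

$result = $wsus.GetCleanupManager().PerformCleanup($scope)
$result | Format-List
```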
Given that WSUS has just been installed, there will not be any updates or computers that need to be removed. If I now exit out, the next option is reporting rollup. Reporting rollup essentially means that any downstream servers will send reporting data to this server, which will then be included in this server's reports. Since I don't have any downstream servers configured I won't worry about setting any options in here. The option e-mail notifications allows you to send an administrator e-mails when new updates are available, and you can also configure it to send status reports about the WSUS server. The option Microsoft Update improvement program simply allows you to select whether you want to participate in the program or not.
The personalization option allows you to configure how information will be displayed in WSUS. For example, you could choose to filter out data reported from your replica servers. You could also choose which "to do" alerts to generate and which ones to ignore. The last option, configuration wizard, runs the same wizard that ran when I first installed WSUS. If you canceled the wizard when you first installed WSUS, or you need to run the wizard again, you can select this option.

Now that WSUS is configured I will perform the first synchronization. If I select the option synchronizations on the left I can select the option synchronize now from the right hand side. If I select the synchronization job, you can see down the bottom of the screen how much of the process has completed. The first synchronization will take the longest, but synchronizations after this will complete a lot faster.

To better control the installation of updates on your network, WSUS allows you to create groups to make administration easier. By default WSUS contains two groups. The first group is all computers. All the computers that WSUS is providing updates for will be found in this group. The next group is unassigned computers. You can create as many groups as you want and assign computers to these groups. WSUS will then decide which updates will be deployed on a computer by the group the computer is in. Microsoft has two different ways of placing computers into groups. If you perform this process manually it is called server side targeting. This is done through the WSUS admin tool. On a large network with a lot of computers being removed and added to the network this can become a very time intensive task. To make this process easier and more automated, Microsoft offers what it calls client side targeting. When client side targeting is used the client decides which group the computer will be assigned to. Client side targeting is usually done through group policy. Using group policy you can set the group membership for computers in your domain and also newly created computers in the domain. Let's have a look at how to perform server side and client side targeting.
To perform server side targeting, first of all you need to configure your client to use your WSUS server. To do this, on my Windows 7 computer, first of all I need to go to my start menu and then run edit group policy. I will cover group policy in more detail later on when I go through client side targeting. I need to use group policy to set the WSUS server that Windows Update will use. Unfortunately you can't set this information in the control panel. Once you are in local group policy, you need to go into computer configuration, administrative templates, windows components and then Windows Update. The option I need to set is “specify intranet Microsoft update service location”. Once this is enabled I can set the location of my WSUS server. I can also set the statistics server, which in most cases will be the same as your WSUS server.

Now that I have set my WSUS server, all I need to do is close group policy and from the start menu open a command prompt. From the command prompt run gpupdate to update group policy on the local computer. Windows Update will now be changed to connect to my WSUS server. This computer will eventually register itself with the WSUS server. To speed up the process I can run the command wuauclt with the switch /detectnow. This will make Windows Update register itself with WSUS.

Now that I have configured my client, I will switch to my WSUS server. Now that I am logged into my WSUS server, if I run the admin tool and in the admin tool expand computers, you will notice under computers the group all computers. If I expand all computers you can see the group unassigned computers. These are the two default groups created by WSUS.
To create a new group, all I need to do is right-click on All Computers and select Add Computer Group. In this case I will call the group Trial Group. Computers in this group will receive updates before the rest of the computers on the network. This allows me to test the updates for problems before they are deployed to the rest of the network.

In the Unassigned Computers group there are currently no computers listed. At the top, notice zero computers of one shown. What has happened is that the client I just added is already up to date. The filter at the top by default shows only computers that have a status of failed or needed; in other words, updates have failed to install on the computer or the computer requires updates to be installed.

To fix this, all I need to do is select the drop-down box, select Any and then press the refresh button. You can see now that my computer has appeared. If I now right-click on the computer and select Change Membership, I can assign the computer to the group that I just created. You can imagine that this method, which Microsoft calls server side targeting, could become very time-consuming very quickly on large networks.
Now that I have a trial group set up, I want to create an automatic approval rule for the trial group. To do this, select Options and then select Automatic Approvals. To create a new rule, select the option New Rule. You can then specify whether you want the rule to apply to classifications and products. The last option allows you to set a deadline. A deadline allows the user to decline an update if their setup allows it; after the deadline has expired the update must be installed.

At the bottom of the screen, I can change which classifications I want updates installed for. You could, for example, only install security updates and critical updates, and set the rest of the updates so they have to be manually approved. The last option is the most important option, as it determines which computers the rule will apply to. Lastly, all I need to do is enter a name for this new automatic approval rule. Now my WSUS server is set up so that any computer in the trial group will automatically, without any administration on my part, have all updates installed on it.

As you can see, using server side targeting can become quite time-consuming. If you want to use client side targeting, what you need to do is select the option Computers. In this option I can choose to use client side targeting by selecting the option “Use Group Policy settings or registry settings on computers”. This means that group membership will be determined by a setting found on the local computer, which will be sent to the server when the client registers itself with the WSUS server.
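The same server side steps (create the trial group, add an approval rule scoped to it, switch the server to client side targeting) as a PowerShell script, added here as an example and not part of the course. It assumes it runs on the WSUS server and uses the WSUS administration .NET API; the group name, rule name and the choice of Security and Critical classifications are example values.

```powershell
# Added example (not from the course): scripts the server side steps walked through above
# with the WSUS administration .NET API. Assumed to run on the WSUS server itself; the
# group name, rule name and classification titles below are example values.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# 1. Create the trial group under All Computers (reuse it if it already exists).
$root  = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'All Computers' }
$trial = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Trial Group' }
if (-not $trial) { $trial = $wsus.CreateComputerTargetGroup('Trial Group', $root) }

# 2. Automatic approval rule limited to Security and Critical updates and to the trial
#    group only. The group scope is the important part: a rule targeting All Computers
#    would push every new update straight to production with no testing window.
$wanted  = @('Security Updates', 'Critical Updates')
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() | Where-Object { $wanted -contains $_.Title } |
    ForEach-Object { [void]$classes.Add($_) }
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($trial)

$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq 'Trial auto-approve' }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule('Trial auto-approve') }
$rule.SetUpdateClassifications($classes)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# 3. Switch from server side to client side targeting, so group membership comes from
#    the group name each client sends when it registers.
$config = $wsus.GetConfiguration()
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()

# 4. Check: list every enabled rule with the groups it targets and flag any rule that
#    auto-approves to All Computers.
foreach ($r in $wsus.GetInstallApprovalRules() | Where-Object { $_.Enabled }) {
    $names = ($r.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ', '
    $flag  = if ($names -match 'All Computers') { '  <-- approves to every computer' } else { '' }
    '{0}: {1}{2}' -f $r.Name, $names, $flag
}
```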
Now that I have switched WSUS to client side targeting, I will switch to my domain controller and set up a new group policy for my domain.

On my domain controller I go to my start menu and open Group Policy Management. In my domain I have already created an organizational unit, or OU, that contains my servers. If I right-click on this OU and select the option “Create a GPO in this domain, and Link it here”, I can create a new group policy to apply Windows updates to all my servers. I will call this new group policy “Windows update servers GPO”.

Once I have created the GPO, I can edit it and then go into Computer Configuration, Policies, Administrative Templates, Windows Components and then all the way down to the bottom to Windows Update. If I select the standard view I can see the complete group policy setting name without it being cut off. The option you need to enable for client side targeting is the one here, “Enable client-side targeting”.

Once enabled I can enter a group name, and any computers that have this group policy applied to them will automatically be placed in this group on the WSUS server. As I did before, I need to set the location of the WSUS server so the client knows where to get its updates from. These are the two main settings you need to configure so clients on your network can access Windows updates from your WSUS server and be placed into a group.

However, there are a lot of other options that you may want to consider setting. Going through the list from the top: the first option, when enabled, removes Install Updates and Shut Down from the shut down option in the start menu. In a moment you will see that you can configure Windows updates to install at scheduled times. If you are planning on doing this you may want to disable the shut down and install option.
Leaving the shut down and install option available gives the user the option to install updates when they shut down the computer. Most users don't mind doing this, as they are generally going home when they shut down their computer. The next setting determines whether Install Updates and Shut Down is the default option when the user goes to shut down their computer. Generally it is a good idea to leave the default shut down option as install updates, because then when the user shuts their computer down, updates will be installed by default.

The next option allows Windows Update to automatically wake up the system if updates are scheduled to be installed. This is an option you may want to enable on desktop systems. It allows Windows Update to wake up a computer and install updates on it. If you have computers that are rebooted and used regularly you may not need this option. It is useful when you have computers that may be off for an extended period of time and you want to ensure that updates are installed on them.

The next option, Configure Automatic Updates, is the setting that will be set on most networks. When enabled, you have a number of different ways that you can configure automatic updates.
The first option, option number 2, notifies the user when a new update is available for download and also prompts the user when the update is ready to be installed. This gives the user the maximum amount of interaction with Windows updates. Option number 3 will automatically download Windows updates and notify the user, asking them if they want to install the update. Option number 4 is the option chosen on most networks, as this will automatically download updates and then schedule the install without any user interaction. If I select option number 4, you will also notice that I can select down the bottom which days I want to run scheduled updates on. I can choose every day or a particular day. I can also set the time that the update will be installed; the default is three o'clock in the morning.

What this essentially means is that if the computer happens to be on at three o'clock in the morning, the updates will automatically be installed. If the computer is switched off at that time, then when the computer is next switched on Windows will automatically install the updates after a random delay. The reason Microsoft uses a delay is so that when the user first starts their computer it is not slowed down by trying to install updates.
Option number 5 allows the local administrators to choose their own settings. On most networks you want to select option number 4, as this provides the most automated way to install updates with the least amount of user interaction. If you have programmers or developers on your network you will probably want to select option number 5 so they can choose whether they want to install updates.

The next option I have already set; it simply specifies the WSUS server that will be used. The next option allows you to set how often Windows Update will check for updates. The default is 22 hours, but having said that, a randomized delay in the range of 0 to 20% is always added to the time. The reason Microsoft does this is that if there were no randomized delay, all the clients on your network could potentially attempt to connect to your WSUS server at once and retrieve updates. This would put a huge load on your network and your WSUS server. This value can be set all the way down to once an hour. On most networks the default value of 22 hours will work fine.

The next option allows a non-administrator, like a domain user, to receive update notifications. If you have configured Windows Update to run automatically in the background you may want to disable this setting.
The next setting determines whether the user will be prompted when features are available for the operating system. Enabling this option allows the user to decide if they want these features installed. The next setting automatically installs updates immediately if they do not require a restart. For example, if you are running Windows Defender, definition updates can be delivered through Windows Update and these updates do not require a restart. In most cases you will want to enable this option. The next setting determines whether recommended updates will be included. By default, security and critical updates are installed; if you would like to include updates that Microsoft recommends, these will also be downloaded and installed. The next setting disables automatic restarting if a user is logged in. If the computer is on the login screen and no user is logged in, Windows Update will automatically restart the computer if required.

The next option is the delay before the user is prompted to install scheduled updates after they have previously refused to. As you can see, you can set this value quite high. Moving on to the next setting: this allows you to set the delay for how long Windows will wait after scheduled updates are installed before asking the user to restart the computer. You can set this value up to 30 minutes. The next setting determines how long Windows Update will wait after the computer starts up before it will attempt to run a missed scheduled update. This value goes all the way up to 1 hour. Having this value set gives the user time to start their computer up and run some applications before Windows installs any updates. You can imagine that a user starting their computer up in the morning is not going to want the performance of their computer slowed down by Windows updates being installed. Setting this value allows the user time to start their computer up and launch some applications. The downside is that the computer will need to be on long enough for the updates to be installed.

The next setting is client side targeting, which I set previously. The last option allows you to receive signed updates from an intranet Microsoft update service location. What this essentially means is that you can receive updates that were not directly signed by Microsoft. As long as the computer trusts the publisher of the update, the update can be installed on any computer that has this group policy applied.

Now that I have configured group policy, I can close all the group policy windows and then switch back to my WSUS server to demonstrate client side targeting. On my server I now run the WSUS admin tool.
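A way to check on a client what the group policy settings walked through above actually delivered, as an added PowerShell example that is not part of the course. It reads the documented Windows Update policy registry values that these GPO settings write, so you can confirm after gpupdate that the WSUS server, the client side targeting group name and the automatic update mode arrived as intended; the warning rules at the end are my own choices, not the course's.

```powershell
# Added example (not from the course): reads back the Windows Update policy values that
# the GPO settings above write to a client's registry. Read-only; value names are the
# documented WindowsUpdate policy keys. Run on the client after gpupdate.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-Pol([string]$Path, [string]$Name) {
    # Returns $null when a policy was never applied instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-WsusClientPolicy {
    [ordered]@{
        WSUSServer         = Get-Pol $wu 'WUServer'             # Specify intranet update service location
        StatisticsServer   = Get-Pol $wu 'WUStatusServer'
        UseWSUS            = Get-Pol $au 'UseWUServer'          # 1 = use the WUServer above
        ClientTargeting    = Get-Pol $wu 'TargetGroupEnabled'   # Enable client-side targeting
        TargetGroup        = Get-Pol $wu 'TargetGroup'          # group name sent to WSUS at registration
        AUOptions          = Get-Pol $au 'AUOptions'            # 2 notify, 3 auto download, 4 scheduled, 5 admin chooses
        InstallDay         = Get-Pol $au 'ScheduledInstallDay'  # 0 = every day, 1 = Sunday ... 7 = Saturday
        InstallHour        = Get-Pol $au 'ScheduledInstallTime' # 3 = 03:00, the default
        DetectionHours     = Get-Pol $au 'DetectionFrequency'   # default 22, minimum 1
        NoRebootIfLoggedOn = Get-Pol $au 'NoAutoRebootWithLoggedOnUsers'
        AutoInstallMinor   = Get-Pol $au 'AutoInstallMinorUpdates'
        TrustedPublishers  = Get-Pol $wu 'AcceptTrustedPublisherCerts' # Allow signed updates from an intranet location
    }
}

function Get-WsusPolicyFindings($p) {
    # Flags combinations that usually mean the GPO did not land the way it was intended.
    $f = @()
    if (-not $p.WSUSServer -or $p.UseWSUS -ne 1) { $f += 'No WSUS server in effect: client will contact Microsoft directly' }
    elseif ($p.WSUSServer -notmatch '^https://') { $f += 'WSUS URL is plain HTTP; Microsoft recommends SSL between client and server' }
    if ($p.ClientTargeting -eq 1 -and -not $p.TargetGroup) { $f += 'Client-side targeting enabled but no group name set' }
    if ($p.AUOptions -eq 5) { $f += 'AUOptions 5: local administrators choose; expected only on developer machines' }
    if ($p.AUOptions -eq 4 -and $null -eq $p.InstallHour) { $f += 'Scheduled install chosen but no time set; the 03:00 default applies' }
    if ($p.TrustedPublishers -eq 1) { $f += 'Updates signed by non-Microsoft publishers are accepted; confirm this is intended' }
    $f
}

$policy = Get-WsusClientPolicy
$policy.GetEnumerator() | ForEach-Object {
    '{0,-20} {1}' -f $_.Key, $(if ($null -eq $_.Value) { '<not set>' } else { $_.Value })
}
Get-WsusPolicyFindings $policy | ForEach-Object { "WARNING: $_" }
```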
I first need to create a group to store my servers in. To do this I right-click on All Computers and select Add Computer Group. Given enough time, the clients of your WSUS server will start appearing. You may however want to speed up the process.

If I open a command prompt and run the command wuauclt with the switches /resetauthorization and /detectnow, this will force the client to update itself on the WSUS server right away. /resetauthorization resets any group membership and /detectnow forces the client to be redetected by WSUS. If I now exit the command prompt, go into the Servers group, select Any computer and press refresh, you can now see that this server, WSUS 1, has been added. In time all your servers and clients will add themselves and place themselves in groups according to your client targeting options.

If I select the root of the WSUS server, I will get a quick overview of the server. You can see that there are a number of security updates that have not been approved. If I filter on unapproved updates, I can see all the updates that are waiting to be approved. If I right-click on one I can select Approve. As you can see, I can now select which groups I want to approve the update for. WSUS is also a great reporting tool.
If I select Reports, there are a number of different reports I can generate. If I select one, I will get an error message telling me that the Report Viewer redistributable is not installed. I have already downloaded the Report Viewer redistributable and placed it on the desktop. I now close the WSUS admin tool, go to my desktop and run it. You will see that the install for the Report Viewer is very simple. I have sped up the install, but it only takes a minute or so. Once installed, I run the admin tool again, select Reports and select the report I want. All I need to do to generate the report is select the option Run Report. Using WSUS you can manage the deployment of your updates as well as perform reporting on computers in your organization.
In summary, remember that WSUS is primarily used to manage updates. It allows you to install, report and audit updates on your network. Expect Microsoft to make reference to server side targeting in the exam. This is when group membership is decided with the admin tool. Client side targeting is when the clients tell the WSUS server which group to put themselves in. Normally you will use WSUS with computers that are in your domain. If you have a computer that is not in the domain, use local group policy on that computer to set it to use your WSUS server. Set up correctly, WSUS can make managing your computers and keeping them up to date a lot easier.