Vision Infosystems (VIS)

Chapter

15

Windows Server Update Service (WSUS)

Topics Covered
Introduction to WSUS WSUS Deployment Scenario Installation of WSUS Configuration of WSUS GPO settings for Client for WSUS

Page No. : 201

Vision Infosystems (VIS)

Windows Server Update Service (WSUS)

Windows Server Update Services (WSUS) is a tool for management and distribution of critical Windows patches, updates, etc. WSUS consists of both client-side and server-side components to provide solution for regular windows updates. At client side we require Window update service and at server side we require WSUS and IIS. WSUS must be installed on Windows 2000 server with SP4 or later or on Windows 2003 and now on Windows 2008 server.

What is WSUS ?
WSUS is software or add-on component which helps for automatic deployment of patches, updates, etc. on client computer through a centralized server called as WSUS server. With the help of WSUS server, each client machine does not have to download any update from Microsoft site. They will get the update directly form WSUS server. So if you want to install a update or patch on 1000 machines and if WSUS server is not available then each machine will have to download the updated independently and directly from Microsoft website and install it. This will create a load on network administrator and will also make heavy utilization of Internet Bandwidth. WSUS is one of the solutions to the above scenario. With WSUS, client machine does not have to download update or patches from Microsoft site. The WSUS server will do the process of downloading the update and automatically deploying when tested or approved update on client computers. So there is no waste of Internet bandwidth as the update is downloaded once on the server and there will also no overhead on network administrator as the updated are deployed automatically via GPO.

Page No. : 202

Vision Infosystems (VIS)

When WSUS is installed on a Windows 2008 server, it downloads updates and patches from Microsoft site and updates all the clients automatically via GPO at regular interval. WSUS requires IIS to be enabled on server other related components. All clients with windows updates enables download updates from WSUS servers. WSUS is free to download tool from www.microsft.com/wsus official website. The current version of WSUS is 3.0 SP1. Requirement for WSUS on Windows 2008 Server Windows 2008 Server Operating Systems ASP.NET Windows Authentication feature enable in IIS Internet Information Service (IIS) IIS 6.0 Management Compatibility IIS 6.0 Metabase Compatibility Microsoft Report Viewer (Optional)

WSUS Deployment Scenario

Single WSUS Server : with Single WSUS server, a single server performs the task of downloading the updates , patches, etc. and also the deployment for the entire network.
Page No. : 203

Vision Infosystems (VIS)

Multiple Independent WSUS Server : This scenario is good for organization with multiple location. A single WSUS server can create a lot of load if you have multiple locations.

Multiple Sever with Child/Parent : In this scenario, one server is designated as Upstream or Parent Server which receives update from Microsoft Update Server or Website and the remaining server called as downstream or child WSUS server synchronize themselves from the upstream server.

Page No. : 204

Vision Infosystems (VIS)

Installation of WSUS Server.

1. Before installation WSUS, we have to install the require component given above using Server Manager console. 2. Next, download the WSUS software from Microsoft Website and start the installation of WSUS server. 3. The first screen for setup prompt you to install full WSUS server or just the administration console of WSUS server and click on Next button to continue.

Page No. : 205

Vision Inf fosystems (V VIS)

Next he g n 4. N accept th license agreement, and click on Next button to continue.

Page No. : 206

Vision Inf fosystems (V VIS)

Next, it will check the r require com mponent and will promp you to in pt nstall the mi issing 5. N co omponent.

6. N it will prompt you t specify th location o where the updates wil be stored w Next p the he of e ll when download fro Microsoft update se om erver. Note : It is reco e ommended to have a N NTFS partition and a separate dr river or hard disk for up d pdates.

Page No. : 207

Vision Inf fosystems (V VIS)

Next, you hav to specify the location of Window Internal W ve y n ws WSUS datab base. 7. N

8. Since WSUS requires IIS it creates a website in IIS for WSU managem and upd S, US ment dates. At A this screen WSUS wil prompt yo to create a new websi or use the existing de n ll ou ite e efault website for cl w lient access.

Page No. : 208

Vision Inf fosystems (V VIS)

Now,setup sta installing WSUS on y art g your Windows 2008 ser rver. 9. N

10. A After comple etion of setu of WSUS server, it will prompt for initial configuratio of up S t on WUS Server. You can ca W . ancel the ini itial configur ration and co ontinue it la or begin with ater n th initial con he nfiguration.

Page No. : 209

Vision Inf fosystems (V VIS)

Initial configu uration of WSU Serve US er

After the installation of WSUS server, we w now being with the process of configuratio of e n will e f on WSUS se erver on Win ndows 2008 Server. 1. A the start of configu At uration of W WSUS, it w prompt to join M will t Microsoft Up pdate im mprovement program, se t elect yes or n as per you requireme no ur ent.

2. N Next select th server fro which yo want to r he om ou receive the u updates. IF y have a s you single WSUS server select the o W r option to directly update itself from Microsoft u e update server But r. if you have p f parent or ups stream WSU server, the select the option Syn From an US en e nc. nother WSUS server W r.

Page No. : 210

Vision Inf fosystems (V VIS)

Next e i n 3. N specify the proxy server details if your environment is using proxy server to connect to internet. o

Page No. : 211

Vision Inf fosystems (V VIS)

Next select the Start c t connecting button to c connect to Microsoft U Update serv to ver 4. N download the update info e ormation like type of upd e date, product details, lan t nguage, etc.

5. N select th language for updates y want to download. Next he you

Page No. : 212

Vision Inf fosystems (V VIS)

Next he or u wnload the u update 6. N select th product fo which you want to dow

7. N Next, select the type of update yo want to download li f ou ike, critical update, drivers, i definition, ser rvice pack, e etc.
Page No. : 213

Vision Inf fosystems (V VIS)

Next he thod i.e. man or sched nual dule. 8. N select th sync. Met

9. N Next, the init process o WSUS co tial of onfiguration is completed and you can go and launch a th WSUS co he onsole.

Page No. : 214

Vision Inf fosystems (V VIS)

WSUS Conso S ole

Below is the WSU interface which sho US e ows the va arious details like Upd dated which are h download comput to whom updates are assigned, re ded, ter eports and other sync. se ettings.

Page No. : 215

Vision Inf fosystems (V VIS)

Using Group Policy to ap g p y pply approve u updates on cli ient computers

After con nfiguration of WSUS se o erver and download of u updates from Microsoft website, the next m e step is to apply the u o updates on client computers. To a apply the updates on client compute we er have to use Group Policy (i.e GPMC T e. Tool). With the help o GPMC w configure the of we e paramete and setti on clien computers to downlo and app the upda ers ing nt s oad ply ates from W WSUS server. re to g Below ar the steps t configure setting using GPMC 1) L Launch the GPMC Tool a open the default dom Policy or other pol to which you G and e main licy h want w to apply the updates In our case we will use the default domain pol y s. e e t licy. 2) U Under the default dom main policy go to C y Computer C Configuration Policies n Administrativ Templates Window Update. A ve ws 3) U Under the W Windows upd dates you wi see a lot of setting a ill available. W will conf We figure on the required setting f the client to use WSU nly for US. 4) A After configu uration of the setting close GPMC to and resta all client computer to take e ool art o th policy in t effect. he to Now that we have co t onfigure Gro policy fo WSUS let us see the v oup or t various settin we have to do ng in Group Policy for W p WSUS
Page No. : 216

Vision Inf fosystems (V VIS)

Enable Client Side Ta E argeting : T This feature allow you to configu a client side e u ure ta argeting for WSUS W Specify Intra anet Microsoft update service loc e cation : Thi specify th path of W is he WSUS se erver. Eg htt tp://192.10.0 . 0.1 Configure A C Automatic u updates : T This setting allows to e enable autom matic update on es cl lient machin and who the update are downl nes o es loaded and i installed on client comp puter. There are 3 setting ava T ailable for u updates dow wnload. The recommend setting is auto d download and schedule th installatio d he on. No N auto-rest tart for log gged on use for sched er dule autom matic update : This se es etting sp pecifies that not to auto t o-restart a m machine if a user is logg in. The a ged automatic up pdate will w wait unti a user resta his/her c il arts computer. Th setting is good if a us is doing some his s ser cu urial work. But the prob B blem is that i a user nev logs off t if ver then window will not re ws estart an the updat will not t nd tes take in to eff fect. Re-prompt f restart for schedu installat R for ule tion : This setting is sp pecifies the time windows will prompt for restart to us after an u w l ser update is install. Eg : 20 min. After e every 20 min windo will pro ows ompt the user to restart th machine. This setting is good if a user r he g does not logs off. Delay restar for sched D rt dule installa ation : This setting spec cifies the am mount of tim for me au utomatic upd to wait before proce date eeding with the restart sc chedule. Reschedule a R automatic u update schedule installation : This setting spec s cifies the am mount of time to wait after sy w ystem startup before pr p, roceeding th next or m he missing sche edule up pdate.

Page No. : 217