Once WSUS has been installed, the organization must decide how to use WSUS to configure updates for the client servers under its control. Organizations that don’t use Active Directory or group policies will have to manually configure every client server’s settings with the location of the WSUS server. This can be done either through a local policy or manually through the Registry settings.
However, in most circumstances the organization will be using Active Directory and can configure all clients.
Configuring WSUS Clients via Group Policy
A group policy in an Active Directory environment can be used to configure the Automatic Updates client, which is included with all current versions of Windows. In Windows Server 2008 R2 the domain controllers automatically contain the correct Windows Update Group Policy extension, and a group policy can be defined by following the steps below:
- Launch Group Policy Management (available at Start > All Programs > Administrative Tools > Group Policy Management).
- Navigate to the unit in your organization which will have the group policy applied, right-click on the name of the unit, and then select Create a GPO in This Domain, and Link It Here.
- Add a name for the new GPO (there is also an option to start from the existing settings of a current GPO). Click OK.
- Right-click your new GPO and then select Edit to start the Group Policy Management Editor, and then expand it to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
- Double-click on the Configure Automatic Updates setting.
- Set the policy to Enabled, and then configure the automatic updating sequence as required. The three options (2, 3, 4) enable different degrees of client intervention. To enable client-independent installation, select option 4 (Auto-download and schedule the install).
- Next, schedule the interval at which updates will be installed and note that some updates will require a reboot.
- Select Next Setting for more configuration options.
- Click Enabled to set the location of your organization’s WSUS server – it is recommended to enter the fully qualified domain name of the server. Enter both settings (normally the same server), and then click OK to save the Group Policy settings. Then click Next Setting. (Note that organizations that elect to use a custom IIS website will have to use port 8530 for client access to WSUS, in which case enter the web location appended with the port number, for example http://defr.winserverorg.com:8530, for both settings.)
- Set the interval at which the client will check for updates, and then click Next Setting.
- Review all the remaining option settings and configure them as required. Then click OK.
- Repeat the above 12 steps for additional organizational units.
Depending on which settings are chosen through the Registry or group policy, clients which are managed by WSUS will automatically download updates throughout the day and then install the updates at a specified time. Client servers which are configured to use WSUS for updates will not be prompted to configure their Automatic Update settings, which will be grayed out to prevent changes from being made. Users without local admin access will not be able to make any changes to the installation schedule, although local admin users are able to postpone forced installs.
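A check for the result of the steps above, as an added example that is not part of the original article: the script compares the Windows Update policy values a client received (from the GPO or from manual Registry edits) against what was intended. The function names and the sample values are assumptions made for illustration; the registry value names are the standard Windows Update policy ones.

```powershell
# Added example: audit the Windows Update policy values a client received.
# The key below is the standard Windows Update policy location in the Registry.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Merge the WindowsUpdate key and its AU subkey into one hashtable.
    $policy = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $policy[$_.Name] = $_.Value }
        }
    }
    return $policy
}

function Test-WsusClientPolicy {
    # Hypothetical helper: returns one finding per deviation, nothing if clean.
    param([hashtable]$Policy, [string]$ExpectedServer)
    $findings = @()
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: client is not pointed at WSUS'
    }
    if ($Policy['WUServer'] -ne $ExpectedServer) {
        $findings += "WUServer is '$($Policy['WUServer'])', expected '$ExpectedServer'"
    }
    if ($Policy['WUStatusServer'] -ne $Policy['WUServer']) {
        $findings += 'WUStatusServer differs from WUServer'
    }
    if ($Policy['AUOptions'] -ne 4) {
        $findings += "AUOptions is '$($Policy['AUOptions'])', not 4 (auto-download and schedule the install)"
    }
    if ("$($Policy['WUServer'])" -like 'http://*') {
        $findings += 'WUServer uses plain HTTP: update metadata is not protected in transit'
    }
    return $findings
}

# Constructed sample: a client whose policy ended up with option 3 instead of 4.
$sample = @{
    UseWUServer = 1; AUOptions = 3
    WUServer = 'http://defr.winserverorg.com:8530'
    WUStatusServer = 'http://defr.winserverorg.com:8530'
}
Test-WsusClientPolicy -Policy $sample -ExpectedServer 'http://defr.winserverorg.com:8530'

# On a real client, audit the live Registry instead:
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedServer 'http://defr.winserverorg.com:8530'
```

For the constructed sample the function returns two findings: the AUOptions mismatch and the plain-HTTP server URL.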
It is normally considered best practice to allow servers to control the download and install schedule, but force all clients to do both download and installation automatically.
A major issue with security on Windows Server installations is the difficulty in keeping all servers up to date with the latest security patches and fixes. The Windows Update service, which allows for automatic download and installation of security fixes, is really only suitable for smaller enterprises; large enterprises with numerous Windows Server installations do not wish to incur the bandwidth and overhead of having each server run its own individual update. Windows Server Update Services (WSUS) is a free download from Microsoft which effectively gives enterprises their own, independent version of the Windows Update server. Clients then connect to the central intranet Windows Server Update Services (WSUS) server for all security patches and OS updates.
Windows Server Update Services (WSUS) Requirements
It is optimal to install WSUS on a dedicated server, but it can also be installed on a Windows Server 2008 R2 server that is running other tasks, provided the server is running Internet Information Services (IIS). The minimum requirements for WSUS are listed below:
- Windows Server 2003 SP1 or higher
- Background Intelligent Transfer Service (BITS)
- Internet Information Services (IIS)
- Windows Internal Database role or, alternatively, SQL Server 2005 (or higher) installed locally or on a remote server
- .NET Framework 2.0 or higher
Installing WSUS on Windows Server 2008 R2
WSUS installation is a simple process, as it is installed as a server role from Server Manager. The steps below install Windows Server Update Services plus all required components.
To complete the initial installation of WSUS, follow these steps:
- Launch the Server Manager.
- On the Roles Summary pane, select Add Roles to launch the wizard and click Next.
- Select Windows Server Update Services, and then click Next.
- Next, the Add Role Services and Features Required for Windows Server Update Services window will prompt you for additional components to be installed, if necessary. The required components are the IIS web server and management tools, the Windows Process Activation Service Process Model, and the .NET Framework. Once this is complete, click Add Required Role Services to continue and then click Next.
- Read the Introduction to Web Server (IIS) overview (if necessary) and then click Next.
- Hit Next to select the default role services to install for IIS.
- Read the Introduction to Windows Server Update Services overview (if necessary) and then click Next.
- After reading the summary of installation selections, click Install.
- The Server Manager will show “Searching for Updates” and “Downloading” while it connects to Microsoft’s server and downloads WSUS. It will also install IIS and the Windows Process Activation Service, if required.
- The Windows Server Update Services Setup Wizard will be displayed as the installation progresses. Click Next.
- Read and accept the license agreement for WSUS, and then click Next.
- If alerted that Report Viewer 2005 is not installed, just click Next to continue with the installation (note that some reports will be unavailable without Report Viewer installed).
- Select the Store Updates Locally check box, and then enter a location to store them. This location needs to be large enough to hold a large number of downloadable patches. Click Next.
- Select Install the Windows Internal Database on This Computer, or alternatively, Use an Existing Database Server on a Remote Computer if you wish to use a remote SQL Server.
- Select to Use the Existing IIS Web Site and then click Next to continue with the installation.
- Review the security settings on the Ready to Install page and then click Next.
- The installation then completes in the Server Manager and, once the Finish button is clicked, the WSUS Configuration Wizard is shown. Review the information and then click Next.
- Click Next to sign up to the Microsoft Update Improvement Program.
- Select Synchronize from Microsoft Update, and then click Next.
- If necessary, configure your proxy server settings and then click Next.
- Click on Start Connecting to save your settings and download update information. This process can take several minutes. Then click Next.
- Select the preferred update language(s), and then click Next.
- Select the products which you want to have updates for, and click Next.
- Select the classifications of the updates that you wish to download, and click Next.
- Set the schedule on which you want WSUS to automatically synchronize with the Microsoft Update servers, or alternatively select Synchronize Manually. Click Next.
- Make sure that Begin Initial Synchronization is selected, and then click Finish.
- Finally, review the installation results, click Close, and then close the Server Manager.
Windows Server Update Services is administered from the WSUS MMC, which is the main location for all the configuration settings for WSUS and is its only administrative console. The WSUS MMC is located at Administrative Tools > Microsoft Windows Server Update Services 3.0 SP1, or can be accessed directly from Server Manager.