UsMan's WoRkSpAce

Monday, April 23, 2007

Patch management with Windows Server Update Services (WSUS)

* Windows Server Update Services (WSUS) is an enterprise tool for managing updates for Microsoft products, including the Windows OS, SQL Server and Exchange.

* The architecture consists of a master WSUS server, called the upstream server, which connects to Microsoft Update to fetch the latest updates. Automatic Updates, available by default on all Windows machines, is the WSUS client. The administration console is used to manage the server; it can be installed on any client computer and connected to the server. Updates are downloaded to the server only after they are approved. Another option is to skip downloading updates to the server and have clients use Microsoft Update itself, at the cost of a performance hit. All network traffic is initiated from the WSUS side.

* Installation requirements include NTFS-formatted system and installation partitions, 20 GB of free space on the installation volume/partition for storing content and 2 GB for storing the Windows Internal Database. Members of the local Administrators group can install WSUS on a server. The installation wizard asks about the update source, database options (an existing database server or SQL Server 2005 Embedded Edition) and website selection (the IIS website to be used for WSUS).

* The configuration wizard is launched after the installation wizard finishes. Preparation before this task includes configuring the firewall to open ports 80 and 443 to Microsoft Update. The configuration wizard allows choosing the upstream update server, configuring a replica server, and setting a proxy server for communicating with the internet. The Options page of the administration console also brings up this wizard. Permission to use all WSUS features is restricted to the WSUS Administrators group. Configuring updates requires choosing the products to update, the classifications of updates and the synchronization schedule (manual or automatic). Synchronization with the upstream source can be initiated after the configuration wizard completes. WSUS setup configures IIS on the server to push updates to the clients that connect to it.

* Automatic Updates on the client end can be configured with a domain-based GPO or a local GPO. For a domain GPO, create a new one for the WSUS settings and link it to the domain. The WSUS administrative template file, wuau.adm, should be added to the GPO editor. The policy is set under Computer Configuration --> Administrative Templates --> Windows Components --> Windows Update --> Configure Automatic Updates. Here one can define the option for update notification and installation, or choose to leave it to the local administrator. The connection to the WSUS server is set in the GPO via Computer Configuration --> Administrative Templates --> Windows Components --> Windows Update --> Specify intranet Microsoft update service location. Clients appear in the WSUS administration console after a successful connection to the server. A domain-based GPO takes 20 minutes to refresh. Group policy can be refreshed manually with the gpupdate /force command on the client computer. Alternatively, the command wuauclt.exe /detectnow on the client computer forces it to connect to the WSUS server immediately.

* Computer groups help to target updates at specific computers. All Computers and Unassigned Computers are the two default groups. Computers can be placed in different groups manually through the administration console, or automatically through a GPO and registry keys (client-side targeting). A test group can be created with test machines in it to verify that updates work before pushing them to the production machines.
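The two bullets above describe the client side of WSUS: the GPO settings that point Automatic Updates at the intranet server, the notification/installation mode, and the registry-driven group assignment. The following PowerShell script is an added example (it is not part of the original post) that audits a client's resulting configuration from the policy registry values those GPO settings write, so an administrator can confirm a machine is talking to the expected server and will land in the intended computer group. It assumes the standard policy location under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey, the standard value names (WUServer, WUStatusServer, UseWUServer, AUOptions, NoAutoUpdate, TargetGroupEnabled, TargetGroup), and the expected server URL is a placeholder to replace.

```powershell
# Added example, not from the original post: audit a client's effective WSUS policy.
# The values read here are the ones written by the "Specify intranet Microsoft update
# service location", "Configure Automatic Updates" and "Enable client-side targeting"
# policies under Windows Update in the administrative template.

$ExpectedServer = 'https://wsus.example.local'   # placeholder, replace with your WSUS server URL

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# Meaning of the AUOptions values set by "Configure Automatic Updates"
$AuOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download, schedule install'
    5 = 'Let local administrator choose'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WsusClientConfig {
    # Collect the raw policy values in one object
    [pscustomobject]([ordered]@{
        WUServer           = Get-RegValue $PolicyKey 'WUServer'
        WUStatusServer     = Get-RegValue $PolicyKey 'WUStatusServer'
        TargetGroupEnabled = Get-RegValue $PolicyKey 'TargetGroupEnabled'
        TargetGroup        = Get-RegValue $PolicyKey 'TargetGroup'
        UseWUServer        = Get-RegValue $AuKey 'UseWUServer'
        NoAutoUpdate       = Get-RegValue $AuKey 'NoAutoUpdate'
        AUOptions          = Get-RegValue $AuKey 'AUOptions'
    })
}

function Test-WsusClientConfig {
    $c = Get-WsusClientConfig
    $findings = @()

    # Is the client pointed at the intranet server at all, and at the right one?
    if ($c.UseWUServer -ne 1 -or -not $c.WUServer) {
        $findings += 'Not pointed at an intranet WSUS server; the client will use Microsoft Update directly.'
    }
    elseif ($c.WUServer -ne $ExpectedServer) {
        $findings += "Points at '$($c.WUServer)', expected '$ExpectedServer'."
    }
    # Prefer HTTPS so the client can authenticate the server it takes approvals from
    if ($c.WUServer -and $c.WUServer -notlike 'https://*') {
        $findings += 'WSUS server URL is plain HTTP; configure the server for HTTPS.'
    }
    if ($c.NoAutoUpdate -eq 1) {
        $findings += 'Automatic Updates is disabled by policy; approved updates will not be installed.'
    }
    # Client-side targeting without a group name leaves the machine in Unassigned Computers
    if ($c.TargetGroupEnabled -eq 1 -and -not $c.TargetGroup) {
        $findings += 'Client-side targeting is enabled but no target group is set.'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Server   = $c.WUServer
        Mode     = if ($c.AUOptions) { $AuOptionNames[[int]$c.AUOptions] } else { 'not set by policy' }
        Group    = if ($c.TargetGroupEnabled -eq 1) { $c.TargetGroup } else { '(server-side targeting)' }
        Findings = $findings
    }
}

Test-WsusClientConfig | Format-List
```

Run it after a gpupdate /force on a test client: an empty Findings list means the GPO described above has applied and the machine will report to the expected server in the expected group, which is worth checking before approving anything for the production groups.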

* The administration console allows approving updates for a particular computer group. Approval options include 'Approved for install', 'Approved for removal', 'Not approved', 'Deadline', 'Same as parent' and 'Apply to children'. Reports in the console confirm which computers have installed the approved updates.