Windows Server Update Services 3.0 Operations Guide
Prepared by Microsoft
Version 1.0.0.0 Baseline
First published 16 January 2008

Copyright
This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content. Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme.
All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
© Microsoft Corporation and Crown Copyright 2008

Disclaimer
At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.
The example companies, organisations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.
TABLE OF CONTENTS
1 Executive Summary .... 1
2 Introduction .... 2
2.1 Value Proposition .... 2
2.2 Knowledge Prerequisites .... 2
2.2.1 Skills and Knowledge .... 2
2.2.2 Training and Assessment .... 2
2.3 Infrastructure Prerequisites .... 3
2.4 Audience .... 3
2.5 Assumptions .... 3
3 Using This Document .... 4
3.1 Document Structure .... 4
4 Deploy .... 6
4.1 Configuring the WSUS 3.0 Server .... 6
4.1.1 Accessing the WSUS 3.0 Console .... 7
4.1.2 Configuring Synchronisation Options .... 8
4.1.3 Configuring Computer Groups .... 18
4.1.4 Enabling Reporting Rollup .... 20
4.1.5 Configuring E-mail Notification .... 21
4.2 Securing the WSUS 3.0 Deployment .... 23
4.2.1 Hardening Windows Server 2003 .... 23
4.2.2 Adding Authentication for Linked WSUS 3.0 Servers .... 23
4.2.3 Securing WSUS 3.0 with SSL .... 25
4.3 Configuring the WSUS 3.0 Client .... 28
4.3.1 Configuring WSUS 3.0 Clients in an Active Directory Environment .... 28
4.3.2 Configuring WSUS 3.0 Clients in a Non-Active Directory Environment .... 31
4.3.3 Configuring Background Intelligent Transfer Service .... 34
4.3.4 Roaming Clients .... 39
5 Operate .... 40
5.1 Managing WSUS 3.0 .... 40
5.1.1 Managing Computers and Computer Groups .... 40
5.1.2 Managing Updates .... 44
5.1.3 Managing Databases .... 55
5.1.4 Backup and Restore .... 57
5.1.5 Personalising the WSUS 3.0 Console .... 60
5.2 WSUS 3.0 Reporting .... 62
5.2.1 Using Reporting .... 63
5.3 Troubleshooting WSUS 3.0 .... 66
5.3.1 Troubleshooting WSUS 3.0 Server Issues .... 66
5.3.2 Troubleshooting WSUS 3.0 Client Issues .... 67
5.4 Update Management with WSUS 3.0 .... 67
5.4.1 Getting Started with Software Update Management .... 67
5.4.2 The Software Update Management Process .... 69
5.4.3 Dealing with Emergency Update Releases .... 69
APPENDIX A Skills and Training Resources .... 72
PART I WSUS 3.0 .... 72
APPENDIX B Document Information .... 73
PART I Terms and Abbreviations .... 73
PART II References .... 74
1 EXECUTIVE SUMMARY
In April 2007, Microsoft publicly released WSUS 3.0 which provides a number of new features, making WSUS easier to use, deploy, and support. Specifically, WSUS 3.0 provides improvements in the following areas:
• Ease of use
• Improved deployment options
• Better support for complex server hierarchies
• Better performance and bandwidth optimisation
The scope of this document is to provide updated guidance on the configuration, operation and management of WSUS 3.0 within a healthcare organisation. This document should be used together with its companion document, the Windows Server Update Services 3.0 Design Guide1, which provides guidance on the design and deployment of WSUS 3.0.
The aim of this document is to assist healthcare IT professionals with the configuration of a WSUS 3.0 solution. It also covers the tasks required to ensure the continued successful operation of a WSUS 3.0 solution.
1 Windows Server Update Services 3.0 Design Guide {R1}: http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx
2 INTRODUCTION
The purpose of this document is to provide guidance around the implementation of WSUS 3.0 for software update management on desktop computers. This document provides the information and procedures necessary to successfully configure, manage and operate WSUS 3.0 servers and clients. The content of this document provides guidance on the initial configuration of WSUS 3.0 servers and clients, and also provides guidance around the ongoing management and operation procedures that are necessary to maintain a functional WSUS 3.0 solution.
The companion document to this guide, the Windows Server Update Services 3.0 Design Guide {R1}, provides the information and procedures necessary to design and implement a WSUS 3.0 server hierarchy and install the WSUS 3.0 servers and clients.
2.1 Value Proposition
This guide will take the healthcare IT professional through the necessary steps to successfully configure, operate and manage a WSUS 3.0 solution within the healthcare organisation’s network environment. This guidance is designed to help:
• Identify potential deployment risks
• Provide rapid knowledge transfer to reduce the learning curve of configuring, operating and managing a WSUS 3.0 software update management solution
• Provide a consolidation of relevant WSUS 3.0 common best-practice guidance
2.2 Knowledge Prerequisites
To implement the recommendations made throughout this document effectively, a number of knowledge-based and environmental infrastructure prerequisites should be in place. This section outlines the knowledge and skills required to use the Windows Server Update Services 3.0 Operations Guide guidance, while section 2.3 details the necessary infrastructure prerequisites.
Section 2.2.1 details the prerequisite skills and knowledge, and section 2.2.2 details the information and suggested training resources or skill assessment.
2.2.1 Skills and Knowledge
The technical knowledge and minimum skills required to use this guidance are:
• Windows Server® 2003 administration
• Windows® 2000 Professional, Windows® XP Professional or Windows Vista® administration
• Creation and administration of Organisational Units (OU) and Group Policy Objects (GPO) when using Microsoft® Active Directory® to configure WSUS client settings
• Modification of the Windows registry when using registry keys to configure WSUS client settings
• Microsoft® SQL Server® 2005 administration when using this product for the WSUS 3.0 server database
2.2.2 Training and Assessment
Guidelines on the basic skill sets that are required in order to make best use of this guidance are detailed in APPENDIX A. These represent the training courses and other resources available. However, all courses mentioned are optional and can be provided by a variety of certified training partners.
2.3 Infrastructure Prerequisites
The following are prerequisites for implementing WSUS 3.0 in a healthcare organisation:
• Windows Server 2003 Service Pack (SP) 1 or later, to host the WSUS 3.0 server
• Windows 2000 Professional SP4, Windows XP SP2, or Windows Vista clients
• Windows XP SP2, Windows Vista or Windows Server 2003 SP1 or later, to host a remote WSUS 3.0 console
• A sufficient number of clients that need to be managed (ideally 2 or more examples of each desktop computer configuration deployed in the live environment)
• An Internet connection allowing access to Microsoft Update for server synchronisation and with sufficient bandwidth for the download of software updates
• Adequate bandwidth between the WSUS 3.0 server and clients for the download of software updates
Recommendation
Microsoft recommends that the latest service pack be applied to all deployed products.
2.4 Audience
The guidance contained in this document is targeted at a variety of roles within the healthcare IT organisation. Table 1 provides a reading guide for this document, illustrating the roles and the sections of the document that are likely to be of most interest. The structure of the sections referred to is described in section 3.1.
Role | Document Usage
IT Manager | Review of the entire document to understand the justification and drivers, and to develop an understanding of the implementation requirements
IT Architect | Review the relevant areas within the document against local architecture strategy and implementation plans
IT Professional/Administrator | Detailed review and implementation of the guidance to meet local requirements
Table 1: Document Audience
2.5 Assumptions
The guidance provided in this document assumes that healthcare organisations that want to share services and resources between sites already have suitable Internet Protocol (IP) Addressing schemes in place. This is to enable successful site-to-site communication, that is, unique IP Addressing schemes assigned to each participating healthcare organisation with no overlap. Active Directory and the underlying Domain Name System (DNS) require the use of unique IP Addressing schemes at adjoining sites in order for cross-site communication to function successfully. The use of Network Address Translation (NAT) within an Active Directory environment is neither recommended nor supported by Microsoft.
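The non-overlap requirement stated in the assumptions above is worth verifying before any site-to-site WSUS deployment, because an overlap between two organisations' address ranges only shows up later as failed replication, name resolution or client check-ins. The following is an added example, not code from the Operations Guide or from Microsoft; the site names and CIDR ranges in SITE_RANGES are constructed for illustration, and the checker assumes each site's scheme is supplied as one or more IPv4 CIDR blocks.

```python
"""Check that the IP addressing schemes of participating sites do not overlap.

Added example for the assumption in section 2.5 of the guide; this is not
code from the guide itself. Site names and address ranges are constructed.
"""
from ipaddress import ip_network, IPv4Network
from itertools import combinations

# Constructed sample input: one or more address ranges per participating site.
SITE_RANGES = {
    "Trust-A": ["10.10.0.0/16"],
    "Trust-B": ["10.20.0.0/16", "192.168.50.0/24"],
    "Trust-C": ["10.20.128.0/17"],   # falls inside Trust-B's 10.20.0.0/16
    "Trust-D": ["192.168.50.0/25"],  # falls inside Trust-B's 192.168.50.0/24
}


def parse_ranges(site_ranges):
    """Parse each site's CIDR strings into IPv4Network objects.

    strict=True rejects a block whose host bits are set (e.g. 10.0.0.1/24),
    which is almost always a transcription error in an addressing plan.
    """
    parsed = {}
    for site, ranges in site_ranges.items():
        nets = []
        for cidr in ranges:
            net = ip_network(cidr, strict=True)  # ValueError on host bits set
            if not isinstance(net, IPv4Network):
                raise ValueError(f"{site}: only IPv4 ranges are handled here: {cidr}")
            nets.append(net)
        parsed[site] = nets
    return parsed


def find_overlaps(site_ranges):
    """Return a sorted list of (site1, net1, site2, net2) tuples for every
    pair of ranges at *different* sites that share address space.

    Ranges belonging to the same site are not compared with each other; the
    assumption in the guide is about uniqueness between sites.
    """
    parsed = parse_ranges(site_ranges)
    conflicts = []
    for (site_a, nets_a), (site_b, nets_b) in combinations(sorted(parsed.items()), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                if net_a.overlaps(net_b):
                    conflicts.append((site_a, str(net_a), site_b, str(net_b)))
    return sorted(conflicts)


def schemes_are_unique(site_ranges):
    """True when no two sites share any address space."""
    return not find_overlaps(site_ranges)


if __name__ == "__main__":
    for site_a, net_a, site_b, net_b in find_overlaps(SITE_RANGES):
        print(f"OVERLAP: {site_a} {net_a} <-> {site_b} {net_b}")
    print("addressing schemes unique:", schemes_are_unique(SITE_RANGES))
```

Run against the constructed sample it reports two conflicts (Trust-C inside Trust-B's 10.20.0.0/16, Trust-D inside Trust-B's 192.168.50.0/24). Feeding it the real addressing plan for every organisation that will share a WSUS hierarchy gives a quick pass/fail on the assumption before Active Directory and DNS are joined across sites.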
3 USING THIS DOCUMENT
This document is intended for use by healthcare organisations and IT administrators who wish to use WSUS 3.0 to manage software updates on desktop computers. The document should be used as a reference guide for the most common tasks involved with the use of WSUS 3.0. Its companion guide, the Windows Server Update Services 3.0 Design Guide {R1}, should be used to assist with the planning and implementation of WSUS 3.0.
3.1 Document Structure
As illustrated in Figure 1, this document contains two sections that deal with the project lifecycle:
• Deploy
• Operate
The Microsoft Solutions Framework (MSF) Process Model typically contains four extra stages, ‘Envision’, ‘Plan’, ‘Develop’ and ‘Stabilise’, which come before the Deploy stage. These stages, however, are not relevant to this document and therefore have not been included.
Each section is based on the Microsoft IT Project Lifecycle as defined in the MSF Process Model, and the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more detail in the MSF Process Model White Paper2 and the MOF Executive Overview3. The MSF Process Model and MOF describe a high-level sequence of activities for building, deploying and managing IT solutions. Rather than prescribing a specific series of procedures, they are flexible enough to accommodate a broad range of IT projects.
The key public documentation resources for developing a Windows Server Update Services solution are:
• Deploying Microsoft Windows Server Update Services 3.04
• Microsoft Windows Server Update Services 3.0 Operations Guide5
Where appropriate, throughout this document, specific chapters or sections from these documents have been referenced along with relevant public white papers or other documents. All documents, sections and white papers will be referenced using footnotes or references.
2 MSF Process Model White Paper {R2}: http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en
3 MOF Executive Overview {R3}: http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx
4 Deploying Microsoft Windows Server Update Services 3.0 {R4}: http://go.microsoft.com/fwlink/?LinkId=86416
5 Microsoft Windows Server Update Services 3.0 Operations Guide {R5}: http://go.microsoft.com/fwlink/?LinkId=86697
Figure 1: MSF Process Model Phases and Document Structure
Windows Server Update Services 3.0Version 1.0.0.0
4 DEPLOY
During the Deploy phase, the core solution components are deployed for more widespread application and use, and the deployment is stabilised through ongoing monitoring. The solution is then transitioned to operations and support.
Figure 2 acts as a high-level checklist, illustrating the critical components which an IT Professional responsible for deploying WSUS 3.0 needs to determine.
Figure 2: Sequence for Deploying WSUS 3.0
4.1 Configuring the WSUS 3.0 Server
Once WSUS 3.0 has been installed following the guidance in the Windows Server Update Services 3.0 Design Guide {R1}, there are a number of configuration tasks that need to be performed. These options can be configured using either the Server Configuration Wizard or the WSUS 3.0 console. This section provides information on the various configuration options and shows, step-by-step, how to configure these options via the WSUS 3.0 console. The configuration options in this section should be defined following the installation of the WSUS 3.0 server. The majority of these settings should not require any further reconfiguration after they have been set. For more information about configuring WSUS 3.0 with the Server Configuration Wizard, see the Windows Server Update Services 3.0 Design Guide {R1}.
4.1.1 Accessing the WSUS 3.0 Console
Most WSUS 3.0 configuration is performed through the WSUS 3.0 console. This is a Microsoft Management Console (MMC) that can be accessed on a WSUS 3.0 server by performing the following:
• Click Start > All Programs > Administrative Tools > Microsoft Windows Server Update Services
The WSUS 3.0 console can also be installed on any computer on the network, providing it resides in a domain that has a trust relationship with the domain of the WSUS 3.0 server. For more information about installing the WSUS 3.0 console, including the supported operating systems and software prerequisites, see the Windows Server Update Services 3.0 Design Guide {R1}.
Figure 3 shows the WSUS 3.0 console when it is first accessed.
Figure 3: The WSUS 3.0 Console
Click to expand the <servername> node to navigate through the various configuration pages. Figure 4 shows the expanded tree structure as it would appear in the left pane of the WSUS 3.0 console.
Figure 4: Expanded Tree Structure of the WSUS 3.0 Console
From each node in the expanded tree structure, further nodes and/or configuration options become available. The basic configuration options available in each node in the WSUS 3.0 console are summarised in Table 2, along with references to the sections in which they are covered in more detail.
Nodes | Available Options | Further Information
<servername> | Shows the status of the server including update, computer and synchronisation statistics. A ‘To Do List’ shows any outstanding tasks that need to be performed | This page displays status information for the server and a ‘To Do List’ which provides the administrator with a list of outstanding tasks
Updates | View and approve updates | The configuration options on this page are covered in more detail in section 5.1.2
Computers | View, modify and delete computers and computer groups | The configuration options on this page are covered in more detail in section 5.1.1
Downstream Servers | View downstream servers that are managed by the upstream server | The view displays all downstream servers, their mode (replica/autonomous) and when they last synchronised
Synchronizations | View the synchronisations this server has attempted with an upstream WSUS 3.0 server or with Microsoft Update | The view displays when the last synchronisation took place and whether or not it was successful
Reports | Generate reports based on the status of the updates, computers, synchronisation results and a summary of the server settings | The configuration options on this page are covered in more detail in section 5.2
Options | Configure server settings including synchronisation options, computer group assignment options and automatic approval options | The configuration options on this page are covered in more detail in sections 4.1.2, 5.1.1 and 5.1.2.6
Table 2: WSUS 3.0 Console Nodes
4.1.2 Configuring Synchronisation Options
Synchronisation is the process of downloading updates from a content source. A content source can either be an upstream WSUS 3.0 server or Microsoft Update. When a WSUS 3.0 server synchronises for the first time, it connects to an update source and downloads update metadata. This will be the metadata for all of the update products, classifications and languages that have been specified for download, when the synchronisation options were configured. During subsequent synchronisations, WSUS 3.0 will determine if any new update metadata has been made available since the last synchronisation.
4.1.2.1 Configuring a Storage Location for Updates
The storage options define where downloads are stored. This can either be locally on the WSUS 3.0 server, or remotely on Microsoft Update. If updates are stored locally on the WSUS 3.0 server, two additional options become available:
• Download update files to this server only when updates are approved
• Download express installation files
The option Download update files to this server only when updates are approved configures the server to only download updates once they have been approved in the WSUS 3.0 console. This is known as ‘deferred updates’. Deferred updates save on both bandwidth and disk storage space on the WSUS 3.0 server.
Recommendation
‘Deferred updates’ is not the recommended option when employing a hierarchy of WSUS 3.0 servers. This is because there may be a delay in distributing updates to downstream clients. This is especially true when a server is situated more than one level deep in a hierarchy of WSUS 3.0 servers.
The option Download express installation files increases the bandwidth requirements on the Internet link, whilst decreasing the bandwidth requirements internally between WSUS 3.0 servers and WSUS 3.0 clients. It does this by distributing only the binary differences between updates. The increased Internet bandwidth is due to the fact that express installation files must contain all of the possible variations of each file it needs to update.
Recommendation
It is recommended that this option be enabled for sites with good link speeds to the Internet and plenty of storage space for the (larger) updates.
Though the difference in size between express installation files varies, the files downloaded to the WSUS 3.0 server are always larger than they would be normally and the updates distributed to WSUS 3.0 clients are always smaller than they would be normally. Disk storage space will be approximately three to four times the amount normally used.
Note
If this option is enabled and then disabled at a later date, express installation files that have already been downloaded will remain on the server. Updates that are downloaded following subsequent synchronisations however, will not be downloaded in this format.
If the server being configured is a downstream WSUS 3.0 server, a third option becomes available:
• Download files from Microsoft Update; do not download from upstream server
The option Download files from Microsoft Update; do not download from upstream server can be used to reduce the impact on bandwidth between sites.
Recommendation
Downstream WSUS 3.0 servers in a healthcare organisation’s network environment, which connect to an upstream WSUS 3.0 server over a slow or congested inter-site network link, but which have a fast direct connection to the Internet, should be configured to use this option. Enabling this option will reduce the bandwidth usage on the upstream WSUS 3.0 server’s site link.
To configure storage options:
1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Update Files and Languages.
3. In the Update Files and Languages dialog box, click the Update Files tab.
4. Depending on the design decisions made previously, select either the Store update files locally on this server, or the Do not store update files locally; computers install from Microsoft Update option.
• If the Store update files locally on this server option is selected, and deferred downloads are required, select the Download update files to this server only when updates are approved check box
• If express installation files are required, select the Download express installation files check box
5. Click OK.
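The following Windows PowerShell script is an added example; it is not part of the original guide or of the WSUS 3.0 product documentation. It reads back the three storage options described in section 4.1.2.1 through the WSUS administration API and reports where the live configuration departs from the recommendations above (deferred updates in a hierarchy, express installation files without a good Internet link, a downstream server still pulling content across the site link). It assumes that it runs on the WSUS 3.0 server under an administrative account with Windows PowerShell 2.0, that the Microsoft.UpdateServices.Administration assembly installed by WSUS 3.0 is available, and that the configuration property names match the public WSUS administration API; whether the server is part of a hierarchy and whether the site has a fast Internet link are facts about the site that the script cannot determine, so they are passed in as parameters.

```powershell
# Added example: audit WSUS 3.0 storage options against the section 4.1.2.1 recommendations.
# Assumes local administrative rights on the WSUS 3.0 server and Windows PowerShell 2.0.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-WsusStorageReport {
    param(
        [bool]$PartOfHierarchy,     # site fact: this server has upstream or downstream WSUS 3.0 servers
        [bool]$FastInternetLink     # site fact: the site has a good direct link to the Internet
    )
    $wsus     = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config   = $wsus.GetConfiguration()
    $findings = @()

    # "Do not store update files locally; computers install from Microsoft Update"
    if ($config.HostBinariesOnMicrosoftUpdate) {
        $findings += 'Update files are not stored locally; clients install from Microsoft Update. Local storage options do not apply.'
        return $findings
    }

    # "Download update files to this server only when updates are approved" (deferred updates)
    if ($config.DownloadUpdateBinariesAsNeeded -and $PartOfHierarchy) {
        $findings += 'Deferred updates are enabled in a server hierarchy: downstream clients may receive updates late.'
    }

    # "Download express installation files": more Internet bandwidth and 3-4x disk, less LAN bandwidth
    if ($config.DownloadExpressPackages -and -not $FastInternetLink) {
        $findings += 'Express installation files are enabled, but the site does not have a good Internet link.'
    }
    if (-not $config.DownloadExpressPackages -and $FastInternetLink) {
        $findings += 'Express installation files are disabled although the Internet link is good; consider enabling them if disk space allows.'
    }

    # "Download files from Microsoft Update; do not download from upstream server" (downstream servers only)
    if (-not $config.SyncFromMicrosoftUpdate -and -not $config.GetContentFromMU) {
        $findings += ('Downstream server downloads content from upstream server {0}; if that site link is slow and the Internet link is fast, enable downloading from Microsoft Update.' -f $config.UpstreamWsusServerName)
    }

    # Free space on the content volume matters because express files multiply storage use
    $root  = [System.IO.Path]::GetPathRoot($config.LocalContentCachePath)
    $drive = New-Object System.IO.DriveInfo -ArgumentList $root
    $findings += ('Content path {0}: {1:N1} GB free.' -f $config.LocalContentCachePath, ($drive.AvailableFreeSpace / 1GB))
    return $findings
}

# Example run for a server that is part of a hierarchy at a site with a fast Internet link
Get-WsusStorageReport -PartOfHierarchy $true -FastInternetLink $true | ForEach-Object { Write-Output $_ }
```

The script changes nothing; it is intended as a post-configuration check that can be run on each server in a hierarchy and compared with the design decisions recorded for that site.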
4.1.2.2 Configuring the Update Source
Configuring the update source determines whether the WSUS 3.0 server will synchronise with either an upstream WSUS 3.0 server or Microsoft Update. When using an upstream WSUS 3.0 server for synchronisation, it is also possible to specify a custom port number and to encrypt the synchronisation traffic with Secure Sockets Layer (SSL). Custom port numbers are used when the default ports (80 and 443) are not available on a server (for instance, when another application is using the default ports). When traffic is encrypted using SSL, only the metadata information is encrypted, the updates themselves are not. Updates are, however, digitally signed.
More information on using custom ports can be found in the Windows Server Update Services 3.0 Design Guide {R1}. More information on using SSL encryption can be found in section 4.2.3 of this document.
To configure the Update Source:
1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.
2. In the centre pane, click Update Source and Proxy Server.
3. In the Update Source and Proxy Server dialog box, click the Update Source tab.
4. Depending on the design decisions made previously, select either the Synchronize from Microsoft Update, or the Synchronize from another Windows Server Update Services server option.
• If the Synchronize from another Windows Server Update Services server option is selected, type the Server name and Port number of the upstream WSUS 3.0 server
• If SSL encryption is enabled on the upstream WSUS 3.0 server, select the Use SSL when synchronizing update information check box
Note
When enabling the SSL encryption option, ensure that this server trusts the certificate on the upstream WSUS 3.0 server or the certification authority that issued it. For an example of using SSL encryption with IIS 6.0 and Microsoft Certificate Services, see Chapter 6 – Managing Microsoft Certificate Services and SSL {R6}.
Chapter 6 – Managing Microsoft Certificate Services and SSL {R6}: http://technet.microsoft.com/en-us/library/bb727098.aspx
• If this server is to be configured in replica mode, select the This server is a replica of the upstream server check box
Note
If multiple downstream replica WSUS 3.0 servers are set up to connect to a single upstream WSUS 3.0 server, schedule synchronisation to run at different times on each of the downstream replica WSUS 3.0 servers. This practice will prevent sudden surges in bandwidth utilisation.
If a downstream replica WSUS 3.0 server tries but fails to synchronise with the upstream server, it will retry the synchronisation twice, at approximately fifteen-minute intervals. If both retries fail, the downstream replica WSUS 3.0 server will run synchronisation at the next scheduled time.
5. Click OK.
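The following Windows PowerShell script is an added example; it is not part of the original guide or of the WSUS 3.0 product documentation. It performs the update source configuration of section 4.1.2.2 for a downstream server that synchronises over SSL, and it carries out the check that the Note above asks for first: it opens an SSL session to the upstream server and lets the operating system validate the certificate chain, so that the Use SSL option is only enabled when this server actually trusts the upstream certificate or its issuing certification authority. It assumes that it runs on the downstream WSUS 3.0 server under an administrative account with Windows PowerShell 2.0, that the Microsoft.UpdateServices.Administration assembly installed by WSUS 3.0 is available, and that the configuration property names match the public WSUS administration API; the upstream server name wsus-upstream.example.org and port 8531 are placeholders.

```powershell
# Added example: verify upstream certificate trust, then configure the update source over SSL.
# Assumes local administrative rights on the WSUS 3.0 server and Windows PowerShell 2.0.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-TrustedUpstreamCertificate {
    param([string]$ServerName, [int]$Port)
    # Returns the upstream server's certificate if this machine trusts it, otherwise $null.
    # AuthenticateAsClient uses the default validation: it throws if the chain does not end
    # in a trusted CA, if the certificate is expired or revoked, or if the name does not match.
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $ServerName, $Port
        $stream = $client.GetStream()
        $ssl    = New-Object System.Net.Security.SslStream -ArgumentList @($stream, $false)
        $ssl.AuthenticateAsClient($ServerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } catch {
        Write-Warning ('Upstream certificate is NOT trusted by this server: {0}' -f $_.Exception.Message)
        return $null
    } finally {
        if ($client -ne $null) { $client.Close() }
    }
}

function Set-WsusUpstreamServer {
    param([string]$ServerName, [int]$Port, [bool]$Replica)
    $cert = Get-TrustedUpstreamCertificate -ServerName $ServerName -Port $Port
    if ($cert -eq $null) {
        throw 'Refusing to enable SSL synchronisation: install the issuing CA certificate in Trusted Root Certification Authorities first.'
    }
    Write-Output ('Upstream certificate trusted: {0}, issued by {1}, expires {2}' -f $cert.Subject, $cert.Issuer, $cert.NotAfter)

    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()
    $config.SyncFromMicrosoftUpdate      = $false       # "Synchronize from another Windows Server Update Services server"
    $config.UpstreamWsusServerName       = $ServerName  # "Server name"
    $config.UpstreamWsusServerPortNumber = $Port        # "Port number" (custom SSL port in this example)
    $config.UpstreamWsusServerUseSsl     = $true        # "Use SSL when synchronizing update information"
    $config.IsReplicaServer              = $Replica     # "This server is a replica of the upstream server"
    $config.Save()
}

# Placeholder upstream server and port; replica mode as used by a downstream site server
Set-WsusUpstreamServer -ServerName 'wsus-upstream.example.org' -Port 8531 -Replica $true
```

Only the metadata channel is protected by this setting, as the section notes; update binaries are verified through their digital signatures rather than through SSL.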
4.1.2.3 Configuring a Proxy Server
The proxy server settings allow the configuration of a proxy server for use when connecting to an upstream WSUS 3.0 server or Microsoft Update during synchronisation. Typically, this would only be used when connecting to Microsoft Update for synchronisation and when all Internet traffic must be routed via a proxy server. However, if proxy servers are used between sites in a healthcare organisation, it may be necessary to specify proxy settings for connections to upstream WSUS 3.0 servers.
Note
Because the WSUS 3.0 server initiates all synchronisation traffic, it is not necessary to make any configuration changes to the Windows Firewall on a WSUS 3.0 server in order to allow it to connect to Microsoft Update.
The WSUS 3.0 console allows the definition of a proxy server host name or IP address, the port number to use and the credentials needed if authentication is required on the proxy server.
Recommendation
If authentication is required on the proxy server, it is recommended that a low privilege account, with no other resource access, is created and used for this purpose.
To configure Proxy Server options:
1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.
2. In the centre pane, click Update Source and Proxy Server.
3. In the Update Source and Proxy Server dialog box, click the Proxy Server tab.
4. Select the Use a proxy server when synchronizing check box, and type the Server name and Port number.
• If the proxy server requires authentication, select the Use user credentials to connect to the proxy server check box, and type the User name, Domain and Password of a suitable user account
• If basic authentication is required, select the Allow basic authentication (password is sent in cleartext) check box
Recommendation
The use of basic authentication should be avoided wherever possible. If basic authentication is required, it is recommended that a low privilege account with no other resource access is created and used for this purpose.
5. Click OK.
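The following Windows PowerShell script is an added example; it is not part of the original guide or of the WSUS 3.0 product documentation. It applies the proxy settings of section 4.1.2.3 while respecting the two recommendations above: the proxy password is collected at run time through Get-Credential rather than being written into a script, and the Allow basic authentication option stays off unless it is requested explicitly, in which case a warning records that the password will cross the network in cleartext. It assumes that it runs on the WSUS 3.0 server under an administrative account with Windows PowerShell 2.0, that the Microsoft.UpdateServices.Administration assembly installed by WSUS 3.0 is available, and that the configuration property names match the public WSUS administration API; the proxy name proxy.example.org, port 8080 and the account HEALTHCARE\svc-wsus-proxy are placeholders.

```powershell
# Added example: configure the WSUS 3.0 synchronisation proxy with a dedicated low-privilege account.
# Assumes local administrative rights on the WSUS 3.0 server and Windows PowerShell 2.0.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Set-WsusProxy {
    param(
        [string]$ProxyName,
        [int]$ProxyPort,
        [System.Management.Automation.PSCredential]$Credential,   # $null for a proxy that needs no authentication
        [bool]$AllowBasicAuthentication = $false                  # basic authentication sends the password in cleartext
    )
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()

    $config.UseProxy        = $true        # "Use a proxy server when synchronizing"
    $config.ProxyName       = $ProxyName   # "Server name"
    $config.ProxyServerPort = $ProxyPort   # "Port number"

    if ($Credential -eq $null) {
        $config.AnonymousProxyAccess = $true
    } else {
        # "Use user credentials to connect to the proxy server": split DOMAIN\user into the fields the API expects
        $net = $Credential.GetNetworkCredential()
        $config.AnonymousProxyAccess = $false
        $config.ProxyUserDomain      = $net.Domain
        $config.ProxyUserName        = $net.UserName
        $config.SetProxyPassword($net.Password)   # handed to WSUS once; the script keeps no copy
    }

    # "Allow basic authentication (password is sent in cleartext)": off unless explicitly requested
    $config.AllowProxyCredentialsOverNonSsl = $AllowBasicAuthentication
    if ($AllowBasicAuthentication) {
        Write-Warning 'Basic proxy authentication is enabled: the proxy account password is sent in cleartext. Use an account with no other resource access.'
    }
    $config.Save()
}

# Prompt for the dedicated low-privilege proxy account (placeholder name) instead of storing its password
$proxyCredential = Get-Credential -Credential 'HEALTHCARE\svc-wsus-proxy'
Set-WsusProxy -ProxyName 'proxy.example.org' -ProxyPort 8080 -Credential $proxyCredential
```

Running the script with -AllowBasicAuthentication $true is the scripted equivalent of selecting the check box in step 4 and should be reserved for proxies that offer no other authentication method.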
4.1.2.4 Configuring Update Filtering for Languages, Products and Classification
Update filtering makes it possible to filter the update metadata that will be downloaded to the WSUS 3.0 server by language, products and classification.
• The language option defines which language versions of update metadata will be downloaded to the WSUS 3.0 server.
• The products option defines the products or product families, for example, Windows, or Windows XP, for which update metadata will be downloaded.
• The classification option defines the classifications, for example, Critical Updates or Security Updates, of update metadata downloaded.
In a server hierarchy, the products and classifications options can only be defined on the highest upstream WSUS 3.0 server. For language options, it is possible for downstream replica WSUS 3.0 servers to select a subset of the languages defined at their upstream WSUS 3.0 server.
Recommendation
Downloading multiple language versions of updates requires disk storage space on the WSUS 3.0 server. To save on disk storage space, only download the language versions that are required.
To configure the language option:
1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.
2. In the centre pane, click Update Files and Languages.
3. In the Update Files and Languages dialog box, click the Update Languages tab.
4. Select the Download updates only in these languages option and then select the appropriate languages.
5. Click OK.
To configure Products and Classifications options:
1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.
2. In the centre pane, click Products and Classifications.
Note
Initially no product or product family options will be available for Microsoft Office updates. After the first synchronisation of the server, additional products and/or product families will become available as options on the Products tab, including Microsoft Office. Additionally, over time more products may become available. This is because Microsoft continues to add support for additional products.
3. In the Products and Classifications dialog box, click the Products tab.
Note
If the WSUS 3.0 server is being used as the distribution server component of a Microsoft® Forefront™ Client Security solution, ensure that the Forefront Client Security product is selected.
4. Select the check boxes for the required products or product families.
Recommendation
Select the options that are relevant to the healthcare organisation only. If the Windows product is selected, all products in the family beneath it will be automatically selected and this will increase storage requirements on the server. Select only those Windows versions which are used in the healthcare organisation’s environment.
5. In the Products and Classifications dialog box, click the Classifications tab.
6. Select the check boxes for the required classifications.
7. Click OK.
4.1.2.5 Synchronising the WSUS 3.0 Server
Once all the synchronisation options are configured, the WSUS 3.0 server is ready to be synchronised. Synchronisation can either be performed manually, or on a predefined schedule.
To perform a manual synchronisation, use one of the following two options:
• Open the WSUS 3.0 console and select the <servername> node in the left pane. In the centre pane, click Synchronize Now.
• Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Synchronizations node. In the right pane, click Synchronize Now.
To synchronise on a predefined schedule, it is necessary to set the time of the first synchronisation and specify the number of synchronisations to perform per day.
Note
Typically, the first synchronization on a WSUS 3.0 server will take a long time. It is not possible to make changes to the server's update filters (products, classifications, languages) while the server is being synchronised.
To configure a predefined synchronisation schedule:
1. Open the WSUS administration console, expand the <servername> node in the left pane and select the Options node.
2. In the centre pane, click Synchronization Schedule.
3. In the Synchronization Schedule dialog box, select the Synchronise automatically option and specify the time of the First Synchronization and the Synchronizations per day.
Recommendation
The Microsoft Security Research Centre (MSRC) releases new security updates and their accompanying bulletins on the second Tuesday of every month at 10:00 A.M. Pacific Time. If only 1 synchronisation per day is selected, then it should be set to occur in the evening sometime after 6:00 P.M. Greenwich Mean Time to ensure that new security updates are received promptly.
4. Click OK.
4.1.3 Configuring Computer Groups
WSUS 3.0 enables updates to be targeted to specific client computers that have been logically organised into computer groups on the WSUS 3.0 server. This capability helps to ensure that the right computers get the right updates. By default, all computers are always assigned to the All Computers group. They are also assigned to the Unassigned Computers group, until they have been assigned to one or more of the other groups.
Client computers are assigned to computer groups using one of two methods: server-side targeting or client-side targeting. With server-side targeting, the Change Membership task is used in the Computers node of the WSUS 3.0 console to modify the computer group membership of one or more client computers at a time. With client-side targeting, computers are assigned to computer groups automatically using Group Policy or registry entries on the client computers. Client-side targeting only allows computers to be added to one computer group, in addition to the All Computers group.
4.1.3.1 Server-Side Targeting
With server-side targeting, the WSUS 3.0 console is used to create groups and then assign computers to the groups. Server-side targeting is an excellent option when it is preferable to move the client computers into computer groups manually or when there is a requirement for client computers to be members of more than one computer group.
When there are many WSUS 3.0 clients connecting to a WSUS 3.0 server, and there is a requirement for organising them into groups for improved targeting, this option leads to increased administrative work with assigning computers to computer groups.
4.1.3.2 Client-Side Targeting
With client-side (or computer-based) targeting, client computers that have been configured for client-side targeting through Group Policy or registry keys automatically add themselves to the computer groups with which they have been configured. Client-side targeting can be enabled through Group Policy (in an Active Directory environment) or by editing registry values (in a non-Active Directory environment) on the WSUS 3.0 client computers. When the client computers connect to the WSUS 3.0 server, they will add themselves to the correct computer group.
Note
When using client-side targeting, the computer groups that clients will add themselves to must be manually created in the WSUS 3.0 console. Clients will not be able to add themselves to the groups until this task has been performed.
Client-side targeting is an excellent option when there is a need to reduce the amount of administrative work associated with assigning computers to computer groups. However, it does have the restriction of only allowing computers to be added to one computer group, in addition to the All Computers group.
For information on configuring clients when using client-side targeting in Active Directory and non-Active Directory environments, see section 4.3.
4.1.3.3 Configuring Targeting
To configure client-side or server-side targeting:
1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.
2. In the centre pane, click Computers.
3. The Computers dialog box displays with two options:
• To configure server-side targeting, select the Use the Update Services console option
• To configure client-side targeting, select the Use Group Policy or registry settings on computers option
4. Click OK.
4.1.4 Enabling Reporting Rollup
Computer and update status from a downstream replica WSUS 3.0 server can be rolled-up to their upstream WSUS 3.0 server. The reports run on the upstream WSUS 3.0 server then provide information about the entire WSUS 3.0 server hierarchy. Downstream autonomous WSUS 3.0 servers do not roll-up reporting data to their upstream WSUS 3.0 servers.
To enable reporting rollup for replica servers:
1. In the WSUS 3.0 console on the upstream server, select the Options node in the left pane.
2. In the centre pane, click Reporting Rollup.
3. Select the Roll up status from replica downstream servers option.
4. Click OK.
4.1.5 Configuring E-mail Notification
The WSUS 3.0 server can be configured to send e-mail notifications. E-mail notifications can be sent when new updates are synchronised to the WSUS 3.0 server. It is also possible to use the e-mail notification capability to send WSUS 3.0 status reports on a daily or weekly basis.
To set up e-mail notifications:
1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click E-Mail Notifications.
3. Click the General tab.
4. To enable e-mail notifications for newly synchronised updates:
• Select the Send e-mail notification when new updates are synchronized check box
• In the Recipients: field, type the e-mail addresses of the people to whom an update notification should be sent. Separate the names with semi-colons
• To enable e-mail notifications for status reports, select the Send status reports check box
• From the Frequency: drop-down list, select either Daily or Weekly
• In the Send reports at: field, set the time at which the status reports should be sent
• In the Recipients: field, type the e-mail addresses of the people to whom status reports should be sent. Separate the names with semi-colons
• From the Language: drop-down list, select the appropriate language for the status reports.
5. Click Apply to save these settings.
6. Click OK.
Note
If both the WSUS 3.0 console and the WSUS 3.0 server have the same settings for Daylight Savings Time adjustments, notifications will appear at the correct time. If the adjustments for Daylight Savings Time are different, then notifications will be off by the difference in the Daylight Savings Time adjustment.
To set up the e-mail server:
1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click E-Mail Notifications.
3. Click the E-Mail Server tab.
4. Complete the Server Information:
a. In the Outgoing e-mail server (SMTP): field, type the name of the SMTP server
b. In the Port number: field, type the server's SMTP port (25 by default)
5. Complete the Sender Information:
a. In the Sender name: field, type the name of the WSUS 3.0 administrator
b. In the E-mail address: field, type the WSUS 3.0 administrator’s e-mail address
6. If the SMTP server requires authentication, complete the Logon Information:
a. Select the My SMTP server requires authentication check box
Recommendation
If authentication is required on the SMTP server, it is recommended that a low privilege account, with no other resource access, is created and used for this purpose.
b. Type the User name: and Password: in the respective fields
Note
The authentication credentials may only be changed on a WSUS 3.0 console running locally on the WSUS 3.0 server. It is not possible to change authentication credentials on a remote WSUS 3.0 console.
7. Click Apply to save these settings.
8. Click Test to test the e-mail server configuration and check the Event Viewer to see if there were any issues when sending the e-mail.
9. Click OK.
4.2 Securing the WSUS 3.0 Deployment
This section covers the options available for adding security to a WSUS 3.0 solution. They are:
• Hardening the Windows Server 2003 server hosting the WSUS 3.0 server
• Adding authentication between linked WSUS 3.0 servers in an Active Directory environment
• Implementing the SSL protocol on WSUS 3.0 servers
4.2.1 Hardening Windows Server 2003
The recommended settings for hardening a Windows Server 2003 server that is hosting a WSUS 3.0 server are documented in Appendix E: List of Security Settings in the Microsoft White Paper, Deploying Microsoft Windows Server Update Services 3.0 {R4}. These recommendations include hardening a number of Windows Server 2003 components, as well as Internet Information Services (IIS) 6.0 and SQL Server 2005.
4.2.2 Adding Authentication for Linked WSUS 3.0 Servers
Authentication for server-to-server synchronisation can be added to linked WSUS 3.0 servers. The following prerequisites need to be met in order to use authentication between linked WSUS 3.0 servers:
• All WSUS 3.0 servers that are to be authenticated must be in an Active Directory environment
• If the WSUS 3.0 servers are located in different forests, a trust must exist between those forests
When authentication restrictions are added on a WSUS 3.0 server, downstream WSUS 3.0 servers that wish to synchronise with an upstream WSUS 3.0 server must be authenticated against a list of explicitly allowed servers. The list is contained in a configuration file on the upstream WSUS 3.0 server. The host names of the downstream WSUS 3.0 servers that are allowed to authenticate must be manually added to the file.
Recommendation
Enabling this functionality is recommended as it prevents unauthorised servers from being allowed to synchronise content from the WSUS 3.0 server. Consider restricting access to upstream and downstream WSUS 3.0 servers. Use a ‘deny all’ wildcard asterisk on the downstream servers at the bottom of the server hierarchy.
To add authentication between linked WSUS 3.0 servers:
1. On the WSUS 3.0 server to which access is to be restricted, launch Windows Explorer.
2. Navigate to the C:\Program Files\Update Services\WebServices\serversyncwebservice folder.
3. Right-click the file web.config and select Open.
4. In the Windows cannot open this file: dialog box, select the Select the program from a list option.
5. Click OK.
6. In the Open With dialog box, choose Notepad.
7. Click OK.
8. Use the <authorization> element to define the list of servers that are allowed to authenticate, ensuring the <authorization> element is added below the <configuration> and <system.web> elements, as per the following example:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow users="domain\contoso-wsus-srv1$,domain\contoso-wsus-srv2$" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Here, contoso-wsus-srv1 and contoso-wsus-srv2 will be allowed to synchronise with this WSUS 3.0 server. All other servers will be denied access to this WSUS 3.0 server.
Important
Always append a dollar sign to the computer name as in the example above. This is the name the computer will use during authentication.
9. In Notepad, click File, then click Save to save the amendments that have been made to the file.
The computer names specified in the ‘allow users’ and ‘deny users’ sections must be typed in the format domain\computer_name$, where domain is the name of the domain the WSUS 3.0 server is a member of, and computer_name$ is the host name of the downstream WSUS 3.0 server with a dollar sign appended.
The second part of adding authentication between linked WSUS 3.0 servers requires a configuration change to IIS. This involves disabling anonymous access to the ServerSyncWebService virtual directory and enabling integrated Windows authentication.
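As an added example (not code from the guide), the following Python script checks a serversyncwebservice web.config for the <authorization> allow-list described above: that every allow entry is in domain\computer_name$ form, that a deny-all rule is present, and that the deny-all rule comes after the allow rule, since ASP.NET evaluates authorization rules top-down and stops at the first match. The sample web.config contents are constructed from the guide's example; "domain" and the contoso-wsus-srv1/2 names are placeholders, and the broken second sample is constructed to show what the check reports.

```python
"""Sanity-check the <authorization> allow-list added to the WSUS 3.0
serversyncwebservice web.config (added example, not part of the guide)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the guide's example; "domain" and the
# contoso-wsus-srv1/2 host names are placeholders, not real hosts.
GOOD_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow users="domain\\contoso-wsus-srv1$,domain\\contoso-wsus-srv2$" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""

# Constructed broken sample: the deny-all rule is listed first, one entry has
# no trailing dollar sign and another has no domain prefix.
BAD_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
      <allow users="domain\\contoso-wsus-srv1,contoso-wsus-srv2$" />
    </authorization>
  </system.web>
</configuration>
"""

# domain\computer_name$ as the guide requires: a domain label, a backslash,
# the host name and a trailing dollar sign (the computer account name).
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9._-]+\\[A-Za-z0-9-]+\$$")


def _users(rule):
    """Split a rule's comma-separated users attribute into clean entries."""
    return [u.strip() for u in rule.get("users", "").split(",") if u.strip()]


def check_server_sync_auth(xml_text, leaf_server=False):
    """Return (allowed_accounts, problems) for one web.config text.

    ASP.NET URL authorization evaluates <allow>/<deny> rules from top to
    bottom and stops at the first match, so rule order matters as much as
    rule content. A leaf (bottom-of-hierarchy) downstream server is expected
    to carry only the deny-all rule, as the guide recommends.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        return [], ["root element is <%s>, expected <configuration>" % root.tag]
    auth = root.find("./system.web/authorization")
    if auth is None:
        return [], ["no <authorization> element under <configuration>/<system.web>"]

    allowed = []
    deny_all_index = None
    for index, rule in enumerate(auth):
        users = _users(rule)
        if rule.tag == "allow":
            if deny_all_index is not None:
                problems.append("<allow> at position %d is after the deny-all rule "
                                "and will never be reached" % index)
            for account in users:
                if not ACCOUNT_RE.match(account):
                    problems.append("allow entry %r is not in domain\\computer_name$ "
                                    "form" % account)
                allowed.append(account)
        elif rule.tag == "deny":
            if "*" in users and deny_all_index is None:
                deny_all_index = index
        else:
            problems.append("unexpected <%s> element inside <authorization>" % rule.tag)

    if deny_all_index is None:
        problems.append('missing <deny users="*" />: the allow-list is not enforced '
                        "against other authenticated accounts")
    if not allowed and not leaf_server:
        problems.append("no downstream server is allowed; only a leaf server should "
                        "carry the deny-all rule alone")
    if len(set(allowed)) != len(allowed):
        problems.append("duplicate entries in the allow-list")
    return allowed, problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_WEB_CONFIG), ("bad", BAD_WEB_CONFIG)):
        allowed, problems = check_server_sync_auth(text)
        print("%s: allowed=%s" % (label, allowed))
        for problem in problems:
            print("  problem: %s" % problem)
```

Run it against the real file on the upstream server before restarting IIS; an empty problem list means the allow-list matches the form the guide requires.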
To configure IIS:
1. On the WSUS 3.0 server to which access is to be restricted, open the Internet Information Services (IIS) Manager.
2. Expand the <servername> node.
3. Expand the WSUS Web site node (either Default Web Site or WSUS Administration).
4. Right-click ServerSyncWebService, and click Properties.
5. Click the Directory Security tab.
6. In the Authentication and access control frame, click Edit.
7. In the Authentication Methods dialog box, clear the Enable anonymous access check box and select the Integrated Windows authentication check box.
8. Click OK and then OK again.
4.2.3 Securing WSUS 3.0 with SSL
It is possible to use SSL to secure a WSUS 3.0 deployment. SSL can be used to allow WSUS 3.0 clients to authenticate to WSUS 3.0 servers. It can be used to allow downstream WSUS 3.0 servers to authenticate to upstream WSUS 3.0 servers. SSL can also be used to encrypt the update metadata that is passed between WSUS 3.0 clients and WSUS 3.0 servers.
WSUS 3.0 servers will only use SSL for encrypting update metadata; the updates themselves are not sent over the encrypted SSL channel. To provide security for the updates, the updates are digitally signed by Microsoft. Additionally, a hash is computed and sent with the encrypted metadata for each update.
Recommendation
SSL should be used whenever possible to add an additional layer of security to the WSUS 3.0 deployment. One of the most important reasons to use SSL is not for encryption, but for server authentication. When a WSUS 3.0 client is configured to connect to a WSUS 3.0 server using SSL, the WSUS 3.0 client can authenticate the identity of the WSUS 3.0 server using the SSL certificate. This prevents rogue WSUS 3.0 servers from impersonating a trusted WSUS 3.0 server.
Note
Encrypting data using the SSL protocol places an additional processing overhead on the WSUS 3.0 server. Plan for around a 10 percent loss of performance.
When the WSUS 3.0 database is installed on a remote SQL server, the connection between the WSUS 3.0 server and the database server is not secured with SSL. To secure this connection, use one of the following methods:
• Move the database to the WSUS 3.0 server
• Connect the remote SQL server to the WSUS 3.0 server over a private network which is connected to an additional Network Interface Card (NIC)
• Deploy Internet Protocol Security (IPSec) between the servers to encrypt the network traffic
For further information on deploying IPSec, see Overview of IPSec Deployment [7].
[7] Overview of IPSec Deployment {R7}: http://go.microsoft.com/fwlink/?LinkId=45154
4.2.3.1 Configuring SSL on the Upstream WSUS 3.0 Server

It is not possible to use SSL for the entire WSUS 3.0 Web site. This is because only the metadata traffic is actually encrypted using SSL. Only the following virtual roots should be configured to require SSL encryption:

• SimpleAuthWebService
• DSSAuthWebService
• ServerSyncWebService
• APIRemoting30
• ClientWebService

Ensure the following virtual roots are not encrypted using SSL:

• Content
• Inventory
• ReportingWebService
• SelfUpdate

Because the Content root stays on clear-text HTTP, the integrity of the update binaries that clients download relies on the Microsoft digital signature and the hash sent with the metadata, not on SSL.

Once IIS 6.0 has been configured so that SSL is required to access the WSUS 3.0 console, it is necessary to use a different URL. This will be in the format: https://<servername>/WSUSAdmin. If a custom port number for the SSL port has been configured, append this to the server hostname in the URL, for instance, for port 2424 use the URL: https://<servername>:2424/WSUSAdmin.

Note
When using a custom Web site for WSUS, the SSL port will automatically use port 8531. This can be changed manually, but bear in mind that WSUS always uses the port that numerically precedes the SSL port for the clear text HTTP traffic. For example, when using port 2424 for SSL, WSUS will use port 2424 for HTTPS and port 2423 for HTTP.

To configure SSL on a WSUS 3.0 server:

1. Install an SSL certificate to the Web site that runs IIS 6.0. The procedures for installing the SSL certificate will depend on the healthcare organisation’s network environment.
2. In IIS Manager, expand the local computer node, and expand the WSUS Web site node.
3. Right-click the first of the virtual roots for which SSL is to be enabled, and click Properties.
4. Click the Directory Security tab and under Secure Communications, click Edit.
5. Click Require secure channel (SSL) and Require 128-bit encryption.
6. Click OK and then OK again.
7. Repeat steps 3 to 6 for each virtual root for which SSL is to be enabled.
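The same per-virtual-root configuration can be applied and verified in one pass against the IIS 6.0 metabase rather than by repeating the IIS Manager steps for each root. The following script is an added example and is not part of the Operations Guide or of WSUS itself. It assumes PowerShell 2.0 or later on the upstream server, that the WSUS Web site has metabase site ID 1 (the Default Web Site; change $SiteId for a custom site), and that the metabase AccessSSLFlags bits are AccessSSL = 8 and AccessSSL128 = 256, which is what the IIS 6.0 metabase reference defines.

```powershell
# Added example, not from the Operations Guide: apply and verify the per-virtual-root
# SSL requirements of section 4.2.3.1 through the IIS 6.0 metabase (ADSI provider)
# instead of clicking through IIS Manager once per root. Run as a local administrator
# on the upstream WSUS 3.0 server.
# Assumptions: the WSUS Web site has metabase ID 1 (the Default Web Site); set $SiteId
# to the custom site's ID if WSUS was installed into one.

$SiteId  = 1
$SslPort = 443      # 8531 by default when a custom WSUS Web site is used

# IIS 6.0 AccessSSLFlags metabase bits: AccessSSL = 8, AccessSSL128 = 256
$AccessSSL    = 8
$AccessSSL128 = 256
$Required     = $AccessSSL -bor $AccessSSL128   # "Require secure channel" + "Require 128-bit encryption"

$RequireSsl = 'SimpleAuthWebService', 'DSSAuthWebService', 'ServerSyncWebService',
              'APIRemoting30', 'ClientWebService'
$NoSsl      = 'Content', 'Inventory', 'ReportingWebService', 'SelfUpdate'

function Get-WsusVRoot([string]$Name) {
    [ADSI]("IIS://localhost/W3SVC/$SiteId/Root/$Name")
}
function Get-SslFlags($VRoot) {
    [int]$VRoot.Properties['AccessSSLFlags'].Value    # $null (inherited/unset) becomes 0
}
function Set-SslFlags($VRoot, [int]$Flags) {
    $VRoot.Properties['AccessSSLFlags'].Value = $Flags
    $VRoot.CommitChanges()
}

# Metadata roots: require SSL and 128-bit encryption
foreach ($name in $RequireSsl) {
    $vdir  = Get-WsusVRoot $name
    $flags = Get-SslFlags $vdir
    if (($flags -band $Required) -ne $Required) {
        Set-SslFlags $vdir ($flags -bor $Required)
        "Enabled SSL (128-bit) on /$name"
    }
}

# Content roots: must stay on clear-text HTTP. The update binaries fetched from /Content
# are protected by Microsoft's digital signature and hash, not by SSL.
foreach ($name in $NoSsl) {
    $vdir  = Get-WsusVRoot $name
    $flags = Get-SslFlags $vdir
    if ($flags -band $Required) {
        Set-SslFlags $vdir ($flags -band (-bnot $Required))
        "Removed SSL requirement from /$name"
    }
}

# Verification pass over every WSUS root
foreach ($name in ($RequireSsl + $NoSsl)) {
    $flags = Get-SslFlags (Get-WsusVRoot $name)
    $state = if ($flags -band $AccessSSL) { 'SSL required' } else { 'clear text' }
    '{0,-22} {1}' -f $name, $state
}

# Port rule from the Note above: for a custom WSUS Web site, clear-text HTTP is served
# on the port that precedes the SSL port.
if ($SiteId -ne 1) { 'Expect HTTP on port {0} and HTTPS on port {1}' -f ($SslPort - 1), $SslPort }
```

The verification pass is worth keeping as a scheduled check on its own: a root that silently loses its SSL requirement (for example after a site is recreated) reopens the metadata channel that SSL is there to authenticate.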
4.2.3.2 Configuring Downstream WSUS 3.0 Servers to Connect Using SSL

Downstream WSUS 3.0 servers need to trust the Certification Authority (CA) that issued the upstream WSUS 3.0 server’s SSL certificate.

• If downstream servers do not automatically trust the upstream WSUS 3.0 server’s SSL certificate, for instance if an untrusted CA or self-signed certificate has been used, the certificate of the issuing CA (or the self-signed server certificate itself) needs to be imported into the Trusted Root CA store of the local computer. In an Active Directory environment, this can be performed automatically through Group Policy. Anything placed in the Trusted Root CA store becomes a trust anchor for the whole computer, so import only the issuing CA’s certificate rather than arbitrary server certificates, and scope the Group Policy that deploys it to the computers that need it.
• If an upstream WSUS 3.0 server’s SSL certificate is only imported into the Trusted Root CA store of the current user and not into the Trusted Root CA store of the local computer, authentication will fail.

To configure a downstream WSUS 3.0 server to connect using SSL:

1. Open the WSUS 3.0 console and select the Options node.
2. In the centre pane, click Update Source and Proxy Server.
3. In the Update Source dialog box, select the Synchronize from another Windows Server Update Services server check box.
   a. Type the Server name of the upstream WSUS 3.0 server.
   b. Type the Port number it uses for SSL connections.
   c. Select the Use SSL when synchronizing update information check box.
4. Click OK.

4.2.3.3 Configuring SSL on Client Computers

When configuring a WSUS 3.0 client to connect to a WSUS 3.0 server using SSL, be aware of the following:

• The URL for the secure port must be configured in Automatic Updates on the client. Use the Specify intranet Microsoft Update service location Group Policy setting to enter the modified URL, or edit the registry directly. For more information on setting this Group Policy option, see section 4.3.1.
• The URL required will be in the format: https://<servername>. If a custom port number for the SSL port has been configured, append this to the server hostname in the URL. For example, if port 2424 has been configured, use the URL: https://<servername>:2424.
• WSUS 3.0 clients need to trust the CA that issued the upstream WSUS 3.0 server’s certificate. If they do not automatically trust the upstream WSUS 3.0 server’s SSL certificate, for instance if an untrusted CA or self-signed certificate has been used, the certificate of the issuing CA (or the self-signed server certificate itself) needs to be imported into the Trusted Root CA store of the local computer. In an Active Directory environment this can be performed automatically through Group Policy.

Important
If an upstream WSUS 3.0 server’s SSL certificate is only imported into the Trusted Root CA store of the current user and not into the Trusted Root CA store of the local computer, authentication will fail.
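The trust requirement in sections 4.2.3.2 and 4.2.3.3 is the one most often got wrong, because an administrator who imports the certificate while logged on sees it as trusted in their own session while the WSUS service and Automatic Updates, which run as LocalSystem, do not. The script below is an added example, not part of the Operations Guide or of WSUS: it fetches the upstream server’s certificate, builds the chain once in the machine context and once in the user context to reproduce that difference, and only then configures the downstream synchronisation source through the WSUS 3.0 administration API (the AdminProxy and IUpdateServerConfiguration members used are the ones the WSUS 3.0 SDK exposes). The host name wsus-upstream and port 8531 are assumed values; it assumes PowerShell 2.0 or later on a downstream WSUS 3.0 server.

```powershell
# Added example, not from the Operations Guide: verify that the upstream WSUS server's
# certificate chains to a CA trusted by the local COMPUTER (not only the current user),
# then point this downstream server at it over SSL using the WSUS administration API.
# Assumptions (hypothetical values): upstream host 'wsus-upstream', SSL port 8531.
# Run as a local administrator on the downstream WSUS 3.0 server.

$Upstream = 'wsus-upstream'
$SslPort  = 8531

# --- 1. Fetch the upstream server certificate with a TLS handshake --------------------
$tcp = New-Object System.Net.Sockets.TcpClient($Upstream, $SslPort)
# Accept any certificate during the handshake; trust is evaluated explicitly below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($Upstream)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# --- 2. Build the chain in both contexts -----------------------------------------------
function Test-ChainTrust([bool]$MachineContext) {
    # X509Chain($true) resolves against the LocalMachine stores only, which is what the
    # WSUS service and Automatic Updates (LocalSystem) see; $false uses the current user.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($MachineContext)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-anchor check only; revocation is a separate concern
    $chain.Build($serverCert)
}
$trustedByMachine = Test-ChainTrust $true
$trustedByUser    = Test-ChainTrust $false

"Upstream certificate subject : $($serverCert.Subject)"
"Issuer                       : $($serverCert.Issuer)"
"Trusted in machine context   : $trustedByMachine"
"Trusted in user context      : $trustedByUser"

if (-not $trustedByMachine) {
    if ($trustedByUser) {
        Write-Warning 'The issuing CA is trusted only by the current user; WSUS synchronisation will fail authentication. Import the CA certificate into the Trusted Root CA store of the local computer (for example through Group Policy).'
    } else {
        Write-Warning 'The issuing CA is not trusted by this computer.'
    }
    return
}

# --- 3. Configure the synchronisation source (same settings as the console dialog) -----
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()
$config.SyncFromMicrosoftUpdate      = $false      # "Synchronize from another WSUS server"
$config.UpstreamWsusServerName       = $Upstream   # Server name
$config.UpstreamWsusServerPortNumber = $SslPort    # Port number used for SSL connections
$config.UpstreamWsusServerUseSsl     = $true       # "Use SSL when synchronizing update information"
$config.Save()
"Downstream server now synchronises from https://${Upstream}:$SslPort"
```

Steps 1 and 2 apply unchanged to a client computer: run them there before setting the https URL described in section 4.2.3.3, and treat a result of "trusted in user context" but not "trusted in machine context" as the failure the Important note above describes.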
4.3 Configuring the WSUS 3.0 Client

This section provides the information and procedures necessary to configure Automatic Updates. Automatic Updates is the client component of WSUS 3.0.

To configure a WSUS 3.0 client to connect to a WSUS 3.0 server, settings must be applied to Automatic Updates on the client. Automatic Updates comes with a user interface which can be accessed from the Control Panel. However, WSUS 3.0 client settings cannot be configured through the user interface; instead they must be applied in one of the following three ways, depending on the healthcare organisation’s environment:

• Group Policy Objects applied through Active Directory
• Local Group Policy
• Registry keys

When WSUS 3.0 client settings are set by an administrator through Group Policy, they always take precedence over user-defined options. This is true whether using Group Policy in an Active Directory environment or using the Local Group Policy editor. When WSUS 3.0 settings are configured, the Automatic Updates user interface becomes disabled on the client computer.

4.3.1 Configuring WSUS 3.0 Clients in an Active Directory Environment

To deploy the WSUS 3.0 client settings in a healthcare organisation with Active Directory deployed, use Group Policy. Microsoft does not recommend editing the Default Domain or Default Domain Controller GPOs to add WSUS 3.0 client settings. Instead, create new GPOs for the application of WSUS 3.0 client settings.

Recommendation
It is recommended that a separate GPO is created for the application of WSUS 3.0 client settings. The GPO should be linked to the OU container that holds the relevant client computers and should be configured to apply the recommended computer configuration settings. Further GPOs can be created if the WSUS 3.0 client settings need to be defined differently for different sets of computers. For best practice on using Group Policy, see Group Policy for Healthcare Desktop Management {R8}.

Table 3 shows the commands that can be run by the client operating system, to force a Group Policy refresh:

Operating System | Command
Windows Vista, Windows XP | gpupdate.exe /force
Windows 2000 (computer settings) | secedit.exe /refreshpolicy machine_policy /enforce
Windows 2000 (user settings) | secedit.exe /refreshpolicy user_policy /enforce
Table 3: Group Policy Refresh Commands

4.3.1.1 Load the WSUS 3.0 Administrative Template

Before setting Group Policy options for the WSUS 3.0 client, ensure that the latest administrative template has been loaded on the computer used to administer Group Policy. The administrative template that contains WSUS 3.0 settings is named ‘wuau.adm’.

[8] Group Policy for Healthcare Desktop Management {R8}: http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx
If the computer that is being used to configure Group Policy has the latest version of wuau.adm, it is not necessary to load the file to configure settings. The latest version of wuau.adm is provided with Windows XP Professional SP2 and Windows Server 2003 SP1. Administrative template files are stored in the %windir%\Inf folder, by default.

Note
The correct version of wuau.adm can be found on any computer that has the WSUS 3.0 compatible version of Automatic Updates installed. The old version of wuau.adm can be used to point a client at a WSUS 3.0 server. After the client self-updates the Automatic Updates software, the new version of wuau.adm can be found in the %windir%\Inf folder.

To load the administrative template:

1. Open the relevant Group Policy Object.
2. Under Computer Configuration or User Configuration, right-click Administrative Templates and select Add/Remove Templates.
3. Click Add.
4. Select wuau.adm and click Open.
5. In the Add/Remove Templates dialog box, click Close.

4.3.1.2 Configure Automatic Updates

This section details the procedures necessary to implement Group Policy settings for the configuration of the WSUS 3.0 client. All the settings are configured in the computer configuration component of Group Policy.

Table 4 lists the Group Policy settings in the computer configuration component of a GPO that can be used for configuring the WSUS 3.0 client, with the recommendation for each setting. Table 5 details the recommended properties for the GPO. For more information on each Group Policy setting, refer to the ‘Explain’ tab of the setting within the Group Policy Management Console (GPMC).

These settings can be found in the following Group Policy location: Computer Configuration > Administrative Templates > Windows Components > Windows Update.

Table 4 lists the available Automatic Updates settings in the computer configuration component of a GPO, and provides a recommendation for each setting.

Setting | Recommended Value
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box [9] | Enabled
Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box [9] | Not Configured (has no effect due to the policy setting above to not display the option)
Configure Automatic Updates [10] | Enabled
  Configure Automatic Updating | 4 – Auto download and schedule the install
  Scheduled install day | 0 – Every day
  Scheduled install time | 14:00

[9] This setting is supported on at least Windows XP SP2.
[10] This setting is supported on at least Windows 2000 SP3, Windows XP SP1 and Windows Server 2003.
Setting | Recommended Value
Specify intranet Microsoft update service location [10] | Enabled
  Set the intranet update service for detecting updates | http://ServerName
  Set the intranet statistics server | http://ServerName
Enable client-side targeting [10] | Enabled
  Target group name for this computer | GroupName
Reschedule Automatic Updates scheduled installations [10] | Enabled
  Wait after system startup (minutes) | 30
No auto-restart for scheduled Automatic Updates installations [10] | Enabled
Automatic Updates detection frequency [10] | Not Configured (default interval of 22 hours will be used)
Allow Automatic Updates immediate installation [10] | Enabled
Delay Restart for scheduled installations [10] | Not Configured (No effect as No auto-restart is Enabled)
Re-prompt for restart with scheduled installations [10] | Enabled
  Wait the following period before prompting again with a scheduled restart (minutes): | 30
Allow non-administrators to receive update notifications [10] | Not Configured
Turn on recommended updates via Automatic Updates [11] | Enabled
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates [11] | Enabled
Table 4: WSUS 3.0 GPO Settings

Where SSL has been configured on the WSUS 3.0 server as described in section 4.2.3, both intranet service URLs must be the https URL, including any custom port (see section 4.2.3.3), so that clients authenticate the server before accepting update metadata from it.

Note
The setting Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates enables healthcare organisations to take advantage of clients’ power management functionality. For operating systems prior to Windows Vista, client machines would typically be left on overnight to enable remote management tasks, such as applying updates, to be carried out. This is no longer required with Windows Vista. Using this setting enables a healthcare organisation to save energy and therefore reduce the total cost of ownership (TCO) of managing a computer.

Table 5 details the properties of the Automatic Updates computer configuration GPO.

Property | Setting
Block Inheritance | Unchecked
Enforced (No Override) | Unchecked
GPO Status | User Configuration Settings Disabled
Permissions [12] | Authenticated Users: Read & Apply Group Policy
 | Creator Owner: (none explicitly set)
 | Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
 | Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
 | System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 5: WSUS 3.0 GPO Properties

[11] This setting is supported on at least Windows Vista.
[12] All permissions detailed here are Allow permissions unless stated otherwise.
4.3.2 Configuring WSUS 3.0 Clients in a Non-Active Directory Environment

In a non-Active Directory environment, the following options are available for configuring the Automatic Updates client:

• Using the Group Policy Object Editor and editing the Local Group Policy object
• Editing the registry directly by using the registry editor (Regedit.exe)
• Centrally deploying registry entries by using some other automated method

When editing the Local Group Policy object, the available settings are the same as in section 4.3.1.2. Refer to section 4.3.1.2 for more information on the available options and the recommended settings.

When editing the registry either directly or through an automated method, the available options are the same. Most of the options are organised into two registry locations; one for the WSUS 3.0 server, and the other for the Automatic Updates client.

4.3.2.1 WSUS 3.0 Server Options

These registry entries are located in the following subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

Note
On some operating system versions, the WindowsUpdate registry key does not exist. If this is the case, first manually create the key. Additionally, create the AU key beneath the WindowsUpdate key.

Table 6 details all the available entries, their possible and recommended values, and their data types.

Entry Name | Possible Values | Recommended Value | Data Type
AcceptTrustedPublisherCerts | 1 = Enabled. The client accepts signed third-party updates distributed by the WSUS 3.0 server (the signing certificate must be in the local computer’s Trusted Publishers store); 0 = Disabled. Third-party updates distributed by the WSUS 3.0 server are not accepted | 1 | REG_DWORD
DisableWindowsUpdateAccess | 1 = Disables access to Windows Update; 0 = Enables access to Windows Update | 1 | REG_DWORD
ElevateNonAdmins | 1 = Users in the Users security group are allowed to approve or unapprove updates; 0 = Only users in the Administrators user group can approve or unapprove updates | 0 | REG_DWORD
TargetGroup | Name of the computer group to which the computer belongs, used to implement client-side targeting, for example, ‘TestServers’. This policy is paired with TargetGroupEnabled | GroupName | REG_SZ
TargetGroupEnabled | 1 = Use client-side targeting; 0 = Do not use client-side targeting. This policy is paired with TargetGroup | 1 | REG_DWORD
Entry Name | Possible Values | Recommended Value | Data Type
WUServer | HTTP(S) URL of the WSUS 3.0 server used by Automatic Updates and (by default) Application Programming Interface (API) callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid | http://ServerName | REG_SZ
WUStatusServer | The HTTP(S) URL of the server to which reporting information will be sent by client computers. This policy is paired with WUServer; both must be set to the same value in order for them to be valid | http://ServerName | REG_SZ
Table 6: WSUS 3.0 Server Options

Where the WSUS 3.0 server has been configured for SSL (section 4.2.3), set both WUServer and WUStatusServer to the https URL, including any custom port, as described in section 4.2.3.3.

4.3.2.2 Automatic Updates Client Options

These registry entries are located in the following subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

Table 7 details all the available entries, their possible and recommended values, and their data types.

Entry Name | Possible Values | Recommended Value | Data Type
AUOptions | 2 = Notify before download; 3 = Automatically download and notify of installation; 4 = Automatic download and scheduled installation (Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime); 5 = Automatic Updates is required, but end users can configure it | 4 | REG_DWORD
AutoInstallMinorUpdates | 0 = Treat minor updates like other updates; 1 = Silently install minor updates | 1 | REG_DWORD
DetectionFrequency | Range = n; where n = time in hours (1-22). Time between detection cycles | Not Configured | REG_DWORD
DetectionFrequencyEnabled | 0 = Disable custom DetectionFrequency (use default value of 22 hours); 1 = Enable DetectionFrequency | 0 | REG_DWORD
NoAUShutdownOption | 0 = The Install Updates and Shut Down option will be available in the Shut Down Windows dialog box; 1 = The Install Updates and Shut Down option will not be available in the Shut Down Windows dialog box | 1 | REG_DWORD
NoAutoRebootWithLoggedOnUsers | 0 = Automatic Updates notifies the user that the computer will restart in five minutes; 1 = Logged-on user gets to choose whether or not to restart their computer | 1 | REG_DWORD
NoAutoUpdate | 0 = Enable Automatic Updates; 1 = Disable Automatic Updates | 0 | REG_DWORD
RebootRelaunchTimeout | Range = n; where n = time in minutes (1-1440). Time between prompting for a scheduled restart | 30 | REG_DWORD
Entry Name | Possible Values | Recommended Value | Data Type
RebootRelaunchTimeoutEnabled | 0 = Disable custom RebootRelaunchTimeout (use default value of 10 minutes); 1 = Enable RebootRelaunchTimeout | 1 | REG_DWORD
RebootWarningTimeout | Range = n; where n = time in minutes (1-30). Length of the restart warning countdown after installing updates with a deadline or installing scheduled updates | Not Configured | REG_DWORD
RebootWarningTimeoutEnabled | 0 = Disable custom RebootWarningTimeout (use default value of five minutes); 1 = Enable RebootWarningTimeout | Not Configured | REG_DWORD
RescheduleWaitTime | Range = n; where n = time in minutes (1-60). Time that Automatic Updates should wait at startup before applying updates from a missed scheduled installation time. Note: this policy applies only to scheduled installations, not deadlines. Updates whose deadlines have expired should always be installed as soon as possible | 30 | REG_DWORD
RescheduleWaitTimeEnabled | 0 = Disable RescheduleWaitTime (attempt the missed installation during the next scheduled installation time); 1 = Enable RescheduleWaitTime | 1 | REG_DWORD
ScheduledInstallDay | 0 = Every day; 1 through 7 = The days of the week from Sunday (1) to Saturday (7) (Only valid if AUOptions equals 4) | 0 | REG_DWORD
ScheduledInstallTime | Range = n; where n = the time of day in 24-hour format (0-23) | 14 | REG_DWORD
UseWUServer | The WUServer value is not respected unless this key is set | 1 | REG_DWORD
Table 7: Automatic Updates Client Options

4.3.2.3 Additional Registry Settings

The Group Policy setting Remove access to use all Windows Update features removes all access to Microsoft Update. This setting also hides the Automatic Updates icon in the notification area for WSUS 3.0 clients. This setting can be enabled in the registry in either of the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Table 8 shows the registry entry that is used to configure the Remove access to use all Windows Update features setting.
| Entry Name | Possible Values | Recommended Values | Data Type |
|---|---|---|---|
| NoWindowsUpdate | 0 = Users can connect to the Windows Update Web site; 1 = Remove access to use all Windows Update features | 1 | REG_DWORD |
Table 8: NoWindowsUpdate Setting
Important
When this setting is enabled under the HKEY_LOCAL_MACHINE subkey, links to Windows Update are removed, including the links in Internet Explorer and on the Start Menu. However, access is still possible to Windows Update by typing the URL into Internet Explorer. Whenever possible, define this entry in the HKEY_CURRENT_USER subkey, which will prevent all access to Windows Update. Be aware that the HKEY_CURRENT_USER subkey affects only the currently logged on user.
Recommendation
It is recommended that this setting is enabled to prevent users from installing software updates that have not been through the organisation's normal software update testing and change control procedures, and that have not been approved on the WSUS server.
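The Table 7 entries listed above and the Table 8 NoWindowsUpdate entry can be audited on a client with a read-only PowerShell check. The script below is an added example, not code from this guide; it assumes the Automatic Updates values live under the standard policy subkey HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, and the function names are the example's own.

```powershell
# Added example: read-only compliance check of the Automatic Updates client
# registry values (Table 7 rows above) and NoWindowsUpdate (Table 8).
# Assumption: the AU policy values live under the standard policy subkey below.
$auKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Recommended values from Table 7 for the entries listed on this page.
# $null stands for "Not Configured", i.e. the value should not exist.
$auRecommended = @{
    'RebootRelaunchTimeoutEnabled' = 1
    'RebootWarningTimeout'         = $null
    'RebootWarningTimeoutEnabled'  = $null
    'RescheduleWaitTime'           = 30
    'RescheduleWaitTimeEnabled'    = 1
    'ScheduledInstallDay'          = 0
    'ScheduledInstallTime'         = 14
    'UseWUServer'                  = 1
}

function Get-PolicyValue {
    # Returns the data stored for $Name, or $null when the key or value is absent.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PolicyValue {
    # Compares one value with its recommendation and returns a result object.
    param([string]$Key, [string]$Name, $Expected)
    $actual = Get-PolicyValue -Key $Key -Name $Name
    if ($null -eq $Expected) { $compliant = ($null -eq $actual) }
    else                     { $compliant = ($actual -eq $Expected) }
    $show = { param($v) if ($null -eq $v) { 'Not Configured' } else { $v } }
    New-Object PSObject -Property @{
        Key       = $Key
        Name      = $Name
        Expected  = (& $show $Expected)
        Actual    = (& $show $actual)
        Compliant = $compliant
    }
}

function Get-WsusClientPolicyCompliance {
    $results = @()
    foreach ($name in $auRecommended.Keys) {
        $results += Test-PolicyValue -Key $auKey -Name $name -Expected $auRecommended[$name]
    }

    # ScheduledInstallDay and ScheduledInstallTime are only valid when AUOptions
    # equals 4 (Table 7), so flag a schedule that will never be honoured.
    $auOptions = Get-PolicyValue -Key $auKey -Name 'AUOptions'
    $hasSchedule = ($null -ne (Get-PolicyValue -Key $auKey -Name 'ScheduledInstallDay')) -or
                   ($null -ne (Get-PolicyValue -Key $auKey -Name 'ScheduledInstallTime'))
    if ($hasSchedule -and $auOptions -ne 4) {
        Write-Warning "AUOptions is '$auOptions'; the scheduled install day/time only apply when AUOptions equals 4."
    }

    # Table 8: NoWindowsUpdate = 1. HKLM removes the links; HKCU is what blocks
    # typing the URL, and it applies only to the user running this script.
    foreach ($hive in 'HKLM', 'HKCU') {
        $explorerKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $results += Test-PolicyValue -Key $explorerKey -Name 'NoWindowsUpdate' -Expected 1
    }
    return $results
}

Get-WsusClientPolicyCompliance |
    Sort-Object Compliant, Name |
    Format-Table Name, Expected, Actual, Compliant, Key -AutoSize
```

Run it in the context of the user whose HKEY_CURRENT_USER subkey is to be checked; the HKEY_LOCAL_MACHINE rows are the same for every user of the computer.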
4.3.3 Configuring Background Intelligent Transfer Service
Background Intelligent Transfer Service (BITS) is used by the WSUS 3.0 server and client to download updates by using idle bandwidth. BITS calculates how much idle bandwidth to use by monitoring the network traffic on the computer's local NIC, and using only the idle portion of the available bandwidth for downloading updates.
However, BITS is only aware of the network bandwidth conditions on the computer's local NIC; BITS is not aware of the network conditions beyond the computer itself. If the computer is connected to the network using a fast Ethernet link, but is downloading updates using BITS from a computer on the other side of a slow WAN link, such as a 56 Kbps link, BITS may use too much of the bandwidth on the WAN link, potentially causing bandwidth related problems. This is because BITS is not aware of the speed or bandwidth utilisation of the WAN link.
BITS 2.0 can be configured to ensure a client uses no more than a defined amount of bandwidth, through bandwidth limitation policies. BITS 2.0 is installed on Windows XP SP2. On Windows 2000 Professional SP4, BITS is upgraded to BITS 2.0 when the client first connects to the WSUS 3.0 server. BITS 3.0 is part of the Windows Vista operating system and includes additional features not included in earlier versions of BITS, namely peer-caching.
Warning
Be aware that when implementing BITS bandwidth limitation policies, all applications that utilise BITS will be affected by the policy.
Bandwidth limitation policies are implemented through Group Policy or registry entries and limit the amount of bandwidth that BITS is allowed to use. If bandwidth limitation policies are not implemented, BITS may consume large amounts of WAN bandwidth.
Recommendation
When clients download updates from a WSUS 3.0 server across a WAN link, it is recommended that appropriate BITS bandwidth limitation policies are implemented.
Note
Though BITS bandwidth limitation policies are of most use in environments where WSUS clients download updates across WAN links, it may still be advantageous to set applicable settings in LAN environments. Determine the maximum amount of bandwidth that WSUS clients can use without adversely affecting LAN performance, and apply the settings accordingly.
4.3.3.1 Upgrading to BITS 2.0
The bandwidth limitation features mentioned above were introduced with BITS 2.0. Windows Vista and Windows XP SP2 already include versions of BITS that support bandwidth limitation. Windows 2000 Professional SP4 will need to be updated before it can take advantage of these features.
To verify the version of BITS installed:
1. Open Windows Explorer and locate qmgr.dll in the %systemroot%\system32 folder.
2. Right-click the file and select Properties.
3. Click the Version tab.
4. Check the version number and compare with the values in Table 9.
5. Check for the existence of qmgr.dll in the %systemroot%\system32\BITS folder. If the file exists in this location, repeat the preceding steps and use the DLL with the highest version number.
Table 9 can be used to determine the installed version of BITS.
| BITS Version | QMgr.dll File Version Number |
|---|---|
| BITS 3.0 | 7.0.xxxx.xxxx |
| BITS 2.5 | 6.7.xxxx.xxxx |
| BITS 2.0 | 6.6.xxxx.xxxx |
| BITS 1.5 | 6.5.xxxx.xxxx |
| BITS 1.2 | 6.2.xxxx.xxxx |
| BITS 1.0 | 6.0.xxxx.xxxx |
Table 9: Determine BITS Versions
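Steps 1 to 5 and the Table 9 lookup can be scripted for use across many clients. The function below is an added example, not code from this guide; it assumes only the two qmgr.dll locations named in the procedure, and the function name is the example's own.

```powershell
# Added example (not from the original guide): automates steps 1 to 5 of
# section 4.3.3.1 and the Table 9 lookup. Both qmgr.dll locations are checked
# and the highest file version wins, as step 5 instructs.
$bitsVersionByQmgr = @{   # Table 9: qmgr.dll major.minor -> BITS version
    '7.0' = 'BITS 3.0'
    '6.7' = 'BITS 2.5'
    '6.6' = 'BITS 2.0'
    '6.5' = 'BITS 1.5'
    '6.2' = 'BITS 1.2'
    '6.0' = 'BITS 1.0'
}

function Get-InstalledBitsVersion {
    $candidates = @(
        (Join-Path $env:SystemRoot 'system32\qmgr.dll'),
        (Join-Path $env:SystemRoot 'system32\BITS\qmgr.dll')
    )
    $bestPath = $null
    $bestVersion = $null
    foreach ($path in $candidates) {
        if (-not (Test-Path $path)) { continue }
        $info = (Get-Item $path).VersionInfo
        # Use the numeric parts rather than the FileVersion string, which may
        # carry a trailing build tag that does not parse as a version.
        $version = New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
        if ($null -eq $bestVersion -or $version -gt $bestVersion) {
            $bestPath = $path
            $bestVersion = $version
        }
    }
    if ($null -eq $bestVersion) {
        throw 'qmgr.dll not found in either location; BITS does not appear to be installed.'
    }
    $key = '{0}.{1}' -f $bestVersion.Major, $bestVersion.Minor
    if ($bitsVersionByQmgr.ContainsKey($key)) { $name = $bitsVersionByQmgr[$key] }
    else { $name = "Unknown (qmgr.dll $key is not listed in Table 9)" }
    New-Object PSObject -Property @{
        Path        = $bestPath
        FileVersion = $bestVersion.ToString()
        BitsVersion = $name
        # Bandwidth limitation (section 4.3.3) needs BITS 2.0 or later, i.e. qmgr.dll 6.6 or higher.
        SupportsBandwidthLimitation = ($bestVersion -ge (New-Object System.Version -ArgumentList 6, 6, 0, 0))
    }
}

Get-InstalledBitsVersion | Format-List Path, FileVersion, BitsVersion, SupportsBandwidthLimitation
```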
Recommendation
It is recommended that the latest update for the Microsoft Installer be installed, which can help to reduce download sizes. This update is included in Windows Vista, but will need to be installed on Windows XP SP2 and Windows 2000 Professional SP4 to take advantage of this improved functionality.
The updates for BITS and the Windows Installer are automatically approved for installation by WSUS 3.0. This means no configuration changes need to be made. The first time a client connects to a WSUS 3.0 server it will download and install these updates before downloading any further updates. This ensures that any updates that are downloaded after BITS have been upgraded to version 2.0 can take advantage of any previously configured BITS bandwidth policies. The updates are:
• Microsoft Windows Installer 3.1 (KB893803)13
• Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)14
13 Windows Installer 3.1 v2 (3.1.4000.2435) {R9}: http://support.microsoft.com/kb/893803/
4.3.3.2 Configuring BITS Bandwidth Limitation in an Active Directory Environment
There are two Group Policy settings in the computer configuration component of a GPO that can be used for configuring BITS. These settings can be found in the following Group Policy location: Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service.
In this section, Table 10 lists all the available settings, and provides a brief description and the recommendation for each setting. Table 11 details the recommended properties for the GPO. For more information on each Group Policy setting, refer to the Explain tab of the setting within the Group Policy MMC.
Note
It is not necessary to create a new policy to apply these settings. These settings can be included in the GPO that is used to configure Automatic Updates settings, or any other GPO that applies computer configuration settings to the relevant computers.
Table 10 lists the available BITS settings in the computer configuration component of a GPO, and provides a recommendation for each setting.
| Setting | Recommendation |
|---|---|
| Maximum network bandwidth that BITS uses15 | Enabled |
| Limit BITS transfer rate (Kbps) to | 10 |
| From | 8 AM |
| to | 5 PM |
| OR Limit BITS transfer rate (Kbps) to | 20 |
| Timeout (days) for inactive jobs16 | Not Configured |
Table 10: BITS GPO Settings
Table 11 details the properties of the recommended BITS settings GPO:
| Property | Settings |
|---|---|
| Block Inheritance | Unchecked |
| Enforced (No Override) | Unchecked |
| GPO Status | User Configuration Settings Disabled |
| Permissions17 | Authenticated User: Read & Apply Group Policy |
| | Creator Owner: (none explicitly set) |
| | Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects |
| | Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects |
| | System: Read, Write, Create All Child Objects, and Delete All Child Objects |
Table 11: BITS GPO Properties
14 An update package that includes BITS 2.0 and WinHTTP 5.1 is available for Windows Server 2003, for Windows XP, and for Windows 2000 {R10}: http://support.microsoft.com/kb/842773/
15 The minimum operating system requirement for this setting is Microsoft Windows XP SP2, or computers with BITS 2.0 installed
16 The minimum operating system requirement for this setting is Microsoft Windows XP or Windows Server 2003, or computers with BITS 1.5 installed
17 All permissions detailed here are Allow permissions unless stated otherwise
4.3.3.3 Configuring BITS Bandwidth Limitations in a Non-Active Directory Environment
In a non-Active Directory environment there are a number of options available for configuring BITS. The following options exist:
• Using the Group Policy Object Editor and editing the Local Group Policy object
• Editing the registry directly by using the registry editor (Regedit.exe)
• Deploying registry entries centrally by using some other automated method
When editing the Local Group Policy object, the available settings are the same as those mentioned in section 4.3.3.2. Refer to section 4.3.3.2 for more information on the available options and the recommended settings.
To configure BITS by editing the registry, modify the key detailed in this section by either manually editing the registry or by using some other automated method.
The registry entries are located in the following subkey:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
Table 12 details all the available entries for BITS 2.0, their possible and recommended values, and their data types.
| Entry Name | Possible Values | Recommended Values | Data Type |
|---|---|---|---|
| EnableBITSMaxBandwidth | 0 = BITS imposes no limit on bandwidth of background jobs; 1 = BITS limits bandwidth of background jobs | 1 | REG_DWORD |
| MaxBandwidthValidFrom | Range = n; where n = the time of day in 24-hour format (0-23). If missing or invalid, '8' is assumed | 8 | REG_DWORD |
| MaxBandwidthValidTo | Range = n; where n = the time of day in 24-hour format (0-23). If missing or invalid, '18' is assumed | 17 | REG_DWORD |
| MaxTransferRateOffSchedule | Range = n; where n = the maximum rate, measured in kilobits per second (0x0-0xffffffff). 0xffffffff is interpreted as 'unlimited'. If the key is not present or invalid, 'unlimited' is assumed. This value is ignored if UseSystemMaximum is nonzero | 20 | REG_DWORD |
| MaxTransferRateOnSchedule | Range = n; where n = the maximum rate, measured in kilobits per second (0x0-0xffffffff). 0xffffffff is interpreted as 'unlimited'. If the key is not present or invalid, 50 kbps is assumed | 10 | REG_DWORD |
| UseSystemMaximum | 0 = The off-schedule maximum is read from MaxTransferRateOffSchedule; Any other value means the off-schedule maximum is unlimited | 0 | REG_DWORD |
Table 12: BITS 2.0 Registry Settings
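The "other automated method" for a non-domain computer can be a PowerShell script that writes the Table 12 values and reads them back. The script below is an added example, not code from this guide; it uses only the subkey and entry names given above, and the function names are the example's own.

```powershell
# Added example (not from the original guide): apply the recommended BITS 2.0
# bandwidth limitation values of Table 12 to the policy subkey from section
# 4.3.3.3 on a computer that is not in an Active Directory domain, then read
# the values back. As the Warning in section 4.3.3 notes, every application
# using BITS on the computer is limited by these values, not just WSUS.
$bitsKey = 'HKLM:\Software\Policies\Microsoft\Windows\BITS'

# Table 12 recommended values (all REG_DWORD); they mirror Table 10:
# 10 Kbps between 08:00 and 17:00, 20 Kbps outside that window.
$recommended = @{
    'EnableBITSMaxBandwidth'     = 1    # 1 = BITS limits bandwidth of background jobs
    'MaxBandwidthValidFrom'      = 8    # start of the on-schedule window, 24-hour clock
    'MaxBandwidthValidTo'        = 17   # end of the on-schedule window
    'MaxTransferRateOnSchedule'  = 10   # Kbps inside the window
    'MaxTransferRateOffSchedule' = 20   # Kbps outside the window
    'UseSystemMaximum'           = 0    # 0 = off-schedule maximum read from MaxTransferRateOffSchedule
}

function Set-BitsBandwidthPolicy {
    param([hashtable]$Values, [string]$Key = $bitsKey)
    # Range checks taken from the Possible Values column of Table 12.
    foreach ($n in 'MaxBandwidthValidFrom', 'MaxBandwidthValidTo') {
        if ($Values[$n] -lt 0 -or $Values[$n] -gt 23) { throw "$n must be 0-23 (got $($Values[$n]))" }
    }
    foreach ($n in 'MaxTransferRateOnSchedule', 'MaxTransferRateOffSchedule') {
        if ($Values[$n] -lt 0) { throw "$n must be 0x0-0xffffffff (got $($Values[$n]))" }
    }
    if ($Values['UseSystemMaximum'] -ne 0) {
        Write-Warning 'UseSystemMaximum is nonzero: MaxTransferRateOffSchedule is ignored and the off-schedule rate is unlimited.'
    }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        Set-ItemProperty -Path $Key -Name $name -Value ([int]$Values[$name]) -Type DWord
    }
}

function Get-BitsBandwidthPolicy {
    # Reads the six Table 12 entries back, reporting absent ones as Not Configured.
    param([string]$Key = $bitsKey)
    $item = $null
    if (Test-Path $Key) { $item = Get-ItemProperty -Path $Key }
    foreach ($name in ($recommended.Keys | Sort-Object)) {
        $actual = if ($item -and ($null -ne $item.PSObject.Properties[$name])) { $item.$name } else { 'Not Configured' }
        New-Object PSObject -Property @{
            Name        = $name
            Recommended = $recommended[$name]
            Actual      = $actual
        }
    }
}

# Requires local administrator rights because it writes under HKEY_LOCAL_MACHINE.
Set-BitsBandwidthPolicy -Values $recommended
Get-BitsBandwidthPolicy | Format-Table Name, Recommended, Actual -AutoSize
```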
4.3.3.4 Configuring BITS Peer Caching on Windows Vista
Peer caching is a new feature of BITS 3.0 that allows peers (computers within the same subnet of a network that have the peer caching feature enabled) to share files. If peer caching is enabled on a computer, the Automatic Update agent instructs BITS to make downloaded files available to that computer's peers as well.
When the files have been downloaded, BITS caches them. When another (peer caching-enabled) computer tries to download the same update, BITS on that computer sends a multicast request to all of that computer's peers. If one or more of the peers responds to the request, BITS will download the file from the first computer to respond. If the download from the peer fails or takes too long, BITS continues the download from the WSUS server or Microsoft Update.
This feature of BITS can optimise the bandwidth used by WSUS 3.0 in several ways:
• Peer caching decreases the amount of data transferred from the WSUS 3.0 server to its clients, because computers in the same subnet will usually download the updates from each other.
• Peer caching decreases the amount of data transferred across the WAN when some or all of the clients are located at different sites to the WSUS 3.0 server.
• Peer caching decreases the amount of data transferred across the Internet if WSUS 3.0 clients in the same subnet are configured to download updates from Microsoft Update.
Note
BITS peer caching requires computers to be running Windows Vista, and to be part of an Active Directory domain. For more information about peer caching and peer servers, see Peer Caching18.
There are four Group Policy settings in the computer configuration component of a GPO that can be used for configuring peer caching. These settings can be found in the following Group Policy location: Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service.
In this section, Table 13 lists all the available settings, providing a brief description and the recommendation for each setting. Table 14 details the recommended properties for the GPO. For more information on each Group Policy setting, refer to the Explain tab of the setting within the Group Policy MMC.
Note
It is not necessary to create a new policy to apply these settings. These settings can be included in the GPO that is used to configure Automatic Updates settings, or any other GPO that applies computer configuration settings to the relevant computers.
Table 13 lists the available peer caching settings in the computer configuration component of a GPO, and provides a recommendation for each setting.
| Setting | Recommendation |
|---|---|
| Allow BITS Peercaching | Enabled |
| Limit age of items in the BITS Peercache | Not Configured (uses the default value of 90 days) |
| Limit the BITS Peercache size | Not Configured (uses the default value of 5% of disk space) |
| Maximum network bandwidth used for Peercaching | Not Configured (uses the default value of 104857bps) |
Table 13: Peer Caching GPO Settings
18 Peer Caching {R11}: http://go.microsoft.com/fwlink/?LinkId=79432
Windows Server Update Services 3.0Version 1.0.0.0
Table 14 details the properties of the recommended Peer Caching
Property Settings
Block Inheritance Unchecked
Enforced (No Override) Unchecked
GPO Status User Configuration Settings
Permissions19 Authenticated User:
Creator Owner: (none explicitly set)
Domain Admins (DomainNameChild Objects
Enterprise Admins (DomainNameDelete All Child Objects
System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 14: Peer Caching GPO Properties
4.3.4 Roaming Clients
This section lists a couple of possible ways tobetween locations in a healthcare organisation
4.3.4.1 Remote Storage
A centrally located WSUS 3.0 server configured to use remote storage is one solution for providing updates to roaming clients. The roaming clients server across the network or via dialup/Vclients would then retrieve the actual update files directly from Microsoft Update
4.3.4.2 DNS Netmask Ordering
The DNS Netmask Ordering function in Windows Server 2003 allows roaming WSUS be directed to the closest WSUS multiple WSUS 3.0 servers – preferably adownstream replica WSUS 3.0 host records in DNS with the same fullyDNS and WSUS 3.0 are correctly configured, all name resolution requests for will return an IP address on the client’s subnet. If a local WSUS Round Robin will choose one at random. More information about DNS Netmask Ordering and Round Robin, see How DNS Works
19 All permissions detailed here are All
Properties of the recommended Peer Caching settings GPO:
Unchecked
Unchecked
User Configuration Settings Disabled
Authenticated User: Read & Apply Group Policy
Creator Owner: (none explicitly set)
Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
Read, Write, Create All Child Objects, and Delete All Child Objects
All permissions detailed here are Allow permissions unless stated otherwise.

Roaming Clients
There are a couple of possible ways to keep mobile computers updated when they roam a healthcare organisation’s network, and onto the public Internet.

Remote Storage
A centrally located WSUS 3.0 server configured to use remote storage is one solution for providing updates to roaming clients. The roaming clients would always connect to the same WSUS 3.0 server, either directly or via dialup/Virtual Private Network (VPN), to get update approvals. The clients would then retrieve the actual update files directly from Microsoft Update.

DNS Netmask Ordering
The DNS Netmask Ordering function in Windows Server 2003 allows roaming WSUS 3.0 clients to connect to a local WSUS 3.0 server (based on IP subnet). This type of design implies several WSUS 3.0 servers, preferably an upstream WSUS 3.0 server at the network hub, and downstream WSUS 3.0 servers in other locations. All of the WSUS 3.0 servers must have records in DNS with the same fully-qualified domain name, but different IP addresses. Once the WSUS 3.0 servers and their DNS records are correctly configured, all name resolution requests for that name will return an IP address on the client’s subnet. If a local WSUS 3.0 server does not exist, DNS Round Robin will choose one at random. More information about DNS Netmask Ordering and DNS Round Robin can be found in How DNS Works20.

20 How DNS Works {R12}: http://technet2.microsoft.com/WindowsServer/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true
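The netmask-ordering behaviour described above, modelled as an added example (this is not code from the guide; the FQDN, the server addresses and the assumed /24 mask are constructed so that it runs offline):

```python
# Added example, not code from the WSUS 3.0 Operations Guide: a small model of how
# DNS Netmask Ordering selects a WSUS 3.0 server for a roaming client when every
# server is registered under one FQDN with a different A record.
import ipaddress
import random
from typing import Dict, List, Optional

# Constructed data: one shared FQDN, one A record per WSUS 3.0 server
# (hub server plus a downstream server at each site).
WSUS_FQDN = "wsus.example.invalid"                   # placeholder, not from the guide
WSUS_A_RECORDS = ["10.1.0.10", "10.2.0.10", "10.3.0.10"]

# Netmask ordering compares the client address with each A record under a mask;
# a /24 mask is assumed here (the DNS server's mask is configurable).
NETMASK_PREFIX = 24


def same_subnet(client_ip: str, record_ip: str, prefixlen: int = NETMASK_PREFIX) -> bool:
    """True when the client and the A record fall in the same /prefixlen network."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(record_ip) in client_net


def local_records(client_ip: str, records: List[str],
                  prefixlen: int = NETMASK_PREFIX) -> List[str]:
    """A records that netmask ordering places at the top of the answer."""
    return [r for r in records if same_subnet(client_ip, r, prefixlen)]


def resolve_wsus(client_ip: str, records: List[str],
                 rng: Optional[random.Random] = None,
                 prefixlen: int = NETMASK_PREFIX) -> str:
    """Address the roaming client will use for the shared WSUS FQDN.

    An on-subnet record is returned first. When no local server exists, DNS
    round robin hands out the records in rotation, which this model approximates
    with a random choice (pass a seeded rng for repeatable results).
    """
    if not records:
        raise ValueError(f"no A records registered for {WSUS_FQDN}")
    local = local_records(client_ip, records, prefixlen)
    if local:
        return local[0]
    rng = rng or random.Random()
    return rng.choice(records)


def site_report(client_ips: List[str], records: List[str], seed: int = 0) -> Dict[str, str]:
    """Map each client address to the server it would reach; a quick way to check
    that every site with a downstream server really keeps its clients local."""
    rng = random.Random(seed)
    return {ip: resolve_wsus(ip, records, rng) for ip in client_ips}


if __name__ == "__main__":
    # The last client sits on a subnet with no WSUS 3.0 server of its own.
    clients = ["10.1.0.25", "10.2.0.77", "10.9.0.5"]
    for ip, server in site_report(clients, WSUS_A_RECORDS).items():
        how = "local server" if same_subnet(ip, server) else "round robin, no local server"
        print(f"{ip} -> {server} ({how})")
```

Changing the prefix length shows why the mask matters: with a /16 a client on 10.2.5.x still reaches 10.2.0.10, whereas with the default /24 it falls back to round robin.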
5 OPERATE
During the Operate phase, the deployed solution components are proactively managed to ensure they provide the required levels of solution reliability, availability, supportability, and manageability.
Figure 5 acts as a high-level checklist, illustrating the critical components which an IT professional is responsible for ensuring, in a managed and operational WSUS 3.0 solution.
Figure 5: Sequence for Operating WSUS 3.0

5.1 Managing WSUS 3.0
This section provides information on the various tasks required for the management of a WSUS 3.0 server, and how to perform these tasks.

5.1.1 Managing Computers and Computer Groups
The Computers node in the WSUS 3.0 console is used for the administration of computers and computer groups. This section provides the information and procedures for viewing and managing computers and computer groups.

5.1.1.1 Viewing Computers and Computer Groups
When viewing computers and computer groups it is possible to perform a number of actions:
• View the members of a specific group
• View properties for individual computers including: computer group membership, IP address, operating system, service pack, operating system language, last status report date and time, last contacted date and time, hardware information and status information
This information is useful when troubleshooting issues with WSUS 3.0 clients, as it shows important information, such as the last status report date and time.
To view computers and computer groups:
1. Open the WSUS 3.0 console, expand the <servername> node, and expand the Computers node.
2. Expand the All Computers node and then click All Computers. From there it is possible to perform the following tasks:
• To view the members of a specific group: under the All Computers node, click the appropriate group. The members of the group will be displayed in the centre pane.
• To view properties of an individual computer: in the centre pane, select the appropriate computer. The computer properties will be displayed in the lower part of the centre pane.

5.1.1.2 Managing Computer Groups
The following tasks, covered in this section, are available for managing WSUS 3.0 computer groups:
• Create a computer group
• Remove a computer group
Note
If client-side targeting is used, computer groups must be manually pre-created in the WSUS 3.0 administration console. Clients will not be able to add themselves to the groups until this task has been performed. For more information on client-side targeting, see section 4.1.3.2.
To create a computer group:
1. Open the WSUS 3.0 console and navigate to the All Computers node, under the Computers node.
2. In the right pane, click Add Computer Group.
3. In the Add Computer Group dialog box, type a name for the computer group and click Add.
Recommendation
Consider the naming of computer groups and organisation of computers into groups carefully. Attempt to mirror how computers are organised in the healthcare organisation’s network environment, whilst also organising computers into groups based on the updates they require. This will help to simplify administration.
To remove a computer group:
1. Open the WSUS 3.0 console and navigate to the All Computers node, under the Computers node.
2. In the left pane, under the All Computers node, right-click the group to be removed, and select Delete.
• If the computer group being deleted contains no computers, it will be deleted immediately with no additional dialog boxes.
• If the computer group being deleted contains computer members, the following dialog box will be displayed:
3. Select the desired option to determine what happens to the members of the group and click Remove.
Note
It is not possible to remove the Unassigned Computers or All Computers groups. Every client computer remains a member of the All Computers group in addition to any group it is assigned to. Client computers are members of the Unassigned Computers group only until they are assigned to a computer group. If the option Remove the computers from this WSUS server is selected, the computer accounts will be deleted and it will no longer be possible to manage update distribution for the client computers that were members of the deleted group, nor will these clients be able to receive updates from the WSUS 3.0 server.
However, if the client is still configured to connect to the WSUS 3.0 server, it will re-create its computer account in the WSUS 3.0 database the next time it communicates with the server and will be able to receive updates that are approved for the All Computers group. Additionally, if client-side targeting is being used and the deleted group was the computer’s configured group, the computer account will not be re-created. If the deleted group was not the computer’s configured group, the computer account will be re-created and the computer will be added back into its configured group, and will be able to receive updates approved for that group. For more information on client-side targeting, see section 4.1.3.2. If a client should not continue to receive updates, ensure the Automatic Updates settings for WSUS 3.0 are removed from the client, or Automatic Updates is disabled on the client.

5.1.1.3 Managing WSUS 3.0 Client Computers
This section details management operations for computers. The following tasks are available for managing WSUS 3.0 client computers:
• Modify a computer’s group membership (server-side targeting)
• Removing a computer from a WSUS 3.0 server
To modify a computer’s group membership:
1. Open the WSUS 3.0 console and navigate to the All Computers node, under the Computers node.
2. Select the computer or computers, whose group membership needs to be modified, from the centre pane.
3. Right-click the selected computer or computers and select Change Membership.
4. Select the check boxes of the computer groups that the selected computer or computers should be added to. Clear the check boxes of the computer groups that they should be removed from.
5. Click OK.
Note
If the computer is already a member of a computer group, it will now be moved to the newly specified computer group and will no longer be a member of the original computer group. The computer will still be a member of the All Computers group.
To remove a computer from a WSUS 3.0 server:
1. Open the WSUS 3.0 console and navigate to the All Computers node, under the Computers node.
2. Select the computer or computers, which need to be deleted.
3. Right-click the selected computer or computers and select Delete.
4. The Delete Computer dialog box displays. Click Yes to delete the computer or computers.
Note
It will no longer be possible to manage update distribution for the client computer once it is removed from the WSUS 3.0 server, nor will the client be able to receive updates from the WSUS 3.0 server.
However, if the client is still configured to connect to the WSUS 3.0 server, it will re-create its computer account in the WSUS 3.0 database the next time it communicates with the WSUS 3.0 server and will be able to receive updates that are approved for the All Computers group. Additionally, if client-side targeting is being used, the computer will be added back into its configured group and will be able to receive updates that are approved for that group. For more information on client-side targeting, see section 4.1.3.2. If a client should not continue to receive updates, ensure the Automatic Updates settings for WSUS 3.0 are removed from the client, or Automatic Updates is disabled on the client.

5.1.2 Managing Updates
In the Updates node of the WSUS 3.0 console, it is possible to do the following:
• View updates – the update overview displays updates that have been synchronised from the update source to the WSUS 3.0 server and are available for approval
• Filter updates – in the default view, it is possible to filter updates by approval status and installation status. The default filter setting is for unapproved updates that are needed by some clients, or that have had installation failures on some clients. This view can be changed by modifying the approval status and installation status filters, and then clicking Refresh
• Create new update views – new views can be created that filter updates by classification, product, the group for which they have been approved, and synchronisation date
• Search for updates – an individual update or set of updates can be searched for by title, description, Knowledge Base article, or the Microsoft Security Response Center number for the update
• View details, status, and revision history for each update
• Approve updates
• Decline updates
Note
The list of updates can be sorted by clicking the appropriate column heading in the title bar. It is also possible to customise the columns displayed by right-clicking on the column heading, and selecting or clearing the names of the columns required.

5.1.2.1 Viewing Updates
To filter the list of updates displayed on the Updates page:
1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the centre pane next to Approval, select the desired approval status, and next to Status select the desired installation status.
3. Click Refresh.
To create a new update view:
1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the right pane, click New Update View.
3. In the Add Update View dialog box, under Step 1: Select properties, select the properties required for the update view filter:
• Select Updates are in a specific classification to filter on updates belonging to one or more update classifications
• Select Updates are for a specific product to filter on updates for one or more products or product families
• Select Updates are approved for a specific group to filter on updates approved for one or more computer groups
• Select Updates were synchronized within a specific time period to filter on updates synchronised at a specific time
• Select Updates are WSUS updates to filter on WSUS 3.0 updates
4. Under Step 2: Edit the properties (click an underlined value), click the underlined words to pick the values for the selected filter properties.
5. Under Step 3: Specify a name, give the view a unique name.
6. Click OK. The new view will appear in the tree view pane under Updates. It will be displayed, like the standard views, in the centre pane when it is selected.
To search for an update:
1. Select the Updates node (or any node under it).
2. In the Actions pane, click Search.
3. In the Search dialog box, click the Updates tab and type the search criteria. Text from the Title, Description, and Microsoft Knowledge Base (KB) article number fields can be entered as search criteria. Each of these items is a property listed on the Details tab in the update properties.
4. Click Find Now.
To view the properties for an update:
1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates in the centre pane, select an update to view. In the lower part of the centre pane, the following property sections will be displayed:
• The title bar displays the title of the update; for example, Security Update for Windows Media Player 9 (KB911565)
• The Status section displays:
  • The installation status of the update, showing:
    • Computers on which it needs to be installed
    • Computers on which it was installed with errors
    • Computers on which it has been installed or is not applicable
    • Computers that have not reported status for the update
  • General information: KB and MSRC numbers, release date, and so on
• The Description section displays a brief description of the update
• The Additional Details section displays the following information:
  • The installation behaviour of the update (whether or not it is removable, requests a restart, requires user input, or must be installed exclusively)
  • Whether or not the update has Microsoft Software License Terms
  • The products to which the update applies
  • The updates that supersede this update
  • The updates that are superseded by this update
  • The languages supported by the update
  • The update ID
5.1.2.2 Approving Updates for Installation
When an update is approved for installation, the update will be installed on compatible WSUS 3.0 clients in the selected groups the next time they communicate with the WSUS 3.0 server. It is also possible to set a deadline for installation.
Note
The deadline setting forces the update to be installed by a specific date and time. This setting overrides any client settings that allow the install to be prevented, or a reboot postponed. Additionally, a past date can be specified for a deadline, causing the computer to install the update straight after it next checks in with the WSUS 3.0 server and learns of the installation deadline.
Important
It is not possible to set a deadline for installation for an update if user input is required (for example, accepting a licence agreement). If a deadline is set for such an update, the installation will fail. To determine whether or not an update will require user input, check the May request user input field under Installation Information in the update properties for an update. Also check for a message in the Approve Updates dialog box which says "The selected update requires user input and does not support an installation deadline".
Updates will need to be approved for installation on an on-going basis. Most critical and security updates are released on the second Tuesday of each month. However, revisions to updates are released more regularly and may need to be approved. This depends on the Automatic Approval setting: Automatically approve the latest revision of the update. More information on this setting can be found in section 5.1.2.6.
To approve updates:
1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates, select one or more updates to approve. In the Actions pane, select Approve.
3. In the Approve Updates dialog box, select the computer group for which the update or updates will be approved, and click the arrow next to it.
4. Select Approved for Install. To add a deadline, click the arrow next to the selected computer group again and select Deadline.
• One of the standard deadlines (one week, two weeks, one month) can be selected, or to specify a date and time, click Custom.
• If an update needs to be installed as soon as the client computers contact the WSUS 3.0 server, click Custom, and set the date and time to the current date and time, or to one in the past.
5. Click OK. The Approval Progress dialog box will display the progress toward completing the approval.
6. When the approval process is complete, click Close.
5.1.2.3 Approving Updates for Removal
An option exists that allows the uninstalling of updates that have been installed using WSUS 3.0. This option is only available if the update supports removal. It is also possible to set a deadline for removal, including specifying a past date in order to run the approval action as soon as the client next checks in with the WSUS 3.0 server.
Most updates do not support removal. For those that do, this option may provide the ability to roll back an update that has caused some kind of issue in the healthcare organisation's network environment. However, appropriate testing should be performed before approving updates for removal to ensure the un-installation works as expected.
To approve updates for removal:
1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates, select one or more updates that need to be approved for removal. In the Actions pane, click Approve.
3. In the Approve Updates dialog box, select the computer group from which the update needs to be removed, and click the arrow next to it.
4. Select Approved for Removal. To add a deadline, click the arrow next to the selected computer group again and select Deadline.
• One of the standard deadlines (one week, two weeks, one month) can be selected, or to specify a date and time, click Custom.
• If an update needs to be removed as soon as the client computers contact the WSUS 3.0 server, click Custom, and set a date in the past.
5. Click OK. The Approval Progress dialog box will display the progress toward completing the approval.
6. When the process is complete, click Close.
5.1.2.4 Unapproving Updates
It is possible to alter the approval status of an Approved update to Not Approved. This may be necessary if it is decided that an update should no longer be applied, but there is still a need to report client compliance for the update.
To unapprove updates:
1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates, select one or more updates that need to be unapproved. In the Actions pane, click Approve.
3. In the Approve Updates dialog box, select the computer group for which the update needs to be unapproved, and click the arrow next to it.
4. Select Not Approved, and then click OK. The Approval Progress dialog box will display the progress toward completing the approval.
5. When the process is complete, click Close.
5.1.2.5 Declining Updates
When an update is declined, it is removed from the list of available updates. Once an update has been declined, it will only be visible in the updates list if the criteria under View have been selected to show either Declined or All updates.
This option can be useful when it has been determined that a particular update is not suitable for the environment, in order to remove it from the console view.
To decline updates:
1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates, select one or more updates that need to be declined. In the Actions pane, click Decline.
3. In the Decline Updates dialog box, click Yes.
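The approval, removal, unapproval and decline actions of sections 5.1.2.2 to 5.1.2.5 can also be scripted against the WSUS 3.0 administration API. The following Windows PowerShell script is an added example and not part of this guide; it assumes it runs on the WSUS 3.0 server as a WSUS administrator with Windows PowerShell 2.0 or later, and the computer group name and search text are placeholders.

```powershell
# Added example, not from the guide: the console actions of sections 5.1.2.2 to 5.1.2.5
# driven through the WSUS 3.0 administration API (Windows PowerShell 2.0 or later).
# Assumptions: runs on the WSUS 3.0 server as a WSUS administrator; the group name and
# the search text are placeholders for this example.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$wsus        = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$groupName   = 'Test Workstations'             # placeholder: approve to a test group first
$titleFilter = 'Security Update for Windows'   # placeholder: text matched against update titles

# Resolve the computer group by name and fail early rather than act on the wrong group.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { throw "Computer group '$groupName' does not exist on this server." }

function Set-UpdateApproval {
    param(
        $Update,                                                       # an IUpdate object
        [ValidateSet('Install', 'Uninstall', 'NotApproved')][string]$Action,
        $TargetGroup,                                                  # an IComputerTargetGroup
        [datetime]$Deadline                                            # omit for "no deadline"
    )
    if ($Action -eq 'Uninstall' -and -not $Update.UninstallationBehavior.IsSupported) {
        # Same rule as the console: Approved for Removal exists only for updates that support removal.
        Write-Warning "'$($Update.Title)' does not support removal; not approved for removal."
        return $null
    }
    $enum = [Enum]::Parse([Microsoft.UpdateServices.Administration.UpdateApprovalAction], $Action)
    if ($PSBoundParameters.ContainsKey('Deadline')) {
        # The three-argument overload carries the deadline. A date in the past makes the clients
        # act at their next check-in, which is what "set a date in the past" in the console does.
        $approval = $Update.Approve($enum, $TargetGroup, $Deadline)
    } else {
        $approval = $Update.Approve($enum, $TargetGroup)
    }
    Write-Host ("{0,-12} {1} -> {2} (deadline: {3})" -f $Action, $Update.Title, $TargetGroup.Name, $approval.Deadline)
    return $approval
}

# Selecting rows in All Updates: matching titles that are not declined.
$updates = @($wsus.SearchUpdates($titleFilter) | Where-Object { -not $_.IsDeclined })
if ($updates.Count -eq 0) { throw "No update matches '$titleFilter'." }

# 5.1.2.2: approve for installation with the standard one-week deadline.
foreach ($u in $updates) {
    Set-UpdateApproval -Update $u -Action Install -TargetGroup $group -Deadline (Get-Date).AddDays(7)
}

# 5.1.2.3: roll back the first update on the test group as soon as clients contact the server.
$rollback = $updates[0]
Set-UpdateApproval -Update $rollback -Action Uninstall -TargetGroup $group -Deadline (Get-Date).AddDays(-1)

# 5.1.2.4: return it to Not Approved; compliance for the update is still reported.
Set-UpdateApproval -Update $rollback -Action NotApproved -TargetGroup $group

# 5.1.2.5: decline matching updates that are superseded and unapproved everywhere; they then
# disappear from the list unless View is set to show Declined or All updates.
$updates | Where-Object { $_.IsSuperseded -and -not $_.IsApproved } | ForEach-Object {
    $_.Decline()
    Write-Host ("{0,-12} {1}" -f 'Declined', $_.Title)
}
```

The script walks the same update through all four actions on one test group only to show each call; in practice each action is a separate, tested change.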
5.1.2.6 Configuring Automatic Approvals
A WSUS 3.0 server can be configured to automatically approve certain updates for installation. When an update is approved for installation, the update will be available to be installed on a WSUS 3.0 client the next time the client communicates with the WSUS 3.0 server, and determines that the update is required.
Updates can be approved for installation based on products, classifications and computer group membership.
Recommendation
It is recommended that most updates are not automatically approved for installation. Updates should be appropriately tested before they are approved for installation. The exception to this is definition updates. Definition updates for products like Forefront Client Security are updated multiple times in a single day. Forefront Client Security creates its own automatic approval rule for definition updates, which should be left in place.
To configure Automatic Approvals:
1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Automatic Approvals.
3. In the Automatic Approvals dialog box, click the Update Rules tab and click New Rule.
4. In the Add Rule dialog box, under Step 1: Select properties, select whether to use update classifications or products (or both) as criteria.
5. In Step 2: Edit the properties (click an underlined value), click the underlined properties to select the values for the filtered properties of the automatic approval rule.
6. In Step 3: Specify a name, give the rule a unique name.
The Automatic Approvals option also has some additional advanced settings, which are all enabled by default. These additional settings are:
• Automatically approve new revisions of updates that are already approved
• Automatically decline updates when a new revision causes them to expire
• Automatically approve updates to the WSUS product itself
Recommendation
The option to automatically approve the latest revisions of updates should be left enabled. This is because after updates have been approved for installation, minor revisions which might be made will not normally require the same level of testing as the original update.
To configure Advanced options for Automatic Approvals:
1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Automatic Approvals.
3. In the Automatic Approvals dialog box, click the Advanced tab.
4. Select or clear the desired options, and click OK.
5.1.2.7 Microsoft Update Catalog Site
The Microsoft Update Catalog site is the Microsoft location from which additional updates and hardware drivers can be imported. In order to import updates into WSUS 3.0, the Microsoft Update Catalog site must be accessed from a computer that has the WSUS 3.0 console installed.
To access the Microsoft Update Catalog site:
1. Open the WSUS 3.0 console, select the Updates node, and in the Actions pane click Import Updates. An Internet browser window opens the Microsoft Update Catalog Web site.
2. In order to access the updates at this site, the Microsoft Update Catalog ActiveX control must be installed. If prompted to install the ActiveX control, follow the instructions on screen.
3. Browse the site for the desired Windows updates and hardware drivers and select the required updates. The updates are added to a basket.
4. When all the desired updates have been selected, go to the basket and click Import to import the updates. To download the updates without importing them into WSUS 3.0, clear the Import directly into Windows Server Update Services check box.
5.1.2.8 Preloading Updates on a New WSUS 3.0 Server
In order to save on Internet or network bandwidth, it may be prudent to export update metadata and files on an upstream WSUS 3.0 server to removable media. These can then be imported on the new downstream WSUS 3.0 server prior to the first synchronisation taking place. This same procedure can also be used to update a WSUS 3.0 server on a disconnected network.
There are three steps to exporting and then importing updates:
1. Make sure that the options for express installation files and update languages on the exporting server are compatible with the settings on the importing server.
2. Copy updates from the file system of the export server to the file system of the import server.
3. Export update metadata from the database on the export server, and import it into the database on the import server.
If the update metadata and files are to be imported on a downstream replica WSUS 3.0 server, the replica setting needs to be turned off before the import can take place. Once the import is complete, the replica setting can be re-enabled.
To import metadata to a replica server:
1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Update Source and Proxy Server.
3. In the Update Source tab, clear the This server is a replica server of the upstream server check box, and then click OK.
4. Follow the procedures in the rest of this section for exporting and importing metadata, and copying update files.
5. After completing the import, go back to the Update Source tab of the Update Source and Proxy Server option. Select the This server is a replica server of the upstream server check box and click OK to save the setting.
6. Navigate to Synchronizations and select Synchronize Now in the Actions pane.
Make sure that the options for express installation files and languages on the exporting server match the settings on the importing server. If the option for express installation files on the exporting server is not selected, but on the importing server it is selected, then it would not be possible to distribute updates on the importing server, because no express installation files would have been synchronised. A mismatch of language settings can have a similar effect.
There is no need to match the settings for schedule, products and classifications, source, or proxy server. The setting for deferred download of updates has no effect on the importing server.
To ensure that express installation and language options on the exporting server match settings on the importing server:
1. In the WSUS 3.0 console of the exporting server, navigate to Options and then select Update Files and Languages.
2. In the Update Files tab, check the setting for Download express installation files.
3. In the Update Languages tab, check the settings for the update languages.
4. In the WSUS 3.0 console of the importing server, navigate to Options and then select Update Files and Languages.
5. Make sure the settings for Download express installation files and languages options match the selections on the exporting server.
The procedures described below use the Windows Backup or Restore Wizard, but it is possible to use any utility that facilitates the copying of the required data. When the update files are copied to the importing server, the folder structure for all folders under the content directory must be maintained. Make sure that the updates appear in the folder on the importing server that has been designated to store updates; this designation is typically made during the setup process.
To back up updates from the file system of the exporting server to a file:
1. On the exporting WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type ntbackup and click OK.
3. The Backup or Restore Wizard displays. Click the Advanced Mode link.
4. The Backup Utility page displays.
a. Click the Backup tab, and then select the folder where updates are stored on the exporting server. By default, WSUS 3.0 stores updates at WSUSInstallationDrive\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS 3.0 is installed.
b. In the Backup media or file name dialog box, type a path and file name for the backup (.bkf) file.
c. Click Start Backup.
5. The Backup Job Information page displays. Click Start Backup to start the backup operation.
6. Once the backup operation is complete, copy the backup file that was created to the importing server.
To restore updates from a file to the file system of the importing server:
1. On the importing WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type ntbackup and click OK.
3. The Backup or Restore Wizard displays. Click the Advanced Mode link.
4. The Backup Utility page displays.
a. Click the Restore and Manage Media tab, and select the backup file that was created on the exporting server. If the file does not appear, right-click File, and then click Catalog File to add the location of the file.
b. In the Restore files to drop-down box, select Alternate location. This option preserves the folder structure of the updates; all folders and subfolders will appear in the folder designated.
c. Under Alternate location, specify the folder where updates are stored on the importing server. By default, WSUS 3.0 stores updates at WSUSInstallationDrive\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS 3.0 is installed.
d. Click Start Restore. When the Confirm Restore page displays, click OK to start the restore operation.
Only import metadata on the importing server after the update files have been copied. If WSUS 3.0 finds metadata for an update that is not in the file system, the WSUS 3.0 console shows that the update failed to be downloaded.
Export update metadata from the database on the exporting server, and import it into the database on the importing server using the WSUSUtil.exe utility program.
Note
You must be a member of the local Administrators group on the WSUS 3.0 server to export or import metadata; both operations can only be run on a WSUS 3.0 server.
To export metadata from the database of the exporting server:
1. On the exporting WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type cmd and click OK.
3. At the command prompt, change directory to the folder that contains WSUSutil.exe (usually under Program Files\Update Services\Tools):
cd\Program Files\Update Services\Tools
4. Type the following: wsusutil.exe export <packagename> <logfile>
For example: wsusutil.exe export export.cab export.log
The package name (.cab file) and log file name must be unique. WSUSutil.exe creates these two files as it exports metadata from the WSUS 3.0 database.
5. Move the export package that was created to the importing server.
To import metadata to the database of the importing server:
1. On the importing WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type cmd and click OK.
3. At the command prompt, change directory to the folder that contains WSUSutil.exe (usually under Program Files\Update Services\Tools):
cd\Program Files\Update Services\Tools
4. Type the following: wsusutil.exe import <packagename> <logfile>
For example: wsusutil.exe import export.cab import.log
WSUSutil.exe imports the metadata from the exporting server and creates a log file of the operation.
Note
After the metadata has been imported it can take three to four hours for the database to validate content. If the importing server is a downstream replica WSUS 3.0 server, remember to enable the replica setting and then force a synchronisation with the upstream WSUS 3.0 server.
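The preload procedure of section 5.1.2.8 (settings check, file copy, replica flag off, metadata import, replica flag on, synchronisation) can be run unattended on the importing server. The following Windows PowerShell script is an added example, not part of this guide: it assumes the exporting server has already run wsusutil.exe export and that export.cab plus a copy of its WSUSContent folder are on removable media, it uses robocopy in place of the Backup or Restore Wizard, and it assumes the console can reach the exporting server on port 8530 to compare settings; the server name, media path and content folder are placeholders.

```powershell
# Added example, not from the guide: the preload procedure of section 5.1.2.8 run unattended on
# the IMPORTING server with the WSUS 3.0 administration API and wsusutil.exe. Assumptions: the
# exporting server has already run "wsusutil.exe export"; export.cab and a copy of its WSUSContent
# folder are on removable media; robocopy stands in for the Backup or Restore Wizard; the
# exporting server is reachable from this console on port 8530. Names and paths are placeholders.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$exportingServer = 'WSUS-UPSTREAM'          # placeholder: upstream server that ran the export
$mediaPath       = 'E:\wsus-preload'        # placeholder: holds export.cab and WSUSContent\
$contentPath     = 'D:\WSUS\WSUSContent'    # placeholder: this server's designated update folder
$wsusutil        = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'

$local    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$upstream = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($exportingServer, $false, 8530)

# Step 1: express installation files and update languages must match, otherwise the imported
# metadata refers to files the importing server never received.
function Test-PreloadCompatible($src, $dst) {
    $s = $src.GetConfiguration(); $d = $dst.GetConfiguration()
    $ok = $true
    if ($s.DownloadExpressPackages -ne $d.DownloadExpressPackages) {
        Write-Warning 'Download express installation files differs between the two servers.'
        $ok = $false
    }
    $srcLang = (@($s.GetEnabledUpdateLanguages()) | Sort-Object) -join ','
    $dstLang = (@($d.GetEnabledUpdateLanguages()) | Sort-Object) -join ','
    if ($s.AllUpdateLanguagesEnabled -ne $d.AllUpdateLanguagesEnabled -or $srcLang -ne $dstLang) {
        Write-Warning 'Update language selections differ between the two servers.'
        $ok = $false
    }
    return $ok
}
if (-not (Test-PreloadCompatible $upstream $local)) { throw 'Align the settings before importing.' }

# Step 2: copy the update files first, keeping the folder structure under the content directory.
robocopy (Join-Path $mediaPath 'WSUSContent') $contentPath /E /R:2 /W:5 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# A replica server cannot import: clear the flag, import, then restore it and synchronise,
# exactly as the console procedure does by hand.
$config     = $local.GetConfiguration()
$wasReplica = $config.IsReplicaServer
if ($wasReplica) { $config.IsReplicaServer = $false; $config.Save() }
try {
    # Step 3: metadata. Package and log file names must be unique, so stamp the log name.
    $log = Join-Path $mediaPath ('import-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))
    & $wsusutil import (Join-Path $mediaPath 'export.cab') $log
    if ($LASTEXITCODE -ne 0) { throw "wsusutil.exe import failed; see $log" }
}
finally {
    if ($wasReplica) {
        $config.IsReplicaServer = $true
        $config.Save()
        $local.GetSubscription().StartSynchronization()   # the forced synchronisation from the Note
    }
}
```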
5.1.3 Managing Databases
The WSUS 3.0 database stores the metadata that describes each update, WSUS 3.0 server configuration information and information about WSUS 3.0 client computers, updates and client interaction with updates.
Generally, most tasks that are performed to manage the database are performed through the WSUS 3.0 console. There are a few tasks, however, that may need to be performed on the database system itself; these depend on the database system that was chosen for the deployment.
5.1.3.1 Using the Server Cleanup Wizard
The Server Cleanup Wizard is integrated into the WSUS 3.0 console, and can be used to help manage disk storage space. This wizard can do the following things:
• Remove unused updates and update revisions – the wizard will remove all updates and update revisions that have not been approved for thirty days or more
• Delete computers not contacting the server – the wizard will delete all client computers that have not contacted the server in thirty days or more
• Delete unneeded update files – the wizard will delete all update files that are not needed by updates or by downstream servers
• Decline expired updates – the wizard will decline all updates that have been expired by Microsoft
• Decline superseded updates – the wizard will decline all updates that meet all the following criteria:
  • The superseded update is not mandatory
  • The superseded update has been on the server for thirty days or more
  • The superseded update is not currently reported as needed by any client
  • The superseded update has not been explicitly deployed to a computer group for ninety days or more
  • The superseding update must be approved for install to a computer group
Windows Server Update Services 3.0Version 1.0.0.0
Note
If unneeded content is removed with the Server Cleanup Wizard, all the private update files tbeen downloaded from the Microsoft Update be re-imported after running the Server Cleanup Wizard.
To run the Server Cleanup Wizard:
1. Open the WSUS 3.0 console,
2. In the centre pane, click
3. By default this wizard will remove unneeded content and computers that have not contacted the server for 30 days or more. Select all possible options, and click
4. The wizard will begin the cleanup process, and will present a summary when has finished. Click Finish
Note
In some cases, particularly if downstream WSUS 2.0 servers, discrepancies may be seen in update metadata on upstream and downstream servers. If this is the case, the problem can be resolved by running iisreset on the upstream server to refresh the Web cache.
Windows Server Update Services 3.0 Operations Guide 1.0.0.0 Baseline
If unneeded content is removed with the Server Cleanup Wizard, all the private update files tMicrosoft Update Catalog site will be removed as well. These files will need to
imported after running the Server Cleanup Wizard.
To run the Server Cleanup Wizard:
the WSUS 3.0 console, and navigate to the Options node.
click Server Cleanup Wizard.
By default this wizard will remove unneeded content and computers that have not contacted the server for 30 days or more. Select all possible options, and click Next
The wizard will begin the cleanup process, and will present a summary when Finish to close the wizard.
if the Server Cleanup Wizard is run on an upstream WSUS 3.0 server that has SUS 2.0 servers, discrepancies may be seen in update metadata on upstream and
downstream servers. If this is the case, the problem can be resolved by running iisreset on the upstream server to refresh the Web cache.
Prepared by Microsoft
Page 56
If unneeded content is removed with the Server Cleanup Wizard, all the private update files that have ite will be removed as well. These files will need to
By default this wizard will remove unneeded content and computers that have not contacted Next.
The wizard will begin the cleanup process, and will present a summary when the process
the Server Cleanup Wizard is run on an upstream WSUS 3.0 server that has SUS 2.0 servers, discrepancies may be seen in update metadata on upstream and
downstream servers. If this is the case, the problem can be resolved by running iisreset on the upstream
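The same five cleanup actions can also be run without the console, through the WSUS 3.0 administration API, which makes it possible to schedule the cleanup and keep a record of what each run removed. The script below is an added example and is not part of the guide; it assumes it runs on the WSUS 3.0 server as a WSUS administrator, that the Microsoft.UpdateServices.Administration assembly installed with WSUS 3.0 exposes CleanupScope and GetCleanupManager() as described in the WSUS 3.0 SDK, and that the log path is a placeholder.

```powershell
# Added example (not from the guide): the Server Cleanup Wizard's five actions run
# through the WSUS 3.0 administration API so they can be scheduled. Assumes it runs
# on the WSUS 3.0 server as a WSUS administrator; the log path below is assumed.
$logPath = 'C:\WSUS-Cleanup.log'   # assumed location for the audit record

# Load the administration assembly that WSUS 3.0 installs into the GAC.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect to the local WSUS 3.0 server (no arguments = local server, default port).
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# A CleanupScope selects which actions run; these map to the wizard options above.
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.CleanupObsoleteUpdates      = $true   # unused updates and update revisions
$scope.CleanupObsoleteComputers    = $true   # computers not contacting the server
$scope.CleanupUnneededContentFiles = $true   # unneeded update files (imported Catalog files go too)
$scope.DeclineExpiredUpdates       = $true   # updates expired by Microsoft
$scope.DeclineSupersededUpdates    = $true   # superseded updates meeting the criteria above
$scope.CompressUpdates             = $false  # not a wizard option; left off to keep the scope identical

# Run the cleanup. On a large database this takes as long as the wizard does.
$results = $wsus.GetCleanupManager().PerformCleanup($scope)

# CleanupResults says what was removed; record it so the run is auditable.
$summary = ('{0} superseded declined, {1} expired declined, {2} obsolete updates deleted, ' +
            '{3} obsolete computers deleted, {4} bytes of disk space freed') -f
            $results.SupersededUpdatesDeclined, $results.ExpiredUpdatesDeclined,
            $results.ObsoleteUpdatesDeleted, $results.ObsoleteComputersDeleted,
            $results.DiskSpaceFreed
Add-Content -Path $logPath -Value ('{0} {1}' -f (Get-Date -Format 's'), $summary)
Write-Output $summary
```

Private update files imported from the Microsoft Update Catalog are removed by CleanupUnneededContentFiles exactly as the note above describes for the wizard, so the same re-import is needed afterwards.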
5.1.3.2 Reindexing the Database
In order to keep a WSUS 3.0 server functioning correctly, a maintenance plan should be put in place that includes re-indexing the database on a regular basis, preferably at least once a month.
The WsusDBMaintenance.sql script can be downloaded from Re-index the WSUS 3.0 Database {R13}. It allows the re-indexing of the WSUS 3.0 database, regardless of the version of database software, that is, either SQL Server 2005 or Windows Internal Database.
If Windows Internal Database is being used, the sqlcmd utility is required to execute the script. The sqlcmd utility can be downloaded from Feature Pack for Microsoft SQL Server 2005 {R14}. For more information about the sqlcmd utility, see the sqlcmd Utility {R15} Web page.
To use this script with Windows Internal Database, run the following command, where <scriptLocation> is the folder to which the WsusDBMaintenance.sql script has been copied:
sqlcmd -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -i <scriptLocation>\WsusDBMaintenance.sql
5.1.4 Backup and Restore
5.1.4.1 Backing up WSUS 3.0
WSUS 3.0 can be backed up by backup programs that are compatible with Windows Server 2003. As WSUS 3.0 does not provide its own backup tool, backup consists of backing up the file locations where important WSUS 3.0 information is stored.
Recommendation
The WSUS 3.0 server should be backed up on a regular basis. How often the backup is performed depends largely on how much change there is in the environment. For instance, if computer groups are regularly created, or new computers are added to or moved between groups regularly, this information will be lost if the server has not been backed up since the changes were made. The server's configuration, update approval status and reporting information will also be lost if the server has not been backed up since changes have been made. In most environments it is sufficient to back up the server around once a week.
Note
The backup procedures in this section need to be performed manually. However, any automated backup program that has the ability to back up open files, or that uses a SQL Agent, can be used to automatically back up WSUS 3.0. Whatever backup program is used, ensure the folder locations detailed in step 9 of the backup procedure below are selected for backup.
The following information needs to be backed up:
• The WSUS 3.0 database
    ◦ If Windows Internal Database is being used, the database will be located in the <drive>\WSUS\UpdateServicesDbFiles folder
    ◦ If SQL Server 2005 is being used, the database will be located in the <drive>\Program Files\Microsoft SQL Server folder
  Regardless of the database software used, the database contains:
    ◦ Update metadata, including information about updates (for example, properties). Metadata is also where EULAs are stored
21 Re-index the WSUS 3.0 Database {R13}: http://go.microsoft.com/fwlink/?LinkId=87027
22 Feature Pack for Microsoft SQL Server 2005 {R14}: http://go.microsoft.com/fwlink/?LinkId=70728
23 sqlcmd Utility {R15}: http://go.microsoft.com/fwlink/?LinkId=81183
    ◦ WSUS 3.0 server configuration information, which includes all the settings for the WSUS 3.0 server (that is, options that were specified through the WSUS 3.0 console and settings configured by WSUS 3.0 automatically during setup)
    ◦ Information about client computers, updates, and client interaction with updates. This information can be accessed through the WSUS 3.0 console by viewing ‘status’, and by running reports on update status and client computer status
• The folder where the update files are stored – update files are the actual files required to install an update on a computer. By default, update files are stored in the <drive>\WSUS\WSUSContent folder on the WSUS 3.0 server. If remote storage has been utilised (files are stored on Microsoft Update), it is not necessary to back up the update file storage folder on the WSUS 3.0 server
Note
If Microsoft SQL Server 2005 is being used for the database, the SQL administration tools can be used to back up the WSUS 3.0 database information. For more information, refer to the SQL Server TechCenter {R16}. The backup procedures detailed in this document utilise the NT Backup Utility (ntbackup.exe).
To back up a WSUS 3.0 server:
1. On the WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type services.msc and click OK.
3. In the Services console find the Windows Internal Database (MICROSOFT##SSEE) or the MSSQLSERVER service. Right-click the service and select Stop.
4. Next, click Start, and then click Run.
5. In the Run dialog box, type %windir%\system32\ntbackup.exe and click OK.
6. The Backup or Restore Wizard displays. Click Next.
7. The Backup or Restore page displays. Verify that the Back up files and settings option is selected, and click Next.
8. The What to Back Up page displays. Select the Let me choose what to back up option, and click Next.
9. The Items to Back Up page displays. Select the WSUS folder (<drive>\WSUS), and click Next.
10. The Backup Type, Destination, and Name page displays. Click Browse and select a location to store the backup and click Save. Type a name for the backup and click Next.
11. To set advanced options including selecting the type of backup (Normal, Copy, Incremental, Differential, Daily), click Advanced and then follow the instructions in the wizard.
12. When the wizard is finished, click Finish.
13. When the backup is complete, click Close.
14. Restart the service stopped in step 3 above.
24 SQL Server TechCenter – Microsoft SQL Server {R16}: http://technet.microsoft.com/en-gb/library/bb545450.aspx
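A scripted form of the backup procedure above, added here as an example rather than taken from the guide: it stops the database service (step 3), runs ntbackup.exe in its command-line mode against <drive>\WSUS (steps 5 to 13), records a hash of the resulting .bkf so a later restore can check the file has not been altered, and restarts the service in a finally block (step 14) so a failed backup does not leave WSUS down. It assumes WSUS is installed to D:\WSUS, that E:\Backup exists, and Windows Internal Database unless -SqlServer is given.

```powershell
# Added example (not from the guide): steps 3 to 14 of the backup procedure as a
# script. Assumed paths: WSUS root D:\WSUS and backup destination E:\Backup.
param(
    [string]$WsusRoot  = 'D:\WSUS',     # <drive>\WSUS, the folder selected in step 9
    [string]$BackupDir = 'E:\Backup',   # assumed destination for the .bkf file
    [switch]$SqlServer                  # use when SQL Server 2005 holds the database instead of WID
)

# Service to stop (step 3): Windows Internal Database or SQL Server 2005.
$dbService = if ($SqlServer) { 'MSSQLSERVER' } else { 'MSSQL$MICROSOFT##SSEE' }
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$bkfPath   = Join-Path $BackupDir "WSUS-$stamp.bkf"
$ntbackup  = Join-Path $env:windir 'system32\ntbackup.exe'

# Stop the database engine so the .mdf/.ldf files in UpdateServicesDbFiles are closed
# and the copy inside the .bkf is consistent.
Stop-Service -Name $dbService -Force
try {
    # Steps 5 to 13 in ntbackup's command-line mode: back up <drive>\WSUS
    # (UpdateServicesDbFiles and WSUSContent) as a Normal backup (/M, step 11) under a
    # job name (/J) to a file (/F), verifying the media afterwards (/V:yes).
    $cmdLine = 'backup "{0}" /M normal /J "WSUS {1}" /F "{2}" /V:yes' -f $WsusRoot, $stamp, $bkfPath
    $proc = [System.Diagnostics.Process]::Start($ntbackup, $cmdLine)
    $proc.WaitForExit()   # ntbackup is a GUI process, so wait on it explicitly

    # ntbackup's exit code is not a reliable success signal; check the artefact instead.
    if (-not (Test-Path $bkfPath) -or (Get-Item $bkfPath).Length -eq 0) {
        throw "Backup file $bkfPath was not written; check the ntbackup report."
    }

    # Store a SHA-256 of the .bkf beside it so a restore can detect a truncated or
    # altered backup before the database files inside it are trusted.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($bkfPath)
    try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    Set-Content -Path "$bkfPath.sha256" -Value $hash
    Write-Output "Backup written to $bkfPath (SHA-256 $hash)"
}
finally {
    # Step 14: restart the database service whether or not the backup succeeded.
    Start-Service -Name $dbService
}
```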
5.1.4.2 Restoring WSUS 3.0
When restoring a failed WSUS 3.0 server, firstly, re-install WSUS 3.0 to a default configuration choosing the same options during setup as were chosen for the original install. Next, follow the procedure below to restore the database files and content directories. For more information on installing WSUS 3.0, refer to the Windows Server Update Services 3.0 Design Guide {R1}.
To restore a WSUS 3.0 server:
1. On the WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type services.msc and click OK.
3. In the Services console find the Windows Internal Database (MICROSOFT##SSEE) or the MSSQLSERVER service. Right-click the service and select Stop.
4. Next, click Start, and then click Run.
5. In the Run dialog box, type %windir%\system32\ntbackup.exe and click OK.
6. The Backup or Restore Wizard displays. Click Next.
7. The Backup or Restore page displays. Select the Restore files and settings option and click Next.
8. The What to Restore page displays. Click Browse.
9. The Open Backup File dialog box displays. Type the path to the backup file or click Browse to locate the backup file. Click OK.
10. On the What to Restore page, under Items to restore, click to expand the selected backup file. Select the WSUS folder and click Next.
11. To set advanced options (including whether to restore the files or folders to a different location, replace existing files, restore security settings, or specify other options), click Advanced, and then follow the instructions in the wizard.
12. When the wizard is finished, click Finish.
13. When the restore is complete, click Close.
14. Restart the server.
Important
When using a proxy server for synchronisation that requires authentication, it may be necessary to re-type the password following a restore as this information is not backed up.
After restoring the WSUS 3.0 database, the WSUS 3.0 Application Pool in IIS 6.0 must be recycled. This will ensure that the restored database will synchronise correctly with IIS 6.0.
To recycle the WSUS 3.0 Application Pool in IIS:
1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the tree view, expand the tree under the WSUS 3.0 server name, and then expand Application Pools.
3. Right-click WSUSPool, and then click Recycle.
4. Close Internet Information Services (IIS) Manager.
If updates are stored locally on the WSUS 3.0 server, then after restoring the WSUS 3.0 database the update content will also need to be reset. This is done with the wsusutil.exe command-line utility, which ensures that every row of update metadata in the database is matched by the corresponding update files in
the local storage location. If the utility does not find matching data, it will download the update files from Microsoft Update.
To reset update content:
1. Click Start, and then click Run.
2. In the Run dialog box, type cmd and click OK.
3. Type the following command to change directory to the WSUS 3.0 tools folder:
cd \Program Files\Update Services\Tools
4. Type the following command to reset the WSUS 3.0 server:
wsusutil reset
5. Wait until the command returns, and close the command prompt window.
5.1.5 Personalising the WSUS 3.0 Console
Various aspects of the way WSUS 3.0 server information is displayed in the WSUS 3.0 console can be configured. Information from downstream replica servers can be displayed when viewing computer and update status information. Validation errors can be displayed as pop-up windows, and different types of information can be displayed in the computer overview's To Do section.
To display rollup data from downstream replica servers:
1. Open the WSUS 3.0 console, and navigate to the Options node.
2. In the centre pane, click Personalization.
3. In the General tab, select the Include computers and status from replica downstream servers option.
4. Click OK.
Note
Computer and update status will roll up from downstream replica servers only. It is not possible to get rolled-up status from a downstream autonomous server.
To display validation errors as pop-up windows:
1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Personalization.
3. In the General tab, select the Show validation errors as popups check box.
4. Click OK.
Note
If this option is selected, errors will appear as pop-up windows and not as links in the UI.
To display different information in the To Do section:
1. Open the WSUS 3.0 console, and navigate to the Options node.
2. In the centre pane, click Personalization.
3. Click the To Do List tab, and select one or more of the following options:
• Computers have not reported status for more than 30 days
• WSUS updates are waiting to be approved for install
• Critical updates are waiting to be approved for install
• Computers have requested nonexistent computer groups
• The server database is almost full
• SSL is not enabled
• New products and new classifications have been added in the past 30 days
• Update file languages are enabled on this server, but are no longer supported by the upstream server
4. Click OK.
5.2 WSUS 3.0 Reporting
Reports are an important part of managing WSUS 3.0. Nearly every aspect of the WSUS 3.0 environment can be kept track of by means of reports. The most important kinds of reports are:
• Summary compliance reports (the number of computers that need to install updates and the number of updates missing from computers). These reports can be generated from the root node of the WSUS administration console
• Individual computer reports. These reports can be generated by right-clicking the computer in the Details pane
• Individual update reports. These reports can be generated by right-clicking the update in the Details pane
• Downstream server summary compliance reports. These reports can be generated by right-clicking the server in the Details pane
• Synchronisation reports. These reports can be generated by right-clicking the synchronisation in the Details pane
Note
Generating detailed reports for large numbers of computers and/or updates can be memory-intensive. Detailed reports are most effective for smaller subsets of computers or updates. If there is a need to create a very large report and there are concerns about using CPU and memory resources on the WSUS 3.0 server, then generate the report from a remote WSUS 3.0 console.
5.2.1 Using Reporting
Three kinds of reports can be generated, as described in Table 15:
| Report Type | Function |
| Update Reports | View update status |
| Computer Reports | View computer status |
| Synchronisation Reports | View the results of the last synchronisation |
Table 15: WSUS 3.0 Report Types
5.2.1.1 Update Reports
Update reports show the status of updates. The report can be viewed in three ways: summary, detailed, and tabular. The report can also be filtered by update classification, product, target computer group, or update installation status. The report displays information from the most recent contact between WSUS 3.0 clients and the WSUS 3.0 server.
To run an update report:
1. Open the WSUS 3.0 console, and click the Reports node.
2. In the Reports pane, click Update Status Summary. This will provide an overview update report.
3. In the Updates Report window the updates can be configured by classification, product, computer group, or update installation status.
4. Click Run Report.
The Update Status Summary view contains the elements listed in Table 16:
| Column Name | Description |
| Updates Report tree view | The tree listing all the updates in the report |
| Title | The title of the update |
| Description | The description of the update |
| Classification | The classification of the update |
| Products | The products to which the update applies |
| MSRC Severity Rating | Microsoft Security Response Center rating |
| MSRC Number | Microsoft Security Response Center identification number |
| More Information | Redirection to the relevant Web site |
| Approval Summary for Computer Group | The listing of groups and approvals |
| Group | The computer group |
| Approval | Approval status (Approved, Not approved, Declined) |
| Deadline | The date by which the update must be installed |
| Administrator | The administrative action |
Table 16: Description of Elements Displayed in the Update Status Summary View
The view of an Update Status Summary report can be changed to a detailed view or a tabular view by clicking Report View in the Updates Report toolbar.
5.2.1.2 Computer Reports
The Computer Reports provide an update status summary for the specified computers.
To run a computer report:
1. Open the WSUS 3.0 console, and click the Reports node.
2. In the Reports pane, click Computer Status Summary. This will provide an overview computer report.
3. In the Computers Report window, the updates can be configured by classification, product, computer group, or update installation status.
4. Click Run Report.
The Computer Reports can be reformatted to summary, detailed, and tabular views, as with the Update Reports.
5.2.1.3 Synchronisation Report
The Synchronisation Results report provides synchronisation information about a WSUS 3.0 server for a given time period, including errors that occurred during synchronisation and a list of new updates. In addition, it provides general, status, and revision information for each new update.
To run a synchronisation results report:
1. Open the WSUS 3.0 console, and click the Reports node.
2. On the Reports pane, click Synchronization Results. By default, the report shows any synchronisations done today.
3. To change the synchronisation period for the report, in the Synchronization Report window, click Between these dates and specify the dates to include in the report.
4. Click Run Report.
The report has five components, which are described in Table 17:
| Component Name | Purpose |
| Report Options | Shows the start and end dates of the period shown in the report, as well as the date of the report and the server for which the report was made |
| Synchronisation Summary | Displays summary information of the numbers of new, revised, and expired updates in each synchronisation |
| New Updates | Displays the new updates that have been synchronised to the WSUS server during the report's time period. The properties for each update can be viewed by clicking the update. An update status report will be generated for that individual update |
| Revised Updates | Displays the revised updates that have been synchronised to the WSUS server during the report's time period. The properties for each update can be viewed by clicking the update. An update status report will be generated for that individual update |
| Expired Updates | Displays the updates that have been expired during the report's time period |
Table 17: Components of Synchronization Results Report
5.2.1.4 Printing the Report
A report can be printed in summary, detailed, or tabular views, depending on how the report has been formatted.

To print the report:
1. On the Updates Report toolbar, click the printer icon.
2. In the Print dialog box, select the desired options and click Print.

5.2.1.5 Exporting the Report
A report can be exported to Microsoft Office Excel® or PDF formats.

Note
Exporting a large report can be extremely time-consuming. If a report is to be exported, consider limiting the size to 200 pages or fewer. Different filters can be used to reduce the size of the report, or the tabular format can be chosen, rather than the detailed format, to reduce the number of pages to export.

To export a report to Excel or PDF format:
1. Run the report that is to be exported.
2. On the Updates Report toolbar, click the down arrow associated with the Save icon.
3. Two options will be displayed: Excel and Acrobat (PDF) file. Select one of the options.

5.2.1.6 Extending Reports
WSUS 3.0 reports can be customised in different ways:
• Using the WSUS 3.0 APIs to create a custom report
• Using WSUS 3.0 public views to create and extend custom reports

5.2.1.7 Use WSUS 3.0 APIs to Create Custom Reports
For more information on WSUS 3.0 APIs, see the Windows Server Update Services SDK[25] documentation on MSDN. These APIs can be used to create reports on updates, approvals, installation information, and so on.

5.2.1.8 Use WSUS Public Views to Create Custom Reports
For more information on public views, as well as sample queries, see the Using WSUS Views[26] documentation on MSDN.

If SQL Server 2005 is being used as the database software for WSUS 3.0, the SQL Server 2005 Report Builder can be used to generate custom reports using the public views. Alternatively, the views can be accessed from the command line. If Windows Internal Database is being used as the database software for WSUS 3.0, it can be accessed via the command line using the Microsoft SQL Server 2005 Command Line Query Utility and the SQL Native Client, which are part of the Feature Pack for Microsoft SQL Server 2005 {R14}.

25 Windows Server Update Services SDK {R17}: http://go.microsoft.com/fwlink/?LinkId=85713
26 Using WSUS Views {R18}: http://msdn2.microsoft.com/en-gb/library/bb410149.aspx
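The two customisation routes described in sections 5.2.1.7 and 5.2.1.8, as an added example (this is not code from the Operations Guide or from the WSUS SDK): the first two functions rebuild the figures of the Synchronization Results report (Table 17) and a per-group installation status through the WSUS 3.0 API; the last one runs a query against the public views with sqlcmd. It assumes the WSUS 3.0 administration console is installed locally (it supplies Microsoft.UpdateServices.Administration.dll), PowerShell 2.0, and a caller in the WSUS Administrators group. The server name, the group name and the Windows Internal Database instance path are example values, and the view and column names are taken from the Using WSUS Views documentation and are assumptions to be checked against it.

```powershell
# Added example, not from the Operations Guide or the WSUS SDK.
# Assumes: WSUS 3.0 console assembly installed locally, PowerShell 2.0,
# caller is a WSUS Administrator. Names marked "assumed" are example values.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Connect-Wsus {
    param([string]$Server = 'localhost', [bool]$UseSsl = $false, [int]$Port = 80)   # assumed defaults
    [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $UseSsl, $Port)
}

# The Synchronization Results report of Table 17 from the API: one object per
# synchronisation in the period, with new/revised/expired counts and any error.
function Get-WsusSyncReport {
    param($Wsus, [datetime]$From = (Get-Date).Date, [datetime]$To = (Get-Date))
    foreach ($s in $Wsus.GetSubscription().GetSynchronizationHistory($From, $To)) {
        New-Object PSObject -Property @{
            Start = $s.StartTime; End = $s.EndTime; Result = [string]$s.Result
            New = $s.NewUpdates; Revised = $s.RevisedUpdates; Expired = $s.ExpiredUpdates
            Error = $s.ErrorText
        }
    }
}

# Installation state of every approved update for one computer group: the
# figures behind a custom "status by group" report.
function Get-WsusGroupStatus {
    param($Wsus, [string]$GroupName)
    $group = $Wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) { throw "Computer group '$GroupName' not found" }
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    foreach ($u in $Wsus.GetUpdates($scope)) {
        $sum = $u.GetSummaryForComputerTargetGroup($group)
        New-Object PSObject -Property @{
            Title        = $u.Title
            KB           = (@($u.KnowledgebaseArticles) -join ',')
            Installed    = $sum.InstalledCount + $sum.InstalledPendingRebootCount
            NotInstalled = $sum.NotInstalledCount + $sum.DownloadedCount
            Failed       = $sum.FailedCount
            Unknown      = $sum.UnknownCount
        }
    }
}

# The public-view route for Windows Internal Database: sqlcmd and the SQL
# Native Client (Feature Pack for SQL Server 2005) over the WID named pipe.
function Invoke-WsusPublicViewQuery {
    param([string]$Query,
          [string]$Instance = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query')   # WID instance on WSUS 3.0 (assumed)
    # sqlcmd takes the query as one argument, so fold the multi-line text first.
    & sqlcmd -S $Instance -d SUSDB -E -W -s ',' -Q ($Query -replace "`r?`n", ' ')
}

# Installation state counts per computer. View and column names as documented
# in "Using WSUS Views" (assumed); State follows the UpdateInstallationState
# enumeration of the API (assumed).
$stateByComputer = @"
SELECT ct.Name AS Computer, ui.State, COUNT(*) AS Updates
FROM PUBLIC_VIEWS.vUpdateInstallationInfo ui
JOIN PUBLIC_VIEWS.vComputerTarget ct ON ct.ComputerTargetId = ui.ComputerTargetId
GROUP BY ct.Name, ui.State
ORDER BY ct.Name, ui.State
"@

$wsus = Connect-Wsus
Get-WsusSyncReport -Wsus $wsus -From (Get-Date).AddDays(-7) |
    Format-Table Start, Result, New, Revised, Expired, Error -AutoSize
Get-WsusGroupStatus -Wsus $wsus -GroupName 'All Computers' |
    Where-Object { $_.Failed -gt 0 } | Format-Table Title, KB, Installed, NotInstalled, Failed, Unknown -AutoSize
Invoke-WsusPublicViewQuery -Query $stateByComputer
```

The API route is the one to prefer for anything that changes state or that should respect WSUS's own access control; the public views are read-only and suit scheduled reporting, but the account running sqlcmd needs a login on the SUSDB database, which on Windows Internal Database normally means a local administrator.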
5.3 Troubleshooting WSUS 3.0
This section provides information on how to troubleshoot WSUS 3.0 server and client issues. As new issues are discovered and solutions created over time, links to public informational resources have been provided.

5.3.1 Troubleshooting WSUS 3.0 Server Issues
The first step in troubleshooting WSUS 3.0 server issues is to verify that the server settings are correct. This consists of verifying registry settings, configuration settings, IIS 6.0 settings and file system permissions. These settings can be checked against the documented settings in the troubleshooting section of the Microsoft Windows Server Update Services 3.0 Operations Guide {R5}.

Once the WSUS 3.0 server settings are verified to be correct, check the log files and event logs on the server. Table 18 details some of the sources of logged information to be found on the server:

Source | Detail
<drive>\Program Files\Update Services\Logfiles\SoftwareDistribution.log | This file contains information about the operation of the WSUS 3.0 server, including synchronisation information
%temp%\WSUSCa_timestamp.log | This log file is used by custom actions. Errors that occurred while executing any of the custom actions in WSUS component or BITS setup are logged to this file
%temp%\WSUSWyukonSetup_timestamp.log | This is the log file for Windows Internal Database setup. All Windows Internal Database installation/uninstallation information is logged to this file
%temp%\WSUSSetup.log | The status of each of the component installations performed during WSUS 3.0 setup is logged to this file
%temp%\WSUSSetupMsi_timestamp.log | This log file is generated by the MSI for WSUS 3.0 component setup
Event Viewer | WSUS 3.0 events are logged to the Windows Event Viewer application log. Also, service related issues may be entered in the system log
%systemroot%\System32\LogFiles\W3SVC1\*.log | This folder contains the log files created by IIS 6.0. Connections from clients to the IIS service are logged here
Table 18: WSUS 3.0 Server Troubleshooting Information Locations

After verifying the WSUS 3.0 server settings and checking the various sources of logged information on the WSUS 3.0 server, if there is still a problem, there are a number of resources available which provide information on known issues. The following sources of information may be useful:
• The troubleshooting section of the Microsoft Windows Server Update Services 3.0 Operations Guide {R5}
• The WSUS Community Web site[27], which provides links to various newsgroups, forums and blogs

27 Welcome to the Windows Server Update Services Community {R19}: http://www.microsoft.com/technet/windowsserver/wsus/community/default.mspx
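A first-pass triage of the sources in section 5.3.1 and Table 18, as an added example (not code from the Operations Guide): it reads the WSUS setup values from the registry, reports the state of the services WSUS depends on and the ACL on the content directory for comparison with the documented settings, then pulls Error and Warning lines from SoftwareDistribution.log, WSUS entries from the Application event log, and failed client requests from the IIS W3SVC1 log. It assumes PowerShell 2.0 on the WSUS server, run as a local administrator; the value names under the Setup registry key, the event source name and the severity tokens in SoftwareDistribution.log are taken from a WSUS 3.0 installation and should be checked against {R5}.

```powershell
# Added example, not from the Operations Guide. Assumes PowerShell 2.0 on the
# WSUS 3.0 server, run as a local administrator. Registry value names, event
# source and log severity tokens are assumptions to check against {R5}.

function Get-WsusServerSettings {
    $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    $svc = @{}
    foreach ($n in 'WSUSService', 'W3SVC', 'BITS') {
        $s = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($s) { $svc[$n] = [string]$s.Status } else { $svc[$n] = 'missing' }
    }
    # The content directory ACL is reported, not judged: compare it with the
    # documented file system permissions.
    $acl = $null
    if ($setup.ContentDir -and (Test-Path $setup.ContentDir)) { $acl = (Get-Acl $setup.ContentDir).AccessToString }
    New-Object PSObject -Property @{
        ContentDir = $setup.ContentDir; ContentAcl = $acl
        SqlServer  = $setup.SqlServerName; PortNumber = $setup.PortNumber
        Services   = $svc
    }
}

# SoftwareDistribution.log lines are tab-separated: timestamp, severity,
# process, component, message. Only Error and Warning lines are returned.
function Get-WsusLogErrors {
    param([string]$Path = "$env:ProgramFiles\Update Services\LogFiles\SoftwareDistribution.log",
          [int]$Tail = 5000)
    Get-Content $Path | Select-Object -Last $Tail | Where-Object { $_ -match "`t(Error|Warning)`t" }
}

# WSUS 3.0 writes to the Application log under the source below (assumed).
function Get-WsusEvents {
    param([int]$Hours = 24)
    Get-EventLog -LogName Application -Source 'Windows Server Update Services' `
        -EntryType Error, Warning -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue
}

# IIS W3C logs name their columns in a '#Fields:' header, so the parser reads
# that header rather than assuming column positions. Requests that ended in a
# 4xx/5xx status are grouped by client, status and URL, which separates a
# broken client (one IP, many failures) from a broken server (every IP fails).
function Get-IisClientFailures {
    param([string]$LogDir = "$env:SystemRoot\System32\LogFiles\W3SVC1")
    $latest = Get-ChildItem $LogDir -Filter *.log | Sort-Object LastWriteTime | Select-Object -Last 1
    $fields = $null
    $hits = @()
    foreach ($line in Get-Content $latest.FullName) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $values.Length; $i++) { $row[$fields[$i]] = $values[$i] }
        if ([int]$row['sc-status'] -ge 400) { $hits += New-Object PSObject -Property $row }
    }
    $hits | Group-Object 'c-ip', 'sc-status', 'cs-uri-stem' |
        Sort-Object Count -Descending | Select-Object Count, Name
}

Get-WsusServerSettings | Format-List
Get-WsusLogErrors | Select-Object -Last 20
Get-WsusEvents | Select-Object TimeGenerated, EventID, Message | Format-Table -AutoSize
Get-IisClientFailures | Select-Object -First 20 | Format-Table -AutoSize
```

Run the settings check first and the log scans second, in the order the text gives: a log full of errors on a server whose services are stopped or whose content directory ACL has been changed usually has the cause in the settings, not in the log.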
5.3.2 Troubleshooting WSUS 3.0 Client Issues
When experiencing WSUS 3.0 client issues, first check the WSUS 3.0 server is operational and that the WSUS 3.0 client has been correctly pointed to the relevant WSUS 3.0 server. The Automatic Updates Control Panel applet on the WSUS 3.0 client should be greyed out if the client has been pointed to a WSUS 3.0 server. Verify the client settings are correct by checking either Group Policy or the registry, depending on how the Automatic Updates settings have been assigned to the WSUS 3.0 client. Use the information in section 4.3.1 (for Group Policy assigned settings) and section 4.3.2 (for registry assigned settings) in this document to verify that the correct settings have been applied.

Table 19 lists sources of information on the WSUS 3.0 client that can be used in the troubleshooting process.

Source | Detail
%systemroot%\WindowsUpdate.log | This is the log file for the Automatic Updates client.
Event Viewer | Automatic Updates events are logged to the Windows Event Viewer system log.
Table 19: WSUS 3.0 Client Troubleshooting Information Locations

Further information on troubleshooting the Automatic Updates client can be found using the public resources listed in the troubleshooting section of the Microsoft Windows Server Update Services 3.0 Operations Guide {R5}.

5.4 Update Management with WSUS 3.0
It is recommended that a software update management process is followed to decrease the risk associated with installing software updates in the healthcare network environment. This section provides information on:
• How to get started with bringing computer systems up-to-date with software updates
• Microsoft's recommended approach to software update management
• How to quickly deploy software updates in emergency situations

As the software update management process is a fairly lengthy subject, a summary is included in this document with links provided to the publicly available documentation.

5.4.1 Getting Started with Software Update Management
One of the biggest challenges, when initially deploying WSUS 3.0, is dealing with the large number of software updates that need to be approved for installation on computer systems. If computer systems have not been updated with software updates for an extended period of time, this can prove to be a major task. The following considerations need to be planned for when first deploying WSUS 3.0:
• Properly testing software updates before approving for installation
• Bringing computer systems up-to-date using a staged deployment approach

It is recommended that software updates are appropriately tested before they are installed onto production computer systems. Where possible, use a test environment that closely resembles the live environment. Client systems in the test environment should run the same operating system versions, service pack levels, software and applications as in the live environment.

If a test environment is not available, use a subset of clients in the live environment to test the software updates. This can be performed by organising a number of clients in the live environment into a 'test' computer group and changing the approval status of updates to Install for this computer group only. For more information on the software update management process, see section 5.4.2.
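The client-side checks of section 5.3.2, as an added example (not code from the Operations Guide): it reads the Automatic Updates policy values from the registry, flags the common misconfigurations (no WUServer, UseWUServer not set, a status server that differs from the update server, client-side targeting enabled without a group name), probes the configured server over HTTP, and gathers the two sources of Table 19. It assumes PowerShell 2.0 run as an administrator on the client. The value names are the documented Windows Update policy registry values; the expected server URL, the probe path and the System log event source name are assumptions to adjust for the environment.

```powershell
# Added example, not from the Operations Guide. Assumes PowerShell 2.0 run as
# an administrator on a WSUS 3.0 client. The expected server URL, the probe
# path and the event source name are assumptions.

function Get-WsusClientPolicy {
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer             = $wu.WUServer
        WUStatusServer       = $wu.WUStatusServer
        TargetGroupEnabled   = $wu.TargetGroupEnabled     # client-side targeting
        TargetGroup          = $wu.TargetGroup
        UseWUServer          = $au.UseWUServer
        NoAutoUpdate         = $au.NoAutoUpdate
        AUOptions            = $au.AUOptions               # 4 = auto download and schedule the install
        ScheduledInstallDay  = $au.ScheduledInstallDay
        ScheduledInstallTime = $au.ScheduledInstallTime
        DetectionFrequency   = $au.DetectionFrequency
    }
}

# Returns a list of findings; an empty list means the policy looks right.
function Test-WsusClientPolicy {
    param([string]$ExpectedServer = 'http://wsus01.example.local')   # assumed
    $p = Get-WsusClientPolicy
    $problems = @()
    if (-not $p.WUServer) { $problems += 'WUServer not set: the client is not pointed at a WSUS server' }
    elseif ($p.WUServer -ne $ExpectedServer) { $problems += "WUServer is '$($p.WUServer)', expected '$ExpectedServer'" }
    if ($p.WUStatusServer -ne $p.WUServer) { $problems += 'WUStatusServer differs from WUServer: status reports go to a different server' }
    if ($p.UseWUServer -ne 1) { $problems += 'UseWUServer is not 1: WUServer is ignored and the client uses Microsoft Update' }
    if ($p.NoAutoUpdate -eq 1) { $problems += 'NoAutoUpdate is 1: Automatic Updates is disabled by policy' }
    if ($p.TargetGroupEnabled -eq 1 -and -not $p.TargetGroup) { $problems += 'client-side targeting is enabled but TargetGroup is empty' }
    if ($p.WUServer -and $p.WUServer -notmatch '^https://') { $problems += 'WUServer uses plain HTTP; configure the WSUS server for SSL where possible' }
    $problems
}

# Any HTTP status, even 404, shows the server answered on that URL; -1 means
# no connection at all (name resolution, firewall, IIS stopped).
function Test-WsusServerReachable {
    param([string]$Server, [string]$Path = '/iuident.cab')   # probe path assumed
    try {
        $resp = [System.Net.WebRequest]::Create("$Server$Path").GetResponse()
        $code = [int]$resp.StatusCode; $resp.Close(); $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }
}

# The two sources of Table 19: WindowsUpdate.log and the System event log.
function Get-WsusClientLogIssues {
    param([int]$Tail = 2000)
    $lines  = Get-Content "$env:SystemRoot\WindowsUpdate.log" | Select-Object -Last $Tail |
              Where-Object { $_ -match 'WARNING|FATAL' }
    $events = Get-EventLog -LogName System -Source 'Windows Update Agent' -Newest 50 -ErrorAction SilentlyContinue |
              Where-Object { $_.EntryType -ne 'Information' }
    New-Object PSObject -Property @{
        ServiceState = (Get-Service wuauserv).Status; LogLines = $lines; Events = $events
    }
}

$issues = Test-WsusClientPolicy -ExpectedServer 'http://wsus01.example.local'
if ($issues) { $issues | ForEach-Object { "POLICY: $_" } } else { 'POLICY: OK' }
$server = (Get-WsusClientPolicy).WUServer
if ($server) { "SERVER: HTTP " + (Test-WsusServerReachable -Server $server) }
$log = Get-WsusClientLogIssues
"SERVICE: $($log.ServiceState)"
$log.LogLines | Select-Object -Last 10
$log.Events | Select-Object TimeGenerated, EventID, Message | Format-Table -AutoSize
```

After correcting a policy value, refresh it with gpupdate /force (Group Policy assigned settings) and run wuauclt /detectnow so the client reports to the server without waiting for the next detection cycle; if the client-side targeting group was changed, wuauclt /resetauthorization /detectnow makes the client re-register with the new group.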
Once software updates have been fully tested and are ready to be installed on clients in the live environment, there are a number of methods that can be used to stage the install of software updates to WSUS clients. The method that is used depends on the option selected to organise computers into computer groups: server-side targeting or client-side targeting. For more information on server-side targeting and client-side targeting, see section 4.1.3. Use one of the following methods to stage the installation of software updates:

For server-side targeting:
1. Deploy Automatic Updates settings to all WSUS 3.0 clients (assuming that the approval status of software updates has not been modified from the default).
2. Create a computer group for organising clients that are to receive updates.
3. Change the approval status for the tested software updates to Install for the created computer group only.
4. Move an appropriate number of computers into the computer group. Continue to add computers to the computer group at staggered intervals, in order to manage the load on the WSUS 3.0 server.

For client-side targeting:
1. Create a computer group for organising clients that are to receive updates.
2. Change the approval status for the tested software updates to Install for the created computer group only.
3. Deploy Automatic Updates settings to an appropriate subset of WSUS 3.0 clients, enabling the Enable client-side targeting Group Policy setting or creating the "TargetGroup" registry entry, using the name of the computer group created in step 1.

Note
To deploy the settings in step 3 to a subset of clients, use whatever methods are available for gradually deploying the Automatic Updates settings to clients. For instance, when using Group Policy settings, use security filtering on GPOs to apply the GPO only to members of a computer group and add computers gradually to the computer group, or alternatively, link a GPO to an Active Directory OU and move computers gradually into the OU.

Bear in mind that when clients first connect to a WSUS 3.0 server, the Microsoft Windows Installer 3.1 (KB893803) {R9} and Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773) {R10} updates are installed before any other updates (assuming these have not already been installed on the clients). This is so that the WSUS 3.0 clients can take advantage of the improved installation and download functionality provided by these updates, including BITS bandwidth limitation policies. This will result in clients installing these updates, rebooting and not installing any remaining updates until the next scheduled installation time (if the WSUS 3.0 clients are configured with a daily scheduled installation time). Therefore, to bring the WSUS 3.0 clients up-to-date will require at least two days.

Once WSUS 3.0 clients have been brought up-to-date with software updates, the software update management process becomes easier as only newly released updates need to be tested and deployed.
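The server-side targeting method above, driven through the WSUS 3.0 API, as an added example (not code from the Operations Guide or the WSUS SDK): it creates the computer group (step 2), approves only the tested updates, identified by KB number, for that group (step 3), and adds the next batch of computers each time it runs (step 4), so that scheduling it at staggered intervals grows the group gradually. It assumes the WSUS 3.0 administration console assembly is installed locally, PowerShell 2.0, a caller in the WSUS Administrators group, and a server configured for server-side targeting (section 4.1.3). The group name, KB list, computer name pattern and batch size are example values; the two KB numbers are the ones mentioned on this page, standing in for the tested set.

```powershell
# Added example, not from the Operations Guide or the WSUS SDK. Assumes the
# console assembly is installed locally, PowerShell 2.0, a WSUS Administrator,
# and server-side targeting. Group name, KB list, pattern and batch size are
# example values.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()   # local server, port 80

# Step 2: create the computer group, or reuse it on a later run.
function Get-OrCreateTargetGroup {
    param($Wsus, [string]$Name)
    $group = $Wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if ($group) { return $group }
    $Wsus.CreateComputerTargetGroup($Name)
}

# Step 3: approve only the tested updates, identified by KB number, for this
# group. Anything not on the list keeps its default approval state, which is
# what limits the blast radius of the pilot.
function Approve-TestedUpdates {
    param($Wsus, $Group, [string[]]$Kb)
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
    foreach ($id in $Kb) {
        $number = $id -replace '^KB', ''
        # SearchUpdates matches on title text; the KB list is checked to be exact.
        $found = $Wsus.SearchUpdates($number) |
            Where-Object { -not $_.IsDeclined -and (@($_.KnowledgebaseArticles) -contains $number) }
        if (-not $found) { Write-Warning "KB$number not found on the server; synchronise first"; continue }
        foreach ($u in $found) {
            if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
            $u.Approve($install, $Group) | Out-Null
            "Approved '$($u.Title)' for '$($Group.Name)'"
        }
    }
}

# Step 4: add the next batch of computers. Members are skipped, so each run
# adds BatchSize new computers; run it at staggered intervals to keep the load
# on the WSUS 3.0 server down.
function Add-NextBatch {
    param($Wsus, $Group, [int]$BatchSize = 25, [string]$NamePattern = '.*')
    $member = @{}
    foreach ($c in $Group.GetComputerTargets()) { $member[$c.Id] = $true }
    $batch = $Wsus.GetComputerTargets() |
        Where-Object { -not $member[$_.Id] -and $_.FullDomainName -match $NamePattern } |
        Sort-Object FullDomainName | Select-Object -First $BatchSize
    foreach ($c in $batch) { $Group.AddComputerTarget($c); $c.FullDomainName }
}

$pilot = Get-OrCreateTargetGroup -Wsus $wsus -Name 'Staged Rollout'               # assumed name
Approve-TestedUpdates -Wsus $wsus -Group $pilot -Kb 'KB893803', 'KB842773'        # stands in for the tested set
Add-NextBatch -Wsus $wsus -Group $pilot -BatchSize 25 -NamePattern '\.example\.local$'
```

Running the script once per interval from Task Scheduler gives the staggered step 4 without manual intervention; the group status functions shown under section 5.2.1.8 above can then confirm that the previous batch has installed before the next one is added.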
5.4.2 The Software Update Management Process
Microsoft recommends using a four-phase approach for the testing and deployment of software updates. This approach provides control over the deployment of software update releases into the healthcare organisation's production network environment.

The four-phase approach works as follows:
• Assess – the process starts with an assessment of what is in the healthcare organisation's production network environment, what security threats and vulnerabilities may be applicable, and whether or not the organisation is prepared to respond to new software updates
• Identify – the goal during this phase is to discover new software updates in a reliable way, determine whether or not they are relevant to the healthcare organisation's production network environment, and determine whether an update represents a normal or emergency change
• Evaluate and Plan – the goal during this phase is to make a decision to deploy the software update, determine what is needed to deploy it, and test the software update in a production-like environment to confirm that it does not compromise business critical systems and applications
• Deploy – the goal during this phase is to successfully roll out the approved software update into the healthcare organisation's production network environment, so that all of the requirements of any deployment service level agreements (SLAs) that are in place are met

More detailed information about the software update management process, and each phase of the four-phase approach, can be found in Update Management Process[28]. However, this documentation has been created with the Systems Management Server (SMS) 2003 and Software Update Services (SUS) 1.0 SP1 products in mind. The documentation has not been updated to include WSUS 3.0 specific information; however, it provides useful information to help understand the process of delivering software updates safely into a production environment.

One important improvement with WSUS 3.0 is the addition of computer groups. This is useful in the Evaluate and Plan phase with regards to testing updates. Previously, a separate SUS 1.0 server would be configured with some non-production clients and used for testing updates, before they were approved for installation on the production SUS 1.0 server. With computer groups, it is possible to assign a number of non-production clients to a computer group and approve updates that are to be tested for this test group only. This alleviates the need for a separate server for testing updates.

5.4.3 Dealing with Emergency Update Releases
Sometimes it may be necessary to deploy an update before the next scheduled installation time. This may be because a critical security update has been released that needs to be installed on critical systems as a matter of urgency. The easiest process for quickly deploying updates relies on setting Group Policy settings. However, for non-Active Directory environments it is possible to perform these procedures if there is some other method of automatically deploying the corresponding registry keys. If there is no method of automatically deploying registry keys in the healthcare organisation's network environment, the only way to perform these procedures is to manually enter the Group Policy settings or registry keys on each client.

In this section, the procedures for deploying emergency update releases in an Active Directory environment are provided. For non-Active Directory environments, the Group Policy settings and corresponding registry keys have also been detailed.

28 Update Management Process {R20}: http://www.microsoft.com/technet/security/topics/patchmanagement/secmod193.mspx
Windows Server Update Services 3.0Version 1.0.0.0
5.4.3.1 Deploying Emergency Update Releases in an Active Directory Environment
To perform the procedures in this section, it is necessary to have the following rights in Active Directory to:
• Create and link Group Policy objects in the relevant location in Active Directory
• Force Domain Controller (DC) replication in the relevant Active Directory domain
Important
When using the procedures in this section, be careful to ensure that any BITS bandwidth limitation policies are not overridden by the new Group Policy object that is created. These settings must still be applied to WSUS 3.0 clients during the emergency update deployment to prevent saturation of any slow network links.
To deploy emergency update releases in an Active Directory environment:
1. Synchronise all WSUS 3.0 servers and approve the emergency updates.
2. Create a temporary GPO and assign it to an appropriate location in the OU structure so that it will be applied to the relevant computers. Use security filtering to ensure that it is applied to the appropriate containers and enable the ‘No override’ object option. This GPO should be of a higher priority than the GPO that is currently used for applying Automatic Updates settings.
3. Open the temporary GPO. Expand Computer Configuration > Administrative Templates > Windows Components, and then click Windows Update.
4. Enable the Automatic Updates detection frequency setting and set the interval (hours) value to 1.
5. Enable the Configure Automatic Updates setting:
a. Change the Configure automatic updating setting to 4 - Auto download and schedule the install.
b. Set the Scheduled install day to 0 – Every day.
c. Set the Scheduled install time to a time slot three hours from the present time.
6. Enable the Specify intranet Microsoft update service location setting. Type http://<servername> (replacing <servername> with the hostname or IP address of the WSUS server), or https://<servername> if using SSL, into the Set the intranet update service for detecting updates and the Set the intranet statistics server fields.
7. Disable the Reschedule Automatic Updates scheduled installations setting.
8. Force DC replication to occur, so that all DCs have a copy of the new GPO.
It will take up to 120 minutes for all clients within the OU to refresh the Group Policy. Once the Group Policy is refreshed, the clients will poll the WSUS 3.0 server for new updates within 48-60 minutes (one hour minus a random offset of up to 20%). At this point the automatic download should occur. The scheduled installation time should still be in the future; once the scheduled installation time is reached the install will take place.
Note
At this point, forcing the refresh of Group Policy on a client will result in the client checking in with the server within one hour and beginning the download. To speed the process up, if there are only a few clients and it is possible to manually force a Group Policy refresh and Automatic Updates detection on each WSUS 3.0 client, in step 5 set the Scheduled install time setting to a time slot one hour from the present time and then run the relevant command to force a Group Policy refresh on the clients. For Windows XP, run the command gpupdate.exe /force and for Windows 2000, run the command secedit.exe /refreshpolicy machine_policy. Next, once Group Policy has been refreshed, run the command wuauclt.exe /detectnow to force the Automatic Updates client to check in with the server.
9. After the update has been successfully installed on all of the target computers, delete the temporary GPO that was used to make the changes. Computers will fall back to the existing Automatic Updates download and installation options after they next refresh their Group Policy settings.
5.4.3.2 Deploying Emergency Update Releases in a Non-Active Directory Environment
To deploy emergency update releases in a non-Active Directory environment:
1. Synchronise all WSUS 3.0 servers and approve the emergency updates.
2. Record the current values of the AU registry key on a WSUS 3.0 client.
3. Deploy the registry keys detailed in Table 20.
4. Once the registry keys have been deployed to each client, the clients will poll the WSUS server for new updates within 48-60 minutes (one hour minus a random offset of up to 20%). At this point the automatic download should occur. The scheduled installation time should still be in the future; once the scheduled installation time is reached the install will take place.
5. After the update has been successfully installed on all of the target computers, change the registry keys back to their original values.
The registry keys that need to be deployed are located in the following subkey:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
For more information on all the available registry keys for configuring a WSUS 3.0 client, including those that are needed to point a client at a WSUS 3.0 server, see section 4.3.2.
Table 20 shows the registry keys that need to be deployed.
Entry Name | Value | Data Type
AUOptions | 4 | REG_DWORD
DetectionFrequency | 1 | REG_DWORD
DetectionFrequencyEnabled | 1 | REG_DWORD
RescheduleWaitTimeEnabled | 0 | REG_DWORD
RebootWarningTimeoutEnabled | 0 | REG_DWORD
ScheduledInstallDay | 0 | REG_DWORD
ScheduledInstallTime | The range = n; where n = the time of day in 24-hour format (0-23). Set this value to the next hour interval that is 1 hour ahead of the time the registry keys will have been deployed to the clients. | REG_DWORD
Table 20: Emergency Update Release Registry Keys
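Steps 2, 3 and 5 of the non-Active Directory procedure on a single client, as an added PowerShell example that is not part of the original guide: it records the current AU policy values, writes the Table 20 values with ScheduledInstallTime computed as the first whole hour at least one hour after deployment, and later restores what was recorded. The backup file location is an assumption, and the values that point the client at the WSUS 3.0 server (section 4.3.2) are assumed to be in place already.

```powershell
# Added example, not from the original guide: back up, apply and restore the Table 20
# emergency Automatic Updates values on one non-Active Directory client (run in an
# elevated session). Backup path is an assumption; WUServer values (section 4.3.2) are assumed set.

$AuKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$BackupFile = "$env:SystemRoot\Temp\AU-policy-backup.xml"   # assumed location

# Fixed values from Table 20; ScheduledInstallTime is computed at deployment time.
$EmergencyValues = @{
    AUOptions                   = 4   # auto download and schedule the install
    DetectionFrequency          = 1   # poll the WSUS server every hour
    DetectionFrequencyEnabled   = 1
    RescheduleWaitTimeEnabled   = 0
    RebootWarningTimeoutEnabled = 0
    ScheduledInstallDay         = 0   # every day
}
$AllValueNames = @($EmergencyValues.Keys) + 'ScheduledInstallTime'

# Table 20: "the next hour interval that is 1 hour ahead of the time the registry
# keys will have been deployed", read here as the first whole hour that is at
# least one hour after $DeployedAt (for example 14:20 -> 16, 14:00 -> 15).
function Get-EmergencyInstallHour {
    param([datetime]$DeployedAt = (Get-Date))
    $t = $DeployedAt.AddHours(1)
    if ($t.Minute -ne 0 -or $t.Second -ne 0) { $t = $t.AddHours(1) }
    return $t.Hour
}

# Step 2: record the current AU values so that step 5 can put them back.
function Backup-AUPolicy {
    $current = @{}
    if (Test-Path $AuKey) {
        $item = Get-ItemProperty -Path $AuKey
        foreach ($name in $AllValueNames) {
            if ($null -ne $item.$name) { $current[$name] = [int]$item.$name }
        }
    }
    Export-Clixml -Path $BackupFile -InputObject $current
    return $current
}

# Step 3: write the Table 20 values (all REG_DWORD) into the AU subkey.
function Set-EmergencyAUPolicy {
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    $values = $EmergencyValues.Clone()
    $values['ScheduledInstallTime'] = Get-EmergencyInstallHour
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $AuKey -Name $name -Value $values[$name] -Type DWord
    }
    return $values
}

# Step 5: restore the recorded values; values that did not exist before are removed.
function Restore-AUPolicy {
    $saved = Import-Clixml -Path $BackupFile
    foreach ($name in $AllValueNames) {
        if ($saved.ContainsKey($name)) {
            Set-ItemProperty -Path $AuKey -Name $name -Value $saved[$name] -Type DWord
        } else {
            Remove-ItemProperty -Path $AuKey -Name $name -ErrorAction SilentlyContinue
        }
    }
}
```

Run Backup-AUPolicy and then Set-EmergencyAUPolicy at deployment time; once the update has installed on every target computer, run Restore-AUPolicy.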
APPENDIX A SKILLS AND TRAINING RESOURCES
The tables in PART I of this appendix list the suggested training and skill assessment resources available. This list is not exhaustive; there are many third-party providers of such skills. The resources listed are those provided by Microsoft.
PART I WSUS 3.0
For further information on WSUS 3.0, see http://www.microsoft.com/wsus
Skill or Technology Area | Resource Location | Description
Microsoft Windows Server Update Services 3.0 Overview | http://go.microsoft.com/fwlink/?LinkId=71191 | This overview introduces WSUS 3.0 and provides information about features, and server and client computer requirements
Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services 3.0 | http://go.microsoft.com/fwlink/?LinkId=71190 | This guide provides basic instructions for getting started with WSUS 3.0
Deploying Microsoft Windows Server Update Services 3.0 | http://go.microsoft.com/fwlink/?LinkId=86416 | This document describes how to deploy, install and configure WSUS 3.0
Microsoft Windows Server Update Services 3.0 Operations Guide | http://go.microsoft.com/fwlink/?LinkId=86697 | This document describes how to administer and troubleshoot WSUS 3.0
Table 21: Windows Server Update Services 3.0
APPENDIX B DOCUMENT INFORMATION
PART I Terms and Abbreviations
Abbreviation | Definition
API | Application Programming Interface
AU | Automatic Updates
BITS | Background Intelligent Transfer Service
CA | Certification Authority
DC | Domain Controller
DNS | Domain Name System
GPMC | Group Policy Management Console
GPO | Group Policy Object
IIS | Internet Information Services
IP | Internet Protocol
IPSec | Internet Protocol Security
KB | Microsoft Knowledge Base
MOF | Microsoft Operations Framework
MMC | Microsoft Management Console
MPLS | Multi-Protocol Label Switching
MSDN | Microsoft Developer Network
MSF | Microsoft Solutions Framework
MSI | Microsoft Windows Installer
MSRC | Microsoft Security Research Center
NAT | Network Address Translation
NIC | Network Interface Card
OU | Organisational Unit
PDF | Portable Document Format
POP | Point of Presence
SDK | Software Development Kit
SLA | Service Level Agreement
SMS | Systems Management Server
SP | Service Pack
SPN | Service Principal Name
SSL | Secure Sockets Layer
SUS | Software Update Services
TCO | Total Cost of Ownership
UI | User Interface
URL | Uniform Resource Locator
WAN | Wide Area Network
WSUS | Windows Server Update Services
WUA | Windows Update Agent
Table 22: Terms and Abbreviations
PART II References
Reference | Document
R1. | Windows Server Update Services 3.0 Design Guide (version 1.0.0.0): http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx
R2. | MSF Process Model White Paper (version 3.1): http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en
R3. | MOF Executive Overview (version 1.0): http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx
R4. | Deploying Microsoft Windows Server Update Services 3.0 (version 1.1): http://go.microsoft.com/fwlink/?LinkId=86416
R5. | Microsoft Windows Server Update Services 3.0 Operations Guide (version 1.1): http://go.microsoft.com/fwlink/?LinkId=86697
R6. | Chapter 6 – Managing Microsoft Certificate Services and SSL: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
R7. | Overview of IPSec Deployment: http://go.microsoft.com/fwlink/?LinkId=45154
R8. | Group Policy for Healthcare Desktop Management: http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx
R9. | Windows Installer 3.1 v2 (3.1.4000.2435): http://support.microsoft.com/kb/893803/
R10. | An update package that includes BITS 2.0 and WinHTTP 5.1 is available for Windows Server 2003, for Windows XP, and for Windows 2000: http://support.microsoft.com/kb/842773
R11. | Peer Caching: http://go.microsoft.com/fwlink/?LinkId=79432
R12. | How DNS Works: http://technet2.microsoft.com/WindowsServer/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true
R13. | Re-index the WSUS 3.0 Database: http://go.microsoft.com/fwlink/?LinkId=87027
R14. | Feature Pack for Microsoft SQL Server 2005: http://go.microsoft.com/fwlink/?LinkId=70728
R15. | sqlcmd Utility: http://go.microsoft.com/fwlink/?LinkId=81183
R16. | SQL Server TechCenter – Microsoft SQL Server: http://technet.microsoft.com/en-gb/library/bb545450.aspx
R17. | Windows Server Update Services SDK: http://go.microsoft.com/fwlink/?LinkId=85713
R18. | Using WSUS Views: http://msdn2.microsoft.com/en-gb/library/bb410149.aspx
R19. | Welcome to the Windows Server Update Services Community: http://www.microsoft.com/technet/windowsserver/wsus/community/default.mspx
R20. | Update Management Process: http://www.microsoft.com/technet/security/topics/patchmanagement/secmod193.mspx
Table 23: References