Managing the Life Cycle—Keeping Windows 7 Up to Date : Using Windows Server Update Services

Figure 1 shows a typical configuration using WSUS in an enterprise. In the figure, the WSUS server retrieves updates from the Microsoft update site and all clients receive their updates from the WSUS server.

Figure 1. Using WSUS in an enterprise

An administrator chooses which updates to download to WSUS. Once the updates have been downloaded, they can be tested, approved, and deployed to clients. WSUS allows you to organize computers in groups, so it's possible to approve an update for one group of computers but not another group.

Although Figure 1 shows only 12 network clients, your network could have many more. In a large network, you may even choose to use multiple WSUS servers.

Figure 2 shows a typical configuration when multiple WSUS servers are used. A single WSUS server is used to download updates from the Microsoft update site and is referred to as the upstream server. WSUS servers that receive updates from the upstream server are referred to as downstream servers. Downstream WSUS servers retrieve the updates from this server, and administrators of each downstream server can then choose to approve and deploy updates to their clients based on their needs.

Figure 2. Using WSUS in an enterprise

This is useful in a large but decentralized environment where administrators in different locations need to make decisions on the management of the systems that are different from what may be needed in another location of the enterprise. In other words, an administrator of one downstream server can deploy an update to clients in her network, while an administrator for another downstream server can wait until further testing is completed before deploying updates to his network.

1. WSUS Updates

WSUS can receive and deploy a wide range of updates. This includes updates for operating systems, applications, and enterprise applications.

Operating systems All Microsoft operating systems, from Windows 2000 through Windows 7 and Windows Server 2008 R2, are supported.

Applications A full range of Microsoft applications, including Microsoft Office, Microsoft Works, Microsoft Live, Silverlight, Expression, Report Viewer, Visual Studio, and much more, are supported.

Application server products Microsoft server products, such as Microsoft Exchange, Microsoft SQL Server, Internet Security and Acceleration Server, Host Integration Server, System Center Configuration Management Server, Windows Small Business Server, and more, are supported.

2. WSUS Requirements

WSUS is installed on a server such as Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. To support Windows 7 clients, you'll need at least WSUS 3.0 with SP2 or later.

Other requirements are as follows:

Server roles

WSUS requires both the Application Server and the Web Server (IIS) roles installed. Internet Information Services (IIS) is Microsoft's web server product, and it is installed when the Web Server (IIS) role is installed. These roles should be added prior to adding WSUS. IIS 6.0 or later is required.

Disk space

You should have at least 8 GB of available disk space. WSUS will need at least 6 GB to store updates downloaded from the Microsoft Update site. If you're short of disk space, it is possible to store the updates on the Microsoft Update site, but the overall performance will be slower. An additional 2 GB of disk space is need to house the Windows Internal Database that will be used to store the WSUS data, but it's also possible to use an existing SQL Server and store the database on that server.

Downloaded files

You'll need to download the following two files: WSUS 3.0 and the Microsoft Report Viewer Redistribu table 2008. Both are available as free downloads from Microsoft's download site (www.microsoft.com/downloads). Search for "WSUS 3" and "Report Viewer Redistributable 2008" to locate each item.

Both x86 and x64 versions are available for WSUS, so download the version you need based on where you'll install it. For example, if you're installing it on a 64-bit server, download the x64 version. The Report Viewer has only a single edition that works on both x86 and x64 servers.

3. Installing, Configuring, and Using WSUS

Once you've reviewed the requirements and prerequisites, you can begin the installation of WSUS, configure clients to use WSUS, approve updates for deployment, and verify that updates have been deployed by viewing WSUS reports. The following sections will lead you through the entire process.

3.1. Adding the Application Server and Web Server (IIS) Roles

3.2. Installing the Report Viewer

3.3. Installing WSUS

With the prerequisites out of the way, you can now install WSUS.

3.4. Configuring Group Policy Settings for WSUS

The Group Policy node that is configured is Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update. Figure 3 shows the GPO setting that can be manipulated to configure clients for Automatic Updates. Once the setting is set to Enabled, you can select one of four settings from the Configure Automatic Updating drop-down box.

Figure 3. Group Policy Settings for Automatic Updates

The choices available from the Configure Automatic Updating drop-down box are numbered 2 through 5. If Configure Automatic Updates is set to Disabled, updates must be downloaded and installed manually, and this value is 1 (which isn't selectable from the drop-down box). The four choices numbered 2 through 5 are as follows:

2 – Notify for Download and Notify for Install

When updates become available for download, an icon appears in the status area of the taskbar to inform the user that updates are available, but the update is not automatically downloaded. This can be used for clients located in remote sites who need to connect to the WSUS server over a slow wide area network connection. However, it has an inherent risk because it depends on the user to download and install the updates.

3 – Auto Download and Notify for Install

This is the default setting when this Group Policy setting is enabled, but it is not the best setting. The update is downloaded based on the schedule but not installed. An icon appears in the status area that the user can click to initiate the installation. Just as with the previous option, it has an inherent risk because it depends on the user to take action to install the updates.

4 – Auto Download and Schedule the Install

When using WSUS, this is the commonly used setting. The update is automatically downloaded to the client, and the installation of the update is scheduled. By default, the scheduled install occurs every day at 3:00 AM, though you can change the day and time setting.

5 – Allow Local Admin To Choose Setting This option allows a local administrator to select one these options. However, the local administrator cannot disable Automatic Updates. In other words, Automatic Updates will be scheduled, but the local administrator can choose whether the update is automatically downloaded and/or automatically installed via the Windows Update console.

Figure 4 shows the Specify Intranet Microsoft Update Service Location Properties setting. You'd use this to configure the clients to use the WSUS server for updates instead of getting updates from the Windows Update site. In my network, I have configured a server named DC1 as the only WSUS server, so the address is http://dc1, and I have set this address for the update server and the statistics server.

Figure 4. Configuring the address of the WSUS server

The WSUS statistics server is a single WSUS server that collects information from all WSUS-managed clients in the enterprise.

You can also configure how often clients check to see if updates are available. Figure 5 shows the Automatic Updates Detection Frequency with an interval of 20 hours selected. This time isn't specific but is instead randomized around the number entered.

Figure 5. Configuring the Automatic Updates Detection Frequency GPO setting

The actual time when a client is checked is a random number between 80 percent of the given number and 120 percent of the number. With the number at 20, the client would check at some point between 16 hours (20 × 0.80) and 24 hours (20 × 1.2) after the last check. The default setting is 22, causing clients to check for updates at random intervals of between about 17.6 and 26.4 hours. Other Group Policy settings exist that can be manipulated, but these are the common ones.

3.4.1. Creating a GPO to Configure Clients to Use WSUS

3.4.2. Verifying That Clients Are Using GPO Settings for WSUS

Group Policy will be applied to clients every 90 to 120 minutes by default. You can wait two hours and check to see if it has been applied, or you can use the gpupdate /force command from the command prompt to force an immediate refresh of Group Policy. I suggest using the command if you're trying to verify the update.

After the GPO has been applied, you can verify that the clients are using the WSUS server. Exercise 4.7 shows how to run the gpupdate /force command and then verify that clients are configured to their updates from the WSUS server.

If you want the client to connect to the WSUS server immediately and check for updates, you can enter the following command at the command prompt:

wuauclt /detectnow

However, if no updates have been approved by the WSUS server, nothing will be downloaded.

3.4.3. Verifying That Clients Are Using GPO Settings with GPResult

You can also verify that clients are using the WSUS server from the command prompt. Launch a command prompt, and execute the following two commands:

Gpresult /v > gpr.txt
Notepad gpr.txt

Gpresult /v shows the result of applied Group Policies. The /v switch provides the results in verbose mode (lots of words), and > gpr.txt redirects the output to a text file named gpr.txt. You can then open the file in Notepad with Notepad gpr.txt, which can then be easily browsed and searched.

If you created a new policy and named it WSUS, it will be displayed in the Computer Settings section under the Applied Group Policy Objects heading as follows:

Applied Group Policy Objects
-----------------------------
    Default Domain Policy
    WSUS
    Local Group Policy

In addition, the Administrative Templates section will have several settings related to updates but aren't in simple English. The easiest thing to decipher here is the UseWUServer Registry key. It has a value of 1, indicating that a WSUS server is designated.

GPO: WSUS
KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
Value:      1, 0, 0, 0
State:      Enabled

					  

Not so easy to decipher is that the server is designated as http://DC1 using ASCII characters. Each character is separated with a 0 or an ASCII null character.

GPO: WSUS
KeyName:       Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
Value:         104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0,
                  100, 0, 99, 0, 49, 0, 0, 0
State:         Enabled

ASCII 104 is h, ASCII 116 is t, ASCII 112 is p, and so on.

3.5. Creating Computer Groups on WSUS

A significant improvement of WSUS over earlier versions is the ability to approve updates for specific groups of computers. In other words, you can choose to approve updates for one group of computers but not others.

In order to support this with WSUS, you create computer groups and then move the computers into the appropriate group. 

3.6. Approving Updates in WSUS

At this point, WSUS is configured to receive and deploy updates. In addition, clients in the domain are configured through Group Policy to receive updates from the WSUS server. However, updates will not be deployed to the clients automatically, and they aren't even downloaded to the WSUS server automatically.

Instead, an administrator must take several steps to deploy updates. These steps are as follows:

• Locate the update in the WSUS console.

• Right-click the update and select Approve.

• Select either the All Computers group or individual computer groups where the update should be deployed.

• Right-click the computer group(s), select Approved for Install, and click OK.

Once an update is approved, it will be scheduled for download from Microsoft's website to the WSUS server. When the client checks in with the WSUS server, it will see that the server has the new update, and the client will download and install it (unless the GPO settings were configured to handle the update differently).

Updates are downloaded to the WSUS server when the server synchronizes with the Microsoft website. Synchronization can be done manually, or a synchronization schedule can be created using the WSUS Options page.

3.7. Viewing WSUS Reports

WSUS includes a rich set of reporting capabilities. You can create summary and detailed reports based on updates or based on computers and also view reports of synchronization results.

Figure 6 shows the report for a Windows 7 PC managed by WSUS. The report was created by right-clicking the computer and selecting Status Report. The first page provides summary data, and the following pages list all of the updates, their approval status, and their installation status.

If you select the Reports node, it allows you to create reports on all of the updates and all of the computers. It also includes the ability to create the reports in a tabular format, which can easily be displayed in a Microsoft Excel worksheet. All of the reports can also be saved in a PDF format if desired.

WSUS is feature rich, especially considering that it's a free product. It provides administrators with any easy-to-learn and easy-to-use tool that gives them better administrative control over updates in the enterprise.

Figure 6. Viewing a WSUS report for a client