WSUS

00:00

In this section I will look at WSUS. WSUS, or Windows Server Update Services provides

00:08

updates to computers in your organization. Think of it as your own windows update server.

00:15

Once you start using WSUS, you will find that it can be used on small networks and also

00:20

scalable to an enterprise network. In this video I will first look at an overview

00:26

of WSUS and how you can use it in your organization. Following this I will look at prerequisites

00:32

required to install WSUS and also the hardware requirements of WSUS. Following this I will

00:39

show you how to install and configure WSUS. A big part of the management of WSUS is groups.

00:47

I will spend some time looking at how the groups work in WSUS, then I show how you can

00:52

configure the clients in your organization to use WSUS with group policy. There is a

00:58

lot to WSUS but with careful planning you can update and audit the computers on your

01:04

network. One of the biggest advantages of WSUS is that

01:08

it allows you to download updates from Microsoft and store them locally. By using WSUS to store

01:16

data locally you can vastly reduce the amount of data that gets transferred over your WAN

01:21

link. Imagine if one of your branches has 200 computers and each user goes to download

01:28

a service pack directly from Microsoft. Each service pack could be up to 100 megabytes

01:33

in size. You can imagine the load that would place on your wan connection.

01:39

When this course was created, service pack 1 for windows 7 had not yet been released.

01:45

Rumors have it that service pack one for windows 7 is 1.2 Giga bytes in size. Windows Vista

01:53

service pack 2 is over 300 mega bytes in size. Whatever mathematics you use, a network with

01:59

200 computers downloading the same service pack is a lot of data.

02:06

To help use your wan connection better, a wsus server can be placed on the network.

02:12

The wsus server will download updates from Microsoft while the client will download the

02:18

updates from the wsus server. This means large downloads like services packs are only downloaded

02:24

once over the wan connection. When deploying wsus on a large network, you should try and

02:31

place your wsus servers with reference to your network topology.

02:37

If the company also had a site say in Floria with 50 computers connected by a high speed

02:42

link, it would make sense for wsus to get its updates from the other wsus server in

02:49

New York rather than from Microsoft. On a large network it is not un common for only

02:55

one wsus server to access the internet and replicate updates to the other wsus servers

03:01

at other sites. In some cases it makes more sense for the

03:06

wsus server to access the windows update server directly. Consider this. The company has a

03:12

large office of 100 computers in Canada. The link back to the main office is a slow wan

03:19

link, however the office in Canada has its own high speed internet link.

03:25

In this case, it makes more sense for the wsus server at this location to get its updates

03:31

directly from a local windows update server if one is available rather than via the slower

03:37

office wan link. Also consider a very small office in the UK with only two computers.

03:44

In this case you would want wsus to determine which updates the computers can install, but

03:51

it is simply not worth installing a wsus server at that location or downloading the updates

03:56

from head office. This bring us to the next main reason for

04:01

installing WSUS is to approve or decline updates or in other words, control how updates are

04:10

installed in your organization. In the case of the UK office, the 2 computers would contact

04:16

the internet directly to download windows updates, however they would also communicate

04:21

back to the New York WSUS server on which updates they had installed and ask what updates

04:28

they could install. In other words, WSUS allows you to optimize

04:34

downloading of your updates and also control which updates are installed. To do this, WSUS

04:41

allows you to create groups. You are free to create whatever group you require but often

04:47

originations will create a group for testing updates, a pilot group and a production group.

04:53

Even though Microsoft goes to quiet a lot of effort to test their updates, problems

04:58

can occur if updates and other software on your computer have compatibility problems.

05:04

Creating a pilot groups so you can first test the updates on your network and hopefully

05:09

stop, or at least minimize potential problems on your network.

05:14

Currently the most recent version of WSUS is version 3 with service pack 2. In order

05:20

to install WSUS, you need be running one of the following server operating system. First

05:27

windows server 2008 R 2 or window server 2008 with services pack 1.

05:34

Wsus also supports windows small business server 2008 and 2003 as well as windows server

05:41

2003 with service pack 1. There are also a number of software prerequisites to run WSUS.

05:49

First you need to have installed dot net frame work 2 point 0.

05:53

To store the data required to run WSUS you need a database. For small installs of WSUS

05:59

you can use the windows internal database. If you need more of an enterprise solution

06:04

you can use SQL server 2008 or SQL server 2005 with service pack 2.

06:11

To run the administration of WSUS you require Microsoft management console 3 point 0. To

06:17

generate reports wsus requires Microsoft report viewer redistributable 2008, but this is only

06:25

required if you want to generate reports. Wsus will install without this component and

06:32

you can install the report component at any time.

06:36

Lastly wsus requires IIS 6 point 0 or greater. When you install IIS you will need to make

06:43

sure that certain components of IIS are also installed.

06:48

For the IIS requirements you require the ASP dot net component. This is a web application

06:54

framework created by Microsoft. Next you require windows authentication. This will allow the

07:01

client to be authentication by WSUS when requesting updates.

07:06

WSUS also requires dynamic content compression. Dynamic content compression allows WSUS to

07:13

reduce the size of web page by using compression. Lastly if you are using IIS 7 you will require

07:21

IIS 6 management compatibility. Wsus currently has been updated to work directly

07:27

with IIS 6 so this component provides the bridge until this occurs. Once you have meet

07:34

all the software requirements there are also some hardware requirements to meet.

07:40

The first requirements is the system and WSUS partition must be formatted with NTFS. The

07:46

WSUS partition must also not be a compressed drive. For the disk space requirements, you

07:53

require 1 gigabyte free on the system partition. The database requires 2 gigabytes of space

08:00

and lastly you need 20 gigabytes free to store updates. Microsoft does recommend 30 gigabyte

08:04

of free space for updates. As you will see later on in the configuration of WSUS, depending

08:08

on how many products you decide to download and the updates you choose will determine

08:12

how much disk space is required. To install WSUS you can download it for the

08:18

Microsoft web site. Just go to w w w dot Microsoft dot com slash wsus for details. WSUS can also

08:29

be installed from the server manager. If you find that WSUS is not available in server

08:35

manager you will need to update server manager using windows update.

08:40

Once the necessary update has been obtained from Windows update, WSUS 3 with service pack

08:45

2 will be available in server manager. Remember that even though it is available in server

08:51

manager, once you attempt to install WSUS it will still download wsus from the internet.

08:58

If you server is not connected to the internet you will need to obtain the standalone version

09:03

of WSUS and install it. Also you need to take some time to consider

09:08

what type of updates you want to download. These include critical, definitions, drivers,

09:15

feature packs, security, service packs, tools, update roll ups and other updates. As you

09:23

can see the list is quite large. Previously with windows updates, only a small

09:30

amounts of updates were available. Microsoft has put a lot of work into windows update

09:35

to provide additional features as well as more updates. At present, windows updates

09:42

provides updates for windows operating system and other Microsoft products.

09:47

You will see in a moment the list of Microsoft products you can get updates from is quite

09:52

large. Remember though, if you are retrieving updates from anther WSUS server, you can only

09:58

retrieve the updates that other WSUS server have. If the upstream server for example decide

10:05

not to download Microsoft Office updates, you will not be able to download any Microsoft

10:11

office updates to the downstream sever. Let’s have a look at how to install WSUS.

10:19

In this example I will install WSUS though the server manager, but as you will see whether

10:25

you install it through server manager or via the stand alone install, the install is the

10:30

same. First of all I will run server manager from the quick launch.

10:36

From the roles section select the option add roles from the right hand side. Once I am

10:43

passed the welcome screen, select Window Server Update Services from the component list. Once

10:49

selected windows will prompt you for additional IIS components that are required.

10:55

This is the advantage of installing WSUS through the server manager is that IIS components

11:00

are automatically installed for you. If you are using the Wsus stand alone install, you

11:06

will need to make sure the IIS components for WSUS are installed before you start installing

11:12

WSUS. Once I press next I will be taken in the configuration

11:18

for IIS. Once past the IIS welcome screen you can see the components of IIS that will

11:26

be installed. You can see that ASP dot Net has already been selected.

11:34

Under security windows authentication has been selected. Under performance dynamic content

11:40

compression has been selected and lastly under management tools IIS 6 management capability

11:48

has been selected. You can see however that only IIS 6 metabase

11:54

compatibility is selected out of the IIS 6 management compatibility components. If you

12:01

plan on performing a manual install of WSUS, check your existing IIS setup or when installing

12:08

IIS make sure that these four components are installed.

12:14

On the next screen you will be taken into the WSUS set up. You will see that when I

12:19

press next there are no options to configure via server manager. Once I press install the

12:26

WSUS install will start. You will notice that under the progress bar

12:31

it says downloading. In order to install WSUS via the server manager your server must have

12:38

access to the internet. Once WSUS has been download from the internet, server manager

12:44

will start installing the other components required for WSUS, in this case IIS.

12:51

The install may take a few minutes. I have accelerated time to the end so we don’t

12:56

have to wait. You will notice that a new set up program has been launched. This set up

13:02

program is the stand alone set up for WSUS. The set up from here onwards is identical

13:08

to the install performed by downloading and running the stand alone setup from Microsoft.

13:14

Once I accept the license and move on you will notice that I get a message telling me

13:18

that Microsoft report viewer 2008 redistributable needs to be installed before I can generate

13:24

any reports. This can be installed later so I will skip this part and move on.

13:30

On the next screen you can decide where you want to install the updates that WSUS downloads.

13:36

If you deselect this option, WSUS will not store any updates locally. When an update

13:42

is requested via a client, WSUS will download the update directly from windows updates or

13:48

from anther WSUS server. If you only want to use WSUS to determine

13:53

what updates an end user can install, you can choose not to store any updates locally.

13:59

In this case, I will store the updates in the default location on the c drive, but for

14:04

best performance you should consider storing the updates on a separate hard disk.

14:10

On the next screen you can determine where WSUS will install its database files. By default

14:15

you can use windows internal database. On large enterprise environment you may have

14:21

a SQL server. If I had SQL server installed on this computer this option would not be

14:26

grayed out and I would be able to select a database.

14:31

If your SQL database is on anther server you could select the last option to connect to

14:36

it. In this case I will use windows internal database and move on. On this screen you can

14:42

decide which web site you want wsus to use. If you have no other web site on this server

14:49

and are not planning on installing an additional web site in the future you should select the

14:54

first option use existing IIS default web site. If you want to use the default web site

15:00

for something else you should select the second option and WSUS will not use the default web

15:07

site. In this case I am not planning on setting

15:10

up an additional web sites on this server so I can select the default option. Once I

15:15

confirm the install option on the next screen I can move on and the install will start.

15:21

The install may take 5 minutes or so to finish, I have accelerated time to the end of the

15:27

install. You can see now that IIS and WSUS have been installed through the server manager,

15:34

however WSUS is still not configured. Once the install has completed the WSUS configuration

15:41

wizard will automatically be started. If I close server manager install wizard, you will

15:46

notice that in server manager there is a warning. This is because WSUS has not been configured

15:53

yet. The wsus configuration wizard can be run at

15:56

any time and is available through the start menu. You will notice I can close server manger

16:03

without effecting the WSUS configuration wizard. Once I am pass the WSUS welcome screen I will

16:09

get the option to decide if I want to take part in the Microsoft improvement program.

16:14

Taking part in the program means that Microsoft will receive statistics on your network. Since

16:20

this is a test network, I don’t want to give Microsoft any mis leading statistics

16:24

so I will switch this option off. On the next screen you can decide where this

16:31

WSUS server will get it’s updates from. By default WSUS will receive it’s updates

16:36

from windows update server. If you have anther WSUS server on the network, you can download

16:42

updates from this server. You can choose to enable S S L if you want

16:47

traffic between the two servers to be encrypted. If I choose to obtain updates from anther

16:53

server, I will only be able to download updates from the server that update server has already

16:59

downloaded. For example, just say you had a large company

17:03

and a central IT department which decided which updates would be available to the rest

17:08

of the company. Once these updates are approved they could be download to other servers and

17:14

the local administrator could decide which updates are installed on which computer.

17:20

This is a good set up when you have two different IT departments working independently from

17:24

each other but can only install approved updates. If both WSUS server are being managed by the

17:31

same IT department you may want to select the option “this is a replica of the upstream

17:36

server”. You will notice that when this option is selected

17:41

you can’t configure any options on the server. What this means is that this server will have

17:47

all the same settings as the parent server. This makes administration of multiple WSUS

17:54

servers a lot easier. Since this server is a standalone server,

17:59

I will get my updates from Microsoft and move on. On this screen I can enter in a proxy

18:06

server if I need one to access the internet. In this case I have a direct connection so

18:11

I can leave it on the default and move on. Before you can start using the WSUS you need

18:17

to download a catalog of all the available updates. To do this, press the start connection

18:24

button and the catalog will be downloaded. The time required for this step depends on

18:29

your internet connection and can take a while. I have accelerated time to the end of the

18:35

download. Once complete I can move on to the next screen and select which languages I want

18:40

to download updates for. At the top you can select to download updates for all languages.

18:47

A word of caution with selecting this option. Doing so will greatly increase the amount

18:54

of space required on your local server required for installing updates and also the amount

18:59

of data traveling over your WAN link. In this case I will only download english updates.

19:06

I will get a warning here reminding me that any updates that you do not download on this

19:10

server will also not be available to any downstream servers that your configure later on.

19:17

A downstream server is simply anther WSUS server that is set to retrieve it’s updates

19:23

from anther WSUS server. On the next screen I can decide which products that I want to

19:29

download updates for. There is a huge range of Microsoft products but WSUS does not allow

19:35

3rd party products to be added. You should choose products that you use in

19:41

your organization, in this case Microsoft Office. You will need to take some time going

19:46

through the list making sure that you have selected all the products you use. You could

19:52

selected them all, but this of course will use more bandwidth and hard disk space.

19:58

Notice the operation systems at the bottom. You should deselect the operating systems

20:03

that you no longer use in your company. If you are planning on deploying new operating

20:09

systems in the future, for example windows 7, I would leave it ticked so that the updates

20:14

are ready when you deploy your first computer. On the next screen you can choose which types

20:21

of updates you want to download. By default critical updates, definitions and security

20:26

updates are selected by default. Some companies don’t like download new drivers as they

20:32

may cause an existing operating system to start blue screening.

20:36

I like to select things like feature packs and services packs. These can be very large

20:42

and in my opinion save a lot of bandwidth when you deploy them to a big group of clients.

20:48

Remember however that if you download service packs, the end user may experience a long

20:53

day when login in one morning when the service pack installs.

20:58

In some companies I have seen them deselect service packs and choose to install them manually

21:04

so they can better manage when they are installed. In this case I will select everything. Once

21:10

you have decided which updates you want to install you need to download them.

21:16

On the next screen you can decide if you want to perform manual synchronizations or set

21:22

up a schedule. In this case I will leave it on manual so I can decide when to perform

21:27

the synchronization. On the next screen I can decide if I want to perform the initial

21:33

synchronization now. The first synchronization takes the longest

21:38

to complete so I leave the setting on manual and perform the synchronization later on.

21:43

That’s it for the WSUS, the initial install of WSUS and initial configuration are completed.

21:50

Now that you have WSUS installed, you need to give some thought on how to configure it.

21:56

Depending on your network will determine how you want to deploy WSUS. Consider this network.

22:03

Like most companies you have a firewall between your network and the internet.

22:08

This particular company has a policy that severs that connect to the internet must be

22:13

on a perimeter network or a D M Z. Since the WSUS server needs to access the internet it

22:21

is placed on the premier network. For your clients to access a WSUS server, you need

22:27

to install anther WSUS server on the production network.

22:32

This server is configured as a replica of the WSUS parent. Any changes to the settings

22:37

on the parent WSUS server will be mirrored on the replica server. Replica WSUS servers

22:44

are common in large organizations. Imagine a large network with 20 sites. If you configured

22:51

all the sites as replicas for the WSUS parent, you would only need to make changes on the

22:57

one WSUS server. The next option you have for your server is

23:02

autonomous. This basically means the server can download updates from the WSUS parent

23:08

but administrators on this server are free to make any changes that they wish. Times

23:14

when you may use this option is when you have separate IT departments.

23:19

For example you may have a secure network that has it’s own administrators but they

23:23

still needs to get updates from your server. Using a WSUS server configure as autonomous

23:31

they can get the updates from your server, but decide themselves if they want to install

23:36

them and the settings they want to use for the their WSUS server. Now that you understand

23:43

the way WSUS servers can be used, let’s have a look at how to configure one.

23:49

To configure WSUS, run the admin tool, windows server updates services from the start menu.

23:57

On the start screen you can see some statistics about the WSUS server. When you starting using

24:03

WSUS this provides a quick rundown on how your server and the status of the clients.

24:09

Since this WSUS server has just been installed the statistics are all zero.

24:16

To configure your WSUS server, expand down in the admin tool until you get to options.

24:23

Some of the options are already configured. These were configured by the start up configuration

24:28

wizard when I first install WSUS. The first thing you want to set up is the source of

24:35

where your updates will be downloaded from. From the install wizard I select windows update.

24:43

If I select the second option I can change it to another WSUS server. Notice also I can

24:49

select the option “this server is a replica of the upstream server”. This is the same

24:55

option that was available in the original WSUS wizard.

25:00

Notice that I when I select this option I get a message saying that all other options

25:04

have been disabled. This is how you change an existing WSUS server into a replicator.

25:12

If I set the option back to windows update and select the proxy tab I can change the

25:17

proxy setting used to download updates. The next option allows you to change the products

25:24

and classifications you want to download. If you wish, you can select all the products,

25:30

however this will increase the size of your downloads. If you don’t have the product

25:34

on your network it is a good idea to deselect it.

25:39

In a moment I am going to perform the first synchronization. For this reason I will de-select

25:45

all the other products. I will also go through and deselect any old operating system not

25:51

used on the network. This will help speed up the initial sync. If you are not sure if

25:58

a product is being used on your network, you should select it otherwise WSUS will not download

26:03

any updates for that product. At any time you can come in and change the

26:09

options. On the classification tabs you can decide which types of updates you want to

26:14

install. To speed up the initial sync I am going to select security and critical updates.

26:20

The type of updates you select is depend on your needs. I have seen some network install

26:26

everything other than service packs due to there size and time it takes it install.

26:31

I am sure that none of your end users want to wait 5 to 10 minutes for the computer to

26:36

start up one morning because a service pack was installed. Remember however, unless your

26:42

approve the update it will not be installed. If you have plenty of hard disk space I would

26:48

personally select everything and then you can choose later on which updates you want

26:53

to install. If I select the option updates files and languages.

26:58

I can choose how the updates will be stored on the server. Download updates files to this

27:04

server only when updates are approved means updates will not be downloaded until you approve

27:10

them in the admin tool. This does save disk space as updates will

27:14

not be downloaded until they are required, however it also means that updates will not

27:20

be installed until the next synchronization in performed.

27:24

The option download express installation files makes the download files larger, however they

27:31

are more intelligence in the way they update the operating system. This means they own

27:36

replace files that need to be replaced and thus tend to install faster, however the trade

27:42

off is the files are larger. If you select the option do not store updates

27:48

locally this will force the clients to download the updates from windows update. If you have

27:54

limited hard disk space you may want to select this option or if you have high speed link

27:59

to the internet and very few clients. Remember though, if you clients are correctly configured

28:05

they won’t be able to download any updates from Microsoft unless you approve them.

28:11

On the language screen, you can add additional languages if require additional languages

28:16

later on. If I now select the option synchronize schedule, when you can decide when WSUS will

28:24

sync, by default once per day. You can set this up to 24 times a day.

28:30

When configuring settings like these, keep in mind patch Tuesday. Patch Tuesday is the

28:37

second Tuesday of every month when Microsoft releases security updates. Microsoft do release

28:44

patches at other times if there is enough need, but try to follow this schedule whenever

28:49

possible. Depending on your environment you may have

28:52

a lot of time to look through the patches or you may just decide to install any patch

28:57

that Microsoft releases. If I select the option automatic approvals I can select the option

29:04

“default automatic approval rule”. As you can see down the bottom of the screen,

29:10

critical and security updates will be approved on all computers when they are released. Selecting

29:16

this option will reduce your WSUS administration, however also means that untested updates will

29:23

be deployed on your network. On the advanced tab, WSUS has the ability

29:28

to automatically approve updates that are for the WSUS product itself. Also notice the

29:34

two options revisions of updates. Sometimes Microsoft will releases revisions for an update.

29:42

When this tick box is ticked, a revision of an update will automatically be installed

29:48

even though it has not been approved as long as the original update was approved.

29:54

Notice also the option “automatically decline updates when a new revision causes them to

29:59

expire”. This means if a newer update is released, the old update will automatically

30:05

be declined. If I exit out of here and select the option computers, I can set how computers

30:11

will be assigned to groups. The default setting means you have to use the WSUS admin tool

30:18

to assign computers to groups. The second option uses group policy or registry

30:24

settings on computer to determine which group the computer is a member of. On a large network

30:30

this is a better way of performing administration on your network. In a moment I will create

30:36

a group policy to configure my client computer so I will leave it on the second option and

30:41

press o.k. The next option is the server clean up wizard.

30:47

The server clean up wizard let’s you perform some maintenance on your server. As you can

30:52

see, there are quite a lot of options that you can select in the WSUS cleanup wizard.

30:58

The first option allows you to delete unused updates and update revisions that have expired

31:04

or have not been approved for more than 30 days. The next option allows you to remove

31:10

computers that have not contacted the server in the last 30 days.

31:16

Personally I would be careful about using this option because mobile users or users

31:21

that take extended holidays may be removed from the server by mistake. 30 days may seem

31:27

a long time, but when someone in on extended holidays or in an office that is isolated

31:32

from the network, ticking this option may remove their computer when it is still in

31:37

service. The next option removes any unneeded update files. These files are not required

31:44

by WSUS server or required by any downstream servers.

31:50

You also have a tick box which will remove expired updates. These include updates that

31:55

you have been declined in the administrative tool or updates that Microsoft has marked

31:59

as expired. The next option removes superseded updates which have not been approved but have

32:07

been superseded by Microsoft. This simply put means there is a newer update for that

32:13

update available. Once I have decided on which maintenance options

32:17

that I need, when I press next WSUS will perform maintenance. Depending on how many computers

32:27

are removed and added to your network will determine how often you will want to run this

32:31

maintenance tool. Given that WSUS has just been installed, there

32:34

will not be any updates or computers that need to be remove. If I now exit out, the

32:40

next option is a reporting rollup. Reporting rollup essentially means that any downstream

32:47

servers will send reporting data to this server which will then be included in this servers

32:53

reports. Since I don't have any downstream servers

32:56

configured I won't worry about setting any options in here. The option e-mail notifications

33:03

allow us to send an administrator e-mails when new updates are available and also you

33:09

can configure it to send status reports about the WSUS server. The option Microsoft update

33:16

improvement program simply allows you to select whether you want to participate in the program

33:21

or not. The personalization option allows you to configure

33:26

how information will be displayed in WSUS. For example you could choose to filter out

33:33

data reported from your replica servers. You could also choose which "to do" alerts to

33:38

generate and which ones to ignore. The last configuration Wizard runs the same wizard

33:44

that ran when I first installed WSUS. If you canceled the wizard when you first installed

33:51

WSUS or you need to run the wizard again you can select this option.

33:57

Now that WSUS is configured I will perform the first synchronization. If I select the

34:03

option synchronizations on the left I can select the option synchronization now from

34:09

the right hand side. If I select the synchronization job, you can see down the bottom of the screen

34:15

how much of the process has completed. The first synchronization will take the longest

34:21

but synchronizes after this will be completed a lot faster.

34:26

To better control the installation of updates on your network, WSUS allows you to create

34:32

groups to make administration easier. By default WSUS contains two groups. The first group

34:39

is all computers. All the computers that WSUS in providing updates for will be found in

34:45

this group. The next group is unassigned computers. You

34:50

can create as many groups as you want and assigned computers to these groups. Wsus will

34:56

then decide which updates will be deployed on this computer by the group the computer

35:01

is in. Microsoft has two different ways of placing computers into groups.

35:07

If you perform this process manually it is called Server side targeting. This is done

35:13

though the WSUS admin tool. On a large network with a lot of computers being removed and

35:19

added to the network this can become a very time intensive task. To make this process

35:25

easier and more automated Microsoft offers what it calls client side targeting. When

35:32

client side targeting is used the client decides which group the computer will be assigned

35:38

to. Client side targeting is usually done through

35:41

group policy. Using group policy you can set the group membership for computers in your

35:47

domain and also newly created computers in the domain. Let's have a look at how to perform

35:53

server side and client side targeting. To perform server side targeting first of

36:00

all you need to configure your client to use your WSUS server. To do this, on my Windows

36:07

7 computer, first of all I need to go to my start menu and then run edit group policy.

36:13

I will cover group policy in more detail later on when I go through client side targeting.

36:19

I need to use group policy to set the WSUS server that windows update will use. Unfortunately

36:26

you can’t set this information in the control panel. Once you are in local group policy,

36:32

you need to go into computer configuration, administrative templates, windows components

36:40

and then Windows update. The option I need to set is “specify intranet

36:47

Microsoft update service location”. Once this is enabled I can set the location for

36:53

my WSUS server. I can also set the statistics server which in most cases will be the same

36:59

as your WSUS server. Now that I have set my WSUS server all I need

37:05

to do is close group policy and from the start menu and open a command prompt. From the command

37:11

prompt run GP update to update group policy on the local computer.

37:18

Windows update will now be changed to connect to my WSUS server. This computer will eventually

37:24

register itself with the WSUS server. To speed up the process I can run the command w u a

37:31

u c l t with the switch detect now. This will make windows update register itself with wsus.

37:41

Now that I have configured my client, I will switch to my WSUS server.

37:47

Now that I am logged into my WSUS server, if I run the admin tool and in the admin tool

37:52

expand computers, you will notice under computers the group all computers. If I expand all computers

38:01

you can see the group unassigned computers. These are the two default groups that created

38:08

by WSUS. To create a new group all I need to do is

38:12

right-click on all computers and select add computer group. In this case I will call the

38:18

group trial group. Computers in his group will receive updates before the rest of the

38:24

computers on the network. This allows me to test the updates for problems before they

38:29

are deployed to the rest of the network. In the unassigned computers group there are

38:33

currently no computers listed. At the top, notice zero computers of one shown. What has

38:40

happened is that the client that I just added is all ready up to date. The filter at the

38:46

top by default is showing only computers that have a status of failed or needed. In other

38:53

words updates have failed to install on the computer or the computer requires updates

38:58

to be installed. To fix this all I need to do is select the

39:01

drop down box and select any and then press the refresh button. You can see now that my

39:08

computer has appeared. If I now right-click on the computer and select change membership

39:13

I can assign the computer to the group that I just created. You can imagine that by doing

39:19

this method, which Microsoft calls this server side targeting, could become very time consuming

39:25

very quickly on large networks. Now that I have a trial group set up, I want

39:31

to create an automatic approval rule for the trial group. To do this, select options and

39:38

then select automatic approvals. To create a new rule, select the option new rule. You

39:45

can then specify if you want the rule to apply to classification and products. The last option

39:52

allows you to set a deadline. A deadline allows the user to decline an update if their set

39:58

up allows it. After the deadline has expired the update must be installed.

40:05

At the bottom of the screen, I can change which classifications I want updates installed

40:10

for. You could for example only install security updates and critical updates. The rest of

40:16

the updates you could set so they have to be manually approved.

40:20

The last option is the most important option as it determines which computer the rule will

40:26

apply to. Lastly all I need to do is enter in the name for this new automatic approval

40:33

rule. Now my WSUS server is set up so that any computer that is in the trial group will

40:40

automatically without any administration on my part have all updates install on it.

40:49

As you can see ,using server side targeting can become quite time-consuming. If you want

40:55

to use client side targeting, what you need to do is select the option computers. In this

41:01

option I can choose to use client side targeting by selecting the option use group policy setting

41:08

or registry settings on computers. This means that group membership will be determined

41:13

by a setting that is found on the local computer which will be sent to the server when the

41:19

client registers itself with the WSUS server. Now that I have switched WSUS to client side

41:26

targeting, I will now switch to my domain controller and set up a new group policy for

41:31

my domain. On my domain controller I will go to my start

41:35

menu and open group policy management. In my domain I have already created an organizational

41:43

unit or O U that contains my servers. If I right-click on this O U and select the option

41:50

crated G P O in this domain and link it here. I can create a new group policy to apply Windows

41:58

updates to all my servers. This new group policy I will call Windows update servers

42:04

G P O. Once I have created the G P O I can edit the

42:08

G P O and then go into computer configuration, policies, administrative templates, Windows

42:17

components and then all the way down to the bottom to Windows update. If I select the

42:24

standard view you I can see the complete group policy setting without it being cut off. The

42:31

option you need to enable for client side targeting is the one here, enable client side

42:36

targeting. Once enabled I can enter in a group name and

42:41

then any computers that have this group policy applied to them will automatically be placed

42:46

in this group on the WSUS server. As I did before, I need to set the location of the

42:52

WSUS server so the client knows where to get it’s updates from. These are the two main

42:57

settings you need to configure so clients on your network can access Windows updates

43:03

from your WSUS server and be placed in to a group.

43:08

However there are a lot of other options the you may want to consider setting. Going through

43:13

the list from the top. The first option when enabled removes installed updates from the

43:19

shut down option from the start menu. In a moment you will see that you can configure

43:24

Windows updates to install at scheduled times. If you are planning on doing this you may

43:30

want to disable this option. Enabling this option gives the user the option

43:35

to install updates when they shut down the computer. Most users don’t mind doing this

43:41

as they are generally going home when they shut down their computer. The next setting

43:46

determines whether installed updates and shut down is the default option when the user goes

43:51

to shut down their computer. Generally it is a good idea to leave on the

43:55

default shut down and install updates as when the user shuts their computer down by default

44:01

updates will be installed. The next option allows Windows update to automatically wake-up

44:07

the system if updates are scheduled to be installed.

44:12

This option you may want to enable on desktop systems. This allows windows update to wake

44:18

up a computer and install updates on it. If you have computers that are regularly rebooted

44:25

and used regularly you may not need this option. This option is useful when you have computers

44:31

that may be off for an extended period of time and you want ensure that updates are

44:37

installed on them. The next option, configure automatic updates is the setting that will

44:44

be set on most networks. When enabled you have a number of different ways that you can

44:49

configure automatic updates. The first option, option number two, notifies

44:56

the user when a new update is available for download and also prompts the user when the

45:01

update is ready to be installed. This gives the user the maximum amount of user interaction

45:07

for Windows updates. Option number three will automatically download windows update and

45:13

notify the user asking them if they want to install the update.

45:18

Option number four is the option that is chosen on most networks as this will automatically

45:23

download updates and then schedule the install without any user interaction. If I select

45:30

option number four, you will also notice that I can select down the bottom which days that

45:35

I want to run scheduled updates on. I can choose every day or a particular day.

45:41

I can also set the time that the update will be installed. The default is three o'clock

45:47

in the morning. What this essentially means is that if the computer happens to be on at

45:52

three o'clock in the morning the updates will automatically be installed.

45:57

If the computer is switched off at that time, when the computer is switched on after a random

46:03

delay Windows will automatically install the updates. The reason Microsoft use a delay

46:09

is so that when the user first starts their computer it is not slowed down trying to install

46:15

updates. Option number five allows the local administrators

46:19

to choose their own settings. On most networks you want to select option number four as this

46:27

provides the most automation way to install updates with the least amount of user interaction.

46:34

If you have programmers or developers on your networks you will probably want to select

46:39

option number five so they can choose if they want to install updates.

46:44

The next option I have already set, it simply specifies the WSUS server that will be used.

46:51

The next option allows you to set how often Windows update will check for updates. The

46:58

default is 22 hours but having said that the time always has a randomized delay added in

47:05

the range of 0 to 20%. The reason Microsoft do this is because if

47:10

there was no randomized delay. All the clients on your network could potentially attempt

47:17

to connect to your WSUS server at once and retrieve updates. This would put a huge load

47:23

on your network and your WSUS server. This value can be set all the way down to

47:29

once an hour. On most networks the default value of 22 hours will work fine. The next

47:36

option allows a non-administrator like a domain user to receive update notifications. If you

47:43

have configured Windows update to run automatically in the background you may what want to disable

47:49

this setting. The next setting determines whether the user

47:53

will be prompted when features are available for the operating system. Enabling this option

47:59

allows the user to decide if they want these features installed. This setting will automatically

48:05

install updates immediately that do not require a restart. For example if you are running

48:11

Windows defender, definition updates can be delivered through Windows update and these

48:16

updates do not require a restart. In most cases you will want to enable this option.

48:23

The next setting determines whether recommend updates will be included. By default, security

48:29

and critical updates are installed. If you would like to include updates that Microsoft

48:34

recommend these will also be download and installed. The setting disables automatic

48:41

restarting if a user is logged in. If the computer is on the login screen and no user

48:47

is logged in, windows update will automatic restart the computer if required.

48:53

The next option is the delay before the user is prompted to install scheduled updates after

48:59

they have previously refused to. As you can see you can set this value quite high. Moving

49:06

on to the next setting. This setting allows you to set the delay for how long windows

49:11

will wait after scheduled updates are install before asking the user to restart the computer.

49:17

You can see this value up to 30 minutes. The next setting determines how long windows update

49:24

will wait after the computer starts up before it will attempt to run a missed scheduled

49:29

update. This value goes all the way up to 1 hour. Having this value set gives the user

49:35

time to start they computer up and run some applications before windows installs any updates.

49:42

You could imagine that a user starting their computer up in the morning is not going to

49:46

want their performance of their computer slowed down due to windows update being installed.

49:52

Setting this value allows the user time to start their computer up and launch some applications.

49:58

The down side is the computer will need to be on long enough for the updates to be installed.

50:05

The next setting is client side targeting which I set previously.

50:10

The last option allows you to receive signed updates from an intranet Microsoft update

50:16

service location. What this essentially means is that you can receive updates that were

50:22

not directly signed by Microsoft. As long as your computer trusts the publisher of the

50:28

update, the update can be installed on the computer that is in group policy.

50:34

Now that I have configured group policy, I can close all the group policy windows and

50:39

then switch back to my WSUS server to demonstrate client side targeting.

50:45

On my server if I now run the WSUS admin tool. I first need to create a group to store my

50:51

servers in. To do this I will right click on all computers and select add computer group.

50:59

Given enough time your clients of your wsus server will start appearing.

51:03

You may however want to speed up the process. If I open a command prompt and run the command

51:09

w u a u c l t with the switches reset authorization and detect now this will force the client

51:19

to update itself on the WSUS server right away.

51:24

Reset authorization resets any group membership and detect now forces WSUS to redetect the

51:31

client. If I now exit the command prompt and go into the servers group, select any computer

51:38

and press refresh, you can now see that this server, WSUS 1 has been added.

51:46

In time all your servers and clients will add themselves and place themselves in groups

51:52

according to your client targeting options. If I select the root of the WSUS server, I

51:59

will get a quick overview of the server. You can see that there are a number of security

52:04

updates that have not been approved. If I select approved I can see all the updates

52:11

that are waiting to be approved. If I right click on one I can select approve. As you

52:17

can see, I can now select which groups I want to approve the update to. WSUS is also a great

52:25

report tool. If I select reports there are a number of

52:29

different reports I can generate. If I select one I will get an error message telling me

52:35

that report viewer redistributable is not installed. I have all ready downloaded report

52:41

redistributable and place it on the desktop. If I now close the WSUS admin tool and go

52:48

to my desktop and run it. You will see the install for the report viewer is very simple.

52:55

I have sped up the install but it only takes a minute or so. Once installed if I now run

53:00

the admin tool again and then select reports and select the report I want.

53:06

All I need to do to generate the report is select the option run report. Using WSUS you

53:14

can manage the deployment of your updates as well as perform reporting on computers

53:19

in your organization. In summary, remember that WSUS is primary

53:26

used to manage updates. It allows you to install, report and audit updates on your network.

53:35

Expect in the exam Microsoft to make reference to server side targeting. This is when group

53:41

membership is decided with the admin tool. Client side targeting is when the clients

53:48

tells the WSUS server which group to put themselves in. Normally you will use WSUS with computers

53:56

that are in your domain. If you have a computer that are not in the domain, use local group

54:02

policy on that computer to set it to use your WSUS server. Set up correctly, WSUS can make

54:10

managing and keeping your computers update to data a lot easier.