Patch Management Made Easy with WSUS 3.0 SP2
One of the challenges that comes with running a network is keeping your operating systems patched and secure. In response to this problem, Microsoft has released Windows Server Update Services 3.0 SP2 as a means to centrally download updates and control how they are deployed to the computers throughout your network. Additionally, WSUS provides extensive reporting features to quickly give you a snapshot of your computers’ status. If your network is big enough to have a server and use Active Directory, it’s big enough to benefit from using WSUS.
Despite the relative sophistication of Windows Server Update Services, it’s fairly easy to get a basic installation up and running. The prerequisites are a server running Windows Server 2003 SP1 or greater, IIS 6.0 or greater, .NET Framework 2.0, and the Report Viewer 2008 Redistributable. If you run SQL Server 2005 SP2 or greater, you can use that. Otherwise the Windows Internal Database will be installed automatically. It’s worth taking a look at the WSUS 3.0 SP2 release notes for more detailed requirements.
Installing WSUS 3.0 SP2
Once you confirm that your server meets the above prerequisites, download the appropriate version (32-bit or 64-bit) of WSUS and run the setup. If you’re upgrading from an unsupported database, WSUS 3.0 SP2 will automatically migrate your database to the Windows Internal Database. During installation, you’ll need to specify an uncompressed NTFS partition with at least 6GB of free space. Once installed on a server, you can run the installation on your desktop computer for remote management.
During setup, WSUS launches a configuration wizard, giving you an opportunity to specify what languages you use, what products you want to see updates for, and what types of updates are synchronized. By default, only critical updates, definitions, and security updates are selected. I recommend selecting All Classifications, since updates aren’t actually deployed unless you approve them anyway.
Configuring Clients
Next you’ll want to configure your clients to use the WSUS server using Group Policy. If you’re unfamiliar with Group Policy, visit the Group Policy home page for more information.
Using the Group Policy Management Console create a new policy and link it to the appropriate Organizational Unit. Then right-click on the policy, select edit, and browse to Computer Configuration, Policies, Administrative Templates, Windows Components, and finally Windows Update. Here you’ll want to modify the following policies.
– Configure Automatic Updates. Click Enable and then choose the option most appropriate for your organization.
– Specify intranet Microsoft update service location. Click Enable then type in the URL for your server in both fields (e.g. http://yourWSUSserver).
– No Auto-restart with logged on users for scheduled automatic updates. Enabling this is optional, but highly recommended. Users get irate when their computers automatically restart without their consent.
– Enable Client-side targeting. This one is also optional. While you can assign computers to groups in the WSUS management console, you can also specify the group name here.
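The four policies above are written by Group Policy to the WindowsUpdate keys under HKLM\SOFTWARE\Policies. The following script is an added example (not from the article) that reads those values on a client and reports whether the machine is actually pointed at your WSUS server with the recommended settings; the server URL is the article's placeholder and should be replaced with your own, and the script assumes it is run after a Group Policy refresh.

```powershell
# Added example: audit a client's effective Windows Update policy against the
# settings recommended above. Run on a domain-joined client after gpupdate.
$ExpectedServer = 'http://yourWSUSserver'   # placeholder: replace with your WSUS URL

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when Group Policy has not written the key or value
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wuServer  = Get-PolicyValue $wuKey 'WUServer'           # Specify intranet Microsoft update service location
$wuStatus  = Get-PolicyValue $wuKey 'WUStatusServer'
$useWU     = Get-PolicyValue $auKey 'UseWUServer'
$auOptions = Get-PolicyValue $auKey 'AUOptions'          # Configure Automatic Updates (2, 3, 4 or 5)
$noReboot  = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
$tgEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled' # Enable client-side targeting
$tgName    = Get-PolicyValue $wuKey 'TargetGroup'

$findings = @()
if ($useWU -ne 1 -or [string]::IsNullOrEmpty($wuServer)) {
    $findings += 'Client is not configured to use an intranet update server.'
} elseif ($wuServer -ne $ExpectedServer -or $wuStatus -ne $ExpectedServer) {
    # Both URL fields should carry your WSUS server; anything else means this
    # machine is taking updates and reporting status to a server you did not intend.
    $findings += "WUServer/WUStatusServer are '$wuServer' / '$wuStatus', expected '$ExpectedServer'."
}
if ((2..5) -notcontains $auOptions) {
    $findings += "AUOptions is '$auOptions'; Configure Automatic Updates is not enabled."
}
if ($noReboot -ne 1) {
    $findings += 'No auto-restart with logged on users is not enabled.'
}
if ($tgEnabled -eq 1 -and [string]::IsNullOrEmpty($tgName)) {
    $findings += 'Client-side targeting is enabled but no target group name is set.'
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME uses $wuServer (AUOptions=$auOptions, group='$tgName')"
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
}
```

Running this across a set of clients (for example through Invoke-Command) gives a quick check that the policy you linked in the GPMC actually reached the computers you expected.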
Creating Groups
Groups are useful when you want different computers to have updates applied differently. For example, you might want to automatically install service packs for office computers, but install them manually on your servers or lab computers.
Creating groups is simple. Open the Windows Server Update Services management tool, then expand Computers, right-click on Unassigned Computers, and select Add Computer Group. You can add computers to this group by right-clicking on them in Unassigned Computers, selecting Change Membership, and checking the group (or groups) you want to add them to.
Configure Auto-Approval Rules
Virtually no one is sadistic enough to want to manually approve each update from Microsoft. Fortunately, there’s a way to automatically approve updates. Open the Windows Server Update Services management tool, click on Options and then Automatic Approvals. You’ll notice there’s already a rule created named Default Automatic Approval Rule. This rule automatically approves all critical updates and security updates for all computers. It’s a great default rule and may be all you need. To enable it, simply check the box next to it and click Apply.
It should be obvious that WSUS is a robust tool with a host of options and features. While I highly recommend exploring it further to see how else it can serve you, simply installing it and configuring the options recommended here will go a long way toward automating the management of your network.
Michael Scalisi is an IT manager based in Alameda, California.