WSUS

In this section I will look at WSUS. WSUS, or Windows Server Update Services, provides updates to computers in your organization. Think of it as your own Windows Update server. Once you start using WSUS, you will find that it can be used on small networks and is also scalable to an enterprise network. In this video I will first look at an overview of WSUS and how you can use it in your organization. Following this I will look at the prerequisites required to install WSUS and also the hardware requirements of WSUS. Following this I will show you how to install and configure WSUS. A big part of the management of WSUS is groups. I will spend some time looking at how the groups work in WSUS, then I will show how you can configure the clients in your organization to use WSUS with group policy. There is a lot to WSUS, but with careful planning you can update and audit the computers on your network. One of the biggest advantages of WSUS is that it allows you to download updates from Microsoft and store them locally. By using WSUS to store data locally you can vastly reduce the amount of data that gets transferred over your WAN link. Imagine if one of your branches has 200 computers and each user goes to download a service pack directly from Microsoft. Each service pack could be up to 100 megabytes in size. You can imagine the load that would place on your WAN connection. When this course was created, Service Pack 1 for Windows 7 had not yet been released. Rumor has it that Service Pack 1 for Windows 7 is 1.2 gigabytes in size. Windows Vista Service Pack 2 is over 300 megabytes in size. Whatever mathematics you use, a network with 200 computers downloading the same service pack is a lot of data. To help use your WAN connection better, a WSUS server can be placed on the network. The WSUS server will download updates from Microsoft while the client will download the updates from the WSUS server. This means large downloads like service packs are only downloaded once over the WAN connection.
When deploying WSUS on a large network, you should try to place your WSUS servers with reference to your network topology. If the company also had a site, say in Florida, with 50 computers connected by a high speed link, it would make sense for WSUS to get its updates from the other WSUS server in New York rather than from Microsoft. On a large network it is not uncommon for only one WSUS server to access the internet and replicate updates to the other WSUS servers at other sites. In some cases it makes more sense for the WSUS server to access the Windows Update server directly. Consider this. The company has a large office of 100 computers in Canada. The link back to the main office is a slow WAN link, however the office in Canada has its own high speed internet link. In this case, it makes more sense for the WSUS server at this location to get its updates directly from a local Windows Update server, if one is available, rather than via the slower office WAN link. Also consider a very small office in the UK with only two computers. In this case you would want WSUS to determine which updates the computers can install, but it is simply not worth installing a WSUS server at that location or downloading the updates from head office. This brings us to the next main reason for installing WSUS, which is to approve or decline updates, or in other words, to control how updates are installed in your organization. In the case of the UK office, the 2 computers would contact the internet directly to download Windows updates, however they would also communicate back to the New York WSUS server on which updates they had installed and ask what updates they could install. In other words, WSUS allows you to optimize downloading of your updates and also control which updates are installed. To do this, WSUS allows you to create groups.
You are free to create whatever groups you require, but often organizations will create a group for testing updates, a pilot group and a production group. Even though Microsoft goes to quite a lot of effort to test their updates, problems can occur if updates and other software on your computer have compatibility problems.

Create a pilot group so you can first test the updates on your network and hopefully stop, or at least minimize, potential problems on your network. Currently the most recent version of WSUS is version 3 with Service Pack 2. In order to install WSUS, you need to be running one of the following server operating systems. First, Windows Server 2008 R2 or Windows Server 2008 with Service Pack 1. WSUS also supports Windows Small Business Server 2008 and 2003 as well as Windows Server 2003 with Service Pack 1. There are also a number of software prerequisites to run WSUS. First you need to have installed .NET Framework 2.0. To store the data required to run WSUS you need a database. For small installs of WSUS you can use the Windows Internal Database. If you need more of an enterprise solution you can use SQL Server 2008 or SQL Server 2005 with Service Pack 2. To run the administration of WSUS you require Microsoft Management Console 3.0. To generate reports WSUS requires Microsoft Report Viewer Redistributable 2008, but this is only required if you want to generate reports. WSUS will install without this component and you can install the report component at any time. Lastly, WSUS requires IIS 6.0 or greater. When you install IIS you will need to make sure that certain components of IIS are also installed. For the IIS requirements you require the ASP.NET component. This is a web application framework created by Microsoft. Next you require Windows authentication. This will allow the client to be authenticated by WSUS when requesting updates. WSUS also requires dynamic content compression. Dynamic content compression allows WSUS to reduce the size of web pages by using compression. Lastly, if you are using IIS 7 you will require IIS 6 management compatibility. WSUS currently has been updated to work directly with IIS 6 so this component provides the bridge until this occurs.
Once you have met all the software requirements there are also some hardware requirements to meet. The first requirement is that the system and WSUS partitions must be formatted with NTFS. The WSUS partition must also not be a compressed drive. For the disk space requirements, you require 1 gigabyte free on the system partition. The database requires 2 gigabytes of space and lastly you need 20 gigabytes free to store updates. Microsoft does recommend 30 gigabytes of free space for updates. As you will see later on in the configuration of WSUS, how many products you decide to download and the updates you choose will determine how much disk space is required. To install WSUS you can download it from the Microsoft web site. Just go to www.microsoft.com/wsus for details. WSUS can also be installed from Server Manager. If you find that WSUS is not available in Server Manager you will need to update Server Manager using Windows Update. Once the necessary update has been obtained from Windows Update, WSUS 3 with Service Pack 2 will be available in Server Manager. Remember that even though it is available in Server Manager, once you attempt to install WSUS it will still download WSUS from the internet. If your server is not connected to the internet you will need to obtain the standalone version of WSUS and install it. Also you need to take some time to consider what type of updates you want to download. These include critical, definitions, drivers, feature packs, security, service packs, tools, update rollups and other updates. As you can see the list is quite large. Previously with Windows Update, only a small amount of updates were available. Microsoft has put a lot of work into Windows Update to provide additional features as well as more updates. At present, Windows Update provides updates for Windows operating systems and other Microsoft products. You will see in a moment that the list of Microsoft products you can get updates for is quite large.
Remember though, if you are retrieving updates from another WSUS server, you can only retrieve the updates that the other WSUS server has. If the upstream server for example decides not to download Microsoft Office updates, you will not be able to download any Microsoft Office updates to the downstream server. Let’s have a look at how to install WSUS. In this example I will install WSUS through Server Manager, but as you will see, whether you install it through Server Manager or via the standalone install, the install is the same. First of all I will run Server Manager from the quick launch. From the roles section select the option add roles from the right hand side. Once I am past the welcome screen, select Windows Server Update Services from the component list. Once selected, Windows will prompt you for additional IIS components that are required. The advantage of installing WSUS through Server Manager is that IIS components are automatically installed for you. If you are using the WSUS standalone install, you will need to make sure the IIS components for WSUS are installed before you start installing WSUS. Once I press next I will be taken into the configuration for IIS. Once past the IIS welcome screen you can see the components of IIS that will be installed. You can see that ASP.NET has already been selected. Under security, Windows authentication has been selected. Under performance, dynamic content compression has been selected, and lastly under management tools, IIS 6 management compatibility has been selected. You can see however that only IIS 6 metabase compatibility is selected out of the IIS 6 management compatibility components. If you plan on performing a manual install of WSUS, check your existing IIS setup, or when installing IIS make sure that these four components are installed. On the next screen you will be taken into the WSUS setup. You will see that when I press next there are no options to configure via Server Manager. Once I press install the WSUS install will start. You will notice that under the progress bar it says downloading.
In order to install WSUS via Server Manager your server must have access to the internet. Once WSUS has been downloaded from the internet, Server Manager will start installing the other components required for WSUS, in this case IIS. The install may take a few minutes. I have accelerated time to the end so we don’t have to wait. You will notice that a new setup program has been launched. This setup program is the standalone setup for WSUS. The setup from here onwards is identical to the install performed by downloading and running the standalone setup from Microsoft. Once I accept the license and move on you will notice that I get a message telling me that Microsoft Report Viewer 2008 Redistributable needs to be installed before I can generate any reports. This can be installed later so I will skip this part and move on. On the next screen you can decide where you want to store the updates that WSUS downloads. If you deselect this option, WSUS will not store any updates locally. When an update is requested via a client, WSUS will download the update directly from Windows Update or from another WSUS server. If you only want to use WSUS to determine what updates an end user can install, you can choose not to store any updates locally. In this case, I will store the updates in the default location on the C drive, but for best performance you should consider storing the updates on a separate hard disk. On the next screen you can determine where WSUS will install its database files. By default you can use the Windows Internal Database. In a large enterprise environment you may have a SQL server. If I had SQL Server installed on this computer this option would not be grayed out and I would be able to select a database. If your SQL database is on another server you could select the last option to connect to it. In this case I will use the Windows Internal Database and move on.
On this screen you can decide which web site you want WSUS to use. If you have no other web site on this server and are not planning on installing an additional web site in the future, you should select the first option, use existing IIS default web site. If you want to use the default web site for something else you should select the second option and WSUS will not use the default web site. In this case I am not planning on setting up any additional web sites on this server so I can select the default option. Once I confirm the install options on the next screen I can move on and the install will start. The install may take 5 minutes or so to finish; I have accelerated time to the end of the install. You can see now that IIS and WSUS have been installed through Server Manager, however WSUS is still not configured. Once the install has completed the WSUS configuration wizard will automatically be started. If I close the Server Manager install wizard, you will notice that in Server Manager there is a warning. This is because WSUS has not been configured yet. The WSUS configuration wizard can be run at any time and is available through the start menu. You will notice I can close Server Manager without affecting the WSUS configuration wizard. Once I am past the WSUS welcome screen I will get the option to decide if I want to take part in the Microsoft improvement program. Taking part in the program means that Microsoft will receive statistics on your network. Since this is a test network, I don’t want to give Microsoft any misleading statistics so I will switch this option off. On the next screen you can decide where this WSUS server will get its updates from. By default WSUS will receive its updates from the Windows Update server. If you have another WSUS server on the network, you can download updates from this server. You can choose to enable SSL if you want traffic between the two servers to be encrypted. If I choose to obtain updates from another server, I will only be able to download updates that that update server has already downloaded. For example, just say you had a large company and a central IT department which decided which updates would be available to the rest of the company.
Once these updates are approved they could be downloaded to other servers and the local administrator could decide which updates are installed on which computer. This is a good setup when you have two different IT departments working independently from each other but which can only install approved updates. If both WSUS servers are being managed by the same IT department you may want to select the option “this is a replica of the upstream server”. You will notice that when this option is selected you can’t configure any options on the server. What this means is that this server will have all the same settings as the parent server. This makes administration of multiple WSUS servers a lot easier. Since this server is a standalone server, I will get my updates from Microsoft and move on. On this screen I can enter a proxy server if I need one to access the internet. In this case I have a direct connection so I can leave it on the default and move on. Before you can start using WSUS you need to download a catalog of all the available updates. To do this, press the start connection button and the catalog will be downloaded. The time required for this step depends on your internet connection and can take a while. I have accelerated time to the end of the download. Once complete I can move on to the next screen and select which languages I want to download updates for. At the top you can select to download updates for all languages. A word of caution with selecting this option. Doing so will greatly increase the amount of space required on your local server for storing updates and also the amount of data traveling over your WAN link. In this case I will only download English updates. I will get a warning here reminding me that any updates that you do not download on this server will also not be available to any downstream servers that you configure later on. A downstream server is simply another WSUS server that is set to retrieve its updates from another WSUS server.
On the next screen I can decide which products I want to download updates for. There is a huge range of Microsoft products but WSUS does not allow 3rd party products to be added. You should choose products that you use in your organization, in this case Microsoft Office. You will need to take some time going through the list making sure that you have selected all the products you use. You could select them all, but this of course will use more bandwidth and hard disk space. Notice the operating systems at the bottom. You should deselect the operating systems that you no longer use in your company. If you are planning on deploying new operating systems in the future, for example Windows 7, I would leave it ticked so that the updates are ready when you deploy your first computer. On the next screen you can choose which types of updates you want to download. By default critical updates, definitions and security updates are selected. Some companies don’t like downloading new drivers as they may cause an existing operating system to start blue screening. I like to select things like feature packs and service packs. These can be very large and in my opinion save a lot of bandwidth when you deploy them to a big group of clients. Remember however that if you download service packs, the end user may experience a long delay when logging in one morning when the service pack installs. In some companies I have seen them deselect service packs and choose to install them manually so they can better manage when they are installed. In this case I will select everything. Once you have decided which updates you want to install you need to download them. On the next screen you can decide if you want to perform manual synchronizations or set up a schedule. In this case I will leave it on manual so I can decide when to perform the synchronization. On the next screen I can decide if I want to perform the initial synchronization now. The first synchronization takes the longest to complete so I leave the setting on manual and perform the synchronization later on. That’s it for WSUS. The initial install of WSUS and initial configuration are completed. Now that you have WSUS installed, you need to give some thought to how to configure it. Your network will determine how you want to deploy WSUS. Consider this network. Like most companies you have a firewall between your network and the internet. This particular company has a policy that servers that connect to the internet must be on a perimeter network or a DMZ.
Since the WSUS server needs to access the internet it is placed on the perimeter network. For your clients to access a WSUS server, you need to install another WSUS server on the production network. This server is configured as a replica of the WSUS parent. Any changes to the settings on the parent WSUS server will be mirrored on the replica server. Replica WSUS servers are common in large organizations. Imagine a large network with 20 sites. If you configured all the sites as replicas of the WSUS parent, you would only need to make changes on the one WSUS server. The next option you have for your server is autonomous. This basically means the server can download updates from the WSUS parent but administrators on this server are free to make any changes that they wish. A time when you may use this option is when you have separate IT departments. For example you may have a secure network that has its own administrators but they still need to get updates from your server. Using a WSUS server configured as autonomous they can get the updates from your server, but decide themselves if they want to install them and the settings they want to use for their WSUS server. Now that you understand the way WSUS servers can be used, let’s have a look at how to configure one. To configure WSUS, run the admin tool, Windows Server Update Services, from the start menu. On the start screen you can see some statistics about the WSUS server. When you start using WSUS this provides a quick rundown on your server and the status of the clients. Since this WSUS server has just been installed the statistics are all zero. To configure your WSUS server, expand down in the admin tool until you get to options. Some of the options are already configured. These were configured by the startup configuration wizard when I first installed WSUS.
The first thing you want to set up is the source your updates will be downloaded from. In the install wizard I selected Windows Update. If I select the second option I can change it to another WSUS server. Notice also I can select the option “this server is a replica of the upstream server”. This is the same option that was available in the original WSUS wizard. Notice that when I select this option I get a message saying that all other options have been disabled. This is how you change an existing WSUS server into a replica. If I set the option back to Windows Update and select the proxy tab I can change the proxy setting used to download updates. The next option allows you to change the products and classifications you want to download. If you wish, you can select all the products, however this will increase the size of your downloads. If you don’t have the product on your network it is a good idea to deselect it. In a moment I am going to perform the first synchronization. For this reason I will deselect all the other products. I will also go through and deselect any old operating systems not used on the network. This will help speed up the initial sync. If you are not sure if a product is being used on your network, you should select it, otherwise WSUS will not download any updates for that product. At any time you can come in and change the options. On the classifications tab you can decide which types of updates you want to install. To speed up the initial sync I am going to select security and critical updates. The type of updates you select depends on your needs. I have seen some networks install everything other than service packs due to their size and the time it takes to install. I am sure that none of your end users want to wait 5 to 10 minutes for the computer to start up one morning because a service pack was installed. Remember however, unless you approve the update it will not be installed. If you have plenty of hard disk space I would personally select everything and then you can choose later on which updates you want to install. If I select the option update files and languages I can choose how the updates will be stored on the server.
“Download update files to this server only when updates are approved” means updates will not be downloaded until you approve them in the admin tool. This does save disk space as updates will not be downloaded until they are required, however it also means that updates will not be installed until the next synchronization is performed. The option download express installation files makes the download files larger, however they are more intelligent in the way they update the operating system. This means they only replace files that need to be replaced and thus tend to install faster, however the trade-off is that the files are larger. If you select the option do not store updates locally this will force the clients to download the updates from Windows Update. If you have limited hard disk space you may want to select this option, or if you have a high speed link to the internet and very few clients. Remember though, if your clients are correctly configured they won’t be able to download any updates from Microsoft unless you approve them. On the language screen, you can add additional languages if you require additional languages later on. If I now select the option synchronization schedule, you can decide when WSUS will sync, by default once per day. You can set this up to 24 times a day. When configuring settings like these, keep in mind Patch Tuesday. Patch Tuesday is the second Tuesday of every month, when Microsoft releases security updates. Microsoft does release patches at other times if there is enough need, but tries to follow this schedule whenever possible. Depending on your environment you may have a lot of time to look through the patches or you may just decide to install any patch that Microsoft releases. If I select the option automatic approvals I can select the option “default automatic approval rule”. As you can see down the bottom of the screen, critical and security updates will be approved on all computers when they are released.
Selecting this option will reduce your WSUS administration, however it also means that untested updates will be deployed on your network. On the advanced tab, WSUS has the ability to automatically approve updates that are for the WSUS product itself. Also notice the two options for revisions of updates. Sometimes Microsoft will release revisions for an update. When this tick box is ticked, a revision of an update will automatically be installed even though it has not been approved, as long as the original update was approved. Notice also the option “automatically decline updates when a new revision causes them to expire”. This means if a newer update is released, the old update will automatically be declined. If I exit out of here and select the option computers, I can set how computers will be assigned to groups. The default setting means you have to use the WSUS admin tool to assign computers to groups. The second option uses group policy or registry settings on the computer to determine which group the computer is a member of. On a large network this is a better way of performing administration on your network. In a moment I will create a group policy to configure my client computer so I will leave it on the second option and press OK. The next option is the server cleanup wizard. The server cleanup wizard lets you perform some maintenance on your server. As you can see, there are quite a lot of options that you can select in the WSUS cleanup wizard. The first option allows you to delete unused updates and update revisions that have expired or have not been approved for more than 30 days. The next option allows you to remove computers that have not contacted the server in the last 30 days. Personally I would be careful about using this option because mobile users or users that take extended holidays may be removed from the server by mistake. 30 days may seem a long time, but when someone is on extended holidays or in an office that is isolated from the network, ticking this option may remove their computer when it is still in service. The next option removes any unneeded update files. These files are not required by the WSUS server or by any downstream servers. You also have a tick box which will remove expired updates. These include updates that have been declined in the administrative tool or updates that Microsoft has marked as expired. The next option removes superseded updates which have not been approved but have been superseded by Microsoft. Simply put, this means there is a newer update available for that update. Once I have decided on which maintenance options I need, when I press next WSUS will perform maintenance.
How many computers are removed and added to your network will determine how often you will want to run this maintenance tool. Given that WSUS has just been installed, there will not be any updates or computers that need to be removed. If I now exit out, the next option is reporting rollup. Reporting rollup essentially means that any downstream servers will send reporting data to this server, which will then be included in this server’s reports. Since I don’t have any downstream servers configured I won’t worry about setting any options in here. The option e-mail notifications allows us to send an administrator e-mails when new updates are available, and you can also configure it to send status reports about the WSUS server. The option Microsoft update improvement program simply allows you to select whether you want to participate in the program or not. The personalization option allows you to configure how information will be displayed in WSUS. For example you could choose to filter out data reported from your replica servers. You could also choose which “to do” alerts to generate and which ones to ignore. The last option, the configuration wizard, runs the same wizard that ran when I first installed WSUS. If you canceled the wizard when you first installed WSUS or you need to run the wizard again you can select this option. Now that WSUS is configured I will perform the first synchronization. If I select the option synchronizations on the left I can select the option synchronize now from the right hand side. If I select the synchronization job, you can see down the bottom of the screen how much of the process has completed. The first synchronization will take the longest but synchronizations after this will be completed a lot faster. To better control the installation of updates on your network, WSUS allows you to create groups to make administration easier. By default WSUS contains two groups. The first group is all computers.
All the computers that WSUS is providing updates for will be found in this group. The next group is unassigned computers. You can create as many groups as you want and assign computers to these groups. WSUS will then decide which updates will be deployed on a computer by the group the computer is in. Microsoft has two different ways of placing computers into groups. If you perform this process manually it is called server side targeting. This is done through the WSUS admin tool. On a large network with a lot of computers being removed and added to the network this can become a very time intensive task. To make this process easier and more automated Microsoft offers what it calls client side targeting. When client side targeting is used the client decides which group the computer will be assigned to. Client side targeting is usually done through group policy. Using group policy you can set the group membership for computers in your domain and also newly created computers in the domain. Let’s have a look at how to perform server side and client side targeting. To perform server side targeting, first of all you need to configure your client to use your WSUS server. To do this, on my Windows 7 computer, first of all I need to go to my start menu and then run edit group policy. I will cover group policy in more detail later on when I go through client side targeting. I need to use group policy to set the WSUS server that Windows Update will use. Unfortunately you can’t set this information in the control panel. Once you are in local group policy, you need to go into computer configuration, administrative templates, Windows components and then Windows Update. The option I need to set is “specify intranet Microsoft update service location”. Once this is enabled I can set the location for my WSUS server. I can also set the statistics server, which in most cases will be the same as your WSUS server. Now that I have set my WSUS server all I need to do is close group policy and from the start menu open a command prompt. From the command prompt run gpupdate to update group policy on the local computer. Windows Update will now be changed to connect to my WSUS server. This computer will eventually register itself with the WSUS server.
To speed up the process I can run the command wuauclt with the switch /detectnow. This will make Windows Update register itself with WSUS. Now that I have configured my client, I will switch to my WSUS server. Now that I am logged into my WSUS server, if I run the admin tool and in the admin tool expand computers, you will notice under computers the group all computers. If I expand all computers you can see the group unassigned computers. These are the two default groups that are created by WSUS. To create a new group all I need to do is right-click on all computers and select add computer group. In this case I will call the group trial group. Computers in this group will receive updates before the rest of the computers on the network. This allows me to test the updates for problems before they are deployed to the rest of the network. In the unassigned computers group there are currently no computers listed. At the top, notice zero computers of one shown. What has happened is that the client that I just added is already up to date. The filter at the top by default is showing only computers that have a status of failed or needed. In other words, updates have failed to install on the computer or the computer requires updates to be installed. To fix this all I need to do is select the drop down box and select any and then press the refresh button. You can see now that my computer has appeared. If I now right-click on the computer and select change membership I can assign the computer to the group that I just created. You can imagine that this method, which Microsoft calls server side targeting, could become very time consuming very quickly on large networks. Now that I have a trial group set up, I want to create an automatic approval rule for the trial group. To do this, select options and then select automatic approvals. To create a new rule, select the option new rule. You can then specify if you want the rule to apply to classifications and products.
The last option allows you to set a deadline. A deadline allows the user to decline an update if their setup allows it. After the deadline has expired, the update must be installed.

At the bottom of the screen, I can change which classifications I want updates installed for. You could, for example, only install security updates and critical updates. The rest of the updates you could set so they have to be manually approved. The last option is the most important option, as it determines which computers the rule will apply to. Lastly, all I need to do is enter the name for this new automatic approval rule. Now my WSUS server is set up so that any computer that is in the trial group will automatically, without any administration on my part, have all updates installed on it.

As you can see, using server side targeting can become quite time-consuming. If you want to use client side targeting, what you need to do is select the option computers. In this option I can choose to use client side targeting by selecting the option "Use Group Policy or registry settings on computers". This means that group membership will be determined by a setting that is found on the local computer, which will be sent to the server when the client registers itself with the WSUS server.

Now that I have switched WSUS to client side targeting, I will switch to my domain controller and set up a new group policy for my domain. On my domain controller I will go to my start menu and open group policy management. In my domain I have already created an organizational unit, or OU, that contains my servers. If I right-click on this OU and select the option "Create a GPO in this domain, and Link it here", I can create a new group policy to apply Windows updates to all my servers. This new group policy I will call Windows update servers GPO. Once I have created the GPO, I can edit the GPO and then go into computer configuration, policies, administrative templates, Windows components and then all the way down to the bottom to Windows Update. If I select the standard view, I can see the complete group policy setting without it being cut off.
The option you need to enable for client side targeting is the one here, enable client side targeting. Once enabled, I can enter a group name, and then any computers that have this group policy applied to them will automatically be placed in this group on the WSUS server. As I did before, I need to set the location of the WSUS server so the client knows where to get its updates from. These are the two main settings you need to configure so clients on your network can access Windows updates from your WSUS server and be placed into a group.

However, there are a lot of other options that you may want to consider setting. Going through the list from the top: the first option, when enabled, removes the install updates and shut down option from the start menu. In a moment you will see that you can configure Windows updates to install at scheduled times. If you are planning on doing this, you may want to disable this option. Enabling this option gives the user the option to install updates when they shut down the computer. Most users don't mind doing this as they are generally going home when they shut down their computer.

The next setting determines whether install updates and shut down is the default option when the user goes to shut down their computer. Generally it is a good idea to leave on the default of shut down and install updates, as when the user shuts their computer down, by default updates will be installed.

The next option allows Windows Update to automatically wake up the system if updates are scheduled to be installed. This option you may want to enable on desktop systems. This allows Windows Update to wake up a computer and install updates on it. If you have computers that are regularly rebooted and used regularly, you may not need this option. This option is useful when you have computers that may be off for an extended period of time and you want to ensure that updates are installed on them.
The next option, configure automatic updates, is the setting that will be set on most networks. When enabled, you have a number of different ways that you can configure automatic updates. The first option, option number two, notifies the user when a new update is available for download and also prompts the user when the update is ready to be installed. This gives the user the maximum amount of user interaction for Windows updates. Option number three will automatically download Windows updates and notify the user, asking them if they want to install the update. Option number four is the option that is chosen on most networks, as this will automatically download updates and then schedule the install without any user interaction.

If I select option number four, you will also notice that I can select down the bottom which days I want to run scheduled updates on. I can choose every day or a particular day. I can also set the time that the update will be installed. The default is three o'clock in the morning. What this essentially means is that if the computer happens to be on at three o'clock in the morning, the updates will automatically be installed. If the computer is switched off at that time, when the computer is switched on, after a random delay Windows will automatically install the updates. The reason Microsoft uses a delay is so that when the user first starts their computer it is not slowed down trying to install updates.

Option number five allows the local administrators to choose their own settings. On most networks you want to select option number four, as this provides the most automated way to install updates with the least amount of user interaction. If you have programmers or developers on your network, you will probably want to select option number five so they can choose if they want to install updates.

The next option I have already set; it simply specifies the WSUS server that will be used. The next option allows you to set how often Windows Update will check for updates. The default is 22 hours, but having said that, the time always has a randomized delay added in the range of 0 to 20%. The reason Microsoft does this is that if there was no randomized delay, all the clients on your network could potentially attempt to connect to your WSUS server at once and retrieve updates. This would put a huge load on your network and your WSUS server. This value can be set all the way down to once an hour. On most networks the default value of 22 hours will work fine.

The next option allows a non-administrator like a domain user to receive update notifications. If you have configured Windows Update to run automatically in the background, you may want to disable this setting. The next setting determines whether the user will be prompted when features are available for the operating system. Enabling this option allows the user to decide if they want these features installed.

This setting will automatically install updates immediately that do not require a restart. For example, if you are running Windows Defender, definition updates can be delivered through Windows Update and these updates do not require a restart. In most cases you will want to enable this option. The next setting determines whether recommended updates will be included. By default, security and critical updates are installed. If you would like to include updates that Microsoft recommends, these will also be downloaded and installed.

The next setting disables automatic restarting if a user is logged in. If the computer is on the login screen and no user is logged in, Windows Update will automatically restart the computer if required. The next option is the delay before the user is prompted to install scheduled updates after they have previously refused to. As you can see, you can set this value quite high.

Moving on to the next setting. This setting allows you to set the delay for how long Windows will wait after scheduled updates are installed before asking the user to restart the computer. You can see this value goes up to 30 minutes. The next setting determines how long Windows Update will wait after the computer starts up before it will attempt to run a missed scheduled update.
This value goes all the way up to 1 hour. Having this value set gives the user time to start their computer up and run some applications before Windows installs any updates. You could imagine that a user starting their computer up in the morning is not going to want the performance of their computer slowed down due to Windows updates being installed. Setting this value allows the user time to start their computer up and launch some applications. The downside is the computer will need to be on long enough for the updates to be installed.

The next setting is client side targeting, which I set previously. The last option allows you to receive signed updates from an intranet Microsoft update service location. What this essentially means is that you can receive updates that were not directly signed by Microsoft. As long as your computer trusts the publisher of the update, the update can be installed on the computer that is in group policy.

Now that I have configured group policy, I can close all the group policy windows and then switch back to my WSUS server to demonstrate client side targeting. On my server, if I now run the WSUS admin tool, I first need to create a group to store my servers in. To do this I will right-click on all computers and select add computer group. Given enough time, the clients of your WSUS server will start appearing. You may however want to speed up the process. If I open a command prompt and run the command wuauclt with the switches /resetauthorization and /detectnow, this will force the client to update itself on the WSUS server right away. Reset authorization resets any group membership and detect now forces WSUS to redetect the client. If I now exit the command prompt and go into the servers group, select any and press refresh, you can now see that this server, WSUS 1, has been added. In time all your servers and clients will add themselves and place themselves in groups according to your client targeting options.

If I select the root of the WSUS server, I will get a quick overview of the server. You can see that there are a number of security updates that have not been approved. If I select approved I can see all the updates that are waiting to be approved. If I right-click on one I can select approve. As you can see, I can now select which groups I want to approve the update to.

WSUS is also a great reporting tool. If I select reports, there are a number of different reports I can generate.
If I select one, I will get an error message telling me that the report viewer redistributable is not installed. I have already downloaded the report viewer redistributable and placed it on the desktop. If I now close the WSUS admin tool, go to my desktop and run it, you will see the install for the report viewer is very simple. I have sped up the install, but it only takes a minute or so. Once installed, if I now run the admin tool again, select reports and select the report I want, all I need to do to generate the report is select the option run report. Using WSUS you can manage the deployment of your updates as well as perform reporting on computers in your organization.

In summary, remember that WSUS is primarily used to manage updates. It allows you to install, report and audit updates on your network. Expect Microsoft to make reference to server side targeting in the exam. This is when group membership is decided with the admin tool. Client side targeting is when the client tells the WSUS server which group to put itself in. Normally you will use WSUS with computers that are in your domain. If you have a computer that is not in the domain, use local group policy on that computer to set it to use your WSUS server. Set up correctly, WSUS can make managing your computers and keeping them up to date a lot easier.
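
The Windows Update group policy settings walked through above are written to the client's registry, so they can be audited after gpupdate has run. The script below is an added example, not part of the original video; it assumes PowerShell 3.0 or later on the client and only reads the standard Windows Update policy values.

```powershell
# Added example: report the Windows Update policy values that Group Policy applied to this client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Options 2 to 5 of "Configure Automatic Updates", as described in the walkthrough.
$auText = @{ 2 = 'Notify for download and install'; 3 = 'Auto download, notify for install'
             4 = 'Auto download and schedule install'; 5 = 'Local administrator chooses' }
$days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

$useWsus   = (Get-PolicyValue $auKey 'UseWUServer') -eq 1
$server    = Get-PolicyValue $wuKey 'WUServer'
$status    = Get-PolicyValue $wuKey 'WUStatusServer'
$targeting = (Get-PolicyValue $wuKey 'TargetGroupEnabled') -eq 1
$group     = Get-PolicyValue $wuKey 'TargetGroup'
$auOption  = Get-PolicyValue $auKey 'AUOptions'
$day       = Get-PolicyValue $auKey 'ScheduledInstallDay'
$hour      = Get-PolicyValue $auKey 'ScheduledInstallTime'

$mode = 'Not configured'
if ($null -ne $auOption) { $mode = $auText[[int]$auOption] }
$schedule = 'n/a'
if ($auOption -eq 4 -and $null -ne $day -and $null -ne $hour) {
    $schedule = '{0} at {1:00}:00' -f $days[[int]$day], [int]$hour
}

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    UsesWsus                = $useWsus
    UpdateServer            = $server
    StatisticsServer        = $status
    ClientSideTargeting     = $targeting
    TargetGroup             = $group
    AutomaticUpdates        = $mode
    InstallSchedule         = $schedule
    DetectionHours          = Get-PolicyValue $auKey 'DetectionFrequency'
    ThirdPartySignedUpdates = (Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts') -eq 1
} | Format-List

# Inconsistencies that leave a client unmanaged or in the wrong group.
if ($server -and -not $useWsus)   { Write-Warning 'WUServer is set but UseWUServer is not 1.' }
if ($server -and $status -and $server -ne $status) { Write-Warning 'Update and statistics servers differ.' }
if ($targeting -and -not $group)  { Write-Warning 'Client side targeting is enabled without a group name.' }
```

After correcting a policy, run gpupdate and then wuauclt /resetauthorization /detectnow so the client reports its new settings to the WSUS server.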
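
With client side targeting, the group named in group policy has to exist on the WSUS server, which is why the group is created in the admin tool first. The following check is an added example, not part of the original video; it assumes an elevated PowerShell session on the WSUS server with the WSUS administration API installed, and it compares the group each client requested with the groups it is actually in.

```powershell
# Added example: list each registered computer, the group it requested, and the groups it is in.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Client = group policy or registry decides membership, Server = the admin tool decides.
$mode = $wsus.GetConfiguration().TargetingMode
"Targeting mode: $mode"

$rows = foreach ($computer in $wsus.GetComputerTargets()) {
    # Every computer is in "All Computers", so leave that group out of the comparison.
    $actual = @($computer.GetComputerTargetGroups() |
        ForEach-Object { $_.Name } |
        Where-Object { $_ -ne 'All Computers' })
    $requested = $computer.RequestedTargetGroupName

    New-Object PSObject -Property @{
        Computer       = $computer.FullDomainName
        RequestedGroup = $requested
        ActualGroups   = $actual -join ', '
        LastSync       = $computer.LastSyncTime
        # A requested group that was never created on the server is not honoured.
        Mismatch       = [bool]($requested -and ($actual -notcontains $requested))
    }
}

$rows | Sort-Object Computer |
    Format-Table Computer, RequestedGroup, ActualGroups, LastSync, Mismatch -AutoSize

$bad = @($rows | Where-Object { $_.Mismatch })
if ("$mode" -eq 'Client' -and $bad.Count -gt 0) {
    Write-Warning "$($bad.Count) computer(s) requested a group they are not a member of."
}
```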