Windows Server Update Services 3.0 Operations Guide

Prepared by Microsoft

Version 1.0.0.0 Baseline

First published 16 January 2008

Copyright

This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content. Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme.

All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

© Microsoft Corporation and Crown Copyright 2008

Disclaimer

At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.

The example companies, organisations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

TABLE OF CONTENTS

1 Executive Summary
2 Introduction
2.1 Value Proposition
2.2 Knowledge Prerequisites
2.2.1 Skills and Knowledge
2.2.2 Training and Assessment
2.3 Infrastructure Prerequisites
2.4 Audience
2.5 Assumptions
3 Using This Document
3.1 Document Structure
4 Deploy
4.1 Configuring the WSUS 3.0 Server
4.1.1 Accessing the WSUS 3.0 Console
4.1.2 Configuring Synchronisation Options
4.1.3 Configuring Computer Groups
4.1.4 Enabling Reporting Rollup
4.1.5 Configuring E-mail Notification
4.2 Securing the WSUS 3.0 Deployment
4.2.1 Hardening Windows Server 2003
4.2.2 Adding Authentication for Linked WSUS 3.0 Servers
4.2.3 Securing WSUS 3.0 with SSL
4.3 Configuring the WSUS 3.0 Client
4.3.1 Configuring WSUS 3.0 Clients in an Active Directory Environment
4.3.2 Configuring WSUS 3.0 Clients in a Non-Active Directory Environment
4.3.3 Configuring Background Intelligent Transfer Service
4.3.4 Roaming Clients
5 Operate
5.1 Managing WSUS 3.0
5.1.1 Managing Computers and Computer Groups
5.1.2 Managing Updates
5.1.3 Managing Databases
5.1.4 Backup and Restore
5.1.5 Personalising the WSUS 3.0 Console
5.2 WSUS 3.0 Reporting
5.2.1 Using Reporting
5.3 Troubleshooting WSUS 3.0
5.3.1 Troubleshooting WSUS 3.0 Server Issues
5.3.2 Troubleshooting WSUS 3.0 Client Issues
5.4 Update Management with WSUS 3.0
5.4.1 Getting Started with Software Update Management
5.4.2 The Software Update Management Process
5.4.3 Dealing with Emergency Update Releases
APPENDIX A Skills and Training Resources
PART I WSUS 3.0
APPENDIX B Document Information
PART I Terms and Abbreviations
PART II References

1 EXECUTIVE SUMMARY

In April 2007, Microsoft publicly released WSUS 3.0, which provides a number of new features, making WSUS easier to use, deploy, and support. Specifically, WSUS 3.0 provides improvements in the following areas:

• Ease of use
• Improved deployment options
• Better support for complex server hierarchies
• Better performance and bandwidth optimisation

The scope of this document is to provide updated guidance on the configuration, operation and management of WSUS 3.0 within a healthcare organisation. This document should be used together with its companion document, the Windows Server Update Services 3.0 Design Guide¹, which provides guidance on the design and deployment of WSUS 3.0.

The aim of this document is to assist healthcare IT professionals with the configuration of a WSUS 3.0 solution. It also covers the tasks required to ensure the continued successful operation of a WSUS 3.0 solution.

¹ Windows Server Update Services 3.0 Design Guide {R1}: http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx

2 INTRODUCTION

The purpose of this document is to provide guidance around the implementation of WSUS 3.0 for software update management on desktop computers. This document provides the information and procedures necessary to successfully configure, manage and operate WSUS 3.0 servers and clients. The content of this document provides guidance on the initial configuration of WSUS 3.0 servers and clients, and also provides guidance around the ongoing management and operation procedures that are necessary to maintain a functional WSUS 3.0 solution.

The companion document to this guide, the Windows Server Update Services 3.0 Design Guide {R1}, provides the information and procedures necessary to design and implement a WSUS 3.0 server hierarchy and install the WSUS 3.0 servers and clients.

2.1 Value Proposition

This guide will take the healthcare IT professional through the necessary steps to successfully configure, operate and manage a WSUS 3.0 solution within the healthcare organisation’s network environment. This guidance is designed to help:

• Identify potential deployment risks
• Provide rapid knowledge transfer to reduce the learning curve of configuring, operating and managing a WSUS 3.0 software update management solution
• Provide a consolidation of relevant WSUS 3.0 common best-practice guidance

2.2 Knowledge Prerequisites

To implement the recommendations made throughout this document effectively, a number of knowledge-based and environmental infrastructure prerequisites should be in place. This section outlines the knowledge and skills required to use the Windows Server Update Services 3.0 Operations Guide guidance, while section 2.3 details the necessary infrastructure prerequisites.

Section 2.2.1 details the prerequisite skills and knowledge, and section 2.2.2 details the information and suggested training resources or skill assessment.

2.2.1 Skills and Knowledge

The technical knowledge and minimum skills required to use this guidance are:

• Windows Server® 2003 administration
• Windows® 2000 Professional, Windows® XP Professional or Windows Vista® administration
• Creation and administration of Organisational Units (OU) and Group Policy Objects (GPO) when using Microsoft® Active Directory® to configure WSUS client settings
• Modification of the Windows registry when using registry keys to configure WSUS client settings
• Microsoft® SQL Server® 2005 administration when using this product for the WSUS 3.0 server database

2.2.2 Training and Assessment

Guidelines on the basic skill sets that are required in order to make best use of this guidance are detailed in APPENDIX A. These represent the training courses and other resources available. However, all courses mentioned are optional and can be provided by a variety of certified training partners.

2.3 Infrastructure Prerequisites

The following are prerequisites for implementing WSUS 3.0 in a healthcare organisation:

• Windows Server 2003 Service Pack (SP) 1 or later, to host the WSUS 3.0 server
• Windows 2000 Professional SP4, Windows XP SP2, or Windows Vista clients
• Windows XP SP2, Windows Vista or Windows Server 2003 SP1 or later, to host a remote WSUS 3.0 console
• A sufficient number of clients that need to be managed (ideally 2 or more examples of each desktop computer configuration deployed in the live environment)
• An Internet connection allowing access to Microsoft Update for server synchronisation and with sufficient bandwidth for the download of software updates
• Adequate bandwidth between the WSUS 3.0 server and clients for the download of software updates

Recommendation

Microsoft recommends that the latest service pack be applied to all deployed products.

2.4 Audience

The guidance contained in this document is targeted at a variety of roles within the healthcare IT organisation. Table 1 provides a reading guide for this document, illustrating the roles and the sections of the document that are likely to be of most interest. The structure of the sections referred to is described in section 3.1.

Role | Document Usage
IT Manager | Review of the entire document to understand the justification and drivers, and to develop an understanding of the implementation requirements
IT Architect | Review the relevant areas within the document against local architecture strategy and implementation plans
IT Professional/Administrator | Detailed review and implementation of the guidance to meet local requirements

(The table also marks the relevant sections for each role under the columns Executive Summary, Deploy and Operate.)

Table 1: Document Audience

2.5 Assumptions

The guidance provided in this document assumes that healthcare organisations that want to share services and resources between sites already have suitable Internet Protocol (IP) Addressing schemes in place. This is to enable successful site-to-site communication, that is, unique IP Addressing schemes assigned to each participating healthcare organisation with no overlap. Active Directory, and the underlying Domain Name System (DNS), require the use of unique IP Addressing schemes at adjoining sites in order for cross-site communication to function successfully. The use of Network Address Translation (NAT) within an Active Directory environment is neither recommended nor supported by Microsoft.

3 USING THIS D

This document is intended for use by use WSUS 3.0 to manage software updates on desktop computers. The document should be used as a reference guide for the mostguide, the Windows Server Update Services 3.0 Design Guidethe planning and implementation of WSUS 3.0.

3.1 Document StructureAs illustrated in Figure 1, this document contains

� Deploy

� Operate

The Microsoft Solutions Framework (MSF) Process Model typically contains four extra stages, ‘Envision’, ‘Plan’, ‘Develop’ and ‘Stabilise’ however, are not relevant to this document and

Each section is based on the Microsoft IT Project Lifecycle as defined in the MSF Process Model, and the Microsoft Operations Framework (MOF). The IT Project Lifecycle is descdetail in the MSF Process Model White PaperProcess Model and MOF describe a highmanaging IT solutions. Rather than prescribing a specific serenough to accommodate a broad range of IT projects.

The key public documentation resources for developing a Windows Server Update Services solution are:

� Deploying Microsoft Windows Server Update Services

� Microsoft Windows Server Update Services 3.0 Operations Guide

Where appropriate, throughout this document, specific chapters or sections from these documents have been referenced along with sections and white papers will be referenced using footnotes or references.

DOCUMENT

This document is intended for use by healthcare organisations and IT administrators who wish to use WSUS 3.0 to manage software updates on desktop computers. The document should be used as a reference guide for the most common tasks involved with the use of WSUS 3.0. Its companion, Windows Server Update Services 3.0 Design Guide {R1}, should be used to assist with the planning and implementation of WSUS 3.0.

Document Structure

This document contains two sections that deal with the project lifecycle:

The Microsoft Solutions Framework (MSF) Process Model typically contains four extra stages, ‘Envision’, ‘Plan’, ‘Develop’ and ‘Stabilise’ which come before the Deploy stage. These stages are not relevant to this document and therefore have not been included.

Each section is based on the Microsoft IT Project Lifecycle as defined in the MSF Process Model, and the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more detail in the MSF Process Model White Paper² and the MOF Executive Overview³. The MSF Process Model and MOF describe a high-level sequence of activities for building, deploying and managing IT solutions. Rather than prescribing a specific series of procedures, they are flexible enough to accommodate a broad range of IT projects.

The key public documentation resources for developing a Windows Server Update Services

• Deploying Microsoft Windows Server Update Services 3.0⁴

• Windows Server Update Services 3.0 Operations Guide⁵

Where appropriate, throughout this document, specific chapters or sections from these documents along with relevant public white papers or other documents. All documents, and white papers will be referenced using footnotes or references.

2 MSF Process Model White Paper {R2}: http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en

3 MOF Executive Overview {R3}: http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx

4 Deploying Microsoft Windows Server Update Services 3.0 {R4}: http://go.microsoft.com/fwlink/?LinkId=86416

5 Microsoft Windows Server Update Services 3.0 Operations Guide {R5}: http://go.microsoft.com/fwlink/?LinkId=86697


Figure 1: MSF Process Model Phases and Document Structure


4 DEPLOY

During the Deploy phase, the core solution components are deployed for more widespread application and use, and the deployment is stabilised through ongoing monitoring. The solution is then transitioned to operations and support.

Figure 2 acts as a high-level checklist, illustrating the critical components which an IT Professional, responsible for deploying WSUS 3.0, needs to determine.

Figure 2: Sequence for Deploying WSUS 3.0

4.1 Configuring the WSUS 3.0 Server

Once WSUS 3.0 has been installed following the guidance in the Windows Server Update Services 3.0 Design Guide {R1}, there are a number of configuration tasks that need to be performed. These options can be configured using either the Server Configuration Wizard or the WSUS 3.0 console. This section provides information on the various configuration options and shows, step-by-step, how to configure these options via the WSUS 3.0 console. The configuration options in this section should be defined following the installation of the WSUS 3.0 server. The majority of these settings should not require any further reconfiguration after they have been set. For more information about configuring WSUS 3.0 with the Server Configuration Wizard, see the Windows Server Update Services 3.0 Design Guide {R1}.

4.1.1 Accessing the WSUS 3.0 Console

Most WSUS 3.0 configuration is performed through the WSUS 3.0 console. This is a Microsoft Management Console (MMC) that can be accessed on a WSUS 3.0 server by performing the following:

• Click Start > All Programs > Administrative Tools > Microsoft Windows Server Update Services

The WSUS 3.0 console can also be installed on any computer on the network, providing it resides in a domain that has a trust relationship with the domain of the WSUS 3.0 server. For more information about installing the WSUS 3.0 console, including the supported operating systems and software prerequisites, see the Windows Server Update Services 3.0 Design Guide {R1}.

Figure 3 shows the WSUS 3.0 console when it is first accessed.

Figure 3: The WSUS 3.0 Console

Click to expand the <servername> node to navigate through the various configuration pages. Figure 4 shows the expanded tree structure as it would appear in the left pane of the WSUS 3.0 console.

Figure 4: Expanded Tree Structure of the WSUS 3.0 Console

From each node in the expanded tree structure, further nodes and/or configuration options become available. The basic configuration options available in each node in the WSUS 3.0 console are summarised in Table 2, along with references to the sections in which they are covered in more detail.

| Nodes | Available Options | Further Information |
|---|---|---|
| <servername> | Shows the status of the server including update, computer and synchronisation statistics. A ‘To Do List’ shows any outstanding tasks that need to be performed | This page displays status information for the server and a ‘To Do List’ which provides the administrator with a list of outstanding tasks |
| Updates | View and approve updates | The configuration options on this page are covered in more detail in section 5.1.2 |
| Computers | View, modify and delete computers and computer groups | The configuration options on this page are covered in more detail in section 5.1.1 |
| Downstream Servers | View downstream servers that are managed by the upstream server | The view displays all downstream servers, their mode (replica/autonomous) and when they last synchronised |
| Synchronizations | View the synchronisations this server has attempted with an upstream WSUS 3.0 server or with Microsoft Update | The view displays when the last synchronisation took place and whether or not it was successful |
| Reports | Generate reports based on the status of the updates, computers, synchronisation results and a summary of the server settings | The configuration options on this page are covered in more detail in section 5.2 |
| Options | Configure server settings including synchronisation options, computer group assignment options and automatic approval options | The configuration options on this page are covered in more detail in sections 4.1.2, 5.1.1 and 5.1.2.6 |

Table 2: WSUS 3.0 Console Nodes

4.1.2 Configuring Synchronisation Options

Synchronisation is the process of downloading updates from a content source. A content source can either be an upstream WSUS 3.0 server or Microsoft Update. When a WSUS 3.0 server synchronises for the first time, it connects to an update source and downloads update metadata. This will be the metadata for all of the update products, classifications and languages that have been specified for download, when the synchronisation options were configured. During subsequent synchronisations, WSUS 3.0 will determine if any new update metadata has been made available since the last synchronisation.

4.1.2.1 Configuring a Storage Location for Updates

The storage options define where downloads are stored. This can either be locally on the WSUS 3.0 server, or remotely on Microsoft Update. If updates are stored locally on the WSUS 3.0 server, two additional options become available:

• Download update files to this server only when updates are approved

• Download express installation files

The option Download update files to this server only when updates are approved configures the server to only download updates once they have been approved in the WSUS 3.0 console. This is known as ‘deferred updates’. Deferred updates save on both bandwidth and disk storage space on the WSUS 3.0 server.

Recommendation

‘Deferred updates’ is not the recommended option when employing a hierarchy of WSUS 3.0 servers. This is because there may be a delay in distributing updates to downstream clients. This is especially true when a server is situated more than one level deep in a hierarchy of WSUS 3.0 servers.

The option Download express installation files increases the bandwidth requirements on the Internet link, whilst decreasing the bandwidth requirements internally between WSUS 3.0 servers and WSUS 3.0 clients. It does this by distributing only the binary differences between updates. The increased Internet bandwidth is due to the fact that express installation files must contain all of the possible variations of each file it needs to update.

Recommendation

It is recommended that this option be enabled for sites with good link speeds to the Internet and plenty of storage space for the (larger) updates.

Though the difference in size between express installation files varies, the files downloaded to the WSUS 3.0 server are always larger than they would be normally and the updates distributed to WSUS 3.0 clients are always smaller than they would be normally. Disk storage space will be approximately three to four times the amount normally used.

Note

If this option is enabled and then disabled at a later date, express installation files that have already been downloaded will remain on the server. Updates that are downloaded following subsequent synchronisations however, will not be downloaded in this format.

If the server being configured is a downstream WSUS 3.0 server, a third option becomes available:

• Download files from Microsoft Update; do not download from upstream server

The option Download files from Microsoft Update; do not download from upstream server can be used to reduce the impact on bandwidth between sites.

Recommendation

Downstream WSUS 3.0 servers in a healthcare organisation’s network environment, which connect to an upstream WSUS 3.0 server over a slow or congested inter-site network link, but which have a fast direct connection to the internet, should be configured to use this option. Enabling this option will reduce the bandwidth usage on the upstream WSUS 3.0 server’s site link.

To configure storage options:

1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.

2. In the centre pane, click Update Files and Languages.

3. In the Update Files and Languages dialog box, click the Update Files tab.

4. Depending on the design decisions made previously, select either the Store update files locally on this server, or the Do not store update files locally; computers install from Microsoft Update option.

   • If the Store update files locally on this server option is selected, and deferred downloads are required, select the Download update files to this server only when updates are approved check box

   • If express installation files are required, select the Download express installation files check box

5. Click OK.

4.1.2.2 Configuring the Update Source

Configuring the update source determines whether the WSUS 3.0 server will synchronise with either an upstream WSUS 3.0 server or Microsoft Update. When using an upstream WSUS 3.0 server for synchronisation, it is also possible to specify a custom port number and to encrypt the synchronisation traffic with Secure Sockets Layer (SSL). Custom port numbers are used when the default ports (80 and 443) are not available on a server (for instance, when another application is using the default ports). When traffic is encrypted using SSL, only the metadata information is encrypted, the updates themselves are not. Updates are, however, digitally signed.

More information on using custom ports can be found in the Windows Server Update Services 3.0 Design Guide {R1}. More information on using SSL encryption can be found in section 4.2.3 of this document.

To configure the Update Source:

1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.

2. In the centre pane, click Update Source and Proxy Server.

3. In the Update Source and Proxy Server dialog box, click the Update Source tab.

4. Depending on the design decisions made previously, select either the Synchronize from Microsoft Update, or the Synchronize from another Windows Server Update Services server option.

   • If the Synchronize from another Windows Server Update Services server is selected, type the Server name and Port number of the upstream WSUS 3.0 server

   • If SSL encryption is enabled on the upstream WSUS 3.0 server, select the Use SSL when synchronizing update information check box

Note

When enabling the SSL encryption option, ensure that this server trusts the certificate on the upstream WSUS 3.0 server or the certification authority that issued it. For an example of using SSL encryption with IIS 6.0 and Microsoft Certificate Services, see Chapter 6 – Managing Microsoft Certificate Services and SSL⁶.

6 Chapter 6 - Managing Microsoft Certificate Services and SSL {R6}: http://technet.microsoft.com/en-us/library/bb727098.aspx

   • If this server is to be configured in replica mode, select the This server is a replica of the upstream server check box

Note

If multiple downstream replica WSUS 3.0 servers are set up to connect to a single upstream WSUS 3.0 server, schedule synchronisation to run at different times on each of the downstream replica WSUS 3.0 servers. This practice will prevent sudden surges in bandwidth utilisation.

If a downstream replica WSUS 3.0 server tries but fails to synchronise with the upstream WSUS 3.0 server, it will retry the synchronisation twice, at approximately fifteen-minute intervals. If both retries fail, the downstream replica WSUS 3.0 server will run synchronisation at the next scheduled time.

5. Click OK.

4.1.2.3 Configuring a Proxy Server

The proxy server settings allow the configuration of a proxy server for use when connecting to an upstream WSUS 3.0 server or Microsoft Update during synchronisation. Typically, this would only be used when connecting to Microsoft Update for synchronisation and when all Internet traffic must be routed via a proxy server. However, if proxy servers are used between sites in a healthcare organisation, it may be necessary to specify proxy settings for connections to upstream WSUS 3.0 servers.

Note

Because the WSUS 3.0 server initiates all synchronisation traffic, it is not necessary to make any configuration changes to the Windows Firewall on a WSUS 3.0 server in order to allow it to connect to Microsoft Update.

The WSUS 3.0 console allows the definition of a proxy server host name or IP address, the port number to use and the credentials needed if authentication is required on the proxy server.

Recommendation

If authentication is required on the proxy server, it is recommended that a low privilege account, with no other resource access, is created and used for this purpose.

To configure Proxy Server options:

1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.

2. In the centre pane, click Update Source and Proxy Server.

3. In the Update Source and Proxy Server dialog box, click the Proxy Server tab.

4. Select the Use a proxy server when synchronizing check box, and type the Server name and Port number.

   • If the proxy server requires authentication, select the Use user credentials to connect to the proxy server check box, and type the User name, Domain and Password of a suitable user account

   • If basic authentication is required, select the Allow basic authentication (password is sent in cleartext) check box

Recommendation

The use of basic authentication should be avoided wherever possible. If basic authentication is required, it is recommended that a low privilege account with no other resource access is created and used for this purpose.

5. Click OK.

4.1.2.4 Configuring Update Filtering for Languages, Products and Classification

Update filtering makes it possible to filter the update metadata that will be downloaded to the WSUS 3.0 server by language, products and classification.

• The language option defines which language versions of update metadata will be downloaded to the WSUS 3.0 server.

• The products option defines the products or product families, for example, Windows, or Windows XP, for which update metadata will be downloaded.

• The classification option defines the classifications, for example, Critical Updates or Security Updates of update metadata downloaded.

In a server hierarchy, the products and classifications options can only be defined on the highest upstream WSUS 3.0 server. For language options, it is possible for downstream replica WSUS 3.0 servers to select a subset of the languages defined at their upstream WSUS 3.0 server.

Recommendation

Downloading multiple language versions of updates requires disk storage space on the WSUS 3.0 server. To save on disk storage space, only download the language versions that are required.

To configure the language option:

1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.

2. In the centre pane, click Update Files and Languages.

3. In the Update Files and Languages dialog box, click the Update Languages tab.

4. Select the Download updates only in these languages option and then select the appropriate languages.

5. Click OK.

To configure Products and Classifications options:

1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.

2. In the centre pane, click Products and Classifications.

Note

Initially no product or product family options will be available for Microsoft Office updates. After the first synchronisation of the server, additional products and/or product families will become available as options on the Products tab, including Microsoft Office. Additionally, over time more products may become available. This is because Microsoft continues to add support for additional products.

3. In the Products and Classifications dialog box, click the Products tab.

Note

If the WSUS 3.0 server is being used as the distribution server component of a Microsoft® Forefront™ Client Security solution, ensure that the Forefront Client Security product is selected.

4. Select the check boxes for the required products or product families.

Recommendation

Select the options that are relevant to the healthcare organisation only. If the Windows product is selected, all products in the family beneath it will be automatically selected and this will increase storage requirements on the server. Select only those Windows versions which are used in the healthcare organisation’s environment.

5. In the Products and Classifications dialog box, click the Classifications tab.

6. Select the check boxes for the required classifications.

7. Click OK.

4.1.2.5 Synchronising the WSUS 3.0 Server

Once all the synchronisation options are configured, the WSUS 3.0 server is ready to be synchronised. Synchronisation can either be performed manually, or on a predefined schedule.

To perform a manual synchronisation, use one of the following two options:

• Open the WSUS 3.0 console and select the <servername> node in the left pane. In the centre pane, click Synchronize Now.

• Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Synchronizations node. In the right pane, click Synchronize Now.

To synchronise on a predefined schedule, it is necessary to set the time of the first synchronisation and specify the number of synchronisations to perform per day.

Note

Typically, the first synchronization on a WSUS 3.0 server will take a long time. It is not possible to make changes to the server's update filters (products, classifications, languages) while the server is being synchronised.

To configure a predefined synchronisation schedule:

1. Open the WSUS administration console, expand the <servername> node in the left pane and select the Options node.

2. In the centre pane, click Synchronisation Schedule.

3. In the Synchronization Schedule dialog box, select the Synchronise automatically option and specify the time of the First Synchronization and the Synchronizations per day.

Recommendation

The Microsoft Security Research Centre (MSRC) releases new security updates and their accompanying bulletins on the second Tuesday of every month at 10:00 A.M. Pacific Time. If only 1 synchronisation per day is selected, then it should be set to occur in the evening sometime after 6:00 P.M. Greenwich Mean Time to ensure that new security updates are received promptly.

4. Click OK.
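The following added example (not part of the guide) works through the recommendation above: it converts the 10:00 A.M. Pacific release on the second Tuesday of each month to GMT and measures how long a single daily synchronisation waits before picking the release up. It assumes GMT equals UTC and the United States daylight-saving rule in force since 2007; all function names are illustrative.

```python
from datetime import date, datetime, time, timedelta, timezone


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday (Monday=0 ... Sunday=6) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def pacific_utc_offset(day):
    """UTC offset of US Pacific Time on a given date.

    Assumption: the US rule in force since 2007, daylight time from the
    second Sunday in March until the first Sunday in November.
    """
    dst_start = nth_weekday(day.year, 3, 6, 2)
    dst_end = nth_weekday(day.year, 11, 6, 1)
    return timedelta(hours=-7 if dst_start <= day < dst_end else -8)


def release_utc(year, month):
    """Release instant (second Tuesday, 10:00 A.M. Pacific) expressed in GMT/UTC."""
    day = nth_weekday(year, month, 1, 2)
    local = datetime.combine(day, time(10, 0))
    return (local - pacific_utc_offset(day)).replace(tzinfo=timezone.utc)


def pickup_delay(year, month, sync_at):
    """Wait between the release and the first daily sync (at sync_at GMT) after it."""
    released = release_utc(year, month)
    sync = datetime.combine(released.date(), sync_at, tzinfo=timezone.utc)
    if sync < released:
        # Today's sync ran before the release: the updates arrive a day later.
        sync += timedelta(days=1)
    return sync - released


def worst_delay(year, sync_at):
    """Longest wait over the twelve monthly releases of a year."""
    return max(pickup_delay(year, m, sync_at) for m in range(1, 13))


if __name__ == "__main__":
    for candidate in (time(3, 0), time(17, 30), time(18, 30)):
        print(candidate.strftime("%H:%M GMT"), "worst wait:", worst_delay(2008, candidate))
```

For 2008 the release falls at 18:00 GMT in the winter months and 17:00 GMT while Pacific daylight time is in effect, so an 18:30 GMT synchronisation waits at most 1 hour 30 minutes, whereas a 17:30 GMT synchronisation waits 23 hours 30 minutes in winter.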

4.1.3 Configuring Computer Groups

WSUS 3.0 enables updates to be targeted to specific client computers that have been logically organised into computer groups on the WSUS 3.0 server. This capability helps to ensure that the right computers get the right updates. By default, all computers are always assigned to the All Computers group. They are also assigned to the Unassigned Computers group, until they have been assigned to one or more of the other groups.

Client computers are assigned to computer groups using one of two methods: server-side targeting or client-side targeting. With server-side targeting, the Change Membership task is used in the Computers node of the WSUS 3.0 console, to modify the computer group membership of one or more client computers, at a time. With client-side targeting, computers are assigned to computer groups automatically using Group Policy or registry entries on the client computers. Client-side targeting only allows computers to be added to one computer group, in addition to the All Computers group.

4.1.3.1 Server-Side Targeting

With server-side targeting, the WSUS 3.0 console is used to create groups and then assign computers to the groups. Server-side targeting is an excellent option when it is preferable to move the client computers into computer groups manually or when there is a requirement for client computers to be members of more than one computer group.

When there are many WSUS 3.0 clients connecting to a WSUS 3.0 server, and there is a requirement for organising them into groups for improved targeting, this option leads to increased administrative work with assigning computers to computer groups.

4.1.3.2 Client-Side Targeting

With client-side (or computer-based) targeting, client computers that have been configured for client-side targeting through Group Policy or registry keys, automatically add themselves to the computer groups with which they have been configured. Client-side targeting can be enabled through Group Policy (in an Active Directory environment) or by editing registry values (in a non-Active Directory environment) on the WSUS 3.0 client computers. When the client computers connect to the WSUS 3.0 server, they will add themselves to the correct computer group.

Note

When using client-side targeting, the computer groups that clients will add themselves to must be manually created in the WSUS 3.0 console. Clients will not be able to add themselves to the groups until this task has been performed.

Client-side targeting is an excellent option when there is a need to reduce the amount of administrative work associated with assigning computers to computer groups. However, it does have the restriction of only allowing computers to be added to one computer group, in addition to the All Computers group.

For information on configuring clients when using client-side targeting in Active Directory and non-Active Directory environments, see section 4.3.

4.1.3.3 Configuring Targeting

To configure client-side or server-side targeting:

1. Open the WSUS 3.0 console, expand the <servername> node in the left pane and select the Options node.

2. In the centre pane, click Computers.

3. The Computers dialog box displays with two options:

• To configure server-side targeting, select the Use the Update Services console option

• To configure client-side targeting, select the Use Group Policy or registry settings on computers option

4. Click OK.

4.1.4 Enabling Reporting Rollup

Computer and update status from a downstream replica WSUS 3.0 server can be rolled-up to their upstream WSUS 3.0 server. The reports run on the upstream WSUS 3.0 server then provide information about the entire WSUS 3.0 server hierarchy. Downstream autonomous WSUS 3.0 servers do not roll-up reporting data to their upstream WSUS 3.0 servers.

To enable reporting rollup for replica servers:

1. In the WSUS 3.0 console on the upstream server, select the Options node in the left pane.

2. In the centre pane, click Reporting Rollup.

3. Select the Roll up status from replica downstream servers option.

4. Click OK.

4.1.5 Configuring E-mail Notification

The WSUS 3.0 server can be configured to send e-mail notifications. E-mail notifications can be sent when new updates are synchronised to the WSUS 3.0 server. It is also possible to use the e-mail notification capability to send WSUS 3.0 status reports on a daily or weekly basis.

To set up e-mail notifications:

1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.

2. In the centre pane, click E-Mail Notifications.

3. Click the General tab.

4. To enable e-mail notifications for newly synchronised updates:

• Select the Send e-mail notification when new updates are synchronized check box

• In the Recipients: field, type the e-mail addresses of the people to whom an update notification should be sent. Separate the names with semi-colons

• To enable e-mail notifications for status reports, select the Send status reports check box

• From the Frequency: drop-down list, select either Daily or Weekly

• In the Send reports at: field, set the time at which the status reports should be sent

• In the Recipients: field, type the e-mail addresses of the people to whom status reports should be sent. Separate the names with semi-colons

• From the Language: drop-down list, select the appropriate language for the status reports.

5. Click Apply to save these settings

6. Click OK.

Note

If both the WSUS 3.0 console and the WSUS 3.0 server have the same settings for Daylight Savings Time adjustments, notifications will appear at the correct time. If the adjustments for Daylight Savings Time are different, then notifications will be off by the difference in the Daylight Savings Time adjustment.

To set up the e-mail server:

1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.

2. In the centre pane, click E-Mail Notifications.

3. Click the E-Mail Server tab.

4. Complete the Server Information:

a. In the Outgoing e-mail server (SMTP): field, type the name of the SMTP server

b. In the Port number: field, type the server's SMTP port (25 by default)

5. Complete the Sender Information:

a. In the Sender name: field, type the name of the WSUS 3.0 administrator

b. In the E-mail address: field, type the WSUS 3.0 administrator’s e-mail address

6. If the SMTP server requires authentication, complete the Logon Information:

a. Select the My SMTP server requires authentication check box

Recommendation

If authentication is required on the SMTP server, it is recommended that a low privilege account, with no other resource access, is created and used for this purpose.

b. Type the User name: and Password: in the respective fields

Note

The authentication credentials may only be changed on a WSUS 3.0 console running locally on the WSUS 3.0 server. It is not possible to change authentication credentials on a remote WSUS 3.0 console.

7. Click Apply to save these settings.

8. Click Test to test the e-mail server configuration and check the Event Viewer to see if there were any issues when sending the e-mail.

9. Click OK.

4.2 Securing the WSUS 3.0 Deployment

This section covers the options available for adding security to a WSUS 3.0 solution. They are:

• Hardening the Windows Server 2003 server hosting the WSUS 3.0 server

• Adding authentication between linked WSUS 3.0 servers in an Active Directory environment

• Implementing the SSL protocol on WSUS 3.0 servers

4.2.1 Hardening Windows Server 2003

The recommended settings for hardening a Windows Server 2003 server that is hosting a WSUS 3.0 server are documented in Appendix E: List of Security Settings in the Microsoft White Paper, Deploying Microsoft Windows Server Update Services 3.0 {R4}. These recommendations include hardening a number of Windows Server 2003 components, as well as Internet Information Services (IIS) 6.0 and SQL Server 2005.

4.2.2 Adding Authentication for Linked WSUS 3.0 Servers

Authentication for server-to-server synchronisation can be added to linked WSUS 3.0 servers. The following prerequisites need to be met in order to use authentication between linked WSUS 3.0 servers:

• All WSUS 3.0 servers that are to be authenticated must be in an Active Directory environment

• If the WSUS 3.0 servers are located in different forests, a trust must exist between those forests

When authentication restrictions are added on a WSUS 3.0 server, downstream WSUS 3.0 servers that wish to synchronise with an upstream WSUS 3.0 server, must be authenticated against a list of explicitly allowed servers. The list is contained in a configuration file on the upstream WSUS 3.0 server. The host names of the downstream WSUS 3.0 servers that are allowed to authenticate must be manually added to the file.

Page 28: MSHPO - Windows Server Update Services 3download.microsoft.com/download/f/6/a/f6acc021-a05a-48a1... · 2018-10-17 · Windows Server Update Services 3.0 Version 1.0.0.0 1 EXECUTIVE

Windows Server Update Services 3.0Version 1.0.0.0

Recommendation

Enabling this functionality is recommended as it prevents unauthorised servers from being allowed to synchronise content from the WSUSWSUS 3.0 servers. Use a ‘deny all’ wildcard asterisk on the downstream servers at the bottom of the server hierarchy.

To add authentication between linked WSUS 3.0 servers:

1. On the WSUS 3.0 server to which access is to be restricted,

2. Navigate to the C:\Program Filesfolder.

3. Right-click the file web.c

4. In the Windows cannot open this filelist option.

5. Click OK.

6. In the Open With dialog box, choose

7. Click OK.

8. Use the <authorization>authenticate, ensuring the <configuration> and

<?xml version="1.0" encoding="utf

<configuration>

<system.web>

<authorization>

<allow users="

<deny users="*" />

</authorization>

</system.web>

</configuration>

Here, contoso-wsus-srvWSUS 3.0 server. All other servers

Important

Enabling this functionality is recommended as it prevents unauthorised servers from being allowed to synchronise content from the WSUS 3.0 server. Consider restricting access to upstream and downstream servers. Use a ‘deny all’ wildcard asterisk on the downstream servers at the bottom of the […]

To add authentication between linked WSUS 3.0 servers:

1. On the WSUS 3.0 server to which access is to be restricted, launch Windows Explorer.

[…] Program Files\Update Services\WebServices\serversyncwebservice […]

[…] Web.config and select Open.

[…] cannot open this file: dialog box, select the Select the program from a […]

[…] dialog box, choose Notepad.

[…] <authorization> element to define the list of servers that are allowed to […] ensuring the <authorization> element is added below the […] and <system.web> elements, as per the following example:

<?xml version="1.0" encoding="utf-8" ?>
<authorization>
<allow users="domain\contoso-wsus-srv1$,domain\contoso-wsus-srv2$" />
<deny users="*" />
</authorization>

[…] contoso-wsus-srv1 and contoso-wsus-srv2 will be allowed to synchronise with this […] server. All other servers will be denied access to this WSUS 3.0 server.

Always append a dollar sign to the computer name as in the example above. This is the name the computer will use during authentication.

9. In Notepad, click File, then click Save to save the amendments that have been made to the file.

The computer names specified in the ‘allow users’ and ‘deny users’ sections must be typed in the format domain\computer_name$, where domain is the name of the domain the WSUS 3.0 server is a member of, and computer_name$ is the host name of the downstream WSUS 3.0 server with a dollar sign appended.

The second part of adding authentication between linked WSUS 3.0 servers requires a configuration change to IIS. This involves disabling anonymous access to the ServerSyncWebService virtual directory and enabling integrated Windows authentication.
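The <authorization> rules from the first part can be checked before the file is saved. The following is an added example, not code from the guide or from WSUS: it evaluates the rules for a given computer account and lints them for the naming mistakes the text warns about. It assumes ASP.NET URL authorization semantics (rules are read top to bottom, the first match decides, names compare case-insensitively, and a caller that matches no rule inherits a default that allows access); the wrapped file content, the function names and the extra host name are constructed.

```python
"""Lint and evaluate the <authorization> rules of a ServerSyncWebService Web.config."""
import xml.etree.ElementTree as ET

# Constructed sample: the guide's <authorization> element, wrapped in the
# <configuration>/<system.web> parents so that it parses as a complete file.
GOOD = r"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow users="domain\contoso-wsus-srv1$,domain\contoso-wsus-srv2$" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed misconfiguration: no trailing $, no domain prefix, no deny-all.
BROKEN = r"""<configuration>
  <system.web>
    <authorization>
      <allow users="domain\contoso-wsus-srv1,contoso-wsus-srv2$" />
    </authorization>
  </system.web>
</configuration>"""


def load_rules(web_config_text):
    """Return the allow/deny rules as [(action, [names])] in file order."""
    root = ET.fromstring(web_config_text.encode("utf-8"))
    rules = []
    for auth in root.iter("authorization"):
        for el in auth:
            if el.tag in ("allow", "deny"):
                names = [n.strip() for n in el.get("users", "").split(",")]
                rules.append((el.tag, [n for n in names if n]))
    return rules


def decide(rules, account, default="allow"):
    """Apply the first rule that matches; account "" stands for anonymous.

    Assumed semantics: "*" matches every caller, "?" only anonymous callers,
    names compare case-insensitively, and a caller that matches no rule gets
    the inherited default, which allows access.
    """
    who = account.lower()
    for action, names in rules:
        for name in names:
            if name == "*" or (name == "?" and not who) or name.lower() == who:
                return action
    return default


def lint(rules):
    """Report the mistakes the guide warns about, plus unreachable rules."""
    findings = []
    for position, (action, names) in enumerate(rules):
        for name in names:
            if name in ("*", "?"):
                if name == "*" and position < len(rules) - 1:
                    findings.append(f'{action} "*" is not last: later rules never apply')
                continue
            if "\\" not in name:
                findings.append(f"{action} {name}: not in domain\\computer_name$ form")
            if not name.endswith("$"):
                findings.append(f"{action} {name}: no trailing $, so it will not match "
                                "the name the computer authenticates with")
    if not rules or rules[-1] != ("deny", ["*"]):
        findings.append('no final <deny users="*" />: unlisted callers are allowed')
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("broken", BROKEN)):
        rules = load_rules(text)
        print(label, lint(rules) or "no findings")
        for account in (r"domain\contoso-wsus-srv1$", r"domain\rogue-srv$", ""):
            print("  ", repr(account), "->", decide(rules, account))
```

The broken file fails in two directions: without the final deny rule every caller is let through, and once the deny rule is added the entry without the dollar sign locks out the legitimate downstream server.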

To configure IIS:

1. On the WSUS 3.0 server to which access is to be restricted, open the Internet Information Services (IIS) Manager.

2. Expand the <servername> node.

3. Expand the WSUS Web site node (either Default Web Site or WSUS Administration).

4. Right-click ServerSyncWebService, and click Properties.

5. Click the Directory Security tab.

6. In the Authentication and access control frame, click Edit.

7. In the Authentication Methods dialog box, clear the Enable anonymous access check box and select the Integrated Windows authentication check box.

8. Click OK and then OK again.

4.2.3 Securing WSUS 3.0 with SSL

It is possible to use SSL to secure a WSUS 3.0 deployment. SSL can be used to allow WSUS 3.0 clients to authenticate to WSUS 3.0 servers. It can be used to allow downstream WSUS 3.0 servers to authenticate to upstream WSUS 3.0 servers. SSL can also be used to encrypt the update metadata that is passed between WSUS 3.0 clients and WSUS 3.0 servers.

WSUS 3.0 servers will only use SSL for encrypting update metadata; the updates themselves are not sent over the encrypted SSL channel. To provide security for the updates, the updates are digitally signed by Microsoft. Additionally, a hash is computed and sent with the encrypted metadata for each update.

Recommendation

SSL should be used whenever possible to add an additional layer of security to the WSUS 3.0 deployment. One of the most important reasons to use SSL is not for encryption, but for server authentication. When a WSUS 3.0 client is configured to connect to a WSUS 3.0 server using SSL, the WSUS 3.0 client can authenticate the identity of the WSUS 3.0 server using the SSL certificate. This prevents rogue WSUS 3.0 servers from impersonating a trusted WSUS 3.0 server.

Note

Encrypting data using the SSL protocol places an additional processing overhead on the WSUS 3.0 server. Plan for around a 10 percent loss of performance.

When the WSUS 3.0 database is installed on a remote SQL server, the connection between the WSUS 3.0 server and the database server is not secured with SSL. To secure this connection, use one of the following methods:

• Move the database to the WSUS 3.0 server

• Connect the remote SQL server to the WSUS 3.0 server over a private network which is connected to an additional Network Interface Card (NIC)

• Deploy Internet Protocol Security (IPSec) between the servers to encrypt the network traffic

For further information on deploying IPSec, see Overview of IPSec Deployment [7].

[7] Overview of IPSec Deployment {R7}: http://go.microsoft.com/fwlink/?LinkId=45154

4.2.3.1 Configuring SSL on the Upstream WSUS 3.0 Server

It is not possible to use SSL for the entire WSUS 3.0 Web site. This is because only the metadata traffic is actually encrypted using SSL. Only the following virtual roots should be configured to require SSL encryption:

• SimpleAuthWebService

• DSSAuthWebService

• ServerSyncWebService

• APIRemoting30

• ClientWebService

Ensure the following virtual roots are not encrypted using SSL:

• Content

• Inventory

• ReportingWebService

• SelfUpdate

Once IIS 6.0 has been configured so that SSL is required to access the WSUS 3.0 console, it is necessary to use a different URL. This will be in the format: https://<servername>/WSUSAdmin. If a custom port number for the SSL port has been configured, append this to the server hostname in the URL, for instance, for port 2424 use the URL: https://<servername>:2424/WSUSAdmin.

Note

When using a custom Web site for WSUS, the SSL port will automatically use port 8531. This can be changed manually, but bear in mind that WSUS always uses the port that numerically precedes the SSL port for the clear text HTTP traffic. For example, when using port 2424 for SSL, WSUS will use port 2424 for HTTPS and port 2423 for HTTP.

To configure SSL on a WSUS 3.0 server:

1. Install an SSL certificate to the Web site that runs IIS 6.0. The procedures for installing the SSL certificate will depend on the healthcare organisation’s network environment.

2. In IIS Manager, expand the local computer node, and expand the WSUS Web site node.

3. Right-click the first of the virtual roots for which SSL is to be enabled, and click Properties.

4. Click the Directory Security tab and under Secure Communications, click Edit.

5. Click Require secure channel (SSL) and Require 128-bit encryption.

6. Click OK and then OK again.

7. Repeat steps 3 to 7 for each virtual root for which SSL is to be enabled.

4.2.3.2 Configuring Downstream WSUS 3.0 Servers to Connect Using SSL

Downstream WSUS 3.0 servers need to trust the Certification Authority (CA) that issued the upstream WSUS 3.0 server’s SSL certificate.

• If downstream servers do not automatically trust the upstream WSUS 3.0 server’s SSL certificate, for instance if an untrusted CA or self-signed certificate has been used, the upstream WSUS 3.0 server’s SSL certificate needs to be imported into the Trusted Root CA store of the local computer. In an Active Directory environment, this can be performed automatically through Group Policy.

• If an upstream WSUS 3.0 server’s SSL certificate is only imported into the Trusted Root CA store of the current user and not into the Trusted Root CA store of the local computer, authentication will fail.

To configure a downstream WSUS 3.0 server to connect using SSL:

1. Open the WSUS 3.0 console and select the Options node.

2. In the centre pane, click Update Source and Proxy Server.

3. In the Update Source dialog box, select the Synchronize from another Windows Server Update Services server check box.

   a. Type the Server name of the upstream WSUS 3.0 server.

   b. Type the Port number it uses for SSL connections.

   c. Select the Use SSL when synchronizing update information check box.

4. Click OK.

4.2.3.3 Configuring SSL on Client Computers

When configuring a WSUS 3.0 client to connect to a WSUS 3.0 server using SSL, be aware of the following:

• The URL for the secure port must be configured in Automatic Updates on the WSUS 3.0 client. Use the Specify intranet Microsoft Update service location Group Policy setting to enter the modified URL, or edit the registry directly. For more information on setting this Group Policy option, see section 4.3.1

• The URL required will be in the format: https://<servername>. If the custom port number for the SSL port has been configured, append this to the server hostname in the URL. For example, if port 2424 has been configured, use the URL: https://<servername>:2424

• WSUS 3.0 clients need to trust the CA that issued the upstream WSUS 3.0 server’s SSL certificate. If they do not automatically trust the upstream WSUS 3.0 server’s SSL certificate, for instance if an untrusted CA or self-signed certificate has been used, the upstream WSUS 3.0 server’s SSL certificate needs to be imported into the Trusted Root CA store of the local computer. In an Active Directory environment this can be performed automatically through Group Policy.

Important

If an upstream WSUS 3.0 server’s SSL certificate is only imported into the Trusted Root CA store of the current user and not into the Trusted Root CA store of the local computer, authentication will fail.

4.3 Configuring the WSUS 3.0 Client

This section provides the information and procedures necessary to configure Automatic Updates. Automatic Updates is the client component of WSUS 3.0.

To configure a WSUS 3.0 client to connect to a WSUS 3.0 server, settings must be applied to Automatic Updates on the client. Automatic Updates comes with a user interface which can be accessed from the Control Panel. However, WSUS 3.0 client settings cannot be configured through the user interface; instead they must be applied in one of the following three ways, depending on the healthcare organisation’s environment:

• Group Policy Objects applied through Active Directory

• Local Group Policy

• Registry keys

When WSUS 3.0 client settings are set by an administrator through Group Policy, they always take precedence over user-defined options. This is true whether using Group Policy in an Active Directory environment or using the Local Group Policy editor. When WSUS 3.0 settings are configured, the Automatic Updates user interface becomes disabled on the client computer.

4.3.1 Configuring WSUS 3.0 Clients in an Active Directory Environment

To deploy the WSUS 3.0 client settings in a healthcare organisation with Active Directory deployed, use Group Policy. Microsoft does not recommend editing the Default Domain or Default Domain Controller GPOs to add WSUS 3.0 client settings. Instead, create new GPOs for the application of WSUS 3.0 client settings.

Recommendation

It is recommended that a separate GPO is created for the application of WSUS 3.0 client settings. The GPO should be linked to the OU container that holds the relevant client computers and should be configured to apply the recommended computer configuration settings. Further GPOs can be created if the WSUS 3.0 client settings need to be defined differently for different sets of computers. For best practice on using Group Policy, see Group Policy for Healthcare Desktop Management [8].

Table 3 shows the commands that can be run by the client operating system, to force a Group Policy refresh:

| Operating System | Command |
|---|---|
| Windows Vista, Windows XP | gpupdate.exe /force |
| Windows 2000 | Computer settings: secedit.exe /refreshpolicy machine_policy /enforce |
| Windows 2000 | User settings: secedit.exe /refreshpolicy user_policy /enforce |

Table 3: Group Policy Refresh Commands

4.3.1.1 Load the WSUS 3.0 Administrative Template

Before setting Group Policy options for the WSUS 3.0 client, ensure that the latest administrative template has been loaded on the computer used to administer Group Policy. The administrative template that contains WSUS 3.0 settings is named ‘wuau.adm’.

[8] Group Policy for Healthcare Desktop Management {R8}: http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx

If the computer that is being used to configure Group Policy has the latest version of wuau.adm, it is not necessary to load the file to configure settings. The latest version of wuau.adm is provided with Windows XP Professional SP2 and Windows Server 2003 SP1. Administrative template files are stored in the %windir%\Inf folder, by default.

Note

The correct version of wuau.adm can be found on any computer that has the WSUS 3.0 compatible version of Automatic Updates installed. The old version of wuau.adm can be used to point a client at a WSUS 3.0 server. After the client self-updates the Automatic Updates software, the new version of wuau.adm can be found in the %windir%\Inf folder.

To load the administrative template:

1. Open the relevant Group Policy Object.

2. Under Computer Configuration or User Configuration, right-click Administrative Templates and select Add/Remove Templates.

3. Click Add.

4. Select wuau.adm and click Open.

5. In the Add/Remove Templates dialog box, click Close.

4.3.1.2 Configure Automatic Updates

This section details the procedures necessary to implement Group Policy settings for the configuration of the WSUS 3.0 client. All the settings are configured in the computer configuration component of Group Policy.

There are twelve Group Policy settings in the computer configuration component of a GPO that can be used for configuring the WSUS 3.0 client. Table 4 lists all the available settings and the recommendation for each setting. Table 5 details the recommended properties for the GPO. For more information on each Group Policy setting, refer to the ‘Explain’ tab of the setting within the Group Policy Management Console (GPMC).

These settings can be found in the following Group Policy location: Computer Configuration > Administrative Templates > Windows Components > Windows Update.

Table 4 lists the available Automatic Updates settings in the computer configuration component of a GPO, and provides a recommendation for each setting.

| Setting | Recommended Value |
|---|---|
| Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box [9] | Enabled |
| Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box [9] | Not Configured (has no effect due to the policy setting above to not display the option) |
| Configure Automatic Updates [10]: | Enabled |
| Configure Automatic Updating | 4 – Auto download and schedule the install |
| Scheduled install day | 0 – Every day |
| Scheduled install time | 14:00 |

[9] This setting is supported on at least Windows XP SP2.

[10] This setting is supported on at least Windows 2000 SP3, Windows XP SP1 and Windows Server 2003.

| Setting | Recommended Value |
|---|---|
| Specify intranet Microsoft update service location [10] | Enabled |
| Set the intranet update service for detecting updates | http://ServerName |
| Set the intranet statistics server | http://ServerName |
| Enable client-side targeting [10] | Enabled |
| Target group name for this computer | GroupName |
| Reschedule Automatic Updates scheduled installations [10] | Enabled |
| Wait after system startup (minutes) | 30 |
| No auto-restart for scheduled Automatic Updates installations [10] | Enabled |
| Automatic Updates detection frequency [10] | Not Configured (default interval of 22 hours will be used) |
| Allow Automatic Updates immediate installation [10] | Enabled |
| Delay Restart for scheduled installations [10] | Not configured (No effect as No auto-restart is Enabled) |
| Re-prompt for restart with scheduled installations [10] | Enabled |
| Wait the following period before prompting again with a scheduled restart (minutes): | 30 |
| Allow non-administrators to receive update notifications [10] | Not Configured |
| Turn on recommended updates via Automatic Updates [11] | Enabled |
| Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates [11] | Enabled |

Table 4: WSUS 3.0 GPO Settings

Note

The setting Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates enables healthcare organisations to take advantage of clients’ power management functionality. For operating systems prior to Windows Vista, client machines would typically be left on overnight to enable remote management tasks, such as applying updates, to be carried out. This is no longer required with Windows Vista. Using this setting enables a healthcare organisation to save energy and therefore reduce the total cost of ownership (TCO) of managing a computer.

Table 5 details the properties of the Automatic Updates computer configuration GPO.

| Property | Setting |
|---|---|
| Block Inheritance | Unchecked |
| Enforced (No Override) | Unchecked |
| GPO Status | User Configuration Settings Disabled |
| Permissions [12] | Authenticated User: Read & Apply Group Policy |
| | Creator Owner: (none explicitly set) |
| | Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects |
| | Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects |
| | System: Read, Write, Create All Child Objects, and Delete All Child Objects |

Table 5: WSUS 3.0 GPO Properties

[11] This setting is supported on at least Windows Vista.

[12] All permissions detailed here are Allow permissions unless stated otherwise.


4.3.2 Configuring WSUS 3.0 Clients in a Non-Active Directory Environment

In a non-Active Directory environment, the following options are available for configuring the Automatic Updates client:

• Using the Group Policy Object Editor and editing the Local Group Policy object
• Editing the registry directly by using the registry editor (Regedit.exe)
• Centrally deploying registry entries by using some other automated method

When editing the Local Group Policy object, the available settings are the same as in section 4.3.1.2. Refer to section 4.3.1.2 for more information on the available options and the recommended settings.

When editing the registry either directly or through an automated method, the available options are the same. Most of the options are organised into two registry locations; one for the WSUS 3.0 server, and the other for the Automatic Updates client.

4.3.2.1 WSUS 3.0 Server Options

These registry entries are located in the following subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

Note

On some operating system versions, the WindowsUpdate registry key does not exist. If this is the case, first manually create the key. Additionally, create the AU key beneath the WindowsUpdate key.

Table 6 details all the available entries, their possible and recommended values, and their data types.

| Entry Name | Possible Values | Recommended Values | Data Type |
|---|---|---|---|
| AcceptTrustedPublisherCerts | 1 = Enabled. The WSUS 3.0 server will distribute signed third-party updates if available; 0 = Disabled. The WSUS 3.0 server will not distribute third-party updates | 1 | REG_DWORD |
| DisableWindowsUpdateAccess | 1 = Disables access to Windows Update; 0 = Enables access to Windows Update | 1 | REG_DWORD |
| ElevateNonAdmins | 1 = Users in the Users security group are allowed to approve or unapprove updates; 0 = Only users in the Administrators user group can approve or unapprove updates | 0 | REG_DWORD |
| TargetGroup | Name of the computer group to which the computer belongs, used to implement client-side targeting, for example, ‘TestServers.’ This policy is paired with TargetGroupEnabled | GroupName | REG_SZ |
| TargetGroupEnabled | 1 = Use client-side targeting; 0 = Do not use client-side targeting. This policy is paired with TargetGroup | 1 | REG_DWORD |


| Entry Name | Possible Values | Recommended Values | Data Type |
|---|---|---|---|
| WUServer | HTTP(S) URL of the WSUS 3.0 server used by Automatic Updates and (by default) Application Programming Interface (API) callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid | http://ServerName | REG_SZ |
| WUStatusServer | The HTTP(S) URL of the server to which reporting information will be sent by client computers. This policy is paired with WUServer; both must be set to the same value in order for them to be valid | http://ServerName | REG_SZ |

Table 6: WSUS 3.0 Server Options

4.3.2.2 Automatic Updates Client Options

These registry entries are located in the following subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

Table 7 details all the available entries, their possible and recommended values, and their data types.

| Entry Name | Possible Values | Recommended Values | Data Type |
|---|---|---|---|
| AUOptions | 2 = Notify before download; 3 = Automatically download and notify of installation; 4 = Automatic download and scheduled installation (Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime); 5 = Automatic Updates is required, but end users can configure it | 4 | REG_DWORD |
| AutoInstallMinorUpdates | 0 = Treat minor updates like other updates; 1 = Silently install minor updates | 1 | REG_DWORD |
| DetectionFrequency | Range = n; where n = time in hours (1-22). Time between detection cycles | Not Configured | REG_DWORD |
| DetectionFrequencyEnabled | 0 = Disable custom DetectionFrequency (use default value of 22 hours); 1 = Enable DetectionFrequency | 0 | REG_DWORD |
| NoAUShutdownOption | 0 = The Install Updates and Shut Down option will be available in the Shut Down Windows dialog box; 1 = The Install Updates and Shut Down option will not be available in the Shut Down Windows dialog box | 1 | REG_DWORD |
| NoAutoRebootWithLoggedOnUsers | 0 = Automatic Updates notifies user that the computer will restart in five minutes; 1 = Logged-on user gets to choose whether or not to restart their computer | 1 | REG_DWORD |
| NoAutoUpdate | 0 = Enable Automatic Updates; 1 = Disable Automatic Updates | 0 | REG_DWORD |
| RebootRelaunchTimeout | Range = n; where n = time in minutes (1-1440). Time between prompting for a scheduled restart | 30 | REG_DWORD |


| Entry Name | Possible Values | Recommended Values | Data Type |
|---|---|---|---|
| RebootRelaunchTimeoutEnabled | 0 = Disable custom RebootRelaunchTimeout (use default value of 10 minutes); 1 = Enable RebootRelaunchTimeout | 1 | REG_DWORD |
| RebootWarningTimeout | Range = n; where n = time in minutes (1-30). Length of the restart warning countdown after installing updates with a deadline or installing scheduled updates | Not Configured | REG_DWORD |
| RebootWarningTimeoutEnabled | 0 = Disable custom RebootWarningTimeout (use default value of five minutes); 1 = Enable RebootWarningTimeout | Not Configured | REG_DWORD |
| RescheduleWaitTime | Range = n; where n = time in minutes (1-60). Time that Automatic Updates should wait at startup before applying updates from a missed scheduled installation time. Note: This policy applies only to scheduled installations, not deadlines. Updates whose deadlines have expired should always be installed as soon as possible | 30 | REG_DWORD |
| RescheduleWaitTimeEnabled | 0 = Disable RescheduleWaitTime (attempt the missed installation during the next scheduled installation time); 1 = Enable RescheduleWaitTime | 1 | REG_DWORD |
| ScheduledInstallDay | 0 = Every day; 1 through 7 = The days of the week from Sunday (1) to Saturday (7) (Only valid if AUOptions equals 4) | 0 | REG_DWORD |
| ScheduledInstallTime | Range = n; where n = the time of day in 24-hour format (0-23) | 14 | REG_DWORD |
| UseWUServer | The WUServer value is not respected unless this key is set | 1 | REG_DWORD |

Table 7: Automatic Updates Client Options

4.3.2.3 Additional Registry Settings

The Group Policy setting Remove access to use all Windows Update features removes all access to Microsoft Update. This setting also hides the Automatic Updates icon in the notification area for WSUS 3.0 clients. This setting can be enabled in the registry in either of the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
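The following PowerShell is an added example, not part of the original guide: it audits the WindowsUpdate and WindowsUpdate\AU values against the fixed recommendations and the pairing rules given in Tables 6 and 7. The function names are hypothetical, the sample values are constructed, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the guide. Function names are hypothetical and the
# sample values at the bottom are constructed; entry names come from Tables 6 and 7.
$WuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues {
    # Read every value under a registry key into a hashtable (empty if the key is absent).
    param([string]$Path)
    $values = @{}
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Compare-ToRecommended {
    # Emit one finding per entry that is missing or differs from the recommended value.
    param([hashtable]$Actual, [System.Collections.IDictionary]$Recommended, [string]$KeyName)
    foreach ($name in $Recommended.Keys) {
        $want = $Recommended[$name]
        if (-not $Actual.ContainsKey($name)) {
            "$KeyName\$name is not set (recommended $want)"
        } elseif ($Actual[$name] -ne $want) {
            "$KeyName\$name is $($Actual[$name]) (recommended $want)"
        }
    }
}

function Test-WsusClientPolicy {
    param([hashtable]$WindowsUpdate, [hashtable]$AU)
    $findings = @()
    # Fixed recommendations. Site-specific entries (server URL, group name, install
    # schedule) and entries the guide leaves Not Configured are checked by rule below.
    $recWU = [ordered]@{ AcceptTrustedPublisherCerts = 1; DisableWindowsUpdateAccess = 1
                         ElevateNonAdmins = 0; TargetGroupEnabled = 1 }
    $recAU = [ordered]@{ AUOptions = 4; AutoInstallMinorUpdates = 1; NoAUShutdownOption = 1
                         NoAutoRebootWithLoggedOnUsers = 1; NoAutoUpdate = 0
                         DetectionFrequencyEnabled = 0; RebootRelaunchTimeoutEnabled = 1
                         RescheduleWaitTimeEnabled = 1 }
    $findings += @(Compare-ToRecommended $WindowsUpdate $recWU 'WindowsUpdate')
    $findings += @(Compare-ToRecommended $AU $recAU 'WindowsUpdate\AU')

    # WUServer and WUStatusServer are only valid as a pair holding the same value,
    # and WUServer is not respected unless UseWUServer is set.
    $wu = $WindowsUpdate['WUServer']; $status = $WindowsUpdate['WUStatusServer']
    if (-not $wu -or -not $status) {
        $findings += 'WUServer and WUStatusServer must both be set'
    } elseif ($wu -ne $status) {
        $findings += "WUServer ($wu) and WUStatusServer ($status) differ"
    }
    if ($AU['UseWUServer'] -ne 1) { $findings += 'UseWUServer is not 1, so WUServer is not respected' }

    # TargetGroupEnabled is paired with TargetGroup.
    if ($WindowsUpdate['TargetGroupEnabled'] -eq 1 -and -not $WindowsUpdate['TargetGroup']) {
        $findings += 'TargetGroupEnabled is 1 but TargetGroup is empty'
    }

    # AUOptions 4 is only valid with an install day (0-7) and an install time (0-23).
    if ($AU['AUOptions'] -eq 4) {
        foreach ($rule in @(@('ScheduledInstallDay', 7), @('ScheduledInstallTime', 23))) {
            $name, $max = $rule
            $v = $AU[$name]
            if ($null -eq $v -or $v -lt 0 -or $v -gt $max) {
                $findings += "AUOptions is 4 but $name is missing or outside 0 to $max"
            }
        }
    }

    # An *Enabled flag set to 1 needs its paired value inside the documented range.
    $ranged = [ordered]@{
        DetectionFrequency    = @('DetectionFrequencyEnabled', 1, 22)
        RebootRelaunchTimeout = @('RebootRelaunchTimeoutEnabled', 1, 1440)
        RebootWarningTimeout  = @('RebootWarningTimeoutEnabled', 1, 30)
        RescheduleWaitTime    = @('RescheduleWaitTimeEnabled', 1, 60)
    }
    foreach ($name in $ranged.Keys) {
        $flag, $min, $max = $ranged[$name]
        $v = $AU[$name]
        if ($AU[$flag] -eq 1 -and ($null -eq $v -or $v -lt $min -or $v -gt $max)) {
            $findings += "$flag is 1 but $name is missing or outside $min to $max"
        }
    }
    $findings
}

# Constructed sample of a drifted client.
$sampleWU = @{ WUServer = 'http://ServerName'; WUStatusServer = 'http://OtherServer'
               AcceptTrustedPublisherCerts = 1; DisableWindowsUpdateAccess = 1
               ElevateNonAdmins = 1; TargetGroupEnabled = 1; TargetGroup = '' }
$sampleAU = @{ AUOptions = 4; ScheduledInstallDay = 0; AutoInstallMinorUpdates = 1
               NoAUShutdownOption = 1; NoAutoRebootWithLoggedOnUsers = 1; NoAutoUpdate = 0
               DetectionFrequencyEnabled = 0; RebootRelaunchTimeoutEnabled = 1
               RebootRelaunchTimeout = 30; RescheduleWaitTimeEnabled = 1; RescheduleWaitTime = 90 }
Test-WsusClientPolicy -WindowsUpdate $sampleWU -AU $sampleAU

# On a live client, audit the real keys instead:
# Test-WsusClientPolicy -WindowsUpdate (Get-PolicyValues $WuKey) -AU (Get-PolicyValues "$WuKey\AU")
```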


Table 8 shows the registry entry that is used to configure the Remove access to use all Windows Update features setting.

| Entry Name | Possible Values | Recommended Values | Data Type |
|---|---|---|---|
| NoWindowsUpdate | 0 = Users can connect to the Windows Update Web site; 1 = Remove access to use all Windows Update features | 1 | REG_DWORD |

Table 8: NoWindowsUpdate Setting

Important

When this setting is enabled under the HKEY_LOCAL_MACHINE subkey, links to Windows Update are removed, including the links in Internet Explorer and on the Start Menu. However, access is still possible to Windows Update by typing the URL into Internet Explorer. Whenever possible, define this entry in the HKEY_CURRENT_USER subkey, which will prevent all access to Windows Update. Be aware that the HKEY_CURRENT_USER subkey affects only the currently logged on user.

Recommendation

It is recommended that this setting is enabled to prevent users from installing software updates that have not been through the organisation’s normal software update testing and change control procedures, and that have not been approved on the WSUS server.

4.3.3 Configuring Background Intelligent Transfer Service

Background Intelligent Transfer Service (BITS) is used by the WSUS 3.0 server and client to download updates by using idle bandwidth. BITS calculates how much idle bandwidth to use by monitoring the network traffic on the computer’s local NIC, and using only the idle portion of the available bandwidth for downloading updates.

However, BITS is only aware of the network bandwidth conditions on the computer’s local NIC; BITS is not aware of the network conditions beyond the computer itself. If the computer is connected to the network using a fast Ethernet link, but is downloading updates using BITS from a computer on the other side of a slow WAN link, such as a 56 Kbps link, BITS may use too much of the bandwidth on the WAN link, potentially causing bandwidth related problems. This is because BITS is not aware of the speed or bandwidth utilisation of the WAN link.

BITS 2.0 can be configured to ensure a client uses no more than a defined amount of bandwidth, through bandwidth limitation policies. BITS 2.0 is installed on Windows XP SP2. On Windows 2000 Professional SP4, BITS is upgraded to BITS 2.0 when the client first connects to the WSUS 3.0 server. BITS 3.0 is part of the Windows Vista operating system and includes additional features not included in earlier versions of BITS, namely peer-caching.

Warning

Be aware that when implementing BITS bandwidth limitation policies, all applications that utilise BITS will be affected by the policy.

Bandwidth limitation policies are implemented through Group Policy or registry entries and limit the amount of bandwidth that BITS is allowed to use. If bandwidth limitation policies are not implemented, BITS may consume large amounts of WAN bandwidth.

Recommendation

When clients download updates from a WSUS 3.0 server across a WAN link, it is recommended that appropriate BITS bandwidth limitation policies are implemented.


Note

Though BITS bandwidth limitation policies are of most use in environments where WSUS clients download updates across WAN links, it may still be advantageous to set applicable settings in LAN environments. Determine the maximum amount of bandwidth that WSUS clients can use without adversely affecting LAN performance, and apply the settings accordingly.

4.3.3.1 Upgrading to BITS 2.0

The bandwidth limitation features mentioned above were introduced with BITS 2.0. Windows Vista and Windows XP SP2 already include versions of BITS that support bandwidth limitation. Windows 2000 Professional SP4 will need to be updated before it can take advantage of these features.

To verify the version of BITS installed:

1. Open Windows Explorer and locate qmgr.dll in the %systemroot%\system32 folder.
2. Right-click the file and select Properties.
3. Click the Version tab.
4. Check the version number and compare with the values in Table 9.
5. Check for the existence of qmgr.dll in the %systemroot%\system32\BITS folder. If the file exists in this location, repeat the preceding steps and use the DLL with the highest version number.

Table 9 can be used to determine the installed version of BITS.

| BITS Version | QMgr.dll File Version Number |
|---|---|
| BITS 3.0 | 7.0.xxxx.xxxx |
| BITS 2.5 | 6.7.xxxx.xxxx |
| BITS 2.0 | 6.6.xxxx.xxxx |
| BITS 1.5 | 6.5.xxxx.xxxx |
| BITS 1.2 | 6.2.xxxx.xxxx |
| BITS 1.0 | 6.0.xxxx.xxxx |

Table 9: Determine BITS Versions

Recommendation

It is recommended that the latest update for the Microsoft Installer be installed, which can help to reduce download sizes. This update is included in Windows Vista, but will need to be installed on Windows XP SP2 and Windows 2000 Professional SP4 to take advantage of this improved functionality.

The updates for BITS and the Windows Installer are automatically approved for installation by WSUS 3.0. This means no configuration changes need to be made. The first time a client connects to a WSUS 3.0 server it will download and install these updates before downloading any further updates. This ensures that any updates that are downloaded after BITS has been upgraded to version 2.0 can take advantage of any previously configured BITS bandwidth policies. The updates are:

• Microsoft Windows Installer 3.1 (KB893803) [13]
• Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773) [14]

[13] Windows Installer 3.1 v2 (3.1.4000.2435) {R9}: http://support.microsoft.com/kb/893803/
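The five verification steps in this section can be scripted. The following PowerShell is an added example, not part of the original guide: it reads the file version of qmgr.dll from both locations, keeps the highest, maps it to Table 9, and reports whether that release supports bandwidth limitation. The function names are hypothetical.

```powershell
# Added example, not from the guide. Function names are hypothetical.

function ConvertTo-BitsRelease {
    # Map the major.minor part of a qmgr.dll file version to the release in Table 9.
    param([version]$FileVersion)
    switch ('{0}.{1}' -f $FileVersion.Major, $FileVersion.Minor) {
        '7.0'   { 'BITS 3.0' }
        '6.7'   { 'BITS 2.5' }
        '6.6'   { 'BITS 2.0' }
        '6.5'   { 'BITS 1.5' }
        '6.2'   { 'BITS 1.2' }
        '6.0'   { 'BITS 1.0' }
        default { 'not listed in Table 9' }
    }
}

function Get-InstalledBitsVersion {
    param([string]$SystemRoot = $env:SystemRoot)

    # Steps 1 and 5: look in system32 and, if present, in system32\BITS.
    $paths = @(
        (Join-Path $SystemRoot 'system32\qmgr.dll'),
        (Join-Path $SystemRoot 'system32\BITS\qmgr.dll')
    )
    $found = @(foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $info = (Get-Item -LiteralPath $path).VersionInfo
            # Build the version from the numeric parts; the FileVersion string
            # can carry extra text that does not parse as a version.
            $version = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart,
                $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
            New-Object psobject -Property @{ Path = $path; FileVersion = $version }
        }
    })
    if ($found.Count -eq 0) { return $null }

    # Step 5: use the DLL with the highest version number.
    $best = $found | Sort-Object -Property FileVersion -Descending | Select-Object -First 1
    New-Object psobject -Property @{
        Path                    = $best.Path
        FileVersion             = $best.FileVersion
        Release                 = (ConvertTo-BitsRelease $best.FileVersion)
        # Bandwidth limitation was introduced with BITS 2.0 (6.6.x in Table 9).
        SupportsBandwidthLimits = ($best.FileVersion -ge [version]'6.6')
    }
}

Get-InstalledBitsVersion
```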


4.3.3.2 Configuring BITS Bandwidth Limitation in an Active Directory Environment

There are two Group Policy settings in the computer configuration component of a GPO that can be used for configuring BITS. These settings can be found in the following Group Policy location: Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service.

In this section, Table 10 lists all the available settings, and provides a brief description and the recommendation for each setting. Table 11 details the recommended properties for the GPO. For more information on each Group Policy setting, refer to the Explain tab of the setting within the Group Policy MMC.

Note

It is not necessary to create a new policy to apply these settings. These settings can be included in the GPO that is used to configure Automatic Updates settings, or any other GPO that applies computer configuration settings to the relevant computers.

Table 10 lists the available BITS settings in the computer configuration component of a GPO, and provides a recommendation for each setting.

| Setting | Recommendation |
|---|---|
| Maximum network bandwidth that BITS uses [15] | Enabled |
| Limit BITS transfer rate (Kbps) to | 10 |
| From | 8 AM |
| to | 5 PM |
| OR Limit BITS transfer rate (Kbps) to | 20 |
| Timeout (days) for inactive jobs [16] | Not Configured |

Table 10: BITS GPO Settings

Table 11 details the properties of the recommended BITS settings GPO:

| Property | Settings |
|---|---|
| Block Inheritance | Unchecked |
| Enforced (No Override) | Unchecked |
| GPO Status | User Configuration Settings Disabled |
| Permissions [17] | Authenticated User: Read & Apply Group Policy; Creator Owner: (none explicitly set); Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects; Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects; System: Read, Write, Create All Child Objects, and Delete All Child Objects |

Table 11: BITS GPO Properties

[14] An update package that includes BITS 2.0 and WinHTTP 5.1 is available for Windows Server 2003, for Windows XP, and for Windows 2000 {R10}: http://support.microsoft.com/kb/842773/

[15] The minimum operating system requirement for this setting is Microsoft Windows XP SP2, or computers with BITS 2.0 installed

[16] The minimum operating system requirement for this setting is Microsoft Windows XP or Windows Server 2003, or computers with BITS 1.5 installed

[17] All permissions detailed here are Allow permissions unless stated otherwise


4.3.3.3 Configuring BITS Bandwidth Limitations in a Non-Active Directory Environment

In a non-Active Directory environment there are a number of options available for configuring BITS. The following options exist:

• Using the Group Policy Object Editor and editing the Local Group Policy object
• Editing the registry directly by using the registry editor (Regedit.exe)
• Deploying registry entries centrally by using some other automated method

When editing the Local Group Policy object, the available settings are the same as those mentioned in section 4.3.3.2. Refer to section 4.3.3.2 for more information on the available options and the recommended settings.

To configure BITS by editing the registry, modify the key detailed in this section by either manually editing the registry or by using some other automated method.

The registry entries are located in the following subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS

Table 12 details all the available entries for BITS 2.0, their possible and recommended values, and their data types.

| Entry Name | Possible Values | Recommended Values | Data Type |
|---|---|---|---|
| EnableBITSMaxBandwidth | 0 = BITS imposes no limit on bandwidth of background jobs; 1 = BITS limits bandwidth of background jobs | 1 | REG_DWORD |
| MaxBandwidthValidFrom | Range = n; where n = the time of day in 24-hour format (0-23). If missing or invalid, ‘8’ is assumed | 8 | REG_DWORD |
| MaxBandwidthValidTo | Range = n; where n = the time of day in 24-hour format (0-23). If missing or invalid, ‘18’ is assumed | 17 | REG_DWORD |
| MaxTransferRateOffSchedule | Range = n; where n = the maximum rate, measured in kilobits per second (0x0-0xffffffff). 0xffffffff is interpreted as ‘unlimited’. If the key is not present or invalid, ‘unlimited’ is assumed. This value is ignored if UseSystemMaximum is nonzero | 20 | REG_DWORD |
| MaxTransferRateOnSchedule | Range = n; where n = the maximum rate, measured in kilobits per second (0x0-0xffffffff). 0xffffffff is interpreted as ‘unlimited’. If the key is not present or invalid, 50 kbps is assumed | 10 | REG_DWORD |
| UseSystemMaximum | 0 = The off-schedule maximum is read from MaxTransferRateOffSchedule. Any other value means the off-schedule maximum is unlimited | 0 | REG_DWORD |

Table 12: BITS 2.0 Registry Settings
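The defaults and override rules in Table 12 interact, so the limit that actually applies at a given hour is not always the value typed into the registry. The following PowerShell is an added example, not part of the original guide: it resolves the effective limit for a set of values, with hypothetical function names, constructed sample policies, and a labelled assumption about how the schedule window is evaluated (Windows PowerShell 3.0 or later is assumed).

```powershell
# Added example, not from the guide. Function names are hypothetical and the
# two policies at the bottom are constructed from the values in Table 12.

function Resolve-BitsHour {
    # A missing or out-of-range hour falls back to the documented default.
    param($Value, [int]$Default)
    if ($null -ne $Value -and $Value -ge 0 -and $Value -le 23) { return [int]$Value }
    return $Default
}

function Resolve-BitsRate {
    # A missing rate falls back to the documented default. 0xffffffff means
    # unlimited; .NET returns that DWORD as the signed value -1, so accept both.
    param($Value, $Default)
    if ($null -eq $Value) { return $Default }
    $n = [int64]$Value
    if ($n -eq -1 -or $n -eq 4294967295) { return 'unlimited' }
    return $n
}

function Get-BitsEffectiveLimit {
    param([hashtable]$Policy, [ValidateRange(0, 23)][int]$Hour)

    if ($Policy['EnableBITSMaxBandwidth'] -ne 1) {
        # 0 (or, by assumption, absent): no limit on background jobs.
        return [pscustomobject]@{ Hour = $Hour; InSchedule = $false; LimitKbps = 'unlimited' }
    }
    $from = Resolve-BitsHour -Value $Policy['MaxBandwidthValidFrom'] -Default 8
    $to   = Resolve-BitsHour -Value $Policy['MaxBandwidthValidTo'] -Default 18

    # Assumption (not stated in the guide): the window covers from <= hour < to
    # and wraps past midnight when from is later than to.
    if ($from -le $to) { $inSchedule = ($Hour -ge $from) -and ($Hour -lt $to) }
    else               { $inSchedule = ($Hour -ge $from) -or  ($Hour -lt $to) }

    if ($inSchedule) {
        $limit = Resolve-BitsRate -Value $Policy['MaxTransferRateOnSchedule'] -Default 50
    } elseif ($Policy['UseSystemMaximum']) {
        # Any nonzero value: MaxTransferRateOffSchedule is ignored.
        $limit = 'unlimited'
    } else {
        $limit = Resolve-BitsRate -Value $Policy['MaxTransferRateOffSchedule'] -Default 'unlimited'
    }
    [pscustomobject]@{ Hour = $Hour; InSchedule = $inSchedule; LimitKbps = $limit }
}

# The recommended values from Table 12.
$recommended = @{ EnableBITSMaxBandwidth = 1; MaxBandwidthValidFrom = 8; MaxBandwidthValidTo = 17
                  MaxTransferRateOnSchedule = 10; MaxTransferRateOffSchedule = 20; UseSystemMaximum = 0 }

# Constructed drift: UseSystemMaximum set and the on-schedule rate missing.
$drifted = $recommended.Clone()
$drifted['UseSystemMaximum'] = 1
$drifted.Remove('MaxTransferRateOnSchedule')

foreach ($policy in $recommended, $drifted) {
    foreach ($hour in 7, 12, 17) { Get-BitsEffectiveLimit -Policy $policy -Hour $hour }
}
```

With the drifted policy the off-schedule limit of 20 Kbps no longer applies at all, which is the case to look for when a WAN link is saturated outside working hours.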


4.3.3.4 Configuring BITS Peer Caching on Windows Vista

Peer caching is a new feature of BITS 3.0 that allows peers (computers within the same subnet of a network that have the peer caching feature enabled) to share files. If peer caching is enabled on a computer, the Automatic Update agent instructs BITS to make downloaded files available to that computer's peers as well.

When the files have been downloaded, BITS caches them. When another (peer caching-enabled) computer tries to download the same update, BITS on that computer sends a multicast request to all of that computer's peers. If one or more of the peers responds to the request, BITS will download the file from the first computer to respond. If the download from the peer fails or takes too long, BITS continues the download from the WSUS server or Microsoft Update.

This feature of BITS can optimise the bandwidth used by WSUS 3.0 in several ways:

• Peer caching decreases the amount of data transferred from the WSUS 3.0 server to its clients, because computers in the same subnet will usually download the updates from each other.

• Peer caching decreases the amount of data transferred across the WAN when some or all of the clients are located at different sites to the WSUS 3.0 server.

• Peer caching decreases the amount of data transferred across the Internet if WSUS 3.0 clients in the same subnet are configured to download updates from Microsoft Update.

Note

BITS peer caching requires computers to be running Windows Vista, and to be part of an Active Directory domain. For more information about peer caching and peer servers, see Peer Caching [18].

There are four Group Policy settings in the computer configuration component of a GPO that can be used for configuring peer caching. These settings can be found in the following Group Policy location: Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service.

In this section, Table 13 lists all the available settings, providing a brief description and the recommendation for each setting. Table 14 details the recommended properties for the GPO. For more information on each Group Policy setting, refer to the Explain tab of the setting within the Group Policy MMC.

Note

It is not necessary to create a new policy to apply these settings. These settings can be included in the GPO that is used to configure Automatic Updates settings, or any other GPO that applies computer configuration settings to the relevant computers.

Table 13 lists the available peer caching settings in the computer configuration component of a GPO, and provides a recommendation for each setting.

| Setting | Recommendation |
| --- | --- |
| Allow BITS Peercaching | Enabled |
| Limit age of items in the BITS Peercache | Not Configured (uses the default value of 90 days) |
| Limit the BITS Peercache size | Not Configured (uses the default value of 5% of disk space) |
| Maximum network bandwidth used for Peercaching | Not Configured (uses the default value of 104857bps) |

Table 13: Peer Caching GPO Settings

[18] Peer Caching {R11}: http://go.microsoft.com/fwlink/?LinkId=79432


Table 14 details the properties of the recommended Peer Caching settings GPO:

| Property | Settings |
| --- | --- |
| Block Inheritance | Unchecked |
| Enforced (No Override) | Unchecked |
| GPO Status | User Configuration Settings Disabled |
| Permissions [19] | Authenticated User: Read & Apply Group Policy; Creator Owner: (none explicitly set); Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects; Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects; System: Read, Write, Create All Child Objects, and Delete All Child Objects |

Table 14: Peer Caching GPO Properties

4.3.4 Roaming Clients

This section lists a couple of possible ways to keep mobile computers updated when they roam between locations in a healthcare organisation’s network, and onto the public Internet.

4.3.4.1 Remote Storage

A centrally located WSUS 3.0 server configured to use remote storage is one solution for providing updates to roaming clients. The roaming clients would always connect to the same WSUS 3.0 server across the network or via dialup/Virtual Private Network (VPN), to get update approvals. The clients would then retrieve the actual update files directly from Microsoft Update.

4.3.4.2 DNS Netmask Ordering

The DNS Netmask Ordering function in Windows Server 2003 allows roaming WSUS 3.0 clients to be directed to the closest WSUS 3.0 server (based on IP subnet). This type of design implies multiple WSUS 3.0 servers – preferably an upstream WSUS 3.0 server at the network hub, and downstream replica WSUS 3.0 servers in other locations. All of the WSUS 3.0 servers must have host records in DNS with the same fully-qualified domain name, but different IP addresses. Once DNS and WSUS 3.0 are correctly configured, all name resolution requests for a WSUS 3.0 server will return an IP address on the client’s subnet. If a local WSUS 3.0 server does not exist, DNS Round Robin will choose one at random. For more information about DNS Netmask Ordering and Round Robin, see How DNS Works [20].

[19] All permissions detailed here are Allow permissions unless stated otherwise

[20] How DNS Works {R12}: http://technet2.microsoft.com/WindowsServer/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true
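As an added illustration (not part of the original guide), the following Python model shows the name-resolution behaviour described in section 4.3.4.2: host records on the client's subnet are returned first, and clients with no local WSUS 3.0 server fall back to round robin. The addresses, labels, function names and the /24 comparison width are assumptions of the example.

```python
import ipaddress
import random

# Constructed sample data (hypothetical addresses): three WSUS servers that
# all own a host (A) record for the same fully-qualified domain name.
WSUS_A_RECORDS = ["10.1.0.20", "10.2.0.20", "10.3.0.20"]

# Constructed roaming-client addresses, keyed by a label for where they are.
SAMPLE_CLIENTS = {
    "hub, server subnet": "10.1.0.57",
    "hub, second subnet": "10.1.5.9",
    "branch with replica": "10.2.0.77",
    "branch without server": "10.9.0.12",
}


def same_subnet(client_ip, server_ip, prefix_len):
    """True when both addresses share their first prefix_len bits."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(server_ip) in net


def order_answers(client_ip, records, prefix_len=24, rng=None):
    """Order the A records for one name as one client would receive them.

    Records on the client's subnet come first (netmask ordering). The rest,
    or all of them when nothing is local, are shuffled to stand in for
    round robin. prefix_len=24 is this model's assumption, not a value
    taken from the guide.
    """
    rng = rng or random.Random()
    local = [r for r in records if same_subnet(client_ip, r, prefix_len)]
    others = [r for r in records if r not in local]
    rng.shuffle(others)
    return local + others


def locality_report(clients, records, prefix_len=24):
    """Map each client label to its local server(s), or to 'round robin'
    when no record is on that client's subnet."""
    report = {}
    for label, ip in clients.items():
        local = [r for r in records if same_subnet(ip, r, prefix_len)]
        report[label] = local or "round robin"
    return report


if __name__ == "__main__":
    # Compare a narrow and a wide comparison width over the same records.
    for width in (24, 16):
        print(f"comparison width /{width}")
        report = locality_report(SAMPLE_CLIENTS, WSUS_A_RECORDS, width)
        for label, result in report.items():
            print(f"  {label:<22} -> {result}")
```

Comparing the two widths shows that a client on a second subnet at the hub only resolves to the hub server when the comparison is wide enough to cover both subnets; otherwise it is treated like a site with no local server.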


5 OPERATE

During the Operate phase, the deployed solution components are proactively managed to ensure they provide the required levels of solution reliability, availability, supportability, and manageability.

Figure 5 acts as a high-level checklist, illustrating the critical components which an IT professional is responsible for ensuring, in a managed and operational WSUS 3.0 solution.

Figure 5: Sequence for Operating WSUS 3.0

5.1 Managing WSUS 3.0

This section provides information on the various tasks required for the management of a WSUS 3.0 server, and how to perform these tasks.

5.1.1 Managing Computers and Computer Groups

The Computers node in the WSUS 3.0 console is used for the administration of computers and computer groups. This section provides the information and procedures for viewing and managing computers and computer groups.

5.1.1.1 Viewing Computers and Computer Groups

When viewing computers and computer groups it is possible to perform a number of actions:

• View the members of a specific group

• View properties for individual computers including: computer group membership, IP address, operating system, service pack, operating system language, last status report date and time, last contacted date and time, hardware information and status information


This information is useful when troubleshooting issues with WSUS 3.0 clients, as it shows important information, such as the last status report date and time.

To view computers and computer groups:

1. Open the WSUS 3.0 console, expand the <servername> node, and expand the Computers node.

2. Expand the All Computers node and then click All Computers. From there it is possible to perform the following tasks:

• To view the members of a specific group; under the All Computers node, click the appropriate group. The members of the group will be displayed in the centre pane.

• To view properties of an individual computer; in the centre pane, select the appropriate computer. The computer properties will be displayed in the lower part of the centre pane.

5.1.1.2 Managing Computer Groups

The following tasks, covered in this section, are available for managing WSUS 3.0 computer groups:

• Create a computer group

• Remove a computer group

Note

If client-side targeting is used, computer groups must be manually pre-created in the WSUS 3.0 administration console. Clients will not be able to add themselves to the groups until this task has been performed. For more information on client-side targeting, see section 4.1.3.2.

To create a computer group:

1. Open the WSUS 3.0 console and navigate to the All Computers node, under the Computers node.

2. In the right pane, click Add Computer Group.

3. In the Add Computer Group dialog box, type a name for the computer group and click Add.

Recommendation

Consider the naming of computer groups and organisation of computers into groups carefully. Attempt to mirror how computers are organised in the healthcare organisation’s network environment, whilst also organising computers into groups based on the updates they require. This will help to simplify administration.


To remove a computer group:

1. Open the WSUS 3.0 console and navigate to the All Computers node, under the Computers node.

2. In the left pane, under the All Computers node, right-click the group to be removed, and select Delete.

• If the computer group being deleted contains no computers, it will be deleted immediately with no additional dialog boxes.

• If the computer group being deleted contains computer members, the following dialog box will be displayed:

3. Select the desired option to determine what happens to the members of the group and click Remove.

Note

It is not possible to remove the Unassigned Computers or All Computers groups. Every client computer remains a member of the All Computers group in addition to any group it is assigned to. Client computers are members of the Unassigned Computers group only until they are assigned to a computer group. If the option Remove the computers from this WSUS server is selected, the computer accounts will be deleted and it will no longer be possible to manage update distribution for the client computers that were members of the deleted group, nor will these clients be able to receive updates from the WSUS 3.0 server.

However, if the client is still configured to connect to the WSUS 3.0 server, it will re-create its computer account in the WSUS 3.0 database the next time it communicates with the server and will be able to receive updates that are approved for the All Computers group. Additionally, if client-side targeting is being used and the deleted group was the computer's configured group, the computer account will not be re-created. If the deleted group was not the computer's configured group, the computer account will be re-created and the computer will be added back into its configured group, and will be able to receive updates approved for that group. For more information on client-side targeting, see section 4.1.3.2. If a client should not continue to receive updates, ensure the Automatic Updates settings for WSUS 3.0 are removed from the client, or Automatic Updates is disabled on the client.

5.1.1.3 Managing WSUS 3.0 Client Computers

This section details management operations for computers. The following tasks are available for managing WSUS 3.0 client computers:

• Modify a computer’s group membership (server-side targeting)

• Remove a computer from a WSUS 3.0 server

To modify a computer’s group membership:

1. Open the WSUS 3.0 console and navigate to the All Computers node, under the Computers node.


2. Select the computer or computers, whose group membership needs to be modified, from the centre pane.

3. Right-click the selected computer or computers and select Change Membership.

4. Select the check boxes of the computer groups that the selected computer or computers should be added to. Clear the check boxes of the computer groups that they should be removed from.

5. Click OK.

Note

If the computer is already a member of a computer group, it will now be moved to the newly specified computer group and will no longer be a member of the original computer group. The computer will still be a member of the All Computers group.

To remove a computer from a WSUS 3.0 server:

1. Open the WSUS 3.0 console and navigate to the All Computers node, under the Computers node.

2. Select the computer or computers, which need to be deleted.

3. Right-click the selected computer or computers and select Delete.

4. The Delete Computer dialog box displays. Click Yes to delete the computer or computers.


Note

It will no longer be possible to manage update distribution for the client computer once it is removed from the WSUS 3.0 server, nor will the client be able to receive updates from the WSUS 3.0 server.

However, if the client is still configured to connect to the WSUS 3.0 server, it will re-create its computer account in the WSUS 3.0 database the next time it communicates with the WSUS 3.0 server and will be able to receive updates that are approved for the All Computers group. Additionally, if client-side targeting is being used, the computer will be added back into its configured group and will be able to receive updates that are approved for that group. For more information on client-side targeting, see section 4.1.3.2. If a client should not continue to receive updates, ensure the Automatic Updates settings for WSUS 3.0 are removed from the client, or Automatic Updates is disabled on the client.

5.1.2 Managing Updates

In the Updates node of the WSUS 3.0 console, it is possible to do the following:

• View updates – the update overview displays updates that have been synchronised from the update source to the WSUS 3.0 server and are available for approval

• Filter updates – in the default view, it is possible to filter updates by approval status and installation status. The default filter setting is for unapproved updates that are needed by some clients, or that have had installation failures on some clients. This view can be changed by modifying the approval status and installation status filters, and then clicking Refresh

• Create new update views – new views can be created that filter updates by classification, product, the group for which they have been approved, and synchronisation date

• Search for updates – an individual update or set of updates can be searched for by title, description, Knowledge Base article, or the Microsoft Security Response Center number for the update

• View details, status, and revision history for each update

• Approve updates

• Decline updates

Note

The list of updates can be sorted by clicking the appropriate column heading in the title bar. It is also possible to customise the columns displayed by right-clicking on the column heading, and selecting or clearing the names of the columns required.

5.1.2.1 Viewing Updates

To filter the list of updates displayed on the Updates page:

1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.

2. In the centre pane next to Approval, select the desired approval status, and next to Status select the desired installation status.

3. Click Refresh.


To create a new update view:

1. Open the WSUS 3.0 console, expand the

2. In the right pane, click

3. In the Add Update Viewrequired for the update view

� Select Updates are in a specific classificationmore update classifications

� Select Updates are for a specific productproducts or product families

� Select Updates are approved for a specific groupone or more computer groups

� Select Updates were synchronized within a specific timesynchronised at a specific time

� Select Updates are WSUS updat

4. Under Step 2: Edit the propertiesto pick the values for the selected filter properties

5. Under Step 3: Specify a name

6. Click OK. The new view will appear in the tree view pane under displayed, like the standard views, in the centr

Windows Server Update Services 3.0 Operations Guide 1.0.0.0 Baseline

To create a new update view:

the WSUS 3.0 console, expand the Updates node, and then click

pane, click New Update View.

Add Update View dialog box, under Step 1: Select properties, select the properties the update view filter:

Updates are in a specific classification to filter on updates belonging to one or more update classifications

Updates are for a specific product to filter on updates for one or more products or product families

Updates are approved for a specific group to filter on updates approved for one or more computer groups

Updates were synchronized within a specific time period to filter on updates ed at a specific time

Updates are WSUS updates to filter on WSUS 3.0 updates

Step 2: Edit the properties (click an underlined value), click the underlined words for the selected filter properties.

Step 3: Specify a name, give the view a unique name.

iew will appear in the tree view pane under Updatesdisplayed, like the standard views, in the centre pane when it is selected

Prepared by Microsoft

Page 45

node, and then click All Updates.

, select the properties

to filter on updates belonging to one or

to filter on updates for one or more

to filter on updates approved for

period to filter on updates

updates

, click the underlined words

Updates. It will be ed.

To search for an update:

1. Select the Updates node (or any node under it).
2. In the Actions pane, click Search.
3. In the Search dialog box, click the Updates tab and type the search criteria. Text from the Title, Description, and Microsoft Knowledge Base (KB) article number fields can be entered as search criteria. Each of these items is a property listed on the Details tab in the update properties.
4. Click Find Now.

To view the properties for an update:

1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates in the centre pane, select an update to view. In the lower part of the centre pane, the following property sections will be displayed:
   • The title bar displays the title of the update; for example, Security Update for Windows Media Player 9 (KB911565)
   • The Status section displays:
      • The installation status of the update, showing:
         • Computers on which it needs to be installed
         • Computers on which it was installed with errors
         • Computers on which it has been installed or is not applicable
         • Computers that have not reported status for the update
      • General information:
         • KB and MSRC numbers, release date, and so on
   • The Description section displays a brief description of the update
   • The Additional Details section displays the following information:
      • The installation behaviour of the update (whether or not it is removable, requests a restart, requires user input, or must be installed exclusively)
      • Whether or not the update has Microsoft Software License Terms
      • The products to which the update applies
      • The updates that supersede this update
      • The updates that are superseded by this update
      • The languages supported by the update
      • The update ID

5.1.2.2 Approving Updates for Installation

When an update is approved for installation, the update will be installed on compatible WSUS 3.0 clients in the selected groups the next time they communicate with the WSUS 3.0 server. It is also possible to set a deadline for installation.

Note

The deadline setting forces the update to be installed by a specific date and time. This setting overrides any client settings that allow the install to be prevented, or a reboot postponed. Additionally, a past date can be specified for a deadline, causing the computer to install the update straight after it next checks in with the WSUS 3.0 server and learns of the installation deadline.

Important

It is not possible to set a deadline for installation for an update if user input is required (for example, accepting a licence agreement). If a deadline is set for such an update, the installation will fail. To determine whether or not an update will require user input, check the May request user input field under Installation Information in the update properties for an update. Also check for a message in the Approve Updates dialog box which says "The selected update requires user input and does not support an installation deadline".

Updates will need to be approved for installation on an on-going basis. Most critical and security updates are released on the second Tuesday of each month. However, revisions to updates are released more regularly and may need to be approved. This depends on the Automatic Approval setting: Automatically approve the latest revision of the update. More information on this setting can be found in section 5.1.2.6.

To approve updates:

1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates, select one or more updates to approve. In the Actions pane, select Approve.
3. In the Approve Updates dialog box, select the computer group for which the update or updates will be approved, and click the arrow next to it.
4. Select Approved for Install. To add a deadline, click the arrow next to the selected computer group again and select Deadline.

   • One of the standard deadlines (one week, two weeks, one month) can be selected, or to specify a date and time, click Custom
   • If an update needs to be installed as soon as the client computers contact the WSUS 3.0 server, click Custom, and set the date and time to the current date and time, or to one in the past
5. Click OK. The Approval Progress dialog box will display the progress toward completing the approval.
6. When the approval process is complete, click Close.

5.1.2.3 Approving Updates for Removal

An option exists that allows the uninstalling of updates that have been installed using WSUS 3.0. This option is only available if the update supports removal. It is also possible to set a deadline for removal, including specifying a past date in order to run the approval action as soon as the client next checks in with the WSUS 3.0 server.

Most updates do not support removal. For those that do, this option may provide the ability to roll back an update that has caused some kind of issue in the healthcare organisation’s network environment. However, appropriate testing should be performed before approving updates for removal to ensure the un-installation works as expected.

To approve updates for removal:

1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates, select one or more updates that need to be approved for removal. In the Actions pane, click Approve.
3. In the Approve Updates dialog box, select the computer group from which the update needs to be removed, and click the arrow next to it.
4. Select Approved for Removal. To add a deadline, click the arrow next to the selected computer group again and select Deadline.
   • One of the standard deadlines (one week, two weeks, one month) can be selected, or to specify a date and time, click Custom
   • If an update needs to be removed as soon as the client computers contact the WSUS 3.0 server, click Custom, and set a date in the past
5. Click OK. The Approval Progress dialog box will display the progress toward completing the approval.
6. When the process is complete, click Close.

5.1.2.4 Unapproving Updates

It is possible to alter the approval status of an Approved update to Not Approved. This may be necessary if it is decided that an update should no longer be applied, but there is still a need to report client compliance for the update.

To unapprove updates:

1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates, select one or more updates that need to be unapproved. In the Actions pane, click Approve.
3. In the Approve Updates dialog box, select the computer group for which the update needs to be unapproved, and click the arrow next to it.

4. Select Not Approved, and then click OK. The Approval Progress dialog box will display the progress toward completing the approval.
5. When the process is complete, click Close.

5.1.2.5 Declining Updates

When an update is declined, it is removed from the list of available updates. Once an update has been declined, it will only be visible in the updates list if the criteria under View have been selected to show either Declined or All updates.

This option can be useful when it has been determined that a particular update is not suitable for the environment, in order to remove it from the console view.

To decline updates:

1. Open the WSUS 3.0 console, expand the Updates node, and then click All Updates.
2. In the list of updates, select one or more updates that need to be declined. In the Actions pane, click Decline.
3. In the Decline Updates dialog box, click Yes.

5.1.2.6 Configuring Automatic Approvals

A WSUS 3.0 server can be configured to automatically approve certain updates for installation. When an update is approved for installation, the update will be available to be installed on a WSUS 3.0 client the next time the client communicates with the WSUS 3.0 server, and determines that the update is required.

Updates can be approved for installation based on products, classifications and computer group membership.

Recommendation

It is recommended that most updates are not automatically approved for installation. Updates should be appropriately tested before they are approved for installation. The exception to this is definition updates. Definition updates for products like Forefront Client Security are updated multiple times in a single day. […] creates its own automatic approval rule for definition updates, which should be left in place.

To configure Automatic Approvals:

1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Automatic Approvals.

3. In the Automatic Approvals dialog box, click the Update Rules tab and click New Rule.
4. In the Add Rule dialog box, under Step 1: Select properties, select whether to use update classifications or products (or both) as criteria.
5. In Step 2: Edit the properties (click an underlined value), click the underlined properties to select the values for the filtered properties of automatic approval rule.

6. In Step 3: Specify a name, give the rule a unique name.

The Automatic Approvals option also has some additional advanced settings, which are all enabled by default. These additional settings are:

• Automatically approve new revisions of updates that are already approved
• Automatically decline updates when a new revision causes them to expire
• Automatically approve updates to the WSUS product itself

Recommendation

The option to automatically approve the latest revisions of updates should be left enabled. This is because after updates have been approved for installation, minor revisions which might be made will not normally require the same level of testing as the original update.

To configure Advanced options for Automatic Approvals:

1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Automatic Approvals.
3. In the Automatic Approvals dialog box, click the Advanced tab.
4. Select or clear the desired options, and click OK.
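The deadline restriction described in section 5.1.2.2 can be checked before any approval is made. The following PowerShell script is an added example, not part of the guide: it uses the WSUS 3.0 administration API to approve matching updates for one computer group and applies a deadline only to updates that do not request user input. The server name, port and computer group are placeholders, and passing the deadline as a UTC value is an assumption.

```powershell
# Added example, not part of the guide. Run it on a computer that has the
# WSUS 3.0 console installed (the console supplies the administration assembly).
param(
    [string] $Server       = 'wsus01.example.local',  # placeholder server name
    [int]    $Port         = 80,                      # placeholder port
    [bool]   $UseSsl       = $false,
    [string] $GroupName    = 'Pilot Workstations',    # placeholder computer group
    [string] $SearchText   = 'KB911565',              # KB number from the guide's example title
    [int]    $DeadlineDays = 7,                       # the "one week" standard deadline
    [switch] $Apply                                   # without -Apply the script only reports
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $UseSsl, $Port)

# Resolve the target computer group by name.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Computer group '$GroupName' was not found on $Server." }

$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
# Assumption: the deadline is passed as a UTC value.
$deadline = (Get-Date).ToUniversalTime().AddDays($DeadlineDays)

foreach ($update in $wsus.SearchUpdates($SearchText)) {
    if ($update.IsDeclined) {
        # Declined updates stay declined; they are only listed here.
        $plan = 'skip (declined)'
    }
    elseif ($update.RequiresLicenseAgreementAcceptance) {
        # The licence terms must be accepted by an administrator before approval.
        $plan = 'skip (licence terms not accepted)'
    }
    elseif ($update.InstallationBehavior.CanRequestUserInput) {
        # "May request user input": a deadline would make the installation fail,
        # so the update is approved without one.
        $plan = 'approve, no deadline'
        if ($Apply) { [void]$update.Approve($install, $group) }
    }
    else {
        $plan = "approve, deadline $($deadline.ToString('u'))"
        if ($Apply) { [void]$update.Approve($install, $group, $deadline) }
    }
    # One report line per update: the decision, then the update title.
    '{0,-45} {1}' -f $plan, $update.Title
}
```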

5.1.2.7 Microsoft Update Catalog Site

The Microsoft Update Catalog site is the Microsoft location from which additional updates and hardware drivers can be imported. In order to import updates into WSUS 3.0, the Microsoft Update Catalog site must be accessed from a computer that has the WSUS 3.0 console installed.

To access the Microsoft Update Catalog site:

1. Open the WSUS 3.0 console, select the Updates node, and in the Actions pane click Import Updates. An Internet browser window opens the Microsoft Update Catalog Web site.
2. In order to access the updates at this site, the Microsoft Update Catalog ActiveX control must be installed. If prompted to install the ActiveX control, follow the instructions on screen.
3. Browse the site for the desired Windows updates and hardware drivers and select the required updates. The updates are added to a basket.
4. When all the desired updates have been selected, go to the basket and click Import to import the updates. To download the updates without importing them into WSUS 3.0, clear the Import directly into Windows Server Update Services check box.

5.1.2.8 Preloading Updates on a New WSUS 3.0 Server

In order to save on Internet or network bandwidth, it may be prudent to export update metadata and files on an upstream WSUS 3.0 server to removable media. These can then be imported on the new downstream WSUS 3.0 server prior to the first synchronisation taking place. This same procedure can also be used to update a WSUS 3.0 server on a disconnected network.

There are three steps to exporting and then importing updates:

1. Make sure that the options for express installation files and update languages on the exporting server are compatible with the settings on the importing server.
2. Copy updates from the file system of the export server to the file system of the import server.
3. Export update metadata from the database on the export server, and import it into the database on the import server.

If the update metadata and files are to be imported on a downstream replica WSUS 3.0 server, the replica setting needs to be turned off before the import can take place. Once the import is complete, the replica setting can be re-enabled.

To import metadata to a replica server:

1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Update Source and Proxy Server.
3. In the Update Source tab, clear the This server is a replica server of the upstream server check box, and then click OK.
4. Follow the procedures in the rest of this section for exporting and importing metadata, and copying update files.
5. After completing the import, go back to the Update Source tab of the Update Source and Proxy Server option. Select the This server is a replica server of the upstream server check box and click OK to save the setting.
6. Navigate to Synchronizations and select Synchronize Now in the Actions pane.

Make sure that the options for express installation files and languages on the exporting server match the settings on the importing server. If the option for express installation files on the exporting server is not selected, but on the importing server it is selected, then it would not be possible to distribute updates on the importing server, because no express installation files would have been synchronised. A mismatch of language settings can have a similar effect.

There is no need to match the settings for schedule, products and classifications, source, or proxy server. The setting for deferred download of updates has no effect on the importing server.

To ensure that express installation and language options on the exporting server match settings on the importing server:

1. In the WSUS 3.0 console of the exporting server, navigate to Options and then select Update Files and Languages.
2. In the Update Files tab, check the setting for Download express installation files.
3. In the Update Languages tab, check the settings for the update languages.
4. In the WSUS 3.0 console of the importing server, navigate to Options and then select Update Files and Languages.
5. Make sure the settings for Download express installation files and languages options match the selections on the exporting server.

The procedures described below use the Windows Backup or Restore Wizard, […] use any utility that facilitates the copying of the required data. When […] the update […] the importing server, the folder structure for all folders under the content directory […] maintained. Make sure that the updates appear in the folder on the importing server that has been designated to store updates; this designation is typically made during the setup process.

To back up updates from the file system of the exporting server to a file:

1. On the exporting WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type ntbackup and click OK.
3. The Backup or Restore Wizard displays. Click the Advanced Mode link.
4. The Backup Utility page displays.
   a. Click the Backup tab, and then select the folder where updates are stored on the exporting server. By default, WSUS 3.0 stores updates at WSUSInstallationDrive\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS 3.0 is installed.
   b. In the Backup media or file name dialog box, type a path and file name for the backup (.bkf) file.
   c. Click Start Backup.
5. The Backup Job Information page displays. Click Start Backup to start the backup operation.
6. Once the backup operation is complete, copy the backup file that was created to the importing server.

To ensure that express installation and language options on the exporting server match

and then select

Download express installation files.

e update languages.

and then select

anguages options

The procedures described below use the Windows Backup or Restore Wizard, but it is possible to the update files are copied to

l folders under the content directory must be . Make sure that the updates appear in the folder on the importing server that has been

made during the setup process.

link.

tab, and then select the folder where updates are stored on the

WSUSInstallationDrive is the

box, type a path and file name for the backup

to start the backup

created to the

To restore updates from a file to the file system of the importing server:

1. On the importing WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type ntbackup and click OK.
3. The Backup or Restore Wizard displays. Click the Advanced Mode link.
4. The Backup Utility page displays.
   a. Click the Restore and Manage Media tab, and select the backup file that was created on the exporting server. If the file does not appear, right-click File, and then click Catalog File to add the location of the file.
   b. In the Restore files to drop-down box, select Alternate location. This option preserves the folder structure of the updates; all folders and subfolders will appear in the folder designated.
   c. Under Alternate location, specify the folder where updates are stored on the importing server. By default, WSUS 3.0 stores updates at WSUSInstallationDrive\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS 3.0 is installed.
   d. Click Start Restore. When the Confirm Restore page displays, click OK to start the restore operation.

Only import metadata on the importing server after the update files have been copied. If WSUS 3.0 finds metadata for an update that is not in the file system, the WSUS 3.0 console shows that the update failed to be downloaded.

Export update metadata from the database on the exporting server, and import it into the database on the importing server using the WSUSUtil.exe utility program.

Note

You must be a member of the local Administrators group on the WSUS 3.0 server to export or import metadata; both operations can only be run on a WSUS 3.0 server.

To export metadata from the database of the exporting server:

1. On the exporting WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type cmd and click OK.
3. At the command prompt, change directory to the folder that contains WSUSutil.exe (usually \Program Files\Update Services\Tools):
   cd\Program Files\Update Services\Tools
4. Type the following:
   wsusutil.exe export <packagename> <logfile>
   For example:
   wsusutil.exe export export.cab export.log
   The package name (.cab file) and log file name must be unique. WSUSutil.exe creates these two files as it exports metadata from the WSUS 3.0 database.
5. Move the export package that was created to the importing server.
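The two requirements above (keep the folder structure under the content directory, and import metadata only after the update files have been copied) can be checked before wsusutil.exe import is run. The following PowerShell script is an added example, not part of the original guide: it records a relative-path and SHA-256 manifest of the content directory on the exporting server and compares the restored tree against it on the importing server. The function names, manifest columns and demo folders are assumptions, and the demo data is constructed.

```powershell
# Added example, not part of the guide. Assumes Windows PowerShell 2.0 or later.
# Function names, manifest columns and the demo folders below are illustrative.

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    [System.BitConverter]::ToString($hash) -replace '-', ''
}

# One record per file, keyed by its path relative to the content directory, so the
# manifest stays valid when the importing server stores updates on another drive.
function New-ContentManifest {
    param([string]$ContentRoot)
    $root = (Get-Item -LiteralPath $ContentRoot).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                Length       = $_.Length
                Sha256       = Get-FileSha256 -Path $_.FullName
            }
        }
}

# Reports files that are missing, altered, or not listed by the exporting server.
function Compare-ContentManifest {
    param([object[]]$Expected, [object[]]$Actual)
    $found = @{}   # hashtable keys compare case-insensitively, like Windows paths
    $Actual | Where-Object { $_ } | ForEach-Object { $found[$_.RelativePath] = $_ }
    foreach ($entry in ($Expected | Where-Object { $_ })) {
        $local = $found[$entry.RelativePath]
        $problem = $null
        if ($null -eq $local) { $problem = 'Missing' }
        elseif ($local.Sha256 -ne $entry.Sha256) { $problem = 'HashMismatch' }
        if ($problem) {
            New-Object PSObject -Property @{ RelativePath = $entry.RelativePath; Problem = $problem }
        }
        $found.Remove($entry.RelativePath)
    }
    foreach ($extra in $found.Keys) {
        New-Object PSObject -Property @{ RelativePath = $extra; Problem = 'NotInManifest' }
    }
}

# --- Demo on constructed data: two small trees standing in for the content directory ---
$base     = Join-Path ([System.IO.Path]::GetTempPath()) ('wsus-manifest-demo-' + [guid]::NewGuid())
$exporter = Join-Path $base 'exporter\WSUSContent'
$importer = Join-Path $base 'importer\WSUSContent'
foreach ($dir in "$exporter\0A", "$exporter\F3", "$importer\0A", "$importer\F3") {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}
Set-Content -Path "$exporter\0A\sample-one.cab"   -Value 'constructed payload 1'
Set-Content -Path "$exporter\F3\sample-two.exe"   -Value 'constructed payload 2'
Set-Content -Path "$exporter\F3\sample-three.cab" -Value 'constructed payload 3'
# Importing side: one file restored intact, one altered in transit, one never copied.
Copy-Item -Path "$exporter\0A\sample-one.cab" -Destination "$importer\0A"
Set-Content -Path "$importer\F3\sample-two.exe" -Value 'altered in transit'

# Exporting server: write the manifest so it can travel with the backup file.
$manifestFile = Join-Path $base 'content-manifest.csv'
New-ContentManifest -ContentRoot $exporter | Export-Csv -Path $manifestFile -NoTypeInformation

# Importing server: run after the restore and before "wsusutil.exe import".
$expected = Import-Csv -Path $manifestFile
$problems = @(Compare-ContentManifest -Expected $expected -Actual (New-ContentManifest -ContentRoot $importer))
$problems | Sort-Object RelativePath | Format-Table RelativePath, Problem -AutoSize
if ($problems.Count -gt 0) {
    Write-Warning 'Restored content differs from the exporting server; fix the copy before importing metadata.'
}
Remove-Item -Path $base -Recurse -Force
```

On real servers, point New-ContentManifest at the folder designated to store updates on each side (by default WSUSInstallationDrive\WSUS\WSUSContent\) instead of the demo folders. A manifest that travels on the same media as the backup file catches copy errors and omissions only; carry it by a separate channel if the media itself is not trusted.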

To import metadata to the database of the importing server:

1. On the importing WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type cmd and click OK.
3. At the command prompt, change directory to the folder that contains WSUSutil.exe (usually \Program Files\Update Services\Tools):
   cd\Program Files\Update Services\Tools
4. Type the following:
   wsusutil.exe import <packagename> <logfile>
   For example:
   wsusutil.exe import export.cab import.log
   WSUSutil.exe imports the metadata from the exporting server and creates a log file of the operation.

Note

After the metadata has been imported it can take three to four hours for the database to validate content. If the importing server is a downstream replica WSUS 3.0 server, remember to enable the replica setting and then force a synchronisation with the upstream WSUS 3.0 server.

5.1.3 Managing Databases

The WSUS 3.0 database stores the metadata that describes each update, WSUS 3.0 server configuration information and information about WSUS 3.0 client computers, updates and client interaction with updates.

Generally, most tasks that are performed to manage the database are performed through the WSUS 3.0 console. There are a few tasks, however, that may need to be performed on the database system itself; these depend on the database system that was chosen for the deployment.

5.1.3.1 Using the Server Cleanup Wizard

The Server Cleanup Wizard is integrated into the WSUS 3.0 console, and can be used to help manage disk storage space. This wizard can do the following things:

• Remove unused updates and update revisions – the wizard will remove all updates and update revisions that have not been approved for thirty days or more
• Delete computers not contacting the server – the wizard will delete all client computers that have not contacted the server in thirty days or more
• Delete unneeded update files – the wizard will delete all update files that are not needed by updates or by downstream servers
• Decline expired updates – the wizard will decline all updates that have been expired by Microsoft
• Decline superseded updates. The wizard will decline all updates that meet all the following criteria:
   • The superseded update is not mandatory
   • The superseded update has been on the server for thirty days or more
   • The superseded update is not currently reported as needed by any client
   • The superseded update has not been explicitly deployed to a computer group for ninety days or more
   • The superseding update must be approved for install to a computer group

Note

If unneeded content is removed with the Server Cleanup Wizard, all the private update files that have been downloaded from the Microsoft Update Catalog site will be removed as well. These files will need to be re-imported after running the Server Cleanup Wizard.

To run the Server Cleanup Wizard:

1. Open the WSUS 3.0 console, and navigate to the Options node.
2. In the centre pane, click Server Cleanup Wizard.
3. By default this wizard will remove unneeded content and computers that have not contacted the server for 30 days or more. Select all possible options, and click Next.
4. The wizard will begin the cleanup process, and will present a summary when the process has finished. Click Finish to close the wizard.

Note

In some cases, particularly if the Server Cleanup Wizard is run on an upstream WSUS 3.0 server that has downstream WSUS 2.0 servers, discrepancies may be seen in update metadata on upstream and downstream servers. If this is the case, the problem can be resolved by running iisreset on the upstream server to refresh the Web cache.

5.1.3.2 Reindexing the Database

In order to keep a WSUS 3.0 server functioning correctly, a maintenance plan should be put in place that includes re-indexing the database on a regular basis, preferably at least once a month.

The WsusDBMaintenance.sql script can be downloaded from Re-index the WSUS 3.0 Database [21]. It allows the re-indexing of the WSUS 3.0 database, regardless of the version of database software, that is, either SQL Server 2005 or Windows Internal Database.

If Windows Internal Database is being used, the sqlcmd utility is required to execute the script. The sqlcmd utility can be downloaded from Feature Pack for Microsoft SQL Server 2005 [22]. For more information about the sqlcmd utility, see the sqlcmd Utility [23] Web page.

To use this script with Windows Internal Database, run the following command, where <scriptLocation> is the folder to which the WsusDBMaintenance.sql script has been copied:

   sqlcmd -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -i <scriptLocation>\WsusDBMaintenance.sql

[21] Re-index the WSUS 3.0 Database {R13}: http://go.microsoft.com/fwlink/?LinkId=87027
[22] Feature Pack for Microsoft SQL Server 2005 {R14}: http://go.microsoft.com/fwlink/?LinkId=70728
[23] sqlcmd Utility {R15}: http://go.microsoft.com/fwlink/?LinkId=81183

5.1.4 Backup and Restore

5.1.4.1 Backing up WSUS 3.0

WSUS 3.0 can be backed up by backup programs that are compatible with Windows Server 2003. As WSUS 3.0 does not provide its own backup tool, backup consists of backing up file locations where important WSUS 3.0 information is stored.

Recommendation

The WSUS 3.0 server should be backed up on a regular basis. How often the backup is performed depends largely on how much change there is in the environment. For instance, if computer groups are regularly created, or new computers are added to or moved between groups regularly, this information will be lost if the server has not been backed up since changes have been made. The server's configuration, update approval status and reporting information will also be lost if the server has not been backed up since changes have been made. In most environments it is sufficient to back up the server around once a week.

Note

The backup procedures in this section need to be performed manually. However, any automated backup program that has the ability to back up open files, or that uses a SQL Agent, can be used to automatically back up WSUS 3.0. Whatever backup program is used, ensure the folder locations detailed in step 9 in the backup procedure below are selected for backup.

The following information needs to be backed up:

• The WSUS 3.0 database
   • If Windows Internal Database is being used, the database will be located in the <drive>\WSUS\UpdateServicesDbFiles folder
   • If SQL Server 2005 is being used, the database will be located in the <drive>\Program Files\Microsoft SQL Server folder.
   Regardless of the database software used, the database contains:
   • Update metadata, including information about updates (for example, properties). Metadata is also where EULAs are stored

   • WSUS 3.0 server configuration information, which includes all the settings for the WSUS 3.0 server (that is, options that were specified through the WSUS 3.0 console and settings configured by WSUS 3.0 automatically during setup)
   • Information about client computers, updates, and client interaction with updates. This information can be accessed through the WSUS 3.0 console by viewing ‘status’, and running reports on update status and client computer status
• The folder where the update files are stored – update files are the actual files required to install an update on a computer. By default, update files are stored in the <drive>\WSUS\WSUSContent folder on the WSUS 3.0 server. If remote storage has been utilised (files are stored on Microsoft Update), it is not necessary to back up the update file storage folder on the WSUS 3.0 server

Note

If Microsoft SQL Server 2005 is being used for the database, the SQL administration tools can be used to back up the WSUS 3.0 database information. For more information, refer to the SQL Server TechCenter [24]. The backup procedures detailed in this document utilise the NT Backup Utility (ntbackup.exe).

To back up a WSUS 3.0 server:

1. On the WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type services.msc and click OK.
3. In the Services console find the Windows Internal Database (MICROSOFT##SSEE) or the MSSQLSERVER service. Right-click the service and select Stop.
4. Next, click Start, and then click Run.
5. In the Run dialog box, type %windir%\system32\ntbackup.exe and click OK.
6. The Backup or Restore Wizard displays. Click Next.
7. The Backup or Restore page displays. Verify that the Back up files and settings option is selected, and click Next.
8. The What to Back Up page displays. Select the Let me choose what to back up option, and click Next.
9. The Items to Back Up page displays. Select the WSUS folder (<drive>\WSUS), and click Next.
10. The Backup Type, Destination, and Name page displays. Click Browse and select a location to store the backup and click Save. Type a name for the backup and click Next.
11. To set advanced options including selecting the type of backup (Normal, Copy, Incremental, Differential, Daily), click Advanced and then follow the instructions in the wizard.
12. When the wizard is finished, click Finish.
13. When the backup is complete, click Close.
14. Restart the service stopped in step 3 above.

[24] SQL Server TechCenter – Microsoft SQL Server {R16}: http://technet.microsoft.com/en-gb/library/bb545450.aspx

5.1.4.2 Restoring WSUS 3.0

When restoring a failed WSUS 3.0 server, firstly, re-install WSUS 3.0 to a default configuration choosing the same options during setup as were chosen for the original install. Next, follow the procedure below to restore the database files and content directories. For more information on installing WSUS 3.0, refer to the Windows Server Update Services 3.0 Design Guide {R1}.

To restore a WSUS 3.0 server:

1. On the WSUS 3.0 server, click Start, and then click Run.
2. In the Run dialog box, type services.msc and click OK.
3. In the Services console find the Windows Internal Database (MICROSOFT##SSEE) or the MSSQLSERVER service. Right-click the service and select Stop.
4. Next, click Start, and then click Run.
5. In the Run dialog box, type %windir%\system32\ntbackup.exe and click OK.
6. The Backup or Restore Wizard displays. Click Next.
7. The Backup or Restore page displays. Select the Restore files and settings option and click Next.
8. The What to Restore page displays. Click Browse.
9. The Open Backup File dialog box displays. Type the path to the backup file or click Browse to locate the backup file. Click OK.
10. On the What to Restore page, under Items to restore, click to expand the selected backup file. Select the WSUS folder and click Next.
11. To set advanced options (including whether to restore the files or folders to a different location, replace existing files, restore security settings, or specify other options), click Advanced, and then follow the instructions in the wizard.
12. When the wizard is finished, click Finish.
13. When the restore is complete, click Close.
14. Restart the server.

Important

When using a proxy server for synchronisation that requires authentication, it may be necessary to re-type the password following a restore as this information is not backed up.

After restoring the WSUS 3.0 database, the WSUS 3.0 Application Pool in IIS 6.0 must be recycled. This will ensure that the restored database will synchronise correctly with IIS 6.0.

To recycle the WSUS 3.0 Application Pool in IIS:

1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the tree view, expand the tree under the WSUS 3.0 server name, and then expand Application Pools.
3. Right-click WSUSPool, and then click Recycle.
4. Close Internet Information Services (IIS) Manager.

If updates are stored locally on the WSUS 3.0 server, then after restoring the WSUS 3.0 database, it will also need to be reset. This is done with the wsusutil.exe command-line utility, which ensures that every row of update metadata in the database is matched by the corresponding update files in the local storage location. If the utility does not find matching data, it will download the update files from Microsoft Update.

To reset update content:

1. Click Start, and then click Run.
2. In the Run dialog box, type cmd and click OK.
3. Type the following command to change directory to the WSUS 3.0 tools folder:

   cd\Program Files\Update Services\Tools

4. Type the following command to reset the WSUS 3.0 server:

   wsusutil reset

5. Wait until the command returns, and close the command prompt window.

5.1.5 Personalising the WSUS 3.0 Console

Various aspects of the way WSUS 3.0 server information is displayed in the WSUS 3.0 console can be configured. Information from downstream replica servers can be displayed when viewing computer and update status information. Validation errors can be displayed as pop-up windows and different types of information can be displayed in the computer overview's To Do section.

To display rollup data from downstream replica servers:

1. Open the WSUS 3.0 console, and navigate to the Options node.
2. In the centre pane, click Personalization.
3. In the General tab, select the Include computers and status from replica downstream servers option.
4. Click OK.

Note

Computer and update status will roll up from downstream replica servers only. It is not possible to get rolled-up status from a downstream autonomous server.

To display validation errors as pop-up windows:

1. Open the WSUS 3.0 console, and navigate to the Options node in the left pane.
2. In the centre pane, click Personalization.
3. In the General tab, select the Show validation errors as popups check box.
4. Click OK.

Note

If this option is selected, errors will appear as pop-up windows and not as links in the UI.

To display different information in the To Do section:

1. Open the WSUS 3.0 console, and navigate to the Options node.
2. In the centre pane, click Personalization.
3. Click the To Do List tab, select one or more of the following options:

   • Computers have not reported status for more than 30 days
   • WSUS updates are waiting to be approved for install
   • Critical updates are waiting to be approved for install
   • Computers have requested nonexistent computer groups
   • The server database is almost full
   • SSL is not enabled
   • New products and new classifications have been added in the past 30 days
   • Update file languages are enabled on this server, but are no longer supported by the upstream server

4. Click OK.

5.2 WSUS 3.0 Reporting

Reports are an important part of managing WSUS 3.0. Nearly every aspect of the WSUS 3.0 environment can be kept track of by means of reports. The most important kinds of reports are:

• Summary compliance reports (the number of computers that need to install updates and the number of updates missing from computers). These reports can be generated from the root node of the WSUS administration console
• Individual computer reports. These reports can be generated by right-clicking the computer in the Details pane
• Individual update reports. These reports can be generated by right-clicking the update in the Details pane
• Downstream server summary compliance reports. These reports can be generated by right-clicking the server in the Details pane
• Synchronisation reports. These reports can be generated by right-clicking the synchronisation in the Details pane

Note

Generating detailed reports for large numbers of computers and/or updates can be memory-intensive. Detailed reports are most effective for smaller subsets of computers or updates. If there is a need to create a very large report and there are concerns about using CPU and memory resources on the WSUS 3.0 server, then generate the report from a remote WSUS 3.0 console.

5.2.1 Using Reporting

Three kinds of reports can be generated, as described in Table 15:

| Report Type | Function |
| --- | --- |
| Update Reports | View update status |
| Computer Reports | View computer status |
| Synchronisation Reports | View the results of the last synchronisation |

Table 15: WSUS 3.0 Report Types

5.2.1.1 Update Reports

Update reports show the status of updates. The report can be viewed in three ways: summary, detailed, and tabular. The report can also be filtered by update classification, product, target computer group, or update installation status. The report displays information from the most recent contact between WSUS 3.0 clients and the WSUS 3.0 server.

To run an update report:

1. Open the WSUS 3.0 console, click the Reports node.
2. In the Reports pane, click Update Status Summary. This will provide an overview update report.
3. In the Updates Report window the updates can be configured by classification, product, computer group, or update installation status.
4. Click Run Report.

The Update Status Summary view contains the elements listed in Table 16:

| Column Name | Description |
| --- | --- |
| Updates Report tree view | The tree listing all the updates in the report |
| Title | The title of the update |
| Description | The description of the update |
| Classification | The classification of the update |
| Products | The products to which the update applies |
| MSRC Severity Rating | Microsoft Security Response Center rating |
| MSRC Number | Microsoft Security Response Center identification number |
| More Information | Redirection to the relevant Web site |
| Approval Summary for Computer Group | The listing of groups and approvals |
| Group | The computer group |
| Approval | Approval status (Approved, Not approved, Declined) |
| Deadline | The date by which the update must be installed |
| Administrator | The administrative action |

Table 16: Description of Elements Displayed in the Update Status Summary View

The view of an Update Status Summary report can be changed to a detailed view or a tabular view by clicking Report View in the Updates Report toolbar.

5.2.1.2 Computer Reports

The Computer Reports provide an update status summary for the specified computers.

To run a computer report:

1. Open the WSUS 3.0 console, click the Reports node.
2. In the Reports pane, click Computer Status Summary. This will provide an overview computer report.
3. In the Computers Report window, the updates can be configured by classification, product, computer group, or update installation status.
4. Click Run Report.

The Computer Reports can be reformatted to summary, detailed, and tabular views, as with the Update Reports.

5.2.1.3 Synchronisation Report

The Synchronisation Results report provides synchronisation information about a WSUS 3.0 server for a given time period, including errors that occurred during synchronisation and a list of new updates. In addition, it provides general, status, and revision information for each new update.

To run a synchronisation results report:

1. Open the WSUS 3.0 console, click the Reports node.
2. On the Reports pane, click Synchronization Results. By default, the report shows any synchronisations done today.
3. To change the synchronisation period for the report, in the Synchronization Report window, click Between these dates and specify the dates to include in the report.
4. Click Run Report.

The report has five components, which are described in Table 17:

| Component Name | Purpose |
| --- | --- |
| Report Options | Shows the start and end dates of the period shown in the report, as well as the date of the report and the server for which the report was made |
| Synchronisation Summary | Displays summary information of the numbers of new, revised, and expired updates in each synchronisation |
| New Updates | Displays the new updates that have been synchronised to the WSUS server during the report's time period. The properties for each update can be viewed by clicking the update. An update status report will be generated for that individual report |
| Revised Updates | Displays the revised updates that have been synchronised to the WSUS server during the report's time period. The properties for each update can be viewed by clicking the update. An update status report will be generated for that individual report |
| Expired Updates | Displays the updates that have been expired during the report's time period |

Table 17: Components of Synchronization Results Report

5.2.1.4 Printing the Report

A report can be printed in summary, detailed, or tabular views, depending on how the report has been formatted.

To print the report:

1. On the Updates Report toolbar, click the printer icon.
2. In the Print dialog box, select the desired options and click Print.

5.2.1.5 Exporting the Report

A report can be exported to Microsoft Office Excel® or PDF formats.

Note

Exporting a large report can be extremely time-consuming. If a report is to be exported, consider limiting the size to 200 pages or fewer. Different filters can be used to reduce the size of the report, or the tabular format can be chosen, rather than the detailed format, to reduce the number of pages to export.

To export a report to Excel or PDF format:

1. Run the report that is to be exported.
2. On the Updates Report toolbar, click the down arrow associated with the Save icon.
3. Two options will be displayed: Excel and Acrobat (PDF) file. Select one of the options.

5.2.1.6 Extending Reports

WSUS 3.0 reports can be customised in different ways:

• Using the WSUS 3.0 APIs to create a custom report
• Using WSUS 3.0 public views to create and extend custom reports

5.2.1.7 Use WSUS 3.0 APIs to Create Custom Reports

For more information on WSUS 3.0 APIs, see the Windows Server Update Services SDK [25] documentation on MSDN. These APIs can be used to create reports on updates, approvals, installation information, and so on.

5.2.1.8 Use WSUS Public Views to Create Custom Reports

For more information on public views, as well as sample queries, see the Using WSUS Views [26] documentation on MSDN.

If SQL Server 2005 is being used as the database software for WSUS 3.0, the SQL Server 2005 Report Builder can be used to generate custom reports using the public views. Alternatively, the views can be accessed from the command line. If Windows Internal Database is being used as the database software for WSUS 3.0, it can be accessed via the command line using the Microsoft SQL Server 2005 Command Line Query Utility and the SQL Native Client, which are part of the Feature Pack for Microsoft SQL Server 2005 {R14}.

[25] Windows Server Update Services SDK {R17}: http://go.microsoft.com/fwlink/?LinkId=85713

[26] Using WSUS Views {R18}: http://msdn2.microsoft.com/en-gb/library/bb410149.aspx
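As an added illustration of the public-views approach described in section 5.2.1.8 (this script is not part of the original guide), the two queries below produce patch-compliance reports that mirror the "Computers have not reported status for more than 30 days" and critical-update items of the To Do list. The view and column names are those of the WSUS PUBLIC_VIEWS schema as documented in Using WSUS Views; the SUSDB database name, the named-pipe connection string and the file name compliance.sql are assumptions to confirm on the target server.

```sql
-- Added example, not from the original guide: patch-compliance queries
-- against the WSUS public views.
--
-- Run with the SQL Server 2005 Command Line Query Utility. On a server
-- using Windows Internal Database, connect over its local named pipe
-- (assumed default instance name MICROSOFT##SSEE):
--   sqlcmd -E -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -i compliance.sql
-- compliance.sql is a hypothetical file name for this script.
--
-- Assumptions: default database name SUSDB; WSUS timestamps are in UTC.

USE SUSDB;
GO

-- 1. Computers that have not reported status for more than 30 days.
--    Computers that have never reported (NULL) are listed first.
SELECT ct.Name,
       ct.IPAddress,
       ct.LastSyncTime,
       ct.LastReportedStatusTime
FROM   PUBLIC_VIEWS.vComputerTarget AS ct
WHERE  ct.LastReportedStatusTime IS NULL
   OR  ct.LastReportedStatusTime < DATEADD(day, -30, GETUTCDATE())
ORDER BY ct.LastReportedStatusTime;
GO

-- 2. Per computer: updates rated Critical by MSRC that are still
--    outstanding or have failed to install. Declined updates are ignored.
--    State values used by the installation-info views:
--      2 = NotInstalled, 3 = Downloaded, 5 = Failed,
--      6 = InstalledPendingReboot
SELECT ct.Name,
       SUM(CASE WHEN uii.State IN (2, 3, 6) THEN 1 ELSE 0 END) AS Outstanding,
       SUM(CASE WHEN uii.State = 5 THEN 1 ELSE 0 END)          AS Failed
FROM   PUBLIC_VIEWS.vUpdateInstallationInfoBasic AS uii
       JOIN PUBLIC_VIEWS.vComputerTarget AS ct
         ON ct.ComputerTargetId = uii.ComputerTargetId
       JOIN PUBLIC_VIEWS.vUpdate AS u
         ON u.UpdateId = uii.UpdateId
WHERE  u.IsDeclined = 0
  AND  u.MsrcSeverity = 'Critical'
  AND  uii.State IN (2, 3, 5, 6)
GROUP BY ct.Name
ORDER BY Failed DESC, Outstanding DESC;
GO
```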

5.3 Troubleshooting WSUS 3.0

This section provides information on how to troubleshoot WSUS 3.0 server and client issues. As new issues are discovered and solutions created over time, links to public informational resources have been provided.

5.3.1 Troubleshooting WSUS 3.0 Server Issues

The first step in troubleshooting WSUS 3.0 server issues is to verify that the server settings are correct. This consists of verifying registry settings, configuration settings, IIS 6.0 settings and file system permissions. These settings can be checked against the documented settings in the troubleshooting section of the Microsoft Windows Server Update Services 3.0 Operations Guide {R5}.

Once the WSUS 3.0 server settings are verified to be correct, check the log files and event logs on the server. Table 18 details some of the sources of logged information to be found on the server:

| Source | Detail |
| --- | --- |
| <drive>\Program Files\Update Services\Logfiles\SoftwareDistribution.log | This file contains information about the operation of the WSUS 3.0 server, including synchronisation information |
| %temp%\WSUSCa_timestamp.log | This log file is used by custom actions. Errors that occurred while executing any of the custom actions in WSUS component or BITS setup are logged to this file |
| %temp%\WSUSWyukonSetup_timestamp.log | This is the log file for Windows Internal Database setup. All Windows Internal Database installation/uninstallation information is logged to this file |
| %temp%\WSUSSetup.log | The status of each of the component installations performed during WSUS 3.0 setup is logged to this file |
| %temp%\WSUSSetupMsi_timestamp.log | This log file is generated by the MSI for WSUS 3.0 component setup |
| Event Viewer | WSUS 3.0 events are logged to the Windows Event Viewer application log. Also, service related issues may be entered in the system log |
| %systemroot%\System32\LogFiles\W3SVC1\*.log | This folder contains the log files created by IIS 6.0. Connections from clients to the IIS service are logged here |

Table 18: WSUS 3.0 Server Troubleshooting Information Locations

After verifying the WSUS 3.0 server settings and checking the various sources of logged information on the WSUS 3.0 server, if there is still a problem, there are a number of resources available which provide information on known issues. The following sources of information may be useful:

• The troubleshooting section of the Microsoft Windows Server Update Services 3.0 Operations Guide {R5}
• The WSUS Community Web site [27] provides links to various newsgroups, forums and blogs

[27] Welcome to the Windows Server Update Services Community {R19}: http://www.microsoft.com/technet/windowsserver/wsus/community/default.mspx

5.3.2 Troubleshooting

When experiencing WSUS 3.0 that the WSUS 3.0 client has been correctly pointed to the relevant WSUS Automatic Updates Control Panel applet has been pointed to a WSUS 3.0 Group Policy or the registry, depending on how the Automatic Updates settings have been assigned to the WSUS 3.0 client. Use the information in section settings) and section 4.3.2 (for registry assigned settings) in this document to verify that the correct settings have been applied.

Table 19 lists sources of information on the troubleshooting process.

Source

%systemroot%\WindowsUpdate.log

Event Viewer

Table 19: WSUS 3.0 Client Troubleshooting Information Locations

Further information on troubleshooting the Automatic Updates client can be found using theresources listed in the troubleshooting3.0 Operations Guide {R5}.

5.4 Update Management with WSUS 3.0It is recommended that a software update management process is followed to decrease the risk associated with installing software updates in the provides information on:

� How to get started with bringing computer systems up

� Microsoft’s recommended approach to software update management

� How to quickly deploy software updates in emergency s

As the software update management process is a fairly lengthy subject, a summary is included in this document with links provided to the publicly available documentation.

5.4.1 Getting Started with Software Update Management

One of the biggest challengesof software updates that need to be approved for installation on computer systems. If computer systems have not been updated with software updates for an extended period of timeprove to be a major task. The following considerations need to be planned for when first deploying WSUS 3.0:

� Properly testing software updates before approving for installation

� Bringing computer systems up

It is recommended that software updates are appropriately tested before they are installed onto production computer systems. Where possible, use a test environment that closely resembles the live environment. Client systems in the test environment should run versions, service pack levels, software and applications as in the live environment.

If a test environment is not available, use a subset of clients in the live environment to test the software updates. This can be performed by orinto a ‘test’ computer group and changing the approval status of updates to computer group only. For more information on the software update management process, see section 5.4.2.

Windows Server Update Services 3.0 Operations Guide 1.0.0.0 Baseline

Troubleshooting WSUS 3.0 Client Issues

WSUS 3.0 client issues, first check the WSUS 3.0 server is operational and client has been correctly pointed to the relevant WSUS 3.0

anel applet on the WSUS 3.0 client should be greyed out if the client 3.0 server. Verify the client settings are correct by checking either

depending on how the Automatic Updates settings have been client. Use the information in section 4.3.1 (for Group Policy assigned (for registry assigned settings) in this document to verify that the correct

lists sources of information on the WSUS 3.0 client that can be used in the

Detail

This is the log file for the Automatic Updates client.

Automatic Updates events are logged to the Windows Event Viewer system log.

Client Troubleshooting Information Locations

Further information on troubleshooting the Automatic Updates client can be found using theroubleshooting section of the Microsoft Windows Server Update Services

Management with WSUS 3.0 It is recommended that a software update management process is followed to decrease the risk associated with installing software updates in the healthcare network environment. This section

ow to get started with bringing computer systems up-to-date with software updates

Microsoft’s recommended approach to software update management

ow to quickly deploy software updates in emergency situations

As the software update management process is a fairly lengthy subject, a summary is included in this document with links provided to the publicly available documentation.

Getting Started with Software Update Management

es, when initially deploying WSUS 3.0, is dealing with the large number of software updates that need to be approved for installation on computer systems. If computer systems have not been updated with software updates for an extended period of timeprove to be a major task. The following considerations need to be planned for when first deploying

Properly testing software updates before approving for installation

Bringing computer systems up-to-date using a staged deployment approach

is recommended that software updates are appropriately tested before they are installed onto production computer systems. Where possible, use a test environment that closely resembles the live environment. Client systems in the test environment should run the same operating system versions, service pack levels, software and applications as in the live environment.

If a test environment is not available, use a subset of clients in the live environment to test the software updates. This can be performed by organising a number of clients in the live environment

computer group and changing the approval status of updates to Installcomputer group only. For more information on the software update management process, see

Prepared by Microsoft

Page 67

server is operational and 3.0 server. The

client should be greyed out if the client y the client settings are correct by checking either

depending on how the Automatic Updates settings have been (for Group Policy assigned

(for registry assigned settings) in this document to verify that the correct

client that can be used in the

Automatic Updates events are logged to the Windows Event Viewer system log.

Further information on troubleshooting the Automatic Updates client can be found using the public Microsoft Windows Server Update Services


Once software updates have been fully tested and are ready to be installed on clients in the live environment, there are a number of methods that can be used to stage the install of software updates to WSUS clients. The method that is used depends on the option selected to organise computers into computer groups: server-side targeting or client-side targeting. For more information on server-side targeting and client-side targeting, see section 4.1.3. Use one of the following methods to stage the installation of software updates:

For server-side targeting:

1. Deploy Automatic Updates settings to all WSUS 3.0 clients (assuming that the approval status of software updates has not been modified from the default).

2. Create a computer group for organising clients that are to receive updates.

3. Change the approval status for the tested software updates to Install for the created computer group only.

4. Move an appropriate number of computers into the computer group. Continue to add computers to the computer group at staggered intervals, in order to manage the load on the WSUS 3.0 server.

For client-side targeting:

1. Create a computer group for organising clients that are to receive updates.

2. Change the approval status for the tested software updates to Install for the created computer group only.

3. Deploy Automatic Updates settings to an appropriate subset of WSUS 3.0 clients, enabling the Enable client-side targeting Group Policy setting or creating the “TargetGroup” registry entry, using the name of the computer group created in step 1.

Note

To deploy the settings in step 2 to a subset of clients, use whatever methods are available for gradually deploying the Automatic Updates settings to clients. For instance, when using Group Policy settings, use security filtering on GPOs to apply the GPO only to members of a computer group and add computers gradually to the computer group, or alternatively, link a GPO to an Active Directory OU and move computers gradually into the OU.

Bear in mind that when clients first connect to a WSUS 3.0 server, the Microsoft Windows Installer 3.1 (KB893803) {R9} and Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773) {R10} updates are installed before any other updates (assuming these have not already been installed on the clients). This is so that the WSUS 3.0 clients can take advantage of the improved installation and download functionality provided by these updates, including BITS bandwidth limitation policies. This will result in clients installing these updates, rebooting and not installing any remaining updates until the next scheduled installation time (if the WSUS 3.0 clients are configured with a daily scheduled installation time). Therefore, to bring the WSUS 3.0 clients up-to-date will require at least two days.

Once WSUS 3.0 clients have been brought up-to-date with software updates, the software update management process becomes easier as only newly released updates need to be tested and deployed.

5.4.2 The Software Update Management Process

Microsoft recommends using a four-phase approach for the testing and deployment of software updates. This approach provides control over the deployment of software update releases into the healthcare organisation’s production network environment.

The four-phase approach works as follows:

• Assess – the process starts with an assessment of what is in the healthcare organisation’s production network environment, what security threats and vulnerabilities may be applicable, and whether or not the organisation is prepared to respond to new software updates

• Identify – the goal during this phase is to discover new software updates in a reliable way, determine whether or not they are relevant to the healthcare organisation’s production network environment, and determine whether an update represents a normal or emergency change

• Evaluate and Plan – the goal during this phase is to make a decision to deploy the software update, determine what is needed to deploy it, and test the software update in a production-like environment to confirm that it does not compromise business critical systems and applications

• Deploy – the goal during this phase is to successfully roll out the approved software update into the healthcare organisation’s production network environment, so that all of the requirements of any deployment service level agreements (SLAs) that are in place are met

More detailed information about the software update management process, and each phase of the four-phase approach, can be found in Update Management Process [28]. However, this documentation has been created with the Systems Management Server (SMS) 2003 and Software Update Services (SUS) 1.0 SP1 products in mind. The documentation has not been updated to include WSUS 3.0 specific information; however, it provides useful information to help understand the process of delivering software updates safely into a production environment.

[28] Update Management Process {R20}: http://www.microsoft.com/technet/security/topics/patchmanagement/secmod193.mspx

One important improvement with WSUS 3.0 is the addition of computer groups. This is useful in the Evaluate and Plan phase with regards to testing updates. Previously, a separate SUS 1.0 server would be configured with some non-production clients and used for testing updates, before they were approved for installation on the production SUS 1.0 server. With computer groups, it is possible to assign a number of non-production clients to a computer group and approve updates that are to be tested for this test group only. This alleviates the need for a separate server for testing updates.

5.4.3 Dealing with Emergency Update Releases

Sometimes it may be necessary to deploy an update before the next scheduled installation time. This may be because a critical security update has been released that needs to be installed on critical systems as a matter of urgency. The easiest process for quickly deploying updates relies on setting Group Policy settings. However, for non-Active Directory environments it is possible to perform these procedures if there is some other method of automatically deploying the corresponding registry keys. If there is no method of automatically deploying registry keys in the healthcare organisation’s network environment, the only way to perform these procedures is to manually enter the Group Policy settings or registry keys on each client.

In this section, the procedures for deploying emergency update releases in an Active Directory environment are provided. For non-Active Directory environments, the Group Policy settings and corresponding registry keys have also been detailed.

5.4.3.1 Deploying Emergency Update Releases in an Active Directory Environment

To perform the procedures in this section, it is necessary to have the following rights in Active Directory to:

• Create and link Group Policy objects in the relevant location in Active Directory
• Force Domain Controller (DC) replication in the relevant Active Directory domain

Important

When using the procedures in this section, be careful to ensure that any BITS bandwidth limitation policies are not overridden by the new Group Policy object that is created. These settings must still be applied to WSUS 3.0 clients during the emergency update deployment to prevent saturation of any slow network links.

To deploy emergency update releases in an Active Directory environment:

1. Synchronise all WSUS 3.0 servers and approve the emergency updates.

2. Create a temporary GPO and assign it to an appropriate location in the OU structure so that it will be applied to the relevant computers. Use security filtering to ensure that it is applied to the appropriate containers and enable the ‘No override’ object option. This GPO should be of a higher priority than the GPO that is currently used for applying Automatic Updates settings.

3. Open the temporary GPO. Expand Computer Configuration > Administrative Templates > Windows Components, and then click Windows Update.

4. Enable the Automatic Updates detection frequency setting and set the interval (hours) value to 1.

5. Enable the Configure Automatic Updates setting:

   a. Change the Configure automatic updating setting to 4 - Auto download and schedule the install.

   b. Set the Scheduled install day to 0 – Every day.

   c. Set the Scheduled install time to a time slot three hours from the present time.

6. Enable the Specify intranet Microsoft update service location setting. Type http://<servername> (replacing <servername> with the hostname or IP address of the WSUS server), or https://<servername> if using SSL, into the Set the intranet update service for detecting updates and the Set the intranet statistics server fields.

7. Disable the Reschedule Automatic Updates scheduled installations setting.

8. Force DC replication to occur, so that all DCs have a copy of the new GPO.

It will take up to 120 minutes for all clients within the OU to refresh the Group Policy. Once the Group Policy is refreshed, the clients will poll the WSUS 3.0 server for new updates within 48-60 minutes (one hour minus a random offset of up to 20%). At this point the automatic download should occur. The scheduled installation time should still be in the future; once the scheduled installation time is reached the install will take place.

Note

At this point, forcing the refresh of Group Policy on a client will result in the client checking in with the server within one hour and beginning the download. To speed the process up, if there are only a few clients and it is possible to manually force a Group Policy refresh and Automatic Updates detection on each WSUS 3.0 client, in step 5 set the Scheduled install time setting to a time slot one hour from the present time and then run the relevant command to force a Group Policy refresh on the clients. For Windows XP, run the command gpupdate.exe /force and for Windows 2000, run the command secedit.exe /refreshpolicy machine_policy. Next, once Group Policy has been refreshed, run the command wuauclt.exe /detectnow to force the Automatic Updates client to check in with the server.

9. After the update has been successfully installed on all of the target computers, delete the temporary GPO that was used to make the changes. Computers will fall back to the existing Automatic Updates download and installation options after they next refresh their Group Policy settings.

5.4.3.2 Deploying Emergency Update Releases in a Non-Active Directory Environment

To deploy emergency update releases in a non-Active Directory environment:

1. Synchronise all WSUS 3.0 servers and approve the emergency updates.

2. Record the current values of the AU registry key on a WSUS 3.0 client.

3. Deploy the registry keys detailed in Table 20.

4. Once the registry keys have been deployed to each client, the clients will poll the WSUS server for new updates within 48-60 minutes (one hour minus a random offset of up to 20%). At this point the automatic download should occur. The scheduled installation time should still be in the future; once the scheduled installation time is reached the install will take place.

5. After the update has been successfully installed on all of the target computers, change the registry keys back to their original values.

The registry keys that need to be deployed are located in the following subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

For more information on all the available registry keys for configuring a WSUS 3.0 client, including those that are needed to point a client at a WSUS 3.0 server, see section 4.3.2.

Table 20 shows the registry keys that need to be deployed.

Entry Name | Value | Data Type
AUOptions | 4 | REG_DWORD
DetectionFrequency | 1 | REG_DWORD
DetectionFrequencyEnabled | 1 | REG_DWORD
RescheduleWaitTimeEnabled | 0 | REG_DWORD
RebootWarningTimeoutEnabled | 0 | REG_DWORD
ScheduledInstallDay | 0 | REG_DWORD
ScheduledInstallTime | The range = n; where n = the time of day in 24-hour format (0-23). Set this value to the next hour interval that is 1 hour ahead of the time the registry keys will have been deployed to the clients. | REG_DWORD

Table 20: Emergency Update Release Registry Keys
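The non-Active Directory procedure above (record the current AU values, deploy the Table 20 values, later change them back) can be scripted per client. The following PowerShell is an added example and is not part of the original guide; the function names, the backup file path and the -DeployedBy parameter are assumptions, and it presumes clients on which PowerShell is available.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the guide. Function names, the backup path and the
# -DeployedBy parameter are assumptions made for illustration.

$AuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Fixed values from Table 20; ScheduledInstallTime is computed per deployment.
$EmergencyValues = [ordered]@{
    AUOptions                   = 4   # auto download and schedule the install
    DetectionFrequency          = 1   # detection interval in hours
    DetectionFrequencyEnabled   = 1
    RescheduleWaitTimeEnabled   = 0
    RebootWarningTimeoutEnabled = 0
    ScheduledInstallDay         = 0   # every day
}
$AllNames = @($EmergencyValues.Keys) + 'ScheduledInstallTime'

function Get-EmergencyInstallHour {
    # Table 20 rule, as interpreted here: the first whole hour that is at least
    # one hour after the keys have been deployed (14:20 -> 16, 14:00 -> 15).
    param([datetime]$DeployedBy = (Get-Date))
    $earliest = $DeployedBy.AddHours(1)
    if ($earliest.Minute -ne 0 -or $earliest.Second -ne 0) {
        $earliest = $earliest.AddHours(1)
    }
    # 0-23; a wrap past midnight is safe because ScheduledInstallDay is 0.
    return $earliest.Hour
}

function Backup-AuPolicy {
    # Step 2: record the current values so they can be put back in step 5.
    param([string]$Path = "$env:ProgramData\wsus-au-backup.xml", [switch]$Force)
    if ((Test-Path $Path) -and -not $Force) {
        # A second run would otherwise save the emergency values as "original".
        throw "Backup $Path already exists; restore first or use -Force."
    }
    $current = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $saved = @{}
    foreach ($name in $AllNames) {
        $prop = if ($current) { $current.PSObject.Properties[$name] }
        # $null records "entry did not exist" so the rollback can delete it.
        $saved[$name] = if ($prop) { [int]$prop.Value } else { $null }
    }
    $saved | Export-Clixml -Path $Path
    return $saved
}

function Set-EmergencyAuPolicy {
    # Step 3: write the Table 20 values as REG_DWORD entries.
    param([datetime]$DeployedBy = (Get-Date))
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    foreach ($name in $EmergencyValues.Keys) {
        Set-ItemProperty -Path $AuKey -Name $name -Value $EmergencyValues[$name] -Type DWord
    }
    $hour = Get-EmergencyInstallHour -DeployedBy $DeployedBy
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $hour -Type DWord
    return $hour
}

function Restore-AuPolicy {
    # Step 5: change the entries back to their recorded values.
    param([string]$Path = "$env:ProgramData\wsus-au-backup.xml")
    $saved = Import-Clixml -Path $Path
    foreach ($name in $saved.Keys) {
        if ($null -eq $saved[$name]) {
            Remove-ItemProperty -Path $AuKey -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $AuKey -Name $name -Value $saved[$name] -Type DWord
        }
    }
    Remove-Item -Path $Path
}

# Sequence on a client:
#   Backup-AuPolicy
#   Set-EmergencyAuPolicy -DeployedBy (Get-Date)
#   ... after the update is confirmed installed on the target computers ...
#   Restore-AuPolicy
```

Pass the time at which the last client is expected to have received the keys as -DeployedBy, so that the computed install hour is still in the future once the 48-60 minute detection poll has completed.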

APPENDIX A SKILLS AND TRAINING RESOURCES

The tables in PART I of this appendix list the suggested training and skill assessment resources available. This list is not exhaustive; there are many third-party providers of such skills. The resources listed are those provided by Microsoft.

PART I WSUS 3.0

For further information on WSUS 3.0, see http://www.microsoft.com/wsus

Skill or Technology Area | Resource Location | Description
Microsoft Windows Server Update Services 3.0 Overview | http://go.microsoft.com/fwlink/?LinkId=71191 | This overview introduces WSUS 3.0 and provides information about features, and server and client computer requirements
Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services 3.0 | http://go.microsoft.com/fwlink/?LinkId=71190 | This guide provides basic instructions for getting started with WSUS 3.0
Deploying Microsoft Windows Server Update Services | http://go.microsoft.com/fwlink/?LinkId=86416 | This document describes how to deploy, install and configure WSUS 3.0
Microsoft Windows Server Update Services 3.0 Operations Guide | http://go.microsoft.com/fwlink/?LinkId=86697 | This document describes how to administer and troubleshoot WSUS 3.0

Table 21: Windows Server Update Services 3.0

APPENDIX B DOCUMENT INFORMATION

PART I Terms and Abbreviations

Abbreviation | Definition
API | Application Programming Interface
AU | Automatic Updates
BITS | Background Intelligent Transfer Service
CA | Certification Authority
DC | Domain Controller
DNS | Domain Name System
GPMC | Group Policy Management Console
GPO | Group Policy Object
IIS | Internet Information Services
IP | Internet Protocol
IPSec | Internet Protocol Security
KB | Microsoft Knowledge Base
MOF | Microsoft Operations Framework
MMC | Microsoft Management Console
MPLS | Multi-Protocol Label Switching
MSDN | Microsoft Developer Network
MSF | Microsoft Solutions Framework
MSI | Microsoft Windows Installer
MSRC | Microsoft Security Research Center
NAT | Network Address Translation
NIC | Network Interface Card
OU | Organisational Unit
PDF | Portable Document Format
POP | Point of Presence
SDK | Software Development Kit
SLA | Service Level Agreement
SMS | Systems Management Server
SP | Service Pack
SPN | Service Principal Name
SSL | Secure Sockets Layer
SUS | Software Update Services
TCO | Total Cost of Ownership
UI | User Interface
URL | Uniform Resource Locator
WAN | Wide Area Network
WSUS | Windows Server Update Services
WUA | Windows Update Agent

Table 22: Terms and Abbreviations

PART II References

Reference Document

R1. Windows Server Update Services 3.0 Design Guide: http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx

R2. MSF Process Model White Paper http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en

R3. MOF Executive Overview http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx

R4. Deploying Microsoft Windows Server Update Services 3.0 http://go.microsoft.com/fwlink/?LinkId=86416

R5. Microsoft Windows Server Update Services 3.0 Operations Guide http://go.microsoft.com/fwlink/?LinkId=86697

R6. Chapter 6 – Managing Microsoft Certificate Services and SSL http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx

R7. Overview of IPSec Deployment http://go.microsoft.com/fwlink/?LinkId=45154

R8. Group Policy for Healthcare Desktop Management: http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx

R9. Windows Installer 3.1 v2 (3.1.4000.2435) http://support.microsoft.com/kb/893803/

R10. An update package that includes BITS 2.0 and WinHTTP 5.1 is available for Windows Server 2003, for Windows XP, and for Windows 2000 http://support.microsoft.com/kb/842773

R11. Peer Caching http://go.microsoft.com/fwlink/?LinkId=79432

R12. How DNS Works http://technet2.microsoft.com/WindowsServer/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true

R13. Re-index the WSUS 3.0 Database http://go.microsoft.com/fwlink/?LinkId=87027

R14. Feature Pack for Microsoft SQL Server 2005 http://go.microsoft.com/fwlink/?LinkId=70728

R15. sqlcmd Utility http://go.microsoft.com/fwlink/?LinkId=81183

R16. SQL Server TechCenter – Microsoft SQL Server http://technet.microsoft.com/en-gb/library/bb545450.aspx

R17. Windows Server Update Services SDK http://go.microsoft.com/fwlink/?LinkId=85713

R18. Using WSUS Views http://msdn2.microsoft.com/en-gb/library/bb410149.aspx

R19. Welcome to the Windows Server Update Services Community http://www.microsoft.com/technet/windowsserver/wsus/community/default.mspx

R20. Update Management Process http://www.microsoft.com/technet/security/topics/patchmanagement/secmod193.mspx

Version column entries, in page order: R1 to R15: 1.0.0.0, 3.1, 1.0, 1.1, 1.1, 1.0.0.0, Nov-2005; R16 to R20: 01-Jun-2007

Table 23: References

