Deploying Updates with WSUS

WSUS overview

In order to make the user's Windows system and other Microsoft products more secure and stable, Microsoft will not periodically roll out the latest updates on the site for users to download and install, and users can obtain these programs in the following ways:

• To manually connect to the Microsoft Update Web site
• Automatic Update via Windows system

However, both of these approaches may have the following drawbacks within the enterprise.

• impact on network efficiency : If every computer inside the enterprise updates itself, it will increase the burden on the external network.
• interference with existing software : If the software used within the enterprise conflicts with the update program, the user downloading and installing the update themselves may affect the proper operation of the software or the update program.

WSUS is a product that resolves the above issues, and within the enterprise, you can download updates from the Microsoft Update Web site centrally through the WSUS server, and after you complete the testing of these updates, determine that there is no adverse effect on the internal computers of the enterprise, after passing the network management approval process, Deploy the program to the client.

System Requirements for WSUS

For the basic WSUS architecture, both the WSUS server and the client computer must meet the appropriate conditions to enjoy the benefits of WSUS.

You can install WSUS in Windows Server 2012 by adding new roles. Before you install WSUS, you need to install the following components.

• Microsoft report Viewer Redistributable: The WSUS server needs to produce various reports through him, such as update status reports, client computer status reports, and synchronous processing results reports. Need to be downloaded to the Microsoft website.
• NET Framework 2.0: The Report Viewer requires the Net framework.

Note: The system partition of the WSUS server and the file system that installs the WSUS disk partition must be NTFS.

The WSUS client computer must support the Automatic Updates feature, which is supported by Windows SP4 clients later.

You can take advantage of the WSUS server's built-in WSUS management console to perform administrative work on the WSUS server, and you can manage the WSUS server on other computers. However, you need to install the WSUS console on these computers, but these computers must have the following components installed:

• Microsoft. NET Framework 2.0 or later
• Microsoft Management Console 3.0 or later
• Micrsoft report Viewer Redistributable 2008 or later

How WSUS features and works deploy updates with a computer group

If you are able to group your enterprise internal client computers appropriately, you can more easily and explicitly deploy the updates to the specified computers. The system defaults to 2 computer groups, that is, all computers and unassigned computers, and when the client computer contacts the WSUS server for the first time, the system defaults to meeting the computer's 2-member group. You can add more groups in the. You can create test computer groups, and new patches are deployed to test computer groups, and no problems are applied to the business computer group.

The architecture of the WSUS server

You can also create a more complex WSUS server architecture, that is, create multiple WSUS servers, and set up one of the WSUS servers to obtain updates from the Microsoft Web site, but other servers do not directly connect to the Microsoft Web site, but instead get programs from upstream group servers. The downstream server obtains updates from the upstream server.

There are two modes of connecting a WSUS server by going up and down the same way.

• Autonomous mode : The upstream WSUS server shares the update with the downstream server, that is, the downstream server obtains updates from the upstream server, but does not include the update approval status, computer group information. Therefore, the downstream server must decide for itself whether to approve these updates and to create the required computer groups by itself.
• Replica mode : The upstream server shares updates with downstream servers, updating approvals and computer group information. Downstream servers can obtain data from upstream servers, and all projects that can be managed on the upstream server cannot be managed by the downstream server, such as the approval status of new programs that cannot be changed on its own.

Note that the computer group information described above is only for the computer group itself and does not contain members of the computer group, and must be managed on a downstream server to manage group memberships, which are added to all computers and groups of unassigned computers by default when the client computer contacts the downstream WSUS server for the first time.

The upstream and downstream WSUS server can be used as a serial connection according to the requirements of the corporate network environment.

The use of upstream and downstream WSUS server threaded architecture, but also need to take into account the different language updates, for example, if the upper server at Headquarters, Headquarters needs Simplified Chinese procedures, and downstream of the branch office, the branch needs to be in English, although the company needs the language is Simplified Chinese, When you must select a colleague from the upstream server in the company, download the Chinese and English version of the update program. Upstream servers that connect to the Microsoft Web site must download updates for all languages that are required by the downstream server, or the downstream server will not be able to obtain updates for the language that you want.

Note: This upstream and downstream series, it is advisable not to exceed 3 layers (although theoretically no layer limit), because each additional layer, will increase the delay time, thus lengthening the update process to each computer time.

Select a location for database and storage updates

You can use the built-in database of Windows Server 2012 or Microsoft SQL Server 2005 SP2 to build the database. Each WSUS server has its own separate database, which is used to store the following information:

• Settings information for the WSUS server.
• Describes the metadata of each update. The following data is included in the Metada:

  the properties of the Updater : for example, the name of the update, the description, the associated Knowledge Base article number, and so on.

  applicable rules : Used to determine whether the update is applicable to a computer.

  Installation Information : For example, the command line parameters required for installation.

• The relationship between the client computer and the update program.

However, the above database does not store the update file itself, you must choose the storage location of the update program files, there are two options.

stored on the local hard disk of the WSUS server : At this point, the WSUS server downloads updates from the Microsoft Web site and stores them on the local hard disk. This approach allows the client to obtain updates directly from the WSUS server without downloading to the Microsoft Web site, which saves network bandwidth.

The hard disk of the WSUS server must have enough space to store the update files, with a minimum of 20g of free space. More space is actually needed.

stored on the Microsoft Web site : The WSUS server does not download updates from the Microsoft Web site at this time, in other words, when you perform synchronization between the WSUS server and the Microsoft Web site, The WSUS server downloads only the updated metadata data from the Web site and does not download the update itself.

Therefore, when you approve a client that can install an update, the client is itself connected to the Web download. You can select this option if the number of client computers is not large, or if the connection between the client and the WSUS server is slow, but the connection to the network is faster.

Deferred download updates

WSUS allows you to postpone downloading the update files, which means that the WSUS server will download the update metadata before downloading the update files. Update files are downloaded only after you approve the program, which saves bandwidth and the amount of hard disk space used by the WSUS server. Microsoft recommends that you adopt a deferred download update, which is also the default value.

Using Quick Install Files

When a client computer installs an update, it may already have an older version of the update file, and the difference between the old file and the new update may be small. If the client is able to download only the difference between the new version and the old one, and then update it by merging the differences into the old file, you can reduce the amount of data downloaded from the WSUS server and reduce the burden on the enterprise's internal network.

In this way, however, the files downloaded by the WSUS server from the Microsoft Web site are larger because the file must contain the differences between the new updates and the older versions themselves, so the WSUS server consumes external network bandwidth when it downloads files.

For example, if the original size of the update is 100MB and no express installation is used, the server downloads 100mb files from the Microsoft Web site, and the client also downloads 100MB of data from the server. With a quick install, this file becomes a larger 200MB (assuming). Although the WSUS server must download a file size of 200MB from Microsoft, the client downloads only 30MB of data from the WSUS server, and the system does not use the Express installation file by default.

Install the WSUS server

The AD domain environment is not required to build WSUS, but in order to fully manage the client's automatic Update settings with Group Policy, it is recommended to use an AD domain environment.

We will use the environment shown to illustrate. Install a domain-controlled dc,wsus server as a member server, the computer name is WSUS, and in addition, multiple clients in the diagram can be win7,win8 and so on, we assume that they are also joined to the domain.

1. Direct installation of Report Viewer 2012 latest version and CLR Typer for SQL 2012

http://www.microsoft.com/zh-cn/download/details.aspx?id=35747

http://go.microsoft.com/fwlink/?LinkID=239644&clcid=0x409

1. Add Features

2. Requires the NET Framework

3. Select the database. Using the built-in database, check the database if you want to use SQL database.

4. Select storage location

5. Web Server Select Default

6. Wait until the installation is complete

7. Choose to have the WSUS server synchronize with Microsoft Update to have the server download updates and metabase, and so on, directly from the Microsoft Web site.

8. If the server needs to be networked through a proxy server inside the enterprise, enter the relevant information.

9. Click Start connection to get updates related information from the Windows Update Web site.

10. Select Download language

11. Select the update product that you want to be under. The default system will select updates for Office and Windows, because it is an experimental environment with fewer points

12. Select the type of download you want

13. Select manual or Automatic synchronization. Select Automatic synchronization, you need to set the time of the first synchronization and the number of synchronizations per day.

14. Perform the first sync work

15. You can view the current synchronization progress.

16. If you want to synchronize manually, select Synchronize now in sync selection

    If you want to change manual synchronization to automatic synchronization, you need to set up a synchronization schedule. All of the settings that were previously installed can be changed through the options interface. You cannot store the changed settings until the synchronization is complete, and you need to wait for the synchronization to complete before you change the settings.

Set up Automatic Updates for clients

We want to enable client computers to download updates through the WSUS server, which can be done in two ways.

Group Policy : In an AD domain environment, you can set it through Group Policy.

Local Computer Policy : If there is no AD domain environment, or if the client computer is not joined to a domain, it can be set through local computer policy.

We use Group Policy to illustrate. Create a Gpo,wsus policy in the domain, and then use this GPO to set up automatic update configuration for all client computers within the domain.

1. New Group Policy

1. Expand Computer Configuration-policies-Administrative Templates-windows components. Select Enable to configure Automatic Updates.

• notify download and notify installation : The logged-in System administrator is notified before downloading the update, and he decides whether to download it now or not, and notifies the system administrator when the download is complete and before it is ready for installation, and at his discretion.
• automatically download and notify the installation : Automatically download the update, after the download is complete and before the installation will notify the logged on system administrator, and then at his own discretion whether to install now.
• automatically download and schedule the installation : Updates are automatically downloaded and automatically installed at the specified time. You need to specify the installation time.
• allow local administrators to select Settings : This option allows local administrators on the client to choose the update mode themselves via the Control Panel.

1. Select Specify the intranet Microsoft update service location, and then specify that the client obtain the update from the WSUS server, and also set the client to report the update results to the WSUS server, both of which enter http://wsus:8530.

   After the setting is complete, the policy must be applied to clients within the domain to be valid, and client computers will be applied every 90-120 minutes by default. Execute the gpupdate/force command on the client computer.

   After the application is complete, you must also wait for the client to contact the WSUS server before you can see these clients in the WSUS administration console. However, you will need to wait 20 minutes to proactively contact the WSUS server. Executes the Wuauclt/detectnow command on the client computer.

Approving updates

In the WSUS administration interface you can see all the client machines, and if there are still machines displayed, you can expect to perform Group Policy refresh commands on those computers.

Note: If the client has a new update status that can be reported, and you want to report it immediately, perform wuauclt/reportnow on the client computer.

Create a new computer group

To facilitate the use of the WSUS administration console to deploy the required updates for client computers, it is recommended that you group your computers. For example, to create a group called the business Unit computer and move the computers that belong to the business unit to this group.

1. Select Add Computer Group.

1. Move computers that are subordinate to the reorganized Computer group to the business Unit computer group that you just created.

Approving updates for installation

After all updates that are downloaded by WSUS are approved, the client computer can install the update, which is assumed to approve a security update so that the business group computer installs the update.

Because WSUS delays downloading updates by default, the WSUS server only downloads updates for metadata when it synchronizes with Microsoft Update. The update is not downloaded until we approve the update program. Since we have just approved the above update, the WSUS server is about to start downloading this update and must wait until the download is complete before the client computer can begin installing the update.

, the Approval column appears installed 1/3, indicating that there are currently 3 computer groups, only one of the groups has been approved to install this update.

The client will not connect to the server every 17.6-22 hours by default to check for updates that are downloaded and can be checked manually using Wuauclt/detectnow. Check to make updates based on Group Policy settings.

The client can update the check time by automatically updating the detection frequency through Group Policy. You can modify this value if you want the client computer to automatically detect it earlier.

Whenever a client checks for an available download, it automatically prompts for updates in the lower right corner.

Reject Update Program

Click Deny on the right side of a program, and the system will dismiss its approval, and the report data related to this update in the WSUS database will be deleted, as well as the update is not visible on this interface. If you want to see an update that is rejected, click Reorganize after you select rejected from the approval office.

Automatic approval of updates

You can set the automatic approval of downloaded updates when the WSUS server synchronizes with Windows Update. For example, if you want all downloaded security updates and important updates to be automatically approved for all computers: Click Automatic Approval in the options, and check the default automatic approval rules in the foreground map. If you also want to apply this rule to updates that have already been synchronized, click Allow rules.

After you click the Advanced tab, you can also change the following settings.

• WSUS update : can be used to set whether updates for the WSUS product itself are automatically approved.
• Update revisions

  automatic approval of revised revisions of approved updates: If an approved update has a future revision, the update for this revision is automatically approved.

  automatically reject updates when new revisions cause updates to be in the past: When a new revision occurs in the future and the old version expires, the outdated old update is automatically rejected.

Group Policy settings for Automatic Updates

This site describes more group policies for automatic Updates to further manage how client computers communicate with the WSUS server. Configure it by creating a different GPO, and try not to set it through the built-in Defult Domain Policy GPO.

Configure Automatic Updates

This policy is used to configure how clients download and install updates.

Specify the intranet Microsoft Update service location

Used to specify that client computers obtain updates from the WSUS server.

Automatic Update frequency

Used to set how often the client is connected to the server to check for new updates.

Allow immediate installation of Automatic Updates

When the update is downloaded and ready for installation, it is determined when the update is made based on the policy of Automatic Updates configured. When this policy is enabled, some new programs are installed immediately. These updates refer to updates that do not disrupt Windows services and do not restart Windows systems.

To re-schedule an Automatic Updates scheduled installation

If the installation update is performed by scheduling a point in time, but the time arrives, the client computer does not boot. This policy is used to set how much time is required after the client computer restarts to install the update.

Allow client target settings

All computers that apply this setting are automatically joined to the specified computer group and do not need to be manually joined by an administrator.

, all computers are automatically joined to the business group computer.

Allow signature updates from the intranet Microsoft Update service location

If this policy is enabled, client computers can download updates developed and signed by third parties from the WSUS server, and if not enabled, clients can only download Microsoft-signed updates.

Remove links and access to Windows Update

Although WSUS clients can be updated through the WSUS server, system local administration can still connect to the Microsoft Update Web site privately through Windows Update on the Start menu. To reduce this situation, we recommend that you remove the Windows Update link for the client computer through this policy. When the connection to the Start menu finishes is not displayed, the update check Update for the control panel is also invalidated.

User Configuration-policies-Administrative Templates-Start menu and taskbar

Turn off access to all Windows Update features

If you enable this policy, clients will be prevented from accessing the Microsoft Update Web site, for example, the Windows Update Web site cannot be accessed by the client through the window updates link in the Start menu, and is not accessible directly in the browser by entering the Windows Update Web page. However, the client can still get it through WSUS.

Computer Configuration-policies-Administrative Templates-system-internet Communication Management-internet communication settings

Deploying Updates with WSUS