Configuring WSUS 3.0 on Windows Server 2008 - Configuring WSUS
After the synchronization process is done, the Choose Languages screen will pop up. Here you can select the languages of patches that are to be downloaded. On the next screen you can select the software products in which you are interested, in terms of patches, hot-fixes, and all kinds of other patch metadata. You should tick all of the software applications that are already being used or probably will be used in the future.
Then you are asked to specify the kinds of updates you want to synchronize. Here once again, it is advisable to think big and long-term. Generally the following three are the most often selected: Critical Updates, Definition Updates, and Security Updates. Automatic Updating is basically composed of these hot-fixes, so these are the heart of the entire system. But don’t limit yourself to only these; go through the remaining classifications and tick the ones that make sense for your environment.
Moving on, you need to schedule when the synchronization happens. As a general rule, it is often recommended to pick a time when most of the bandwidth is free and there is little to no workload at all. In a corporate environment that’s probably around 02:00-03:00 AM. Be aware that a random offset will be added to the time you specify.
The configuration process is almost done. The initial synchronization will begin and the WSUS Administration MMC snap-in is brought up. The process of synchronization is quite slow, depending of course on your network bandwidth. But this doesn’t mean that you can sit back and relax. While it is downloading you should configure Automatic Updates via domain-based GPOs and enforce them on client PCs.
This is important, because you actually need to add client computers into WSUS. From now on, the Automatic Updates repository is the central server located on your local network. The entire schedule for when, how frequently, and via which repository to launch Automatic Updates must be configured now. This can be easily done if your domain is based on Active Directory Group Policies. If your network doesn’t implement a domain, then simply configure it via the Local Group Policies.
Create a new GPO or use an existing one in which you’re going to configure Automatic Updates. Add the WSUS Administrative Template (“wuau.adm”) into the specific GPO. Configure appropriately and pay close attention to the field where you need to point the client computers to the WSUS central server. This is the web site link of WSUS (the one we picked during installation) on your intranet.
Furthermore, once the GPO is configured, you need to link it to the domain (if it isn’t already, as in the case of existing GPOs), enforce the policies, and manually force an update to the Group Policy. Just run the following command: “gpupdate /force”. This command immediately updates the policies instead of waiting about 90 minutes. You can also force Automatic Updates by running “wuauclt.exe /detectnow”. By doing so, Automatic Updates will contact the WSUS central server right away!
If everything is configured right and the policies with the appropriate configurations are deployed, then as soon as Automatic Updates contacts the WSUS server located on your intranet, you should notice activity in the WSUS Administration MMC snap-in. Now you can create individual computer groups, because as you can clearly see, all of the client computers are going to be added under the “Unassigned Computers” group.
There are two possible ways to group the computers, either server-side targeting where the administrator manually categorizes the client computers into the correct group, or client-side targeting; that is, Group Policy and/or Registry-based. The latter is generally recommended, and you can individually add the name of the appropriate group as entries in the policies of the correct GPO. Creating groups is optional, though. They are useful in those situations where patches are deployed only on test groups.
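To confirm on a client that the GPO and client-side targeting described above actually took effect, the following PowerShell check (an added example, not part of the original article) reads the registry values that the Windows Update policy writes and compares them with what you configured. The server URL and group name are placeholder assumptions; replace them with your own.

```powershell
# Added example: verify the WSUS client policy written by the GPO.
# $ExpectedServer and $ExpectedGroup are placeholders (assumptions), not values from the article.
$ExpectedServer = 'http://wsus.example.local'
$ExpectedGroup  = 'Test Workstations'

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-WsusClientPolicy($Server, $Group) {
    $findings = @()
    $wuServer     = Get-PolicyValue $WuKey 'WUServer'
    $statusServer = Get-PolicyValue $WuKey 'WUStatusServer'
    $useWuServer  = Get-PolicyValue $AuKey 'UseWUServer'
    $targetOn     = Get-PolicyValue $WuKey 'TargetGroupEnabled'
    $targetGroup  = Get-PolicyValue $WuKey 'TargetGroup'

    if ($useWuServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client is not directed to the intranet server'
    }
    if ($wuServer -ne $Server) {
        $findings += "WUServer is '$wuServer', expected '$Server'"
    }
    if ($statusServer -ne $Server) {
        $findings += "WUStatusServer is '$statusServer', expected '$Server'"
    }
    if ($targetOn -ne 1 -or $targetGroup -ne $Group) {
        $findings += "Client-side targeting: enabled='$targetOn', group='$targetGroup', expected '$Group'"
    }
    if ($wuServer -and $wuServer -notmatch '^https://') {
        $findings += 'Note: WUServer is plain HTTP; update metadata is not protected in transit'
    }
    $findings   # emits nothing when every check passed
}

$result = @(Test-WsusClientPolicy $ExpectedServer $ExpectedGroup)
if ($result.Count -eq 0) {
    Write-Output 'Policy matches the expected WSUS settings; requesting detection.'
    & wuauclt.exe /detectnow
} else {
    $result | ForEach-Object { Write-Output "CHECK: $_" }
    Write-Output 'Fix the GPO, run "gpupdate /force" on the client, then run this check again.'
}
```

Run it from an elevated prompt on the client after the policy refresh; a machine that passes should then show up in the WSUS console under the expected group rather than “Unassigned Computers”.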
And finally, from the WSUS Administration MMC snap-in, you need to set up the Approval Rules. As soon as the client computers begin synchronizing with the WSUS server, you can already see complex and thorough reports. You can set up automatic approval for various types of updates (such as always approve security patches) but also on specific groups and so forth. There’s a lot of flexibility. You can also specify deadlines for particular deployment jobs. Be sure to play around with reports as well!
As a final side note, don’t hesitate to look for help from the official TechNet site of Microsoft. WSUS is very thoroughly documented, and there are a lot of guides that lead you through specific scenarios. This guide covers client computer configuration based on GPOs. And there are many, many more. Configuring WSUS isn’t that tough.
More By Barzan "Tony" Antal