Defining Patch Options for Groups
Using the Install and Remove options, in conjunction with groups of test computers, gives you an easy mechanism to test new patches within your organization. You can push new patches to a selected group of test systems, evaluate the servers and their applications to make sure everything is still running properly, then deploy the patches throughout the rest of the organization.
The ability to group together sets of computers is a new feature of WSUS—one that SUS sorely lacked. SUS administrators typically didn't want to deploy the same set of patches to their servers that they'd deploy to desktops (for example, most servers don't need to have Windows Media Player—WMP—patched), so they invented creative workarounds for that situation, usually involving running multiple SUS servers within their organization. WSUS removes the need for using multiple SUS servers by letting administrators group computers together according to criteria that suit their organization. When you approve a patch for installation, you can define different options for different groups of computers. For instance, you might want to have servers detect only whether or not a patch is necessary initially, whereas end-user desktops have the patch installed automatically. You can designate multiple actions for each patch that WSUS stores and distinguish those actions by groups of computers.
Besides defining the appropriate detect, install, and remove options that you want to apply to a patch, you can define a date and time by which WSUS and Automatic Updates will force an installation if it hasn't already taken place. This capability is a lifesaver when the CIO wants a guarantee that the latest security hotfix can be deployed throughout the enterprise within a certain timeframe. To set a deadline for a patch, click the None option next to the Deadline field, which Figure 6 shows. Doing so displays the Edit Deadline dialog box that Figure 7 shows.
Basically, you have three options when it comes to considering a deadline for a patch: Let users apply it whenever they want to; let users apply it whenever they want to, but force an installation if a certain date and time pass; or force an installation immediately. To let users apply the patch when they want, simply leave the Deadline field set to None when you select to install a patch. To ensure that users perform an installation by a specific date and time, set the deadline in the Edit Deadline dialog box. After the specified deadline has passed, users will be required to install the patch. Finally, to force a patch out throughout your organization as quickly as possible, simply set date and time values to the current date and time, and all systems will start working on the update as soon as possible.
Configuring Clients
You'll need to make some configuration changes to Automatic Updates clients so that they can receive patches deployed by WSUS. You must reconfigure the clients to talk with your WSUS server instead of the default Windows Update server that Microsoft manages. By default, the Automatic Updates client will always try to attach to Microsoft's Windows Update server. However, with WSUS, you're effectively running your own version of Windows Update, so you'll need to reconfigure the client accordingly.
If you've ever configured Automatic Updates before, you might be thinking that you don't remember seeing anywhere that you could add or change a server name. You're right; to make these changes, we'll need to go into the registry. Start the registry editor and navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows subkey. Under this subkey, you might find the WindowsUpdate subkey in your configuration. Don't worry if you don't see it; it might not exist on some systems because it isn't created by default. Create the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate subkey, if it doesn't already exist. This subkey will be the container for two values that we'll create: one to tell Automatic Updates that it should look for a WSUS server, and another to tell Automatic Updates where it can find the WSUS server.
Next, under the WindowsUpdate subkey, you'll need to create a subkey called AU, then, in the AU subkey, a REG_DWORD value called UseWUServer that has a value of 1 (true). This value tells Automatic Updates to use a custom WSUS server instead of the standard Windows Update server that Microsoft maintains.
While you're still in the AU subkey, create an additional value of type REG_DWORD and name it AUOptions. This value defines how you want the Automatic Updates client to behave: simply notify users that patches are available, notify and download the patches, or do a full installation. I recommend that you initially enter a value of 3 (notify and download); you can change the value later, if necessary.
Next, navigate back to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate subkey and add two REG_SZ values named WUServer and WUStatusServer. For both values, enter the URL for your WSUS server, as Figure 8 shows. These values tell Automatic Updates where it can find your custom WSUS server.
Of course, manually making registry changes to every workstation and server in your organization could be a considerable task. Therefore, I recommend that you use Group Policy to set these parameters, or distribute a .reg file within your organization (perhaps through a logon script) to apply the changes to each system you maintain.
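As an added example (not from the original article), the following PowerShell script applies the registry settings described above in one pass and then reads them back to confirm the client is pointed at the intended server; the WSUS URL is a placeholder, and the script assumes it is run with administrative rights.

```powershell
# Added example: configure the Automatic Updates client to use an internal WSUS server.
# Replace the placeholder URL with your own WSUS server before deploying.
$WsusUrl = 'http://wsus.example.local'   # placeholder value, not a real server

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# The WindowsUpdate and AU subkeys are not created by default, so create them if missing.
foreach ($key in @($wuKey, $auKey)) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
}

# REG_SZ values: where the client downloads patches from and where it reports status.
New-ItemProperty -Path $wuKey -Name 'WUServer'       -PropertyType String -Value $WsusUrl -Force | Out-Null
New-ItemProperty -Path $wuKey -Name 'WUStatusServer' -PropertyType String -Value $WsusUrl -Force | Out-Null

# REG_DWORD values: 1 = use the custom WSUS server; 3 = notify and download (change later if needed).
New-ItemProperty -Path $auKey -Name 'UseWUServer' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $auKey -Name 'AUOptions'   -PropertyType DWord -Value 3 -Force | Out-Null

# Read the values back. A client whose WUServer points anywhere other than your own WSUS
# server would accept patches from a server you do not control, so this check is worth
# running on every system after deployment, not just once.
$wu = Get-ItemProperty -Path $wuKey
$au = Get-ItemProperty -Path $auKey
$problems = @()
if ($wu.WUServer       -ne $WsusUrl) { $problems += "WUServer is '$($wu.WUServer)'" }
if ($wu.WUStatusServer -ne $WsusUrl) { $problems += "WUStatusServer is '$($wu.WUStatusServer)'" }
if ($au.UseWUServer    -ne 1)        { $problems += "UseWUServer is '$($au.UseWUServer)'" }
if ($au.AUOptions      -ne 3)        { $problems += "AUOptions is '$($au.AUOptions)'" }

if ($problems.Count -eq 0) {
    Write-Output "Automatic Updates is configured to use $WsusUrl"
} else {
    Write-Warning ("Unexpected WSUS client configuration: " + ($problems -join '; '))
}
```

The same settings can be delivered by Group Policy, as the article recommends; the read-back portion of the script remains useful on its own for spot-checking systems that should already be configured.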
While you're twiddling around in the registry to set these values, you might also want to change some of the other standard Automatic Updates client parameters. Those parameters, which Web Table 1 lists, are stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU subkey.
Worry-Free Patching
Now you can sit back, relax, and watch WSUS do all the patch-deployment work for you! As long as you have a correctly configured implementation, WSUS can retrieve patches for you, approve them, and require them to be installed throughout your organization. The headaches of patching are a thing of the past, and I know that I sleep a little better knowing that I have a tool like WSUS available to help me when I need it most.