WSUS

1.What is WSUS?
2. The Architecture

Server and Client

3.History
4.The Scale
5. How to use the GPs

6.Requirements
7.Planning
8.Auditing and Security
9.Installation And
Configuration.
 downloading process, the
updates will be available to
windows systems. Then the pre-
configured windows update client
will download necessary updates
and if configured properly, will
install them. This service can be
distributed as required to scale to
fit the business level. The latest
WSUS available is WSUS 3.0 with
SP1. This is included with
Windows Server 2008. It has a
varietyof services. The most
significant improvement is that
there is no need to manage this
using the web browser. Instead,
we can configure it to control and
automate, which computer to
Background receive which updates.

This is the
Private version of MS update
service as they call it. As the
name implies it is used to
automatically download updates
to windows systems. T he most
important task of the service is to
Distribute updates with efficient
usage of the bandwidth and
offering total control to the
admins and ease there task.
When the service is up it will
connect to the to the Microsoft
Update site and with the approval
and the administratively
configured priority it will do the
rest. The best thing is that “ This
is fully automatic”. After the

The client component communicates
with the server by verifying the DS
using SHA1 hash algorithm, notifies
and installs if configured. And it can
restart the pc and automatically install
the updates by scheduling. It is able to
awake a pc from sleep mode also if the
hardware supports. (In the earlier OSs,
this client is known as Automatic
Update Client- in Windows XP and
Windows 2000.)
Scale and Architecture………
WSUS can be scale to fit and serve
small to multinational huge enterprises.
Scalability………....
Scalability is a vital factor for any
organization. So a Microsoft has
considered this fact also when
designing WSUS. Say that if you have a
regional office with more than 10
computers and each have an IT
department. Then you will need a
single WSUS server at each regional
office and separate servers for IT
departments that require control over
how updates are approved.
The best practice is to back-up the
server to avoid a failure situation. If a
failure occurs you have to replace the
server within a week. Though it doesn’t
affect on the users, it may not be able
to deal with the time-critical updates
which is required by the systems.
Designing the
Architecture.
When designing, you have to consider
the scale of the company.
Organization with a single office.
As we discussed earlier we can use a
single WSUS server regardless of the
number of client pcs. The design of the
WSUS is smart because it will wait until
the network not busy and it
intelligently shares the bandwidth with
other systems. AMAZING! So the
impact on the network is minimized.
Organizations with Multiple
Offices.
What happens with the company which
has multiple offices?
If we use a single server what happens
is, because of the usage of WAN links
to distribute the updates, especially
huge packets flowing through, the
overall performance of the link is
degraded. To avoid this we have to
configure a WSUS server at each
regional office to distribute updates for
busy clients. The best practice is to
mirror the hierarchy of the WAN.
 It is obvious to have the autonomy. You
have to do only a simple thing. Do not
configure servers as replica. Instead of
that configure each server as
autonomous systems to allow
approval and management at each
specific server.

US

UK Russia

South Africa
Sri Lanka
India

This illustrates the hierarchy. The

efficient way to handle updates. (With
out autonomy)

Now in this hierarchy the one who gets

the updates directly from Microsoft is
the US Server.

Other would be configured as replicas.

The downstream servers would pull the
updates from the upstream servers. If
there is an office that is located at a far
away, connect it to the nearest WSUS
server. Or if it has fast internet
connection download updates directly
from the Microsoft servers.

Organizations with Multiple IT

Departments.

Practical And Practice.
HOW THE GROUP POLICY
ENFORCES WSUS…………
……
Group policy is the best way to
distribute the settings . These settings
are located at ……
• Type Start
• Then type R
• In the box type Gpedit.msc
• Expand Computer
Configurations\Policies\Administrativ
e Templates\ Windows
components\Windows Updates.
• There you can see some
properties………
• Specify Intranet Windows
Update Location
Specifies a WSUS server to host
updates from the Microsoft Update
Web sites.
• Configure Automatic Updates…
……
Specifies whether this computer
will receive security updates and
other important downloads
through the Windows automatic
updating. Also this can be
configured to allow prompting
users to download or to automate
the download task
• Automatic Update Detection
Frequency Specifies the hours
that Windows will use to determine
how long to wait before checking
for available updates. The exact
wait time is determined by using
the hours specified here minus
zero to twenty percent of the hours
specified. By default it is a random
time between 17 hours and 22
hours.
• Allow Non-Administrators To
Receive Update Notifications
Specifies whether, when logged
on, non-administrative users will
receive update notifications based
on the configuration settings for
Automatic Updates. Non
Administrators can use WU Client.
• Allow Automatic Updates
Immediate Installation
Specifies whether the Automatic
Updates should automatically
install certain updates that neither
interrupt Windows services nor
restart Windows.
• Turn on Recommended
Updates Via Automatic
Updates
Determines whether the client pcs
install both recommended and
critical updates. This driver
updates.
• No Auto-Restart For Scheduled
Automatic Updates
Specifies that to complete the
installation the restarting should
be done by a logged on user.
• Re-Prompt For Restart With
Scheduled Installations
Specifies how often the prompting
procedure occurs. Other configs
 might delay this. But, WUC will
prompt the use the user in the way
which the frequency is configured
• Delay Restart For Scheduled
Installations.
• UPDATE SOURCE-As we discussed
WUC wait-time before restarting.
• Reschedule Automatic Updates
Scheduled Installations
Wait-time after the system started,
to begin the missed installation. If
not specified after a minute from
the boot, it will begin.
• Enable Client-Side Targeting
• APPROVAL AND CONFIGURATION
Specifies which group the
computer belongs. This can not be
used with SUS
• Enables Windows Power
Management To Automatically
Wake Up The System To Install
Scheduled Updates
If there are supported hardware,
by configuring this option the
computers will automatically start
up and install the updates if and
only if there is an update available.
• Allow Signed Updates From An
Intranet Microsoft Update
Service Location
Verifies XP SP1 or other OS verifies
that the certificate is a signed one-
Microsoft or None-Microsoft.
Additionally there are some more
options available in User
Configurations.
An important one is Remove
Access To All Windows Update
Feature.
Planning The
Installation
earlier, we have to consider the
bandwidth issues. I f we are about
to use a high speed LAN, it s good
to configure one WSUS server to
download updates from one of
Microsoft’s Servers to retrieve
updates from that Server. Or you
can configure each server to use
the internet to update themselves
REPLICA
If you are planning to use a
hierarchy, you
can choose to synchronize
approval, settings, computers and
groups from a parent server, and
this is called a replica.
Or you can configure to obtain
complete autonomy.(If you have
more than one IT department).
Update Storage
If u choose to install updates
locally, WSUS server will require at
least 6GB and this will vary
depending of the languages and
the clients will also reduce
bandwidth by downloading
updates across LAN.
Database
Installations require at least 3GB of
windows internal database.
Typically it is 1GB.
Website Selection.
WSUS requires IIS, because it uses
http or https if u configured
certificates.
You can us the default site or you
can create one.
Languages and Products
Selection.
You have to decide the languages
ad products which you have
currently installed such as ISA.
 Deploying Updates
With WSUS Configuring IIS 7.0
After installing IIS 7.0 on Windows Server 2008,
you will need to update the IIS configuration file.
Exercise1 Install WSUS 1. Open the IIS configuration file:
1. Download and install WSUS %WINDIR%\system32\inetsrv\applica
on Dcsrv1 following the tionhost.config
instructions at 2. In the <system.webServer><modules>
http://www.microsoft.com/W tag, remove <add
SUS. name="CustomErrorModule">, if it is
present.
To install IIS 7.0 on Windows Server 2008 3. In the <system.webServer><modules>
1. Start the Server Manager (click Start, click tag, add <remove
Run, and then type CompMgmtLauncher). name="CustomErrorModule">.
2. In the tree view, select Roles, then in the Roles The resulting tag should look like this:
pane click Add Roles. <system.webServer>
<modules>
3. In the Add Roles Wizard, click Select Server <remove name="CustomErrorModule">
</modules>
Roles, select the Web Service (IIS) check box, </system.webServer>
click Next, and then click Next again.
At this time you may see a message box Add
features required for Web Server (IIS)? Click 2. Click Start->Administrative
Add Required Features. Tools->Microsoft Windows
4. In the Select Role Services window, make sure Update Service.
that the following services are selected: 3. The Update Console
•Common HTTP Features (including Static Appears.
4. Select the computer Dcsrv1.
Content)
•ASP.NET, ISAPI Extensions, and ISAPI In the details panel clicks
Synchronize Now.
Features (under Application Development)
•Windows Authentication (under Security)
•IIS Metabase Compatibility (under
Management Tools, expand IIS 6
Management Compatibility)

5. Click Next, and then review your selections.

6. Click Install.

2.Configuring Client
Computers To
Retrieve Updates
Note:-
Client self-update
WSUS uses IIS to update most client computers
automatically to WSUS-compatible Automatic
Updates software. To accomplish this, WSUS
Setup creates a virtual directory named
Selfupdate under the Web site running on port 80
of the WSUS server. This virtual directory, called
the self-update tree, contains the WSUS-
compatible Automatic Updates software.
Using the WSUS custom Web
site
If you configure WSUS on a custom port, you
must have a Web site running on port 80. The
Web site on port 80 does not have to be dedicated
to WSUS. In fact, WSUS uses the site on port 80
only to host the self-update tree.
Malicious programs can target port 80 for HTTP
traffic. If WSUS is using a custom port, you can
temporarily shut down port 80 throughout your
network, but still be able to distribute updates to
combat malicious programs.
If you already have a Web site on the computer
where you intend to install WSUS, you should
use the setup option for creating a custom Web
site. This option puts the WSUS Web site on
port 8530. This port is not configurable.
If you change the WSUS port number after
WSUS installation, you must manually restart the
IIS service.
Accessing WSUS on a custom port
If WSUS is using a custom port to communicate
with clients, you must use a custom URL to
access the WSUS Web service. Use the following
instructions to configure WSUS when it is
running on port 8530.
•Include a custom port number in the URL
directing the client computer to the WSUS
server (for example,
http://WSUSServerName:portnumber).
• Open GPO.
• Go to Computer
Configurations\Policies\Administrativ
e Templates\ Windows
components\Windows Updates.
• In details panel, double click
Specify Intranet Windows
Update Location
• Select Enable. In both the set
Intranet Update Service For
Detecting Updates box and set
the Intranet Statistics Server Box,
type http://Dcsrv1. Click ok.
• Double click, Configure Automatic
Updates dialog box appears.
• Select Enabled.