


Keeping Your Network Updated With WSUS.

Written by Karl L. Gechlik | AskTheAdmin.com on August 28, 2007 – 8:15 am -

So you’ve just finished rolling out 500 new desktops using disk imaging. How are you going to keep them updated? As you know, Microsoft releases updates on the second Tuesday of each month. You need a way to approve and install these updates on all your desktops and servers, and you need to do it quickly because the time between release of the update and an exploit being developed is shrinking.

You’ve got a couple of options:

  1. Allow each user to go to Windows Update and select and install their own updates. That would put an enormous strain on your network, since each update is downloaded 500 times, and you would have to rely on the users actually doing it.
  2. Configure Automatic Updates on each machine. This still strains your network, and you don’t know what is really being installed.
  3. Do nothing and hope for the best.

A better option is to use the free Windows Server Update Services from Microsoft to install a Windows Update server on your internal network. This allows all your clients and servers to get their updates from the local WSUS server. There are numerous benefits to using WSUS:

  1. It saves bandwidth since each update is only downloaded once from the Internet and then stored locally.
  2. It allows you to investigate and authorize updates before they are installed.
  3. You can group your machines and install different updates to different groups.
  4. You can force the machines to only use your local WSUS server and not allow users to download updates from Windows Update.
  5. You can force updates to be installed within a specific timeframe.
  6. You can use WSUS to update Office, Exchange, SQL, ISA and other Microsoft products.
  7. The whole thing can be controlled using Group Policy.
  8. You can create detailed reports showing which updates are needed by which machines.
  9. The WSUS software is free!

All you need is a moderately powered Windows Server 2003 box to run it on (remember, most of the month the machine won’t be doing anything). Installing and configuring WSUS is not complicated, and there are many articles available about how to do it.

Once you have your WSUS server set up, you can use Group Policy to force the clients to use it and configure how and when they install updates. All you need to do is analyze and approve the updates when they are released and assign them to the groups you created. WSUS handles notifying the clients and pushing the updates out to them.

The WSUS team maintains a blog with some good information (although it’s not updated that often).

Using WSUS gives you complete control over keeping your network updated. If you run a really large network, you should check out the new System Center Configuration Manager 2007, which is the updated version of SMS. It is a full featured network management system that does update management and much, much more.

Download WSUS 3.0

We also covered third-party programs that will keep your small workgroup or individual computers updated via Firefox here.


7 Responses to “Keeping Your Network Updated With WSUS.”

  1. By ninjaAdmin on Aug 28, 2007 | Reply

    Once you set it up, WSUS is a great tool and resource. It can be used for AD or workgroup machines. It has also proven very helpful in a network not connected to the Internet and in instances where the server gets net access and the workstations don't, like in a school lab or whatnot. Thank you for the reminder to set mine up. It was in my New Year's resolution list. I should just add it back to this year's.

    Do you have a good batch file or command to edit the registry for a workgroup machine to use the WSUS server?

  2. By PD on Aug 28, 2007 | Reply

    ninjaadmin - I’ve only used WSUS in a domain. Check out these articles.

    http://www.windowsnetworking.com/kbase/
    WindowsTips/Windows2003/AdminTips/Admin/
    DeployWSUSUpdatestoaWorkgroup.html

    http://msmvps.com/blogs/athif/archive/
    2005/09/14/Manually_Configure_WUA.aspx

    (Both of those URLs are wrapped because they were getting cut off)

    HTH
    Peter

  3. By Karl L. Gechlik on Aug 28, 2007 | Reply

    @Ninja, here is a script you need to cut and paste into Notepad.

    Then save it as a .reg file and run it on any machine you want to add to your WSUS roster. Replace the 192.168.x.x with your WSUS server IP; the stuff below it is the options we use on our domain.

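    Windows Registry Editor Version 5.00

    ; Point the Automatic Updates client at the internal WSUS server.
    ; Replace 192.168.x.x with the WSUS server IP; both URLs must be the same.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://192.168.x.x"
    "WUStatusServer"="http://192.168.x.x"
    "ElevateNonAdmins"=dword:00000001

    ; AUOptions 4 = download automatically and install on the schedule below.
    ; ScheduledInstallDay 2 = Monday, ScheduledInstallTime 0x0c = 12:00.
    ; UseWUServer 1 makes the client use WUServer instead of Windows Update.
    ; DetectionFrequency is in hours; the wait and relaunch timeouts are in minutes.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000000
    "AUOptions"=dword:00000004
    "ScheduledInstallDay"=dword:00000002
    "ScheduledInstallTime"=dword:0000000c
    "UseWUServer"=dword:00000001
    "RescheduleWaitTimeEnabled"=dword:00000001
    "RescheduleWaitTime"=dword:00000005
    "NoAutoRebootWithLoggedOnUsers"=dword:00000001
    "DetectionFrequencyEnabled"=dword:00000001
    "DetectionFrequency"=dword:00000001
    "AutoInstallMinorUpdates"=dword:00000001
    "RebootRelaunchTimeoutEnabled"=dword:00000001
    "RebootRelaunchTimeout"=dword:00000005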
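An added example, not part of the comment above or of the site's own material: a small Python check that parses a .reg file of this shape before it is rolled out to workgroup machines, decodes the schedule, and reports settings that would leave a client unpatched or fetching updates over plain HTTP. The host name `wsus.example.internal` and the function names are assumptions made for the example.

```python
import re
HEADER = "Windows Registry Editor Version 5.00"
# Constructed sample input; wsus.example.internal is a placeholder host name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.example.internal"
"WUStatusServer"="http://wsus.example.internal"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000002
"ScheduledInstallTime"=dword:0000000c
"UseWUServer"=dword:00000001
'''
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return ({value name: str or int}, [problems]) for the text of a .reg file."""
    values, problems = {}, []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != HEADER:
        problems.append("missing header line: " + HEADER)
    for line in lines:
        if line == HEADER or line[0] in "[;":  # header, key path, comment
            continue
        m = LINE.match(line)
        if "\u201c" in line or "\u201d" in line:
            problems.append("typographic quotes (not valid .reg syntax): " + line)
        elif m is None:
            problems.append("unparseable line: " + line)
        else:
            values[m.group(1)] = int(m.group(3), 16) if m.group(3) else m.group(2)
    return values, problems

def audit(text):
    """Parse the file, then check the settings that decide where updates come from."""
    v, problems = parse_reg(text)
    if v.get("UseWUServer") != 1:
        problems.append("UseWUServer is not 1, so WUServer is not used")
    if v.get("WUServer") != v.get("WUStatusServer"):
        problems.append("WUServer and WUStatusServer differ")
    if str(v.get("WUServer", "")).lower().startswith("http://"):
        problems.append("WUServer uses plain HTTP rather than HTTPS")
    return v, problems

def schedule(v):
    """Readable install schedule, or None unless AUOptions is 4 (scheduled install)."""
    return "%s at %02d:00" % (DAYS[v["ScheduledInstallDay"]], v["ScheduledInstallTime"]) if v.get("AUOptions") == 4 else None
```

Text pasted from a web page often carries curly quotes, which `audit` reports line by line so they can be replaced before the file is imported.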

  4. By AlfredE on Aug 28, 2007 | Reply

    PD - can you tell me more about System Center Configuration Manager 2007? What's SMS?

  5. By PD on Aug 29, 2007 | Reply

    AlfredE - I don’t know much about SMS. My network isn’t large enough to warrant it.

    I can tell you it is a very sophisticated network management tool. It will do updates, but that is just the start of it. It does software and hardware inventories, software deployment, OS deployment, reporting and much more. The current version of SMS is being replaced with System Center Configuration Manager 2007.

    You can get more information and a trial here.

  6. By AlfredE on Aug 30, 2007 | Reply

    Oh thank you PD for getting back to me. I have looked into this but have not found any definitive answers on what this can do for my 300 computer domain.

    I am going to see if I can find some more information. And if you do find out anything, can you update this here? Thank you again. I am from India, how about you?

  7. By Anonymous on Sep 2, 2007 | Reply

    USA!
