Keeping Your Network Updated With WSUS.
You’ve got a couple of options:
- Allow each user to go to Windows Update and select and install their own updates. That would put an enormous strain on your network, since each update is downloaded 500 times, and you have to rely on the users actually doing it.
- Configure Automatic Updates on each machine. This still strains your network, and you don’t know what is really being installed.
- Do nothing and hope for the best.
A better option is to use the free Windows Server Update Services from Microsoft to install a Windows Update server on your internal network. This allows all your clients and servers to get their updates from the local WSUS server. There are numerous benefits to using WSUS:
- It saves bandwidth since each update is only downloaded once from the Internet and then stored locally.
- It allows you to investigate and authorize updates before they are installed.
- You can group your machines and install different updates to different groups.
- You can force the machines to only use your local WSUS server and not allow users to download updates from Windows Update.
- You can force updates to be installed within a specific timeframe.
- You can use WSUS to update Office, Exchange, SQL, ISA and other Microsoft products.
- The whole thing can be controlled using Group Policy.
- You can create detailed reports showing which updates are needed by which machines.
- The WSUS software is free!
All you need is a moderately powered Windows Server 2003 box to run it on (Remember, most of the month the machine won’t be doing anything). Installing and configuring WSUS is not complicated and there are many, many articles available about how to do it.
Once you have your WSUS server set up, you can use Group Policy to force the clients to use it and configure how and when they install updates. All you need to do is analyze and approve the updates when they are released and assign them to the groups you created. WSUS handles notifying the clients and pushing the updates out to them.
The WSUS team maintains a blog with some good information (although it’s not updated that often).
Using WSUS gives you complete control over keeping your network updated. If you run a really large network, you should check out the new System Center Configuration Manager 2007, which is the updated version of SMS. It is a full-featured network management system that does update management and much, much more.
Download WSUS 3.0



about 4 years ago
Once you set it up, WSUS is a great tool and resource. It can be used for AD or workgroup machines. It has also proven very helpful in a network not connected to the Internet and instances where the server gets net and the workstations don’t, like in a school lab or whatnot. Thank you for the reminder to set mine up. It was in my New Year’s resolution list. I should just add it back to this year’s.
Do you have a good batch file or command to edit the registry for a workgroup machine to use the WSUS server?
about 4 years ago
ninjaadmin – I’ve only used WSUS in a domain. Check out these articles.
http://www.windowsnetworking.com/kbase/
WindowsTips/Windows2003/AdminTips/Admin/
DeployWSUSUpdatestoaWorkgroup.html
http://msmvps.com/blogs/athif/archive/
2005/09/14/Manually_Configure_WUA.aspx
(Both of those URLs are wrapped because they were getting cut off)
HTH
Peter
about 4 years ago
@Ninja here is a script you need to cut and paste into Notepad.
Then save it as a .reg file and then run it on any machine you want to add to your WSUS roster. Replace the 192.168.x.x with your WSUS server IP; the stuff below are the options we use on our domain.
Windows Registry Editor Version 5.00

; 192.168.x.x is a placeholder: replace it with the address of your WSUS server
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://192.168.x.x"
"WUStatusServer"="http://192.168.x.x"
"ElevateNonAdmins"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
; AUOptions 4 = download automatically and install on the schedule below
"AUOptions"=dword:00000004
; Day 2 = Monday, time 0x0c = 12:00
"ScheduledInstallDay"=dword:00000002
"ScheduledInstallTime"=dword:0000000c
"UseWUServer"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000001
"RescheduleWaitTime"=dword:00000005
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
; DetectionFrequency 1 = check the server for updates every hour
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000001
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RebootRelaunchTimeout"=dword:00000005
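An added example, not part of the original comment or of Microsoft's tooling: a PowerShell check over the policy values that the .reg file above writes, flagging the settings that decide where updates come from and who may approve them, and decoding the hex schedule. The function names `Get-PolicyValues` and `Test-WsusClientPolicy` and the finding texts are assumptions, the sample hashtables are constructed from the values in the comment, and `DisableWindowsUpdateAccess` is a real policy value that the comment's file does not set.

```powershell
# Added example: audits the WSUS client policy values set by the .reg file above.
# Function names and finding texts are illustrative assumptions.
function Get-PolicyValues([string]$Path) {
    $h = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($n in $key.GetValueNames()) { $h[$n] = $key.GetValue($n) }
    }
    return $h
}

function Test-WsusClientPolicy([hashtable]$WU, [hashtable]$AU) {
    $findings = @()
    if ($AU['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: WUServer is ignored'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = [string]$WU[$name]
        if (-not $url) { $findings += "$name is not set" }
        elseif ($url -notmatch '^https://') {
            $findings += "$name is not HTTPS ($url): traffic to the server is unprotected in transit"
        }
    }
    if ($WU['WUServer'] -ne $WU['WUStatusServer']) {
        $findings += 'WUServer and WUStatusServer differ: both must hold the same value'
    }
    if ($WU['ElevateNonAdmins'] -eq 1) {
        $findings += 'ElevateNonAdmins is 1: non-administrators can approve or disapprove updates'
    }
    if ($WU['DisableWindowsUpdateAccess'] -ne 1) {
        $findings += 'DisableWindowsUpdateAccess is not 1: users can still reach Windows Update features'
    }
    # ScheduledInstallDay: 0 = every day, 1-7 = Sunday-Saturday; time is the hour (0-23)
    $days = 'every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
    $schedule = 'not scheduled (AUOptions is not 4)'
    if ($AU['AUOptions'] -eq 4) {
        $schedule = '{0} at {1:00}:00' -f $days[[int]$AU['ScheduledInstallDay']], ([int]$AU['ScheduledInstallTime'])
    }
    [pscustomobject]@{ Schedule = $schedule; Findings = $findings }
}

# Constructed sample mirroring the values in the comment above (placeholder address kept)
$wu = @{ WUServer = 'http://192.168.x.x'; WUStatusServer = 'http://192.168.x.x'; ElevateNonAdmins = 1 }
$au = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 2; ScheduledInstallTime = 0x0c }
Test-WsusClientPolicy -WU $wu -AU $au | Format-List

# On a live client, read the real values instead:
# $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Test-WsusClientPolicy -WU (Get-PolicyValues $base) -AU (Get-PolicyValues "$base\AU")
```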
about 4 years ago
PD – can you tell me more about System Center Configuration Manager 2007? What’s SMS?
about 4 years ago
AlfredE – I don’t know much about SMS. My network isn’t large enough to warrant it.
I can tell you it is a very sophisticated network management tool. It will do updates, but that is just the start of it. It does software and hardware inventories, software deployment, OS deployment, reporting and much more. The current version of SMS is being replaced with System Center Configuration Manager 2007.
You can get more information and a trial here.
about 4 years ago
Oh, thank you PD for getting back to me. I have looked into this but have not found any definitive answers on what this can do for my 300 computer domain.
I am going to see if I can find some more information, and if you do find out anything can you update this here? Thank you again. I am from India, how about you?
about 4 years ago
USA!
about 3 years ago
I know this is an old thread… but I am still confused about something: we have a WSUS server, but any user can click on Windows Update or Microsoft Update and bypass the WSUS? I’m sure this cannot be right… Surely those links should point to the WSUS? Can someone please clarify?
about 3 years ago
That can be disabled via Group Policy or redirected.
about 3 years ago
http://technet.microsoft.com/en-us/library/cc720539.aspx
about 3 years ago
Thanks guys, I have it all sorted now… The problem was that we set up users to be local Admins and if you are a local admin then you bypass the WSUS when you click the Windows Update link.
Thanks Again
about 3 years ago
Good to know. Thanks for getting back to us Henry and letting us know the outcome!