Why you should upgrade to Windows Update Server (WSUS) 3.0

It is important that you keep your systems up-to-date with updates and security patches. If your system is not kept up-to-date, it may not run as reliable as it should and it would not be as resistant against viruses and other forms of DoS attacks.

You could manually login into each computer within your organization and go to the http://update.microsoft.com website to download and install the updates. Unfortunately, if you have 100s of computers, this approach is impractical because of the labor and because 100s of computers downloading patches also use valuable bandwidth. In addition, you often want a way to control what updates get applied since updates may cause problems with certain applications.

Another option is to configure each computer for automatic updates. To enable automatic updates, open the System Properties using the Control Panel and select the Automatic Updates tab. Select Automatic (recommended). Unfortunately, 100s of computers downloaded patches may use valuable bandwidth and you do not have a way to control which updates get applied or not.

To overcome these problems, you can setup a Windows Server Update Services (WSUS) server to provide a central point for client computers and servers to acquire updates. With WSUS, you can also update Microsoft Office, Microsoft SQL, Microsoft Exchange and other Microsoft applications.

WSUS is provided for free from Microsoft. A minimum requirement for a server to handle 500 clients would be a Pentium III processor with 1 GB of RAM. You will also need 1 GB disk space on the system volume and 30 GB for security packages. You will also need a SQL server. If you do not have a dedicated SQL server, you can download and install SQL Server 2000 Desktop Engine (MSDE) or SQL 2005 Express.

After WSUS is installed, the WSUS server will need to be able to communicate with the Microsoft update sites so that it can download the updates. To configure WSUS, you will be using the WSUS administration Web site located at http://servername/WSUSAdmin, where servername is the DNS name of the server on which WSUS is installed. You can also open Administrative Tools and click Microsoft Windows Server Update Services. To run the WSUS console, you must be a member of the WSUS Administrators or the local Administrators security groups on the server on which WSUS is installed.

These are the five primary administrative tasks for managing WSUS.

• Review status information, such as computers requiring updates.
• Review and approve updates for distribution to clients.
• Generate reports on the status of updates, computers, synchronization, and WSUS settings.
• Manage computers and computer groups.
• Configure WSUS options for synchronization, automatic approval, and assigning computers to groups.

By default, only critical updates and security updates are downloaded. You can select specific products and update classifications such as Microsoft Office, Microsoft Exchange, Microsoft SQL and so forth. You can also limit the versions of Windows that it will update and the languages that are available to limit the size of the database and archive of the updates.

To limit which computers get updates and which updates those computers, you define computer groups. This allows you to configure test computers for updates before rolling out updates to all computers. After a client computer makes contact with the WSUS server for the first time, it will be listed on the Computers page of the WSUS administration site. You must approve them to initiate deployment of updates. You then typically use group policies to configure how those updates are being pushed.

After the updates have been downloaded from Microsoft or another WSUS server, you will need to approve which updates will be propagated to the client computers. When you approve updates, you can choose to install, detect only, remove or decline. After detection, you can view how many computers do not have the update installed and need it. If the number of needed for an update is zero, then all client computers are up-to-date. The install approval option installed the update for the selected computers groups. By default, updates are not downloaded until they are approved for installation. Using the WSUS console, you can run reports to show how many computers have been updated, a list of those computers updated, the status of computers and synchronization results.

The newest version of WSUS is 3.0, which is far superior to previous versions, especially when installing the WSUS for larger organizations where the SQL server is its own dedicated box. I also need to point out that if you are WSUS to update both Windows and Office, there have been so many updates and updates to the updates released that there are some problems with earlier versions of WSUS to keep track of the updates that resulting in PC performance problems. In those cases, you should consider upgrading to 3.0.

For those who are taking the Windows Server 2003 Server exam, you may get a question about Software Update Service (SUS). SUS has been retired and replaced by WSUS. WSUS offers more updates than just Windows, provide reporting capabilities, and give administrators more control over the update process.

For some information on setting up the WSUS and a quick look at the group policies, you should considering purchasing70-290 Exam Cram: Managing and Maintaining a WIndows Server 2003 Environment 2nd Edition by by Dan Balter and Patrick Regan.