Installing and Configuring a Software Update Infrastructure


One of the challenges most network administrators face is the need to distribute software updates to servers and workstations. In small environments, visiting each computer to perform the installation of an update might take only a few hours. However, in medium to large networks, administrators need a secure, reliable, and efficient way of distributing updates as they are released.

One of the options available for distributing updates is Software Update Services (SUS). SUS consists of two components: the server and the client. The server (which can be running Windows 2000 or Windows Server 2003) downloads updates from Microsoft and stores them locally. As soon as the updates are posted to the Windows Update site, they are downloaded and the network administrator is notified that they are available. The clients can then download the updates from the server instead of retrieving them from the Windows Update site. One of the benefits of using SUS is that updates can be tested before being deployed. This eliminates the possibility that clients will download updates before they have been tested and approved by the network administrator.

Note

Microsoft has recently updated SUS and it is now replaced by Windows Server Update Services (WSUS). You can read more about this product on the Windows Server Update Services website (http://www.microsoft.com/windowsserversystem/updateservices/default.mspx). The information in the following section pertains to both SUS and WSUS.


Installing and Configuring Software Update Services

Software Update Services (SUS) is installed on a server to centralize the distribution of software updates. Before you install SUS, make sure that the computer meets the hardware and software requirements outlined in the following lists:

  • Pentium III 700MHz

  • 512MB of RAM

  • 6GB free space to store updates

Note

A computer running SUS with the minimum hardware requirements listed here is capable of supporting up to 15,000 clients.


The software requirements to run SUS are as follows:

  • Windows 2000 SP2 or higher, or Windows Server 2003

  • IIS 5.0 or higher

  • Internet Explorer 5.5 or higher

Also keep in mind that SUS must be installed on an NTFS partition. The system partition of the SUS host must also be formatted with NTFS. If the computer does not meet the software requirements just outlined, the SUS setup program will not permit you to install the software.

Installing Software Update Services

After you have determined that your computer meets all the requirements, you are ready to begin the installation of SUS. The software can be downloaded for free from Microsoft's website.

After SUS has been downloaded, you can run setup using the following steps:

1. Double-click the executable called Sus10sp1.exe. This launches the setup program for Software Update Services with Service Pack 1. Click Next.

2. Accept the licensing agreement and click Next.

3. Select the type of installation. Performing a typical installation installs SUS with the default settings. Click Next.

4. The next window displays the URL that clients will use to connect to the SUS server. Click Install.

5. Click Finish. The SUS administration website opens, from which you can configure your SUS server.

Configuring Software Update Services

If you choose a typical installation, the SUS server is automatically configured with specific default settings:

  • The SUS server is configured to retrieve software updates from the Microsoft Windows Update servers.

  • The proxy server configuration is set to automatically detect settings.

  • Content that is downloaded is stored locally.

  • All packages are available in all supported languages.

  • Any approved packages that are later updated are not automatically approved.

  • Clients locate the server using its NetBIOS name.

If the default settings are sufficient, you do not need to reconfigure the SUS server. If you need to make configuration changes, an SUS server can be configured using the SUS web administration tools. You can access the administration tools in two ways. You can access the administration site using the following URL: http://<servername>/SUSAdmin. You can also access the web page by clicking Start, Administrative Tools, and selecting Microsoft Software Update Services (see Figure 4.7). To begin configuring the SUS server, click the Set Options link.

Figure 4.7. Microsoft Software Update Services Administration website


From the Set Options page shown in Figure 4.8, you can configure three different options. Under Select a Proxy Server Configuration, you can specify how the SUS server accesses the Internet.

Figure 4.8. The Set Options page


Choose one of the following options based on your network configuration:

  • Do Not Use a Proxy Server to Access the Internet: Select this option if the SUS server does not use a proxy server to connect to the Internet.

  • Use a Proxy Server to Access the Internet: Select this option if the SUS server accesses the Internet through a proxy server.

  • Automatically Detect Proxy Server Settings: Select this option if your network supports automatic discovery of proxy server settings.

  • Use the Following Proxy Server to Access the Internet: Select this option if the network does not support automatic configuration of proxy settings. Specify the address or port number of the proxy server. You can also specify the user account and password that the SUS server should use if credentials are required.

The next section enables you to specify the name that clients will use to locate the SUS server. You can specify the NetBIOS name of the SUS server, or, if clients on the network do not support NetBIOS, you can specify the DNS name or the IP address.

The final section on the Set Options window enables you to configure the location from which the SUS server will get software updates. An SUS server can retrieve software updates directly from Microsoft, or it can retrieve them from another SUS server. To have the SUS server retrieve updates from Microsoft, select Synchronize Directly from the Microsoft Windows Update Servers. To have the SUS server retrieve updates from another SUS server, select Synchronize from a Local Software Update Services Server and specify the name of the server.

An administrator can also change how the SUS server handles updated content. This enables you to specify what the SUS server should do when software packages that are previously approved are updated. You can select from two options:

  • Automatically Approve New Versions of Previously Approved Updates.

  • Do Not Automatically Approve New Versions of Previously Approved Updates. I Will Manually Approve These Later.

If you want to test an update before it is downloaded and installed by clients, you should select the second option (Do Not Automatically Approve New Versions of Previously Approved Updates. I Will Manually Approve These Later). This means that any software packages that you previously approved but that have been updated by Microsoft require approval again by the administrator before clients can install them.

When an SUS server connects to the Microsoft Windows Update site, it can download two types of content. First, it downloads a file that describes the list of packages (Aucatalog1.cab). Second, it downloads the actual software packages.

As an administrator, you can choose whether the SUS server should download the packages or just the catalog file. If the SUS server downloads only the catalog file, any clients that are configured for Automatic Updates first check the list of approved packages from the local SUS server and then connect to the Windows Update servers to download the approved packages. You can also choose to download the packages and store them locally on the SUS server. If the updates are stored locally on the SUS server, any clients configured for Automatic Updates will download the approved software packages directly from the local SUS server. On this screen, you can also specify the locales that will be downloaded by selecting each language that you need to support on the network.

Installing and Configuring Automatic Client Update Settings

For SUS to work, clients need to install a special version of Automatic Update software. When the updated version of Automatic Update is installed, clients can download updates from a server running SUS, and the updates can be installed at a preconfigured interval. The updated version of Automatic Update can run on Windows 2000 and later platforms.

Installing Automatic Client Update

The Automatic Update client can be installed in a number of ways. You can run the setup locally on each client computer, or you can choose to perform a centralized deployment. Installing the client locally is a very simple process. Simply download the client from Microsoft's website and run the WUAU22.msi file. To install the client automatically using Active Directory, perform the following steps:

1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.

2. Right-click the appropriate Organizational Unit and click Properties.

3. From the Group Policy tab, click Edit to use an existing group policy object, or click New to create a new one.

4. Under Computer Configuration, select Software Settings.

5. Right-click Software Installation, point to New, and click Package.

6. Locate the WUAU22.msi file and click Open.

7. The Deploy Software window appears. Click Assigned and click OK.

Configuring Automatic Client Update Settings

After you've installed the Automatic Updates software, you can configure the settings using the software interface on the client or through a Group Policy Object.

A few steps must be completed before you can configure Automatic Updates via a Group Policy Object. First, you must load the Automatic Update policy settings template. To do so, open the appropriate Group Policy Object. Under either Computer Settings or User Settings, right-click Administrative Templates and click Add. Type in the name for the Automatic Updates ADM file (WUAU.adm) located in the Windows\inf directory and click Open.

After you have completed these steps, you can begin configuring the Automatic Updates Group Policy Object settings for clients on the network. Table 4.1 summarizes the settings that are available (see Figure 4.9).

Figure 4.9. Automatic Update group policy settings


Table 4.1. Automatic Update Settings

Group Policy Setting: Description

  • Configure Automatic Updates: Three options are available:

      • Notify for Download and Notify for Install: An administrative user (member of the Local Administrators group) is notified before the download and installation of any updates. This means that an administrator must approve any new updates before they are downloaded and installed.

      • Auto Download and Notify for Install: Updates are automatically downloaded, and an administrative user is notified before installation.

      • Auto Download and Schedule the Install: Updates are automatically downloaded and scheduled for installation.

  • Specify Intranet Microsoft Update Service Location: With this option, administrators can define the SUS server from which clients will retrieve updates. You can also specify which server clients will send statistics to, such as the successful installation of an update.

  • Reschedule Automatic Updates Scheduled Installation: If automatic updates are configured to install at a particular time and the scheduled time passes, an administrator can use this option to configure when the installation will occur next.

  • No Autorestart for Scheduled Automatic Updates Installation: This option can be used to prevent Automatic Updates from restarting a computer when a user is logged on.


If an environment does not employ Active Directory, Automatic Update settings can be configured only by instituting various Registry entries to make the needed changes.

To define which SUS server clients should use to retrieve updates and to which they should send status information, add the following entries under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:

  • WUServer: This specifies the location of the server from which updates will be downloaded. The SUS server is identified by HTTP name, such as http://SUSserver.

  • WUStatusServer: This specifies the location of the server to which the client will send status information. Again, the server is identified by HTTP name.

To configure other settings, such as the day and time that updates should occur, add the following entries under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:

  • UseWUServer: This specifies that the client must use an SUS server to obtain updates. Set the value to 1 for Automatic Updates on the client to use an SUS server.

  • AUOptions: Use this option to configure whether the local administrator should be notified of downloads and installations, as well as whether updates should be installed on a defined schedule. The possible values are 2 (notify of download and installation), 3 (automatically download and notify of installation), or 4 (automatic download and schedule installation).

  • ScheduledInstallDay: This defines the day that updates should be installed. The values range from 0 to 7, where 0 indicates every day and 1 through 7 indicate specific days of the week (1 = Sunday and 7 = Saturday).

  • ScheduledInstallTime: This defines the time of day that updates should be installed. The value is specified in 24-hour format.

  • RescheduleWaitTime: This defines when updates should occur when the predefined scheduled time has passed. The value is specified in minutes (1 to 60).

  • NoAutoRebootWithLoggedOnUsers: This defines whether Automatic Updates can reboot a computer when a user is logged on. Set this value to 1 to enable the logged-on user to choose whether to reboot the computer.

  • NoAutoUpdate: This enables or disables automatic updates.
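
Because a client installs whatever the server named in WUServer offers, these values are worth auditing as well as setting. The following PowerShell sketch is an added example, not part of the original text: it reads the two keys listed above and reports values that are missing, out of range, or pointing at an unexpected server. The function names and the sample data are illustrative; the 0-23 range for ScheduledInstallTime and the meaning NoAutoUpdate = 1 (disabled) are assumptions the list above does not spell out.

```powershell
# Added example: key paths and value names are the ones listed above.
# Get-AUPolicy, Test-InRange, Test-AUPolicy and the sample values are illustrative.
$WUKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-AUPolicy {
    # Merge the values under ...\WindowsUpdate and ...\WindowsUpdate\AU into one table.
    $policy = @{}
    foreach ($path in $WUKey, "$WUKey\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $policy[$_.Name] = $_.Value }
        }
    }
    $policy
}

function Test-InRange($Value, [int]$Min, [int]$Max) {
    # A missing value ($null) is never in range.
    ($null -ne $Value) -and ($Value -ge $Min) -and ($Value -le $Max)
}

function Test-AUPolicy {
    param([hashtable]$Policy, [string]$ExpectedServer)
    $findings = @()
    if ($Policy.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1; the SUS server is not used' }
    if ($Policy.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate is 1; Automatic Updates is disabled' }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ($Policy[$name] -ne $ExpectedServer) {
            $findings += "$name is '$($Policy[$name])', expected '$ExpectedServer'"
        }
    }
    if (-not (Test-InRange $Policy.AUOptions 2 4)) { $findings += 'AUOptions must be 2, 3 or 4' }
    if ($Policy.AUOptions -eq 4) {
        # The schedule values only matter when installation is scheduled.
        if (-not (Test-InRange $Policy.ScheduledInstallDay 0 7)) { $findings += 'ScheduledInstallDay must be 0-7' }
        if (-not (Test-InRange $Policy.ScheduledInstallTime 0 23)) { $findings += 'ScheduledInstallTime must be 0-23' }
    }
    $wait = $Policy.RescheduleWaitTime
    if (($null -ne $wait) -and -not (Test-InRange $wait 1 60)) { $findings += 'RescheduleWaitTime must be 1-60 minutes' }
    $findings
}

# Constructed sample standing in for Get-AUPolicy output from a misconfigured client.
$sample = @{ WUServer = 'http://SUSserver'; WUStatusServer = 'http://OtherServer'
             UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 9; ScheduledInstallTime = 3 }
Test-AUPolicy -Policy $sample -ExpectedServer 'http://SUSserver'
```

On a live client, pass the output of Get-AUPolicy instead of the sample table; an empty result means every checked value matched.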



Exam Cram(c) 70-291 Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure
ISBN: 131516345
EAN: N/A
Year: 2006
Pages: 126