Lesson 2: Automating Updates with Microsoft Software Update Services
While you can download and install hotfixes and service packs manually, Windows 2000 also supports automated methods to simplify this process. These include the following methods:
Windows Update is a Web-based interface that displays updates for a computer and allows users to install their choice of updates.
Automatic Updates is a feature of Windows Update that notifies users of critical updates and optionally installs updates automatically.
Software Update Services (SUS) provides a service similar to Windows Update for enterprises and allows administrators to manage the installation of available updates.
Update computers using Windows Update and Automatic Updates
Install and manage Software Update Services
Configure clients to update through Software Update Services
Using Windows Update
Windows Update is a Web-based service that scans the local computer, determines which updates have not been installed, and then displays potential updates and provides a convenient interface for installing them.
Accessing Windows Update
You can access the Windows Update site with the shortcut installed by default in the Start menu, or by going to the Windows Update site at http://windowsupdate.microsoft.com/. Once the site is displayed, you click the Scan For Updates link to scan the computer.
After the scan completes, Windows Update displays a list of available updates. Critical updates and new service packs are listed first, followed by non-critical operating system updates and updated hardware drivers. Click the Add button next to an update description to add the update to the list of updates to install. After you are finished adding items, click the Review And Install Updates link to install the updates.
Some updates have special installation needs. In particular, some updates must be installed separately. Windows Update will inform you in these cases, so you can install the update and restart the computer before installing additional updates.
Using the Windows Update Catalog
While Windows Update is a convenient service for computers that have Internet connections, it is not useful for a computer that does not have an Internet connection. To service computers that are not connected to the Internet, you can use the Windows Update Catalog, which provides local copies of the available updates.
Once you have local copies of the updates on a computer that is connected to the Internet, you can distribute those updates to computers that are not connected to the Internet by using a local network or removable media such as CD-R. The Windows Update Catalog can then be configured on those machines to use the local sources for installation rather than connect to the Internet.
You can enable the Windows Update Catalog from the Windows Update page. Click Personalize Windows Update and then select the Display The Link To The Windows Update Catalog check box to enable the catalog.
After you choose an operating system and hardware device from the Windows Update Catalog, the catalog displays a complete list of available updates. You can customize the display of updates to include only certain categories of updates or you can search for updates by keyword.
Using the catalog, you can add updates to a basket, as you do in the standard Windows Update, enter a download location, and download all of the updates in a single operation. You can then distribute the updates to the appropriate computers.
Unlike Windows Update, the catalog does not determine whether an update is needed or is compatible with the destination computer. Ensure that you, as administrator, install only the appropriate updates for each computer and that you install using a user account with the permissions required to overwrite operating system files.
You can use the Qfecheck.exe utility, described in Lesson 1, to determine which updates have already been installed on a computer.
Using Automatic Updates
In computers with Windows 2000 Service Pack 3 or Windows XP Service Pack 1 installed, Critical Update Notification, a utility that periodically checked the Windows Update Web site for critical updates to a computer, has been replaced by Automatic Updates. This service expands the original concept of the Critical Update Notification utility by not only notifying users of updates, but also downloading and installing them automatically if desired.
Automatic Updates downloads updates directly from http://www.microsoft.com and stores them in a temporary directory on each computer until they are installed. For large enterprises or for those that do not have a direct connection to the Internet, this default behavior is not always desirable. Automatic Updates can also act as a client for Microsoft Software Update Services (SUS), described later in this lesson, which allows administrators to establish a local server that can distribute updates.
Installing Automatic Updates
To obtain Automatic Updates, either install the Windows 2000 Service Pack 3, Windows XP Service Pack 1, or install the Automatic Updates feature separately using Windows Update.
Configuring the Automatic Updates Client
After the Automatic Updates feature is installed on a computer, an Automatic Updates option is added to Control Panel. This provides access to the Automatic Updates dialog box. To enable automatic updates, select the Keep My Computer Up To Date option within this dialog box. You can also choose one of three notification options:
Notify before downloading any updates and before installing them. Use this option if controlling connections to the Internet is required.
Download automatically, then notify before installing updates. Use this option if you want to retain administrative control over which updates are installed.
Download automatically, and install updates automatically at the selected daily or weekly interval. Use this option for completely automatic updating.
You can also control the update policies of Automatic Updates by using Group Policy, which is detailed in the next section.
Installing and Configuring Software Update Services
Microsoft Software Update Services (SUS) provides the same benefit on local servers as the Windows Update servers provide on the Internet. It allows you to make your choice of updates available to clients using Automatic Updates. The SUS server synchronizes with the Windows Update server to obtain the latest updates, and multiple SUS servers can synchronize with each other.
Installing Software Update Services
SUS has complex requirements, and Microsoft recommends dedicating a server to it. SUS requires a Windows 2000 Server computer configured as a stand-alone server or member server. It cannot be installed on a domain controller. It also requires Internet Information Services (IIS).
To install SUS, first download the server software from the Microsoft Web site. SUS is provided as a file, Sussetup.msi, that uses the Windows Installer to install the service. Run this program to begin the installation. A wizard guides you through the installation process.
Configuring Software Update Services
Once you have installed SUS, you can use its Web-based configuration system. To access this system, browse to the http://localhost/SUSAdmin/ page in Internet Explorer. Click the Options link to set up the basic SUS options. At a minimum, you must specify whether to use a proxy server for Internet access, and whether to synchronize updates from the Microsoft Windows Update servers or from another SUS server.
Synchronizing Updates
To synchronize SUS with Windows Update, click the Synchronize option in the SUS administration page, and then click the Synchronize Now button. The first synchronization may take a few minutes (or even longer on a slow Internet connection) because it must download the current catalog of updates and all pending updates. You can also click the Synchronization Schedule button to configure a schedule for regular synchronization.
Approving Updates
Once updates have been downloaded, you must approve them before they will be made available to clients. This approval process allows you to pre-test updates before deploying them across the enterprise. To approve updates, click the Approve Updates option in the SUS administration page. The list of downloaded updates is displayed, and you can choose the updates to approve. The updates you approve will be installed by clients running Automatic Updates on their next scheduled connection to the SUS server.
You can also remove approval from updates that have been previously approved. However, this does not remove them from any clients that have already installed the update. You would do this to prevent an update from being installed on new computers if that update conflicts with third-party software that is essential.
Configuring Automatic Updates Clients
For clients to poll the local SUS server rather than the Windows Update servers, you must configure each client to use the SUS server. You configure clients across the network using Group Policy. The Automatic Updates installation includes a template, Wuau.adm, that you can configure and deploy to configure Automatic Updates settings. The template is stored in the \inf folder within the Windows directory. To use the template, create a new Group Policy for the organizational unit (OU) that contains the computers that require automatic update settings. Add the template to the policy's Administrative Templates section. This adds two new policies under the Windows Update heading:
Configure Automatic Updates. Allows you to set Automatic Updates options, as described earlier in this lesson, for all computers in the OU.
Specify Intranet Windows Update Server Location. Allows you to specify a server name for Automatic Updates to contact. Specify the SUS server here.
You can also use the Wuau.adm template and Group Policy to automatically configure Automatic Updates without installing an SUS server if you don't mind having clients directly download updates from http://www.microsoft.com. To do this, install the Wuau.adm template and configure the GPO options without installing or specifying an intranet SUS server.
Practice: Using Software Update Services
In this practice, you test the Windows Update and Windows Update Catalog features and configure Automatic Updates settings. You can perform these tasks from any Windows 2000 computer with Service Pack 3 or the Automatic Updates add-on installed.
Exercise 1: Managing Automatic Updates
In this exercise, you use Windows Update and the Windows Update Catalog to download and manage updates, and configure a computer to use the Automatic Updates feature.
To install updates with Windows Update
Perform this procedure on any Windows 2000 computer.
Choose Windows Update from the Start menu, or browse to http://windowsupdate.microsoft.com. The Windows Update page appears, as shown in Figure 14.13.
Figure 14-13. Windows Update
Click the Scan For Updates link to begin the scan.
Click the Review And Install Updates link. A list of available critical updates appears, as shown in Figure 14.14.
Figure 14-14. Windows Update displays the list of critical updates
By default, all critical updates are selected to be installed. Click the Remove button to remove any update you do not want to install.
Click the Install Now button to begin the installation. The license agreement for the updates appears.
Click Accept to begin downloading and installing the updates.
The updates are installed. This might take several minutes and depends on the speed of the Internet connection.
Click OK to restart the computer and complete the installation.
To download updates with the Windows Update Catalog
Perform this procedure from any Windows 2000 computer connected to the Internet.
Choose Windows Update from the Start menu, or browse to http://windowsupdate.microsoft.com. The Windows Update page appears.
Select the Personalize Windows Update link in the left column. The Windows Update options are displayed, as shown in Figure 14.15.
Figure 14-15. Windows Update personalization options
Select the Display The Link To The Windows Update Catalog Under See Also check box, and click Save Settings. Your settings are saved, and the Windows Update Catalog link appears in the left column.
Click the Windows Update Catalog link in the left column. The Windows Update Catalog page appears.
Click the Find Updates For Microsoft Windows Operating Systems link. A list of operating systems appears, as shown in Figure 14.16.
Figure 14-16. Windows Update Catalog
Select Windows 2000 Family from the list, and click Search. A list of categories appears.
Click the Critical Updates And Service Packs link. A list of updates appears, as shown in Figure 14.17.
Figure 14-17. Windows Update Catalog search results
Click Add to add one or more updates to the basket.
Click the Go To Download Basket link. The updates you selected are listed.
Click Browse, and select a destination for the downloaded files.
Click Download Now.
The updates are now downloaded to your selected location.
To enable and configure Automatic Updates
Perform this procedure from a Windows 2000 computer with Service Pack 3 installed.
In Control Panel, double-click Automatic Updates. The Automatic Updates dialog box appears, as shown in Figure 14.18.
Figure 14-18. Automatic Updates
Select the Keep My Computer Up To Date check box.
Select the Download The Updates Automatically And Notify Me When They Are Ready To Be Installed option.
Click OK to exit the Automatic Updates dialog box.
Automatic Updates are now enabled for the local computer.
Exercise 2: Using Software Update Services
In this exercise, you install SUS on a server, configure its settings, and configure a group of clients to access the server for updates.
To install Software Update Services
Perform this procedure from a member server.
Click the Sussetup.msi file to launch the installer. The Microsoft Software Update Services Setup Wizard displays an introductory page.
Click Next to continue.
Accept the license agreement, and click Next. The Choose Setup Type page appears, as shown in Figure 14.19.
Figure 14-19. Choose the installation type
Click the Typical button, and click Next.
Click Next to begin the installation.
SUS is installed. The installation might take several minutes. During the installation, the Internet Information Services Lockdown Wizard runs to set up secure IIS settings, as shown in Figure 14.20.
Figure 14-20. The Internet Information Services Lockdown Wizard
When the completion screen appears, click Finish to exit the installer.
To configure Software Update Services
Perform this procedure from the SUS server.
Browse to http://localhost/SUSAdmin/. The SUS administration pages are displayed, as shown in Figure 14.21.
Figure 14-21. Software Update Services configuration
Select whether to use a proxy server for Internet access, and specify the server if necessary.
Click Set Options. A scrollable list of options appears.
Specify the name that clients use to contact the server. The default choice is the NetBIOS name of the server, which is usually sufficient.
Choose the server from which to synchronize content. Select the Synchronize Directly From The Microsoft Windows Update Servers option, as shown in Figure 14.22.
Figure 14-22. Software Update Services options
Select whether to automatically approve new versions of updates you previously approved.
Choose a location to store the updates, and select the languages for which you want to synchronize updates.
Click Apply to save the settings.
Click the Synchronize Server link in the left column. The Synchronize Server page appears, as shown in Figure 14.23.
Figure 14-23. Software Update Services synchronization
Click the Synchronize Now button to begin synchronization.
The catalog is downloaded, followed by the latest updates. The download process can take several minutes.
To configure clients using Group Policy
Perform this procedure from the domain controller.
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers management console appears.
Select the Information Technology organizational unit under Departments in the console tree.
From the Action menu, choose Properties. The Information Technology Properties dialog box appears.
Select the Group Policy tab. The Group Policy properties dialog box is displayed, as shown in Figure 14.24.
Figure 14-24. Group Policy properties dialog box
Click New, and name the new policy Automatic Updates.
Click Edit to edit the new GPO. The Group Policy management console appears, as shown in Figure 14.25.
Figure 14-25. Group Policy management console
In the console tree, select Administrative Templates under Computer Configuration.
From the Action menu, choose Add/Remove Templates. The Add/Remove Templates dialog box appears.
Click Add. A list of available templates appears, as shown in Figure 14.26.
Figure 14-26. Adding a template to the policy
Select wuau.adm from the list, and click Open.
Click Close to close the Add/Remove Templates dialog box.
In the console tree, expand Administrative Templates, Windows Components, and select Windows Update.
Double-click the Specify Intranet Microsoft Update Service Location policy. The policy settings are displayed, as shown in Figure 14.27.
Figure 14-27. Specifying the service location
Select the Enabled option, and then type http:// followed by the name of the server running SUS in the update service and statistics server boxes, and click OK.
Click Close to close the Properties dialog box.
Close the Group Policy console, and then click Close to close the Information Technology Properties dialog box.
The new settings will be configured as each client refreshes its Group Policy.
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
Which Windows Update feature notifies users of critical updates and optionally installs updates automatically?
What two sources can be used to obtain the latest updates using Automatic Updates?
What service provides a local version of the Windows Update service?
How can clients be configured to update using an SUS server?
Where are notification settings for Automatic Updates managed?
Lesson Summary
Windows Update is a Web-based service provided by Microsoft that scans a computer's installed software, determines needed or available updates, and optionally allows you to install them.
The Windows Update Catalog allows you to display the complete list of available updates for operating systems. This is useful for obtaining updates for a computer that doesn't have Internet connectivity.
The Automatic Updates feature is available in Windows 2000 Service Pack 3 and Windows XP. This service automatically contacts the Windows Update servers to determine needed updates, notifies the user when updates are available, and can install updates automatically.
Microsoft Software Update Services (SUS) is a server component for Windows 2000 Server that locally provides the same service as Windows Update. Clients can be configured to use the local SUS server for Automatic Updates.