Managing a Software Update Infrastructure


Objective:

Manage software update infrastructure

No matter how well it seems that software is written, there is always a need for bug fixes and security patches. In addition, there never seems to be an end to the need for updated drivers and minor feature upgrades. Sometimes it seems that the system administrator's job never ends.

Microsoft Update

Later versions of Windows include the Windows Update feature, which was subsequently expanded into Microsoft Update. Microsoft Update is used to keep your Windows system and selected components up-to-date by connecting to the Microsoft Update website over the Internet and automatically downloading and installing security fixes, critical updates, and new drivers. These updates are used to resolve known security and stability issues with the Windows operating system.

Although relying on Microsoft Update is fine if you have only a few computers, in an enterprise environment, it leaves much to be desired. Consider the following:

  • Most of the updates require the user to have administrative rights on the computer. This is rarely allowed in an enterprise environment.

  • The updates have not been tested in the user's specific environment. If an update has a conflict with other software on the network, it can bring the company to its knees.

  • Each computer is responsible for downloading its own updates. This can be bandwidth intensive if you have a large environment.

Note: Windows Update

Although the Windows Update website still exists, the Microsoft Updates website provides the same patches in addition to patches for Microsoft Office and the Microsoft line of server-based applications.


Windows Server Update Services

Fortunately, Microsoft has provided Windows Server Update Services (WSUS) to assist the system administrator in managing updates in the small- to medium-sized enterprise environment.

Microsoft WSUS is a service that can be installed on an internal Windows 2000 or Windows Server 2003 server that can download all critical updates as they are posted to Microsoft Update. Administrators can also receive email notification when new critical updates have been posted.

The client computers and servers can be configured through Group Policy or the Registry to contact the internal WSUS server for updates, instead of going out over the Internet to the Microsoft servers. WSUS is basically an internal version of the Microsoft Update service, with the exception that the network administrator has the option to control which updates get downloaded from Microsoft and which ones get installed on the computers in the environment.

WSUS allows administrators to quickly and easily deploy most updates to Windows 2000 or Windows Server 2003 servers as well as desktop computers running Windows 2000 Professional or Windows XP Professional.

You can install multiple WSUS servers in your environment, both for load balancing or for test purposes. For example, you can set up a WSUS server to automatically download all the latest updates from Microsoft. After they have been downloaded, you can distribute the updates to test computers to verify compatibility with the existing software. After the updates have been tested, they can be published to the production environment.

A basic WSUS configuration is shown in Figure 18.1. In this example, the WSUS server in the headquarters is configured to run a scheduled synchronization with the Microsoft Update website. The administrator then publishes the updates to a group of test computers. After testing has been completed, the approved updates on the HQ server are distributed to the other WSUS clients in the enterprise.

Figure 18.1. A basic WSUS configuration, including test computers.


This type of configuration is enabled by utilizing Computer Groups. Computer groups allow the administrator to segregate computers in different groups with different deployment rules. In our previous example, the test computers would be in a separate group, and the rest of the computers in the organization would be in a different group.

Another example would be to separate servers from workstations. Although most workstations can be patched just about any evening, servers usually work around the clock, so they would need a scheduled maintenance window.

You can also utilize a downstream WSUS server, as shown in Figure 18.2. In this configuration, the upstream WSUS server obtains all the updates from the Microsoft website. The downstream servers then receive the approved updates from the upstream server. This configuration is typically used in organizations that have multiple sites connected by a WAN. Because the downstream WSUS servers don't have to access the Internet, and can only download approved updates from the upstream WSUS server, this gives the administrator more control over the patching process and reduces the required bandwidth. However, the remote administrators will still be allowed to change some configuration settings, including adding additional computer groups.

Figure 18.2. The upstream server approves all updates.


Another typical configuration is shown in Figure 18.3. In this configuration, traveling laptop users or VPN clients are assigned to a separate computer group on a designated WSUS server. The users assigned to this group will get their approvals from their assigned WSUS server, but they will obtain their updates directly from the Microsoft Update website. This allows the administrator to control which patches are installed on these machines, but doesn't require the administrator to supply the storage space or the bandwidth required to download the patches.

Figure 18.3. Remote clients download directly from Microsoft Update.


WSUS requires a SQL database to hold its configuration information and a catalog of the updates. A copy of WMSDE for Windows Server 2003 is included with the WSUS installation and should be used for most installations of WSUS. Unlike the previous versions of the Microsoft SQL Desktop Engine (MSDE), WMSDE is not limited to 2GB. Windows 2000 Server installations can either use MSDE for small installations or SQL Server for larger environments.

WSUS allows you two options for storing updates: local or remote storage. In the local storage option, all approved updates are downloaded from Microsoft Update and stored on your WSUS server. When your clients need an update, they obtain it from the store on the WSUS server. With remote storage, no updates are downloaded to your WSUS server. When the clients need an update, they download the approved updates directly from the Microsoft Update site.

For those remote sites where there isn't an administrator available to manage the WSUS servers, you can install replicas. A WSUS replica server is a mirrored installation of the upstream server. Unlike in the downstream configuration we discussed earlier, you can't add additional Computer Groups to a replica server.

Installing Windows Server Update Services

WSUS is not included with Windows Server 2003; instead, it must be downloaded from the Microsoft website at http://go.microsoft.com/fwlink/?LinkId=47374. The requirements for WSUS for up to 500 clients are as follows:

  • Windows 2000 Service Pack 2 or later.

  • IIS 5.0 or later.

  • Internet Explorer 6.0 or later.

  • CPU 1GHz or higher.

  • 1GB RAM.

  • Both the system partition and the partition on which you install WSUS must be formatted as NTFS.

  • 1GB of free space on the System partition formatted as NTFS.

  • 6GB of hard drive space. 30GB recommended.

  • Minimum of 2GB of free space on the volume where the Windows SQL Server 2000 Desktop Engine (WMSDE) is installed.

  • Background Intelligent Transfer Service (BITS) 2.0.

  • Microsoft .NET Framework 1.1 SP1.

  • Ports 80 and 443 must be open on the firewall between the WSUS server and the Internet.

To install WSUS, use the procedure in Step by Step 18.1.

Note: Windows Server 2003 SP1

BITS 2.0 and .NET Framework 1.1 SP1 are included in Windows Server 2003 SP1 and later.


Step by Step

18.1 Installing WSUS

1.

Locate the downloaded WSUS installation file and then double-click it to start the installation.

2.

From the Setup Wizard screen, click the Next button to continue.

3.

Select the I Accept the Terms in the License Agreement option button and click the Next button to continue.

4.

On the Select Update Source screen, shown in Figure 18.4, you choose whether to store updates on the WSUS server or have your clients download them from Microsoft Updates. Accept the default, and then click Next.



Figure 18.4. Choose where to store approved updates.


5.

The Database Options screen appears. You have the option of letting WSUS install the WMSDE, or you can point WSUS to an existing SQL server. Accept the default of installing WMSDE by clicking the Next button. This is shown in Figure 18.5.

Figure 18.5. Choose what database to use.


6.

The Web Site Selection screen appears. You can select to use the default website or create your own. Accept the defaults and click the Next button to continue.

7.

The Mirror Update Settings screen appears, as shown in Figure 18.6. If you are creating a hierarchy of WSUS servers, you would specify a server to obtain updates from. Because this is the first server in the hierarchy, click the Next button to continue.



Figure 18.6. Enter the original server if creating a WSUS hierarchy.


8.

The Ready to Install screen appears. Review the URL and then click the Next button to continue.

9.

When the installation completes, click the Finish button to end the procedure.

After the installation procedure has completed, you can connect to the WSUS Administration page by entering http://servername/WSUSAdmin. From the WSUS Administration page, you can synchronize the server with the Microsoft Update site and configure various options. This initial synchronization is required so that you will be able to view the available updates. By default, the synchronization procedure will display updates for all products in all languages. To save on bandwidth, you can go to the Synchronization Options page and select only the products and languages that you want to see.

Note: WSUS Administrators

The WSUS installation added a new local group, WSUS Administrators. You must be a member of this group or the local Administrators group to configure and manage WSUS.


To synchronize WSUS with the Microsoft Windows Update site, use the procedure in Step by Step 18.2.

Step by Step

18.2 Synchronizing WSUS

1.

Enter http://servername/WSUSAdmin in your web browser. This opens the WSUS Administration web page shown in Figure 18.7.



Figure 18.7. The WSUS Administration web page


2.

In the upper-right pane of the web page, click the Options icon.

3.

The Options page, shown in Figure 18.8, allows you to change the configuration options that you selected during the initial installation of WSUS. In addition, it also provides you with settings to configure the WSUS server to operate behind a proxy server, and assign computer groups. Notice that there is also an option to specify a local WSUS server to synchronize with.

Figure 18.8. The Options page allows you to control the configuration of your WSUS server.


4.

From the Synchronization Options page, shown in Figure 18.9, you can click the Change buttons under products or Update Classifications to limit the updates that will be downloaded.

Figure 18.9. The Synchronization Options page allows you to filter what updates are downloaded. The default is to download updates for all operating systems in all languages.


5.

Scroll down to the bottom of the page and select the Advanced button in the Update Files and Languages area.

6.

When prompted, acknowledge the warning message. This opens the Advanced Synchronization Options dialog shown in Figure 18.10. Click OK to save.

Figure 18.10. The Advanced Synchronization Options page. Notice that the default is to download updates only after they have been approved.


7.

Select the option to download only those updates that match the locale of this server. Click the OK button to save.

8.

This returns you to the Synchronization Options page. You have the option to synchronize immediately or to synchronize on a scheduled basis. Click the Synchronize Now button to continue.

9.

The updates are downloaded to your WSUS server. This might take a while depending on the options you've selected and the number of updates currently available. A progress bar is displayed to indicate the progress.

10.

When the synchronization with the Microsoft Update site is complete, click the OK button.

There is also an option to specify a local WSUS server to synchronize with. Along with this option is a check box that specifies that only approved items should be synchronized. These options are used in the scenario with multiple WSUS servers that we covered earlier. Using these options allows you to download updates only to a single server. The updates are tested and approved by the HQ WSUS server. By configuring your other WSUS servers to point to this central server and to synchronize only approved updates, you can reduce the traffic on your network.

Note: Initial Synch

The initial WSUS synchronization can potentially take a long time, depending on how many products and languages you are supporting. It's best to schedule the first WSUS synchronization for either overnight or over a weekend.


Computer Groups

Earlier in the chapter, we briefly discussed Computer Groups. Computer Groups allow you to target a group of computers with different patches on a different schedule than other groups. This is handy, so that if your development group is in the final stages of readying a release and have "frozen" their test machines, you won't inadvertently install patches that could interfere with their test cycle.

By default, all computers are automatically added to the All Computers Group and the Unassigned Computers group. When a computer is assigned to a specific group, it is automatically removed from the Unassigned Computers group. All computers registered with WSUS will remain in the All Computers group until they are removed from the WSUS environment.

There are two ways to assign a computer to a group in WSUS:

  • Manually assigning it to a group using the WSUS console

  • Using Group Policy (or a Registry key) to assign a Computer Group name to the contents of an OU

Unfortunately, you can use one or the other method, but not both. To select the method of assigning computers to groups, use the process in Step by Step 18.3.

Step by Step

18.3 Selecting Group Targeting

1.

Enter http://servername/WSUSAdmin in your web browser. This opens the WSUS Administration web page.

2.

In the upper-right pane of the web page, click the Options icon.

3.

From the Options page, click the Computers Options icon. This opens the Computers Options page, shown in Figure 18.11.

Figure 18.11. The Options page allows you to control how you will assign computers to your Computer Groups.


4.

Select the Use Group Policy option button, and then click the Save Settings icon.

5.

In the upper-right pane of the WSUS console, select the Computers icon. This opens the Computers page, as shown in Figure 18.12.



Figure 18.12. The Computers page allows you to configure your Computer Groups. Note the warning message.


6.

Click the Create a Computer Group icon. Enter a name for your Computer Group, and click OK to save.

Configuring Clients for Automatic Updates

After the updates have been synchronized and approved, and the Computer Groups configured, the updates are ready to be distributed to the clients. To connect to the WSUS server, the client should have the Automatic Update software installed. The correct version is included with the following:

  • Windows XP Service Pack 1 or later

  • Windows 2000 Service Pack 3 or later

  • All versions of Windows Server 2003

These versions of the Automatic Updates client don't support WSUS, but they will automatically self-update to a version that does. Older versions of the Windows Update client do not support WSUS at all. For older operating systems, you will have to download the updated client from the WSUS web page at http://www.microsoft.com/windowsserversystem/updateservices/default.mspx.

By default, the Microsoft Windows client and server operating systems are configured to obtain updates from the Windows Update site; they must be reconfigured to obtain updates from the Microsoft Updates site or a WSUS server.

Although you can manually edit the Registry of Windows servers and clients to use a WSUS server, that process is time consuming and error prone. The most efficient way to make this change is via Group Policy.

We're going to target your test server that's installed in the Workstations OU using the procedure in Step by Step 18.4.

Step by Step

18.4 Configuring a WSUS Groups GPO

1.

Open the Group Policy Management Console. Right-click the Kansas City\Workstations OU and select Create and Link a GPO Here from the pop-up menu.

2.

When the New GPO prompt appears, enter the name WSUS Groups, and click OK.

3.

The new GPO will appear in the Group Policy Objects container, and as a linked object under the OU folder.

4.

Right-click the new GPO and select Edit from the pop-up menu. The Group Policy Editor MMC appears.

5.

Click Computer Configuration, click Administrative Templates, click Windows Components, and then click the Windows Update folder, as shown in Figure 18.13.

Figure 18.13. The Group Policy Object Editor, showing the configurable policy options for Windows Update.


6.

Double-click the Enable client-side targeting entry and select Enabled. Enter the name of the computer group you just created, and then click the OK button to save.

7.

Double-click the Specify Intranet Microsoft Update Service Location entry and select Enabled. Enter the name of the WSUS computer in the format http://servername in both fields, and then click the OK button to save (see Figure 18.14).

Figure 18.14. This policy points your Automatic Update clients to your WSUS server, both for updates and to record statistics.


8.

Double-click the Configure Automatic Updates entry, and then select the Enabled option from the Properties dialog box (see Figure 18.15). Configure an appropriate schedule and then click the OK button to save. Close the Group Policy Object Editor.

Figure 18.15. The Configure Automatic Updates policy, showing the options available for scheduling. The default is every day at 3:00 a.m.


9.

On your test server, log on using the administrator account.

10.

Open a command window and enter gpupdate /force.

11.

Wait a minute or so, and then enter wuauclt /detectnow. (This command forces the client to contact the WSUS server.)

12.

Open the WSUS Administration web page.

13.

In the upper-right pane of the web page, click the Computers icon.

14.

The computers in the OU that you just applied the GPO to should be displayed.

Figure 18.16. The Computers page of the WSUS console, showing the assigned computers and their associated groups.


The other Group Policy options shown back in Figure 18.13 are used to control whether the computer performs an autorestart after it installs an update that requires a reboot or waits until a scheduled reboot. The last option controls whether the updates are automatically installed when the computer is first started after it has missed an update window (for example, if the computer was scheduled for an update at 3:00 a.m. but was turned off).

By default, each client computer checks in with the WSUS server at a 22-hour interval with a random offset of 0 to 30 minutes. When the client checks in, it receives any new WSUS configuration settings and saves its individual statistics to the WSUS database. This interval can be changed via Group Policy.
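The following script is an added example, not code from the book: it applies the same client settings that Step by Step 18.4 sets through Group Policy (intranet update server, Configure Automatic Updates) together with the client-side targeting chosen in Step by Step 18.3, using the policy Registry keys that the Windows Update client reads, and then checks the effective values before forcing a detection. The server name wsus-hq and the group name Workstations-Test are assumptions; run it elevated on the client.

```powershell
# Added example (not from the book). Writes the policy Registry values that the
# "Windows Update" administrative template sets, then verifies them.
# Assumptions: WSUS server "wsus-hq" and Computer Group "Workstations-Test".
$WsusUrl     = "http://wsus-hq"        # assumption: same URL in both GPO fields (updates and statistics)
$TargetGroup = "Workstations-Test"     # assumption: group created in Step by Step 18.3

$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au = "$wu\AU"
foreach ($key in $wu, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# "Specify intranet Microsoft update service location" (step 7)
Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -Type String

# "Enable client-side targeting" (step 6): the group name must match the WSUS console
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1            -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup -Type String

# "Configure Automatic Updates" (step 8): 4 = auto download and schedule the install;
# day 0 = every day, hour 3 = 3:00 a.m., the default shown in Figure 18.15
Set-ItemProperty -Path $au -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord

# Detection interval in hours; 22 is the default interval described in the text
Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1  -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequency        -Value 22 -Type DWord

# Check: read back the effective values and report anything that would send the
# client somewhere other than the intended WSUS server or group.
function Test-WsusClientConfig {
    param([string]$ExpectedUrl, [string]$ExpectedGroup)
    $p = Get-ItemProperty -Path $wu
    $a = Get-ItemProperty -Path $au
    $problems = @()
    if ($p.WUServer -ne $ExpectedUrl)       { $problems += "WUServer is '$($p.WUServer)'" }
    if ($p.WUStatusServer -ne $ExpectedUrl) { $problems += "WUStatusServer is '$($p.WUStatusServer)'" }
    if ($p.TargetGroupEnabled -ne 1 -or $p.TargetGroup -ne $ExpectedGroup) {
        $problems += "client-side targeting is not set to '$ExpectedGroup'"
    }
    if ($a.UseWUServer -ne 1) { $problems += "UseWUServer is not 1; the client would still use Microsoft Update" }
    return $problems
}

$issues = Test-WsusClientConfig -ExpectedUrl $WsusUrl -ExpectedGroup $TargetGroup
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }

# Same as steps 10 and 11 of Step by Step 18.4: refresh policy, then contact the WSUS server
gpupdate /force
wuauclt /detectnow
```

The computer should appear on the Computers page in the named group after its first check-in, just as in step 14.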

Approving Updates

Not all the updates apply to the computers on your network. Also, there is the possibility that one of the fixes might actually break something in your environment. Fortunately, WSUS can be configured to not make any updates available until after you have approved them. This gives you the opportunity to select which updates you want to distribute and to test them before you release them to your production environment.

To approve WSUS updates so that they can be distributed to your clients, use the procedure in Step by Step 18.5.

Step by Step

18.5 Approving WSUS updates

1.

Open the WSUS Administration web page.

2.

In the upper-right pane of the web page, click the Updates entry.

3.

From the Updates page, shown in Figure 18.17, you can select the updates you want to make available to your clients. After selecting the desired updates, click the Change Approval button.

Figure 18.17. The Approve Updates page allows you to control which updates are made available to your clients. A brief description of each update is supplied, along with any prerequisites. For more information, you can click the Details hyperlink supplied with each entry.


4.

You receive a warning prompt telling you that the selected list will replace all previously approved updates. Click the Yes button to continue.

5.

If a license agreement is required for any of the updates, it is displayed. Read the agreement and then click the Yes button. Click the Synchronize Now button to continue.

6.

When prompted, click the OK button to save the list.

Managing Updates

Unfortunately, Microsoft doesn't provide much in the way of tools to manage WSUS. WSUS is intended for the small- to medium-sized enterprise. All the configuration options are available from the web console. For larger enterprises, Microsoft recommends that you implement the System Management Server (SMS) product. SMS provides much more powerful update capabilities, including expanded operating system support, hardware and software inventory, and remote control management capabilities.

However, unlike its predecessor, Software Update Services (SUS), WSUS provides four main reports to track the status of updates:

  • Status of Updates This report lists and provides the status of all approved updates, broken down by computer and computer group.

  • Status of Computers This report lists the patch status of all computers.

  • Synchronization Results This report shows the results of the last synchronization, including synchronization errors, new updates available, revised updates, and expired updates.

  • Settings Summary This report provides a list of the WSUS configuration settings.

To run a Status of Computers report, follow the procedure in Step by Step 18.6.

Step by Step

18.6 Running a WSUS Status of Computers report

1.

Open the WSUS Administration web page.

2.

In the upper-right pane of the web page, click the Reports entry.

3.

From the Reports page, select the Status of Computers icon.

4.

As you can see in Figure 18.18, you can select the computer group you want to see, along with other filtering options such as Installed, Needed, and so on. When you've made the appropriate selections, click the Apply button.



Figure 18.18. The Status Of Computers report allows you to control what Computer Group to see and how much information is displayed in the report.


5.

If desired, you can select the Print Report icon to obtain a hard copy of the report.

In addition to the previously mentioned reports, WSUS can supply compliance reports to track the compliance status of a computer (whether all the required updates have been installed on that computer), and by update (whether the update has been installed on all of the computers that require it).

Unlike the other reports that are available from the Reports page, these reports are run by selecting the desired computer on the Computers page and the selected update on the Updates page.

Challenge

You are the administrator of a Windows Server 2003 Active Directory domain with multiple sites. You have installed a WSUS infrastructure with a WSUS server at each site that pulls its patch information from your central WSUS server.

Your manager has asked you if the Cincinnati site has installed patch KB32145. He would like to know if all the computers in that site have installed the patch, and if not, how many have not. What do you do?

Try to complete this exercise on your own, listing your conclusions on a sheet of paper. After you have completed the exercise, compare your results to those given here.

1.

Open the WSUS Administration web page.

2.

In the upper-right pane of the web page, click the Updates entry.

3.

From the Updates page, enter the KB number for the patch in the Contains Text field in the lower-right part of the page, and click the Apply button. The patch entry should appear.

4.

Highlight the patch entry, and then click the Print Status Report icon.

WSUS provides on-the-fly status reporting of just about any common metric to allow you to check the patch status of your network. The only caveat is that you should wait at least 22 hours after a patch distribution, so that the clients have a chance to report their statistics. For an individual client, you can expedite the reporting process by entering the Wuauclt /detectnow command.
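As an added example (not part of the book), the same question the Challenge answers from the console can be answered as a script against the WSUS administration API, which is useful when the check has to be repeated for every site or every patch cycle. It assumes the Microsoft.UpdateServices.Administration assembly is available where the script runs (it ships with the WSUS console), that the central server is named wsus-hq, and that the Cincinnati site has a Computer Group named Cincinnati; the KB number is the one from the Challenge.

```powershell
# Added example (not from the book): per-site compliance for one KB article.
# Assumptions: server "wsus-hq", Computer Group "Cincinnati", run as a WSUS administrator.
param(
    [string]$WsusServer = "wsus-hq",     # assumption: central (upstream) WSUS server
    [int]$Port = 80,                     # default WSUS website port
    [string]$GroupName = "Cincinnati",   # assumption: the site's Computer Group
    [string]$Kb = "32145"                # KB number from the Challenge
)

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, $Port)

# Resolve the site's Computer Group and index its members by target id.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Computer Group '$GroupName' not found on $WsusServer" }
$members = @{}
foreach ($t in $group.GetComputerTargets()) { $members[$t.Id] = $t.FullDomainName }

# One KB article can map to several updates (one per product or language), so keep them all.
$updates = $wsus.GetUpdates() | Where-Object { $_.KnowledgebaseArticles -contains $Kb }
if (-not $updates) { throw "No update for KB$Kb in the catalog; synchronize first" }

# Collect the per-computer installation state, restricted to this site's computers.
$rows = @()
foreach ($u in $updates) {
    foreach ($info in $u.GetUpdateInstallationInfoPerComputerTarget()) {
        if (-not $members.ContainsKey($info.ComputerTargetId)) { continue }
        $rows += New-Object PSObject -Property @{
            Computer = $members[$info.ComputerTargetId]
            Update   = $u.Title
            State    = $info.UpdateInstallationState
        }
    }
}

# "Unknown" means the client has not reported yet: remember the 22-hour check-in
# interval before treating it as missing. NotApplicable computers do not need the patch.
$notDone   = @('NotInstalled', 'Downloaded', 'Failed', 'InstalledPendingReboot')
$missing   = $rows | Where-Object { $notDone -contains $_.State }
$unreported = $rows | Where-Object { $_.State -eq 'Unknown' }
$needed    = $rows | Where-Object { $_.State -ne 'NotApplicable' }

"KB$Kb in group '$GroupName': $($needed.Count) computers need it, " +
"$($missing.Count) have not installed it, $($unreported.Count) have not reported yet."
$missing + $unreported | Sort-Object Computer | Format-Table Computer, State, Update -AutoSize
```

Computers listed as Unknown can be nudged with wuauclt /detectnow, as the text describes, and the script rerun.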





MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales
