Automating Updates


Microsoft provides a free server utility called Software Update Services (SUS) that helps automate updates on servers and desktop systems. It is designed to supplement Windows Update by letting you cache updates and patches locally and authorize local machines to update from that source. This not only reduces Internet bandwidth consumption but also gives you a greater degree of control over when a patch is installed. SUS is available as a standalone product or as a feature pack (add-in) for Systems Management Server 2.0.

Software Update Services Tuning: Using NTFS Permissions and Machine Groups

By default a patch can only be "globally" allowed or disallowed: once you authorize a given patch, every system that synchronizes with the SUS server will apply it. An easy way to add a level of filtering is to create security groups of computer accounts for particular types of servers. You might create a "SQL Servers" group and add the SQL Server computer accounts to it, then set NTFS permissions on the patch file so that only members of that group can read it. This prevents Web servers from installing SQL patches unnecessarily. Keep in mind that the group ACL is only consulted if the client's computer account is what reads the file; if the SUS virtual directory serves its content anonymously, IIS reads the file as its anonymous user account and the per-group permissions have no effect. This process also requires a bit of research into the intent of each patch Microsoft releases, but that research should already be occurring in the test lab. After a patch is deemed stable for the network, assign the group permissions and then authorize the update.

Using SUS with Systems Management Server

Software Update Services is also available as a feature pack for SMS 2.0, and this version has greatly enhanced functionality. Instead of being limited to Windows 2000/2003 and Windows XP, it extends support back to Windows NT 4.0 SP4. It also leverages the SMS environment to integrate logging and reporting as well as throttled replication to distribution points. Perhaps the greatest benefit is the ability to use the hardware and software inventory SMS already collects: you could authorize a patch for every system running SQL Server 7.0 SP2 that also has a Web server running but no FTP service. This allows tremendous control of patch distribution and a high degree of reporting and auditing.

Enabling SUS with Group Policy Objects

Although SUS clients can be configured manually, a clever administrator can use Group Policy Objects (GPOs) to point systems at the SUS server. You shouldn't limit SUS to servers, either: it is an excellent way to ensure that desktops are kept up-to-date on patches and security fixes as well. To configure a GPO to point clients to an SUS server, follow these steps:

  1. Obtain the WUAU.adm template. It ships in %windir%\inf on Windows XP SP1, Windows 2000 SP3 and Windows Server 2003; for systems without it, download it from Microsoft.

  2. Click Start, and then click Run.

  3. Type GPEDIT.msc to load the Group Policy snap-in. (GPEDIT.msc edits the local computer policy; to configure many clients at once, open a domain or OU GPO from Active Directory Users and Computers instead and follow the same steps.)

  4. Under Computer Configuration, right-click Administrative Templates.

  5. Click Add/Remove Templates, and then click Add.

  6. Enter the name of the Automatic Updates ADM file: %windir%\inf\WUAU.adm.

  7. Click Open, and then click Close to load the wuau.adm file.

In the GPO editor, open Computer Configuration, Administrative Templates, Windows Components, Windows Update. Two settings need to be configured:

  • Configure Automatic Updates: enable it and choose how clients behave (notify before download, download and notify before install, or download and install on a schedule, in which case you also pick the day and hour).

  • Specify intranet Microsoft update service location: enable it and enter the URL of your SUS server (for example http://sus01) in both the update server and the statistics server fields.

Both settings are required. The first alone leaves clients downloading from Windows Update on the Internet; the second alone points them at the SUS server but leaves the Automatic Updates mode to whatever is set locally on each machine, which may be off. Once both apply, hosts contact the specified SUS server for their updates.
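The two policies do nothing more than write values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: "Configure Automatic Updates" writes NoAutoUpdate, AUOptions, ScheduledInstallDay and ScheduledInstallTime under the AU subkey, and "Specify intranet Microsoft update service location" writes WUServer and WUStatusServer plus UseWUServer=1 under AU. That makes it easy to verify from a client whether the GPO actually landed. The following script is an added example, not code from the book; it parses an export of that key (reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate wu.reg on Windows XP/2003, or regedit's File, Export) and reports anything that would keep the client off the SUS server. The two embedded exports are constructed samples and the hostname sus01.corp.example is made up.

```python
import re

# Registry keys written by the two Windows Update policies in WUAU.adm.
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

# Constructed sample of a "reg export" taken on a client after both policies
# have applied. The SUS server name is made up.
GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.corp.example"
"WUStatusServer"="http://sus01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
"""

# Constructed sample of the common mistake: "Configure Automatic Updates" was
# enabled but "Specify intranet Microsoft update service location" was left
# Not Configured, so the client still downloads from windowsupdate.microsoft.com.
NO_INTRANET_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"""


def parse_reg(text):
    """Parse a .reg export (REG_SZ and REG_DWORD values only) into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            name, dword, sz = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else sz
    return keys


def check_sus_policy(text):
    """Return a list of findings; an empty list means the client is pointed at SUS."""
    keys = parse_reg(text)
    wu = keys.get(WU_KEY, {})
    au = keys.get(AU_KEY, {})
    findings = []

    server = wu.get("WUServer")
    if not server:
        findings.append("WUServer missing: 'Specify intranet Microsoft update service location' not applied")
    elif not re.match(r"^https?://", server):
        findings.append("WUServer is not an http(s) URL: %r" % server)
    elif wu.get("WUStatusServer") != server:
        findings.append("WUStatusServer differs from WUServer; statistics will go elsewhere")

    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client will still use windowsupdate.microsoft.com")
    if au.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1: Automatic Updates is disabled by policy")

    opt = au.get("AUOptions")  # 2 = notify, 3 = download and notify, 4 = scheduled install
    if opt not in (2, 3, 4):
        findings.append("AUOptions missing or invalid (%r): 'Configure Automatic Updates' not applied" % opt)
    elif opt == 4:
        day = au.get("ScheduledInstallDay", 0)    # 0 = every day, 1-7 = Sunday-Saturday
        hour = au.get("ScheduledInstallTime", 3)  # 0-23
        if not (0 <= day <= 7 and 0 <= hour <= 23):
            findings.append("Scheduled install day/time out of range: %r/%r" % (day, hour))
    return findings


if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("no intranet server", NO_INTRANET_EXPORT)):
        print(label + ":", check_sus_policy(export) or "OK")
```

To run it against a real client, read the exported file with encoding="utf-16" (reg.exe and regedit write UTF-16 with a byte-order mark) and pass its contents to check_sus_policy. Run it on a machine that has been rebooted or had gpupdate run after the GPO was linked, otherwise the absence of the values only tells you that policy has not refreshed yet.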



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325