Friday, October 24, 2008

WSUS versus Microsoft Updates Website

Whew, I know it's been forever since I've updated this blog but I have been insanely busy lately. Started a new job back in June and have been stacked with projects, not to mention documentation!

Anyway, wanted to make some notes on WSUS v3, which I've recently implemented here at Bolinger, Segars, Gilbert & Moss. Firstly, once you install WSUS you're probably thinking: "What is the difference between configuring WSUS vs just using the Microsoft website?" Well, they are completely separate.

Now, before I get too far ahead of myself, WSUS is Windows Server Update Services, which can be downloaded for free from Microsoft's website HERE. Basically, you install it on a server on your domain with IIS and configure Group Policy settings to point all your client workstations (and servers) to it. For more information on configuring Group Policy for use with WSUS, please visit this website.

Now, once you have the WSUS services installed, you'll need to run the wizard on the admin console to configure the products you want to receive updates for. This is critical, because if you select products you don't need, you'll have to sort through them later, as there is no way to remove them from your list once downloaded. You can, however, rerun the wizard to exclude unwanted software from future updates. Once you've run the wizard, you'll need to manually approve/deny each update (there are quite a few of them), even if your clients already have the update.

I would recommend configuring different groups for different updates, such as a group for servers and a group for workstations, so you can keep everything organized. Once you have approved some updates, you can either wait until the server asks for updates (provided you have Group Policy configured to point to the WSUS server), which is about every 16-22 hours by default, or you can test your setup by connecting to a server or workstation, opening up the command line and typing 'wuauclt.exe /detectnow'. This will manually force a query to the WSUS server for approved updates.

OK, you already have everything set up; now to deal with the Windows Update website. You may or may not want users connecting to the website to get updates; this is purely a personal or company-based mandate. If you do not want users to use the website, you have several options. If you have an internet filter on your network, just block the website; otherwise you'll need to configure the GPO setting under 'user configuration/administrative templates/start menu and taskbar/remove links and access to Windows Update'. This prevents users from connecting to the Windows Update website and also blocks the ActiveX control used if the user connects to the website manually. Bear in mind this affects administrators and non-administrators alike, so use with caution!
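
To confirm on a client that the settings described in this post actually arrived, the PowerShell script below (an added example, not part of the original post) reads the registry values that the WSUS Group Policy settings and the 'Remove links and access to Windows Update' setting write, and can trigger the same 'wuauclt.exe /detectnow' check-in. The function names Get-PolicyValue and Test-WsusClientPolicy are hypothetical; run it as the user whose policy you want to inspect.

```powershell
# Added example: show which update policy this client actually received.
function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return $null
}

function Test-WsusClientPolicy([switch]$Detect) {
    # Machine policy: where the Automatic Updates client is told to look.
    $wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    # User policy: 'Remove links and access to Windows Update'.
    $exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    $result = [pscustomobject]@{
        WUServer        = Get-PolicyValue $wu 'WUServer'
        WUStatusServer  = Get-PolicyValue $wu 'WUStatusServer'
        UseWUServer     = Get-PolicyValue "$wu\AU" 'UseWUServer'
        DetectFreqHours = Get-PolicyValue "$wu\AU" 'DetectionFrequency'
        NoWindowsUpdate = Get-PolicyValue $exp 'NoWindowsUpdate'
    }

    if ($result.UseWUServer -ne 1 -or -not $result.WUServer) {
        Write-Warning 'No WSUS server policy found: this client is not pointed at WSUS.'
    } elseif ($result.WUServer -ne $result.WUStatusServer) {
        Write-Warning 'WUServer and WUStatusServer differ; they are normally the same URL.'
    }
    if ($result.NoWindowsUpdate -eq 1) {
        Write-Host 'Windows Update website access is removed for the current user.'
    } else {
        Write-Host 'Windows Update website access is not restricted for the current user.'
    }
    if ($Detect -and $result.UseWUServer -eq 1) {
        # Same manual check-in the post describes.
        & "$env:SystemRoot\System32\wuauclt.exe" /detectnow
    }
    return $result
}

Test-WsusClientPolicy | Format-List
```

An empty DetectFreqHours means no detection interval was set by policy, so the client uses the default interval mentioned above. Call `Test-WsusClientPolicy -Detect` to force the check-in after reviewing the values.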