Windows Server Update Services: installing and configuring WSUS


Updating the operating system and/or software installed on child terminals can, since relatively recently, be performed with a special tool abbreviated as WSUS. What is it? In essence, it is software that removes the need for each computer on the local network to use its own Internet connection to install updates. Below we cover how it all works and which settings need to be configured.

Windows Server Update Services: what is it and why is it needed?

Put simply, this service is software for automatically updating the OS and applications. It is installed only on the server to which the other user terminals are connected, joined in a single local or virtual network.

Since Microsoft releases updates for its products with enviable regularity, they need to be installed on all machines on the network, which is quite problematic if there are more than a dozen of them. To avoid doing this on each individual terminal, you can use the WSUS Offline Update function, where the main update is installed only on the server and then “distributed” to all the other computers.

The advantages of this approach are obvious: Internet traffic is reduced (the network is not loaded by downloads), and time is saved on installing updates, which happens automatically when the software on the central server is configured correctly.

Installation Requirements

The WSUS service cannot be configured or used without meeting a number of initial conditions. Pay attention to the main components that must first be downloaded and installed on the server if they are missing.

The following components can be identified as priorities:

  • Windows Server OS, version 2003 or later (with at least the first service pack);
  • .NET Framework version 2.0 or later;
  • the IIS server role, version 6.0 or higher;
  • Microsoft Report Viewer 2008;
  • SQL Server 2005 with the second service pack;
  • Microsoft Management Console 3.0.

Installation process

Installing WSUS also involves reserving about 100 GB of free disk space on the server (the location of the update storage folder is specified in the first step after running the main installer).

Web Server Database Settings

In principle, the installer by default offers to install an internal database, but to simplify the process you can use an existing database server.

In this case you will need to enter its network name yourself, matching the terminal's identifier on the network. The first two options can be used to receive updates either from the Microsoft server or from an internal server. There is also a third option: installing the database on a remote terminal. This scheme is mainly used only when updates must be distributed to remote branches from an additional update server.

Port selection

At the next stage of the WSUS installation, the configuration involves selecting a port. This must be done very carefully, since entering incorrect values can mean that the entire scheme will not work.

Please note that port 80 is suggested by default. You can, of course, leave it, but it is better (and this is confirmed by practice) to use port number 8530 (8531). This approach is applicable only when the proxy has to be configured manually.

Selecting updates

The next step in installing WSUS is to configure the settings for receiving updates from the upstream server. In other words, you need to indicate exactly where updates will be downloaded from.

There are two options: synchronize either with the Microsoft update server or with another remote terminal. It's better to use the first option.

Setting up WSUS in a domain

You can select any languages from the proposed list, but English must be selected, since without it correct downloading and distribution of updates is not guaranteed.

Product selection

Now for WSUS Offline Update you must specify which software products are to be updated. According to most experts, when choosing, it is advisable not to be greedy and to mark the maximum possible number of items on the list.

But you shouldn’t get carried away either. It is better to mark only what is really necessary. For example, if Office 2003 is not installed on any machine on the network, then there is no point in specifying its update.

At the next stage, WSUS update will prompt you to select software classes for which updates will be downloaded first. Here it's your choice. In principle, you don’t have to check the boxes to install driver updates, tools, and new features. Once completed, a time is set for the selected updates to be downloaded and installed.

Console Settings

Now open the console and, first of all, set up manual synchronization so that all updates available at the moment are downloaded.

After this, you will have to start setting up groups of terminals. It is recommended to create two categories of computers. One will contain servers, the other - regular workstations. This setting will allow you to limit the installation of updates on servers.

Since all terminals visible on the network are currently in the category of unassigned computers, you will have to manually distribute them into the appropriate groups.

At the next stage WSUS setup involves creating special update rules, which is done in the automatic approval section. For workstations, it is advisable to set an automatic approval rule, and for servers you will need to additionally mark one more corresponding line. In addition, it is not recommended for servers to select absolutely all updates, as this can lead to malfunctions.

Setting update options in group policies

After the basic settings are complete, there are a few more steps to perform regarding permissions and approvals.

To do this, use the Group Policy Editor, which is easiest to open from the “Run” dialog (Win + R) with the gpedit.msc command rather than through the “Control Panel” or the administration section.

Here you need to go through the computer configuration and policies to the administrative templates, where you can find the “Update Center”. In it we are interested in the parameter responsible for specifying the location of the update service on the intranet. Double-click it to open the edit window, enable the setting and specify the server address, which usually looks like http://SERVER_NAME, where SERVER_NAME is the name of the server on the network. Instead of the name, you can simply enter the server IP. After the setup is completed, the child machines will begin to receive update packages after some time.

Possible mistakes

WSUS errors are most often associated with too many unnecessary updates being enabled on the server, as mentioned above.

However, an equally common problem is that updates are not installed on all child terminals on the network. In this case, you need to open the automatic approvals section and set for them exactly the type of group policy that corresponds to the automatic installation of critical operating system updates and security updates. You can also create your own new rule specifying products and update installation parameters (you can even use manual approval).

Finally, to avoid a full reset of the WSUS settings, after which the entire configuration procedure would have to be repeated, it is strongly recommended to clean up the server at least once a month (a “Wizard” of the same name is provided for this). This helps remove unclaimed updates from the system and significantly reduces the size of the database itself (clearly, the larger the database, the longer it takes to access it, plus there is excessive load on the server’s computing resources and on the distribution of updates over the network).

In some cases, it may help not to use the default policy (Default Group Policy) but to create a new one with all the parameters from the available list enabled, entering the server's network address (with port 8530).

In the case when so-called mobile workstations are used, similar settings can be made in the section of local security policies, specifying the appropriate parameters. If everything is done correctly, only critical updates will be installed for the Server terminal group, and absolutely all updates that were selected at the initial setup stage will be installed for computers included in the Workgroup group (or a category with a different name).

In place of a conclusion

With that, the topic of setting up the WSUS automatic update service can be considered covered. For everything to work without worrying the system administrator later, pay attention to the initial conditions related to installing the additional components. It is believed that it is better to use a server OS version of 2008 R2 or higher rather than 2003, and .NET Framework version 4 rather than 2.0. In addition, pay special attention to proxy settings and port selection, since port 80 by default may not work. Finally, one of the most important aspects of the configuration is the selection of terminal groups and of the updates installed on them. Otherwise, as a rule, there should be no problems, although when downloading large updates over a poor-quality connection, short-term failures and errors in distributing updates over the network can still be observed. You also need to clean up the server from time to time. If for some reason the automatic tool has no positive effect, you can at least try deleting temporary files manually from the SDTemp directory. At the very least, even such a trivial step will immediately reduce the load not only on the server itself, but also on the child terminals and on the network as a whole.

Windows Server Update Services (WSUS) is an update server for Microsoft operating systems and products. It is a very useful console if there are more than 10 computers in the office. It lets you “distribute” updates from ONE server to all computers on the network: instead of every individual computer loading the Internet channel, one server downloads the updates and “distributes” them across the network to all workstations and servers.

Initially, in Windows 2003, it was necessary to download the WSUS distribution kit from the Microsoft website. With the advent of MS Windows 2008 and MS Windows 2008 R2, this need disappeared because the WSUS role appeared, although you can still download the distribution kit from the Microsoft website the old-fashioned way.

To install, you must meet the minimum requirements, namely:
  • Operating system: Windows Server 2003 SP1 and higher.
  • Additional server roles: IIS 6.0 and higher (for Windows Server 2008, when adding a role, it will prompt you to install it).
  • Additional OS updates: Microsoft .NET Framework 2.0, Microsoft Management Console 3.0.
  • Additional programs: Microsoft Report Viewer, SQL Server 2005 SP1 (WSUS can install the Windows Internal Database service).
It is necessary to take into account the space on your hard drive; I would recommend a minimum of 100 GB, depending on what settings you have in WSUS.
So, no matter which way you install (using a distribution or adding a role), the steps will be the same.

After the installation starts, you must click Next several times. I will focus on the main steps:
We indicate where the updates will be stored (disk with at least 100 GB of free space)

Specify the folder where the update database will be stored (2-4 GB of free space).

A very important step is choosing the port on which updates will be distributed. By default, port 80 is used, but I do not recommend using it, because this port is often used by other applications. It's better to create a WSUS service website and use port 8530.

After installing the WSUS service, you need to configure it correctly; again, let's look at the basic steps:
We choose where we will get updates from; if this is the first WSUS server, we select synchronization from the Microsoft Update Center.

The languages you choose should be English (required) plus the languages that are found on your network.

We select the products that will be updated (you should indicate only those that you use, otherwise meaningless updates will take up space on your hard drive).

Select the product classes that will be updated.

The basic settings are completed, let's move on to additional settings, setting up the WSUS console directly. For convenience, I would recommend creating 2 groups of computers, one group will have servers, the other will have workstations (this is done so that you can limit the installation of updates for servers).

Initially, all computers will be located in Unassigned computers; you then need to move them manually to the required groups. For workstations, I recommend installing all updates; to do this, go to “Options - Automatic approval” and make the following rule.

And for servers we make a rule that approves only critical updates (for servers it is strongly recommended not to install all updates, as this can disrupt their operation; I have encountered this more than once).
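The two groups and the two automatic approval rules described above can also be created through the WSUS administration API. This is an added example, not part of the original article; it assumes it runs on the WSUS server itself (or a machine with the WSUS console installed), that WSUS listens on port 8530 without SSL, and it uses the group names Server and Workgroup with rule names chosen for illustration.

```powershell
# Added example: create the computer groups and automatic approval rules
# through the WSUS administration API instead of clicking through the console.
# Assumptions: local WSUS on port 8530 without SSL; group and rule names are ours.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)

function Resolve-TargetGroup {
    param($Server, [string]$Name)
    # Reuse the group if it already exists so the script can be re-run safely.
    $existing = $Server.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if ($existing) { return $existing }
    return $Server.CreateComputerTargetGroup($Name)
}

function Set-ApprovalRule {
    param($Server, [string]$RuleName, $Group, $Classifications)
    $rule = $Server.GetInstallApprovalRules() | Where-Object { $_.Name -eq $RuleName }
    if (-not $rule) { $rule = $Server.CreateInstallApprovalRule($RuleName) }

    # Limit the rule to one computer group.
    $groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    [void]$groups.Add($Group)
    $rule.SetComputerTargetGroups($groups)

    # Limit the rule to the given update classifications.
    $classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    foreach ($c in $Classifications) { [void]$classes.Add($c) }
    $rule.SetUpdateClassifications($classes)

    $rule.Enabled = $true
    $rule.Save()
    return $rule
}

$serverGroup      = Resolve-TargetGroup $wsus 'Server'
$workstationGroup = Resolve-TargetGroup $wsus 'Workgroup'

$allClasses = @($wsus.GetUpdateClassifications())
# The title is matched in English; on a localized WSUS server adjust the string.
$critical = @($allClasses | Where-Object { $_.Title -eq 'Critical Updates' })
if ($critical.Count -eq 0) {
    throw "Classification 'Critical Updates' not found on this server."
}

# Workstations: approve every classification. Servers: critical updates only.
[void](Set-ApprovalRule $wsus 'Workgroup - all updates' $workstationGroup $allClasses)
[void](Set-ApprovalRule $wsus 'Server - critical only'  $serverGroup      $critical)

# Show the resulting rules for review.
$wsus.GetInstallApprovalRules() | Select-Object Name, Enabled
```

Computers still have to be moved out of Unassigned computers into these groups before the rules affect them.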

Now changes must be made on all computers on the network so that they know where to “get” updates from. This is done using group policies. On the domain controller, go to “Start – Administration – Group Policy Management”. Select the policy that operates in the domain (Default Group Policy by default) or create a new one. Right-click it and select “Change”. In the “Group Policy Management Editor” window, go to “Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update”. Below are ready-made and tested settings. Where the red line is, enter the name or IP address of your server on which WSUS is installed.


If the infrastructure includes workstations that are not part of the domain (for example, mobile workstations) but still need the update service, it is possible to specify this service in the “Local security policy”.
At the command line, type gpedit.msc and perform the same operations that were described above for group policy in the domain.
A few minutes after all the procedures, network computers will begin to appear in the WSUS console in the Unassigned computers group. According to their operating system, you move them to the desired group (Server or Workgroup). Let me remind you that according to our settings, all updates will be installed on computers that are in the Workgroup group, and only critical ones on servers.

February 10

WSUS (Windows Server Update Services) is needed for automatically downloading patches, service packs and other extras from the Microsoft website and distributing this content inside the local network. That is, administrators do not need to download patches separately and install them on each machine. It is enough to install WSUS on the server, configure it, and configure the work machines to use this server. An update is downloaded once to the server itself and is installed from there across the local network. Using WSUS also significantly reduces the Internet traffic spent on downloading updates and system patches.

WSUS is a free product; however, you must have the correct license for the server OS, as well as a Windows Client Access License (CAL) for each workstation that is updated from the WSUS server. Microsoft provides free use of the update service for its software products during the entire support period of the product. The necessary updates are available via the Internet to all users of the software products.

Installing WSUS

Windows Server 2008 includes a Windows Server Update Services role.

For Windows Server 2003, the system requirements for installing WSUS 3.0 SP1 are as follows:

  • Operating system: Windows Server 2003 SP1 and higher.
  • Additional server roles: IIS 6.0 and higher
  • Additional OS updates: Microsoft .NET Framework 2.0, Microsoft Management Console 3.0.
  • Additional programs: Microsoft Report Viewer, SQL Server 2005 SP1 (WSUS can install the Windows Internal Database service).

Although the service places almost no demands on the processor and RAM, it requires a fair amount of disk space, preferably 40 GB or more. Ultimately, the amount of disk space consumed will depend on the number of products that need to be updated and the number of updates the infrastructure requires.
If the server does not meet the system requirements during installation, a warning window will appear describing what needs to be installed.

Setting up a WSUS server

For the server to operate normally, you need to specify a number of parameters, which is done using the “Windows Server Update Services Configuration Wizard”.

In the “Select an upstream server” window, you must select the “Synchronize with Microsoft Update” option.

If a proxy server is used in the corporate environment, you must specify the IP address, port number and authentication parameters of the proxy server in the “Proxy Server Configuration” window.

In the “Select languages” window, you must select “Download updates only in the following languages”. Be sure to select “English”. The other languages must be chosen based on the systems installed in the company; usually “Russian” is added as well. There is no need to select “Download updates in all languages, including new ones”, as this will increase the number of updates stored on disk.

In the Select Products window, you must select the products installed within your corporate environment.

IMPORTANT! Never install all products, as this may cause the size of the stored updates to increase and the updates will not be used. It is necessary to methodically and consistently select only those products that are used within the corporate environment.

In the “Select classes” window, you need to specify only those classes that require updates, since specifying extra classes significantly increases the size of stored updates.

In the “Synchronization schedule settings” window, you must select a synchronization time. WSUS synchronization does not involve downloading updates. In this case, synchronization will only update information from the Microsoft Update server.

After the first synchronization, you need to open the WSUS console and select “Options”. In “Options”, open the “Update Files and Languages” item.

On the “Update Files” tab of the “Update Files and Languages” window, you must specify how the update files will be stored. Since we want to reduce Internet traffic, select “Store update files locally on this server” and ALWAYS select the items “Upload update files to the server only after the update is approved” and “Download express installation files.” The item “Upload update files to the server only after the update is approved” is necessary because by default the server downloads ALL updates that it deems necessary for the selected products. However, since over time many updates are rolled up into a Service Pack, most likely they will not be needed and will only take up disk space.

After all the settings, you need to add computers to the WSUS service.

Adding computers to WSUS

If you have a domain, then all you need to do is register the WSUS service in its group policy and select computer update rules.

This is done as follows: “Start - Administrative Tools - Group Policy Management”. Select the policy that is valid in the domain (Default Group Policy by default). Right-click and select “Edit”.

In the “Group Policy Management Editor” window, go to “Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update”. Select the item “Specify the location of the update service on the Intranet”.

In the “Properties: Specify the location of the update service on the Intranet” window, select “Enabled” and in the field “Specify the update service on the intranet to search for updates” enter a line like http://[IP address or DNS name of the update server on the network]. Copy the same address into the “Specify intranet statistics server” field. The Group Policy Editor shows hints in the Explain window.

You also need to define an update policy. This is done through the “Setting up automatic updates” item.

In the “Properties: Setting up automatic updates” window, select “Enabled” and set the parameters “Setting up automatic updates”, “Scheduled installation - day” and “Scheduled installation - time”. The Explain window describes all the parameters. For servers it is advisable to set the option “2 - notifications about download and installation”, which lets administrators choose when updates are installed on servers.

If within the infrastructure there are workstations that are not part of the domain (for example, mobile workstations), but the update service for these workstations is necessary, then it is possible to specify this service in the “Local Security Policy”.

At the command line, type gpedit.msc and perform the same operations that were described above for group policy in the domain.

After some time, the computer will appear in “Computers – All computers – Unassigned computers” with “Condition: Any”.
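If a computer does not show up in the console, check whether the two policies actually reached it. The following is an added example, not part of the original article: it reads the registry values that these policies write under the standard Windows Update policy key and reports what it finds. The function names are illustrative, and the sample call at the end uses constructed values with the SERVER_NAME placeholder. The HTTP warning reflects that a WSUS website on 8530 is plain HTTP, while 8531 is its SSL port.

```powershell
# Added example: audit the WSUS client policy written by the two GPO settings above.
# Function names are illustrative; the registry paths are the standard
# Windows Update policy location.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WsusClientPolicy {
    param([string]$WUServer, [string]$WUStatusServer, $UseWUServer, $AUOptions)

    if ([string]::IsNullOrEmpty($WUServer)) {
        'FAIL: WUServer is not set; the client still goes to Microsoft Update.'
        return
    }
    $uri = $null
    if (-not [System.Uri]::TryCreate($WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        "FAIL: WUServer is not a valid absolute URL: $WUServer"
        return
    }
    if ($UseWUServer -ne 1) {
        'FAIL: UseWUServer is not 1; the WUServer address is ignored.'
    }
    if ($WUStatusServer -ne $WUServer) {
        "WARN: statistics server '$WUStatusServer' differs from '$WUServer'; reports may not reach the console."
    }
    if ($uri.Scheme -eq 'http') {
        "WARN: $WUServer is plain HTTP; update metadata crosses the network unprotected (the WSUS SSL port is 8531)."
    }
    if ($uri.IsDefaultPort) {
        "NOTE: default port $($uri.Port) is in use; confirm the WSUS site really listens there and not on 8530."
    }

    # Meaning of the 'Setting up automatic updates' option values.
    $auText = @{
        2 = 'notify before download and install'
        3 = 'download automatically, notify before install'
        4 = 'download automatically, install on schedule'
        5 = 'local administrator chooses the setting'
    }
    if ($null -eq $AUOptions) {
        'WARN: AUOptions is not set; the automatic update policy is not configured.'
    } elseif ($auText.ContainsKey([int]$AUOptions)) {
        "INFO: AUOptions = $AUOptions ($($auText[[int]$AUOptions]))."
    } else {
        "WARN: unexpected AUOptions value: $AUOptions"
    }
}

# Audit the local machine.
$values = @{
    WUServer       = (Get-PolicyValue $WuKey 'WUServer')
    WUStatusServer = (Get-PolicyValue $WuKey 'WUStatusServer')
    UseWUServer    = (Get-PolicyValue $AuKey 'UseWUServer')
    AUOptions      = (Get-PolicyValue $AuKey 'AUOptions')
}
Test-WsusClientPolicy @values

# Constructed sample input showing the output for a typical server policy.
Test-WsusClientPolicy -WUServer 'http://SERVER_NAME:8530' `
    -WUStatusServer 'http://SERVER_NAME:8530' -UseWUServer 1 -AUOptions 2
```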

Update management

To see and approve the necessary updates, select the following filter items in “Updates – All Updates”: “Approval: Unapproved” and “Status: Required”, then click “Update”.

IMPORTANT! To check for necessary updates, always make sure that the filter is set to “Approval: Unapproved” and “Status: Required”; otherwise you risk downloading updates you don’t need, or not downloading them at all. If the filter set to “Approval: Unapproved” and “Status: Required” shows an empty list, then all necessary updates for the computers have already been approved and are on the server.

After approval, updates will appear on the computer after some time according to the rules configured in the security policy.

Quite often you need to force a computer to check for updates on the update server. The wuauclt.exe program, run from the command line, does this. To check for updates, run it with the /detectnow switch (wuauclt.exe /detectnow). To send a status report (very often necessary when connecting to the update server for the first time), run it with the /reportnow switch (wuauclt.exe /reportnow).

Installing Windows Server Update Services on the Windows 2008 R2 platform is not a difficult task. Just remember that the WSUS distribution kit itself no longer needs to be downloaded from the Microsoft website. This server is installed in the same way as most other Windows Server 2008 R2 services: by installing server roles.

Note that you may still need the WSUS installation package, but only if you want to install a separate administration console on one of the workstations. In this case, you can download it from here.

Setting up a WSUS server

So let's start the installation. We will assume that you have already installed the Windows 2008 R2 operating system and are logged in with an account that has local administrator rights. Before installation, make sure that the server is connected to the network and that the Internet is accessible from it (this is important).

1. Open the “Server Manager” snap-in. Then, in the left panel, open the “Roles” branch, and in the right panel, launch the “Add Roles” wizard (see figure below):

2. After selecting the “Windows Server Update Services” list line, a wizard window will appear prompting you to add the Web server service, as well as necessary components. We agree with this proposal and click “Next” three times.

3. The next step is actually installing the WSUS service. Click “Next” and then “Install”. At this point, the server will begin downloading from the Internet and installing the service. During the installation process, you will be required to accept the terms of the license agreement:

We will install this package later.

5. The next step is to specify the location of the folder where the updates will be stored. You can accept the suggested option or specify a different folder. This folder must be on a disk with the NTFS file system. Make sure there is enough space there. As a guide, Windows updates for servers and workstations in two languages (Russian, English) will require approximately 40 - 60 GB. I don’t recommend saving...

6. MS SQL database is used to operate WSUS 3.0. You can use an internal database or use an existing one on your network:

The WSUS service address is also indicated here, which will be required when setting up service clients.

9. That's it... at this point, the installation process itself can be considered complete.

10. But the wizard's work continues. The next step is to configure the update service itself:

11. The following wizard steps will help you make the initial settings of the WSUS service. You will need to specify which server this WSUS server will synchronize from. Possible options: the Microsoft server or an upstream WSUS server.

12. It is necessary to specify the proxy server settings during synchronization:

13. In the next step we will connect to the Microsoft server (or upstream server). This may take a few minutes:

If this process fails, check the proxy server settings you entered earlier. Make sure the Microsoft server or upstream WSUS server is reachable from that server and try again.

15. At the next step you will be asked to select the Microsoft products for which updates will be downloaded.

16. Also, you need to select update classes:

The update download process will take a long time. The initial download will take several hours and can amount to several tens of gigabytes. In order to reduce the amount of traffic, the WSUS server can be “fed” the update catalog from another server. This is especially true in cases where the WSUS server is deployed on a LAN that has access to the Internet over a slow communication channel.

If you did anything wrong during the server setup process, open the Windows Server Update Services console and select “Options” in the left pane. In the central panel you can change individual settings manually or rerun the WSUS Server Configuration Wizard.







