448 Chapter 9 Managing Software Updates Lesson Review You can use the following questions to test your knowledge of the information in Lesson 1, “Understanding Windows Server Update Services.” The questions are also available on the companion CD if you prefer to review them in electronic form. NOTE Answers Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. 1. You are a systems engineer for an enterprise video production company. Your organi- zation has six offices and a centralized IT department that manages all of the 1200 cli- ent computers. Each of the offices has about 200 computers. The WAN uses a hub-and- spoke architecture, with each of the five remote offices connected directly to the head- quarters. How would you design the WSUS architecture? A. Deploy a WSUS server to each office. Configure the WSUS servers to be managed by each office’s local IT support department. B. Deploy a WSUS server at the headquarters. Configure all client computers to retrieve updates directly from Microsoft. C. Deploy a WSUS server at the headquarters. Configure all client computers to retrieve updates directly from the WSUS server. D. Deploy a WSUS server to each office. Configure the WSUS servers at the remote offices to be replicas of the WSUS server at the headquarters. 2. You are a systems administrator configuring an update infrastructure for your organiza- tion. You need to use Group Policy settings to configure client computers to download updates and install them automatically without prompting the user. Which Group Pol- icy setting should you enable and configure? A. Allow Automatic Updates Immediate Installation B. Configure Automatic Updates C. No Auto-Restart For Scheduled Automatic Updates D. Enable Client-Side Targeting Lesson 1: Understanding Windows Server Update Services 449 3. You are currently evaluating which of the computers in your environment will be able to download updates from WSUS. Which of the following operating systems can act as WSUS clients (even if they require a service pack)? (Choose all that apply.) A. Windows 95 B. Windows 98 C. Windows 2000 Professional D. Windows XP Professional 450 Chapter 9 Managing Software Updates Lesson 2: Using Windows Server Update Services With Windows Server 2008, you can install WSUS using Server Manager and manage it with the Update Services console. This newest version of WSUS includes a significant number of new features and user interface changes, and, even if you are familiar with earlier versions, you should complete this lesson so that you understand exactly how to manage the software. After this lesson, you will be able to: ■ Install WSUS on a computer running Windows Server 2008. ■ Configure computer groups, approve updates, and view WSUS reports. ■ Troubleshoot both client and server problems installing updates. ■ Manually remove problematic updates from client computers. Estimated lesson time: 40 minutes How to Install Windows Server Update Services WSUS is a free download available at http://www.microsoft.com/wsus. Follow the instructions available at that Web page to install the latest version of WSUS for Windows Server 2008. After installation you must synchronize the updates from Microsoft Update by following these steps: 1. Click Start, Administrative Tools, and then Microsoft Windows Server Update Services. The Update Services console appears. 2. In the console tree, select the server name. In the details pane, click the Synchronize Now link. Synchronization will take several minutes (and could take more than an hour). After synchro- nization completes, you can begin to manage WSUS. How to Configure Windows Server Update Services After installing WSUS and beginning synchronization, configure WSUS by following these steps: 1. Fine-tune the WSUS configuration by editing WSUS options. 2. Configure computer groups to allow you to distribute updates to different sets of com- puters at different times. Lesson 2: Using Windows Server Update Services 451 3. Configure client computers to retrieve updates from your WSUS server. 4. After testing updates, approve or decline them. 5. View reports to verify that updates are being distributed successfully and identify any problems. The sections that follow describe each of these steps in more detail. How to Configure WSUS Options Though the setup wizard prompts you to configure the most important WSUS options, you can configure other options after the initial configuration by selecting the Options node in the Update Services console, as shown in Figure 9-3. Figure 9-3 Configuring WSUS options You can configure options in the following categories: ■ Update Source And Proxy Server Configure the upstream WSUS server or configure the WSUS server to retrieve updates from Microsoft. You configure this during installation and rarely need to change it unless you modify your WSUS architecture. ■ Products And Classifications Choose the Microsoft products that WSUS will download updates for. You should update these settings when you begin supporting a new product or stop supporting an existing product (such as an earlier version of Microsoft Office). ■ Update Files And Languages Select where updates are stored and which languages to download updates for. 452 Chapter 9 Managing Software Updates ■ Synchronization Schedule Configure whether WSUS automatically synchronizes updates from the upstream server and how frequently. ■ Automatic Approvals Configure updates for automatic approval. For example, you can configure critical updates to be automatically approved. You should use this only if you have decided not to test updates for compatibility—a risky decision that can lead to com- patibility problems with production computers. ■ Computers Choose whether to place computers into groups using the Update Services console or Group Policy and registry settings. For more information, read the following section, “How to Configure Computer Groups.” ■ Server Cleanup Wizard Over time, WSUS will accumulate updates that are no longer required and computers that are no longer active. This wizard helps you remove these outdated and unnecessary updates and computers, freeing disk space (if you store updates locally) and reducing the size of the WSUS database. ■ Reporting Rollup By default, downstream servers push reporting information to upstream servers, aggregating reporting data. You can use this option to configure each server to manage its own reporting data. ■ E-Mail Notifications WSUS can send an e-mail when new updates are synchronized, informing administrators that they should be evaluated, tested, and approved. In addi- tion to configuring those e-mail notifications, you can use this option to send daily or weekly status reports. ■ Microsoft Update Improvement Program Disabled by default, you can enable this option to send Microsoft some high-level details about updates in your organization, including the number of computers and how many computers successfully or unsuc- cessfully install each update. Microsoft can use this information to improve the update process. ■ Personalization On this page you can configure whether the server displays data from downstream servers in reports. You can also select which items are shown in the To Do list that appears when you select the WSUS server name in the Update Services console. ■ WSUS Server Configuration Wizard Allows you to reconfigure WSUS using the wizard interface used for initial configuration. Typically, it’s easier to configure the individual settings you need. How to Configure Computer Groups In most environments, you will not deploy all updates to all clients at once. To give you control over when computers receive updates, WSUS 3.0 allows you to configure groups of computers and deploy updates to one or more groups. You might create additional groups for different models of computers or different organizations, depending entirely on the process you use for Lesson 2: Using Windows Server Update Services 453 deploying updates. Typically, you will create computer groups for each stage of your update deployment process, which should resemble this: ■ Testing Deploy updates to computers in a lab environment. This will allow you to verify that the update distribution mechanism works properly. Then you can test your applica- tions on a computer after the updates have been installed. ■ Pilot After testing, you will deploy updates to a pilot group. Typically, the pilot group is a set of computers belonging to your IT department or another computer-savvy group that is able to identify and work around problems. ■ Production If the pilot deployment goes well and there are no reported problems after a week or more, you can deploy updates to your production computers with less risk of compatibility problems. You can configure computer groups in one of two ways: ■ Server-side Targeting Best suited for small organizations, you add computers to com- puter groups manually using the Update Services console. ■ Client-side Targeting Better suited for larger organizations, you use Group Policy set- tings to configure computers as part of a computer group. Computers automatically add themselves to the correct computer group when they connect to the WSUS server. Whichever approach you use, you must first use the Update Services console to create com- puter groups. By default, a single computer group exists: All Computers. To create additional groups, follow these steps: 1. Click Start, Administrative Tools, and then Microsoft Windows Server Update Services. The Update Services console appears. 2. In the console tree, expand Computers, and then right-click All Computers (or the com- puter group you want to nest the new computer group within). Choose Add Computer Group. The Add Computer Group dialog box appears. 3. Type a name for the computer group, and then click Add. 4. Repeat steps 2 and 3 to create as many computer groups as you need. Server-side Targeting To add computers to a group using server-side targeting, follow these steps: 1. In the console tree of the Update Services console, expand Computers, All Computers, and then select Unassigned Computers. Then, in the details pane, right-click the computer you want to assign to a group (you can also select multiple computers by Ctrl-clicking) and choose Change Membership. 454 Chapter 9 Managing Software Updates 2. In the Set Computer Group Membership dialog box, select the check box for each group that you want to assign the computer or computers to. Click OK. The computers you selected will be moved to the specified computer groups. Client-side Targeting You use Group Policy objects (GPOs) to add computers to computer groups when you enable client-side targeting. First, configure the WSUS server for client-side targeting by following these steps: 1. Click Start, Administrative Tools, and then Microsoft Windows Server Update Services. The Update Services console appears. 2. In the console tree, select Options. In the details pane, click Computers. 3. In the Computers dialog box, select Use Group Policy Or Registry Settings On Com- puters. Then, click OK. Next, configure GPOs to place computers in the correct computer group. You will need to cre- ate separate GPOs for each computer group and configure each to apply only to the appropri- ate computers. 1. Open the GPO in the Group Policy Management Editor. 2. In the console tree, select the Computer Configuration\Policies\Administrative Tem- plates\Windows Components\Windows Update node. 3. In the details pane, double-click the Enable Client-Side Targeting policy. 4. In the Enable Client-Side Targeting Properties dialog box, select Enabled. Then, type the name of the computer group you want to add the computer to and click OK. After the client computers apply the Group Policy settings, restart the Windows Update ser- vices, and contact the WSUS server; they will place themselves in the specified group. Quick Check 1. What protocol do Windows Update clients use to retrieve updates from an update server? 2. Should an enterprise use client-side targeting or server-side targeting? Quick Check Answers 1. HTTP. 2. Enterprises should use client-side targeting, which leverages Group Policy settings to configure which updates client computers retrieve. Lesson 2: Using Windows Server Update Services 455 How to Configure Client Computers The section “Windows Update Client” in Lesson 1, “Understanding Windows Server Update Services,” described the different Group Policy settings available to configure how clients retrieve updates. The following steps provide instructions for performing the minimal amount of configuration necessary (which is sufficient for many organizations) for WSUS clients to download updates from your WSUS server. 1. Open the GPO you want to use to distribute the configuration settings. In the Group Pol- icy Management Editor, select the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update node. 2. In the details pane, double-click Specify Intranet Microsoft Update Service Location. The Specify Intranet Microsoft Update Service Location Properties dialog box appears. 3. Select Enabled. In both the Set The Intranet Update Service For Detecting Updates box and the Set The Intranet Statistics Server box, type http://WSUS_Computer_Name. Click OK. 4. Double-click Configure Automatic updates. The Configure Automatic updates Properties dialog box appears. 5. Select Enabled. Configure the automatic update settings. For example, to have updates automatically installed, from the Configure Automatic Updating drop-down list select 4 - Auto Download And Schedule The Install. Click OK. With these Group Policy settings enabled, clients will retrieve and optionally install updates from your WSUS server. How to Approve Updates Unless you have configured automatic approval, updates are not approved by default. To man- ually approve updates, follow these steps: 1. Click Start, Administrative Tools, and then Microsoft Windows Server Update Services. The Update Services console appears. 2. In the console tree, expand the server name, and then expand Updates. Select one of the following options: ❑ All Updates Displays all updates. This is the most convenient option for approv- ing updates. ❑ Critical Updates Displays only critical updates, which are high-priority updates, such as bug fixes, that are not security related. ❑ Security Updates Displays only updates that fix known security problems. ❑ WSUS Updates Displays updates related to the update process. 456 Chapter 9 Managing Software Updates 3. On the toolbar at the top of the details pane, from the Approval drop-down list, select Unapproved, as shown in Figure 9-4. You can also use this list to view updates that you have approved or declined. Figure 9-4 Viewing updates that require approval 4. From the Status drop-down list, select Any. Click Refresh to display the updates. NOTE Sorting updates To sort updates so that newer updates appear first in the list, right-click the column headings, and then select the Release Date column. Then, click the Release Date column header to sort by that date. 5. Select the updates that you want to approve. You can select multiple updates by Ctrl- clicking each update. Alternatively, you can select many updates by clicking the first update and then shift-clicking the last update. Press Ctrl+A to select all updates. Right- click the selected updates, and then choose either Approve (to distribute the update to clients the next time they check for updates) or Decline (to prevent the update from being distributed). 6. If the Approve Updates dialog box appears, select the computer group you want to apply the updates to, and then choose Approved For Install. Repeat to apply the update to mul- tiple computers. Click OK when you are done. Lesson 2: Using Windows Server Update Services 457 7. To define a deadline (after which an update must be installed and users will not be given the option of delaying the update), right-click the computer group, choose Deadline, and then select the deadline. 8. Click OK. 9. If a license agreement appears, click I Accept. NOTE Removing updates If you’ve previously applied updates to computers, you can choose Approved For Removal to remove the update. Most updates do not support automated removal, however, and WSUS will report an error in the Approval Progress dialog box. To remove these updates, follow the instructions in “How to Remove Updates” later in this lesson. The Approval Progress dialog box appears as WSUS applies the updates. 10. Examine any errors displayed in the Approval Progress dialog box, and then click Close. How to Decline Updates After approving necessary updates, you can decline updates that you do not want to install on computers. Declining updates does not directly affect client computers; it only helps you orga- nize updates in the WSUS console. To decline updates, follow these steps: 1. In the Update Services console, right-click the update you want to decline, and then choose Decline. 2. In the Decline Update dialog box, click Yes. To review updates that have been declined, from the Approval drop-down list in the Windows Update console, select Declined. Then click Refresh. How to View Reports You can view detailed information about updates, computers, and synchronization using the Reports node in the Update Services console, as shown in Figure 9-5. [...]... 2, Windows Server 2003 R2, Windows Vista, and Windows Server 20 08 can act as forwarding computers NOTE Forwarding events from Windows XP and Windows Server 2003 Before computers running Windows XP or Windows Server 2003 can act as forwarding computers, you must install WS-Management 1.1 For more information, see http://go .microsoft. com/fwlink/ ?LinkId=10 089 5 The sections that follow describe step-by-step... must have a Windows Firewall exception for the HTTP protocol As described later in this lesson, you might also need to create a Windows Firewall exception on the collecting computer, depending on the delivery optimization technique you choose Only Windows Vista, Windows Server 20 08, and Windows Server 2003 R2 can act as collecting computers Only Windows XP with Service Pack 2, Windows Server 2003 with... running Windows Vista or Windows Server 20 08, follow these steps: 1 Click Start and then Control Panel Click the System And Maintenance link, and then click the Windows Update link 2 Click View Update History Windows Update displays the complete list of installed updates, as demonstrated by Figure 9 -8 You can double-click any update to view more detailed information Lesson 2: Using Windows Server Update... you should be familiar with Microsoft Windows networking and be comfortable with the following tasks: ■ Adding roles to a Windows Server 20 08 computer ■ Configuring Active Directory domain controllers and joining computers to a domain ■ Basic network configuration, including configuring IP settings You will also need the following nonproduction hardware, connected to test networks: ■ A computer named... minutes, Windows Update will attempt to contact your update server To make Windows Update begin querying the WSUS server, run the following command: wuauclt /a Although the WindowsUpdate.log file provides the most detailed information and should typically be the first place you look when troubleshooting, you can view high-level Windows Update-related events in the System event log, with a source of WindowsUpdateClient... Windows has always stored a great deal of important information in the event logs Unfortunately, with versions of Windows released prior to Windows Vista, that information could be very hard to access Event logs were always stored on the local computer, and finding important events among the vast quantity of informational events could be very difficult With Windows Vista, Windows Server 20 08, and Windows. .. started on Windows Server 20 08 computers 476 Chapter 10 Monitoring Computers ❑ Configuring a Windows Remote Management HTTP listener ❑ Creating a Windows Firewall exception to allow incoming connections to the Windows Remote Management service using HTTP This exception applies only to the Domain and Private profiles; traffic will still be blocked while the computer is connected to Public networks Next,... example, to add the computer SERVER1 in the contoso.com domain, you would run the following command: net localgroup “Event Log Readers” server1 $@contoso.com /add Configuring the Collecting Computer To configure a computer running Windows Vista or Windows Server 20 08 to collect events, open a command prompt with administrative privileges Then, run the following command to configure the Windows Event Collector... Applications And Services Logs \Microsoft\ Windows\ WindowsUpdateClient\Operational log The Windows Update service adds an event to this log each time it connects to or loses connectivity with a WSUS 462 Chapter 9 Managing Software Updates server, checks for updates (even if no updates are available), as shown in Figure 9-7 , and experiences an error Figure 9-7 Verifying that the Windows Update client found... step-by-step how to configure computers for event forwarding Configuring the Forwarding Computer To configure a computer running Windows Vista or Windows Server 20 08 to forward events, follow these steps: 1 At a command prompt with administrative privileges, run the following command to configure the Windows Remote Management service: winrm quickconfig Windows displays a message similar to the following (other . apply.) A. Windows 95 B. Windows 98 C. Windows 2000 Professional D. Windows XP Professional 450 Chapter 9 Managing Software Updates Lesson 2: Using Windows Server Update Services With Windows Server 20 08, . for Windows Server 20 08. After installation you must synchronize the updates from Microsoft Update by following these steps: 1. Click Start, Administrative Tools, and then Microsoft Windows Server. Figure 9-3 . Figure 9-3 Configuring WSUS options You can configure options in the following categories: ■ Update Source And Proxy Server Configure the upstream WSUS server or configure the WSUS server