
Windows Server Update Services (WSUS): Configuration. WSUS Offline Update

On server editions of Windows, the operating system and the software installed on client terminals can, since relatively recently, be updated with a dedicated tool known by the abbreviation WSUS. What is it? In essence, it is software that removes the need for every computer on the local network to use its own Internet connection to install updates. How it all works and which settings need to be made is covered below.

Windows Server Update Services: what is it and why?

In plain terms, the service is software for automatically updating the OS and applications. It is installed only on a server to which the other user terminals on a single local or virtual network are connected.

Microsoft releases updates for its products with enviable regularity, and they need to be installed on every machine on the network, which is a problem when there are more than a dozen of them. To avoid handling this on each individual terminal, you can use the WSUS Offline Update function: the main update is installed only on the server and then "distributed" to all other computers.

The advantages of this approach are obvious. Internet traffic is reduced (the network is not loaded by every machine downloading the same files), and time is saved on installing updates, which happens automatically if the software on the central server is configured correctly.

Installation requirements

WSUS cannot be configured or used unless a number of prerequisites are met. Pay attention to the main components, which you will need to download and install on the server if they are not already present.

The following components are the priorities:

  • Windows Server 2003 or later (with at least the first service pack);
  • .NET Framework 2.0 or later;
  • The IIS 6.0 server role or higher;
  • Microsoft Report Viewer 2008;
  • SQL Server 2005 with the second service pack;
  • Microsoft Management Console 3.0.

Installation process

The WSUS installation also requires about 100 GB of free disk space to be reserved on the server (the location of the update storage folder is specified in the first step after the main installer starts).

Next, the database location is set as a separate directory (it is better to allocate about 2-4 GB for it).

Web server database settings

By default the installer suggests installing its own internal database, but you can use an existing database server to simplify the process.

In that case, you will need to enter its network name, which corresponds to the terminal's identifier on the network. The first two options can be used to receive updates either from a Microsoft server or from an internal server. There is also a third option: installing the database on a remote terminal. This scheme is used mainly when updates have to be distributed to remote branches from an additional update server.

Port selection

The next stage of the WSUS installation is selecting the port. Treat this step carefully, because entering incorrect values will leave the whole scheme non-functional.

Note that the default port is 80. You can, of course, leave it, but it is better (and practice confirms this) to use port number 8530 (8531). This approach is only applicable if manual proxy configuration is required.

Selecting updates

The next step in the WSUS installation is configuring how updates are obtained from the upstream server. In other words, you need to specify where the updates will be downloaded from.

There are two options: synchronize with the Microsoft update server, or with another remote terminal. It is better to use the first option.

Configure WSUS in the domain

Next, for the service to work correctly, you must select the languages that are used on the network.

You can select any languages from the list offered, but English must always be selected, since without it correct downloading and distribution of updates is not guaranteed.

Product selection

Now, for WSUS Offline Update, specify which software products are to be updated. Most experts advise not being stingy here and ticking as many items on the list as possible.

But do not get carried away either. It is better to tick only what is really needed. For example, if no version of Office 2003 is installed on any machine on the network, there is no need to select its updates.

In the next step, WSUS prompts you to select the classes of software for which updates will be downloaded first. The choice is yours. In principle, you can leave the checkboxes for drivers, tools and new features unticked. Finally, set the time at which the selected updates are downloaded and installed.

Console Settings

Now open the console and, first of all, run a manual synchronization so that all available updates are downloaded.

After that, start configuring the terminal groups. It is recommended to create two categories of computers: one for servers and the other for ordinary workstations. This makes it possible to limit the installation of updates on servers.

Since all the terminals visible on the network are initially in the unassigned computers category, they have to be assigned manually to the corresponding groups.

The next step is to create the update rules, which is done in the auto-approval section. For workstations it is advisable to set an automatic approval rule; for servers, one more corresponding line has to be ticked in addition. It is also not recommended to select absolutely all updates for servers, as this can lead to malfunctions.

Setting Update Options in Group Policies

Once the main parameters have been preset, several more actions related to permissions and approvals remain.

For these you need the Group Policy Editor, which is easiest to open from the Run console (Win + R) with the gpedit.msc command rather than through the Control Panel or the administration section.

Navigate through the computer configuration and policies to the administrative templates and find the "Update Center" section. The parameter of interest is the one that specifies the location of the update service on the intranet. Open its editing dialog with a double-click, enable it and enter the server address, which usually looks like http://SERVER_NAME, where SERVER_NAME is the name of the server on the network. Instead of the name, you can simply enter the server's IP address. Some time after the configuration is completed, the client machines will receive the update packages.
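The policy described above is stored on each client under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. The PowerShell check below is an added example, not part of the original article: it validates the `WUServer`, `WUStatusServer` and `AU\UseWUServer` values against the address and port choices discussed here. The `wsus01.corp.example` host names are constructed sample input, and `Test-WsusClientPolicy` is a name chosen for this example.

```powershell
# Added example; host names below are constructed sample values.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusClientPolicy {
    param([string]$WUServer, [string]$WUStatusServer, [int]$UseWUServer)
    $uri = $null
    if (-not [Uri]::TryCreate($WUServer, [UriKind]::Absolute, [ref]$uri)) {
        return @("WUServer '$WUServer' is missing or not an absolute URL")
    }
    $findings = @()
    if ($UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1, so the WUServer value is not used'
    }
    if ($WUStatusServer -ne $WUServer) {
        $findings += 'WUStatusServer differs from WUServer; both should name the same server'
    }
    if ($uri.Scheme -eq 'http') {
        $findings += 'Plain HTTP: update metadata is unprotected in transit; prefer https on 8531'
    }
    # 8530 is the WSUS HTTP port, 8531 its HTTPS counterpart.
    if (($uri.Scheme -eq 'https' -and $uri.Port -eq 8530) -or
        ($uri.Scheme -eq 'http' -and $uri.Port -eq 8531)) {
        $findings += "Scheme '$($uri.Scheme)' does not match port $($uri.Port)"
    }
    if ($uri.Port -notin 8530, 8531) {
        $findings += "Port $($uri.Port) is not 8530/8531; confirm the WSUS site binding"
    }
    return $findings
}

# Constructed policies: default port 80, mismatched scheme/port, and a clean one.
$policies = @(
    @{ WUServer = 'http://wsus01.corp.example'; WUStatusServer = 'http://wsus01.corp.example'; UseWUServer = 1 },
    @{ WUServer = 'https://wsus01.corp.example:8530'; WUStatusServer = 'https://wsus01.corp.example:8530'; UseWUServer = 0 },
    @{ WUServer = 'https://wsus01.corp.example:8531'; WUStatusServer = 'https://wsus01.corp.example:8531'; UseWUServer = 1 }
)
# On a managed client, check the live policy first.
$wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
if ($wu) {
    $live = @{ WUServer = [string]$wu.WUServer; WUStatusServer = [string]$wu.WUStatusServer; UseWUServer = [int]$au.UseWUServer }
    $policies = @($live) + $policies
}
foreach ($p in $policies) {
    "Policy: $($p.WUServer)"
    $result = @(Test-WsusClientPolicy @p)
    if ($result.Count) { $result | ForEach-Object { "  - $_" } } else { '  - no findings' }
}
```

Only the third constructed policy reports no findings; on a domain-joined client the live policy is printed first.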

Possible mistakes

WSUS errors are most often caused by too many unnecessary updates being selected for servers, as mentioned above.

An equally common problem is that updates are not installed on all of the networked client terminals. In this case, open the automatic approvals section and set for them the type of group policy that corresponds to automatic installation of critical operating system and security updates. You can also create your own new rule with the products and settings for installing updates (you can even use manual approval).

Finally, to avoid a full reset of the WSUS settings, after which the entire configuration procedure would have to be done anew, it is strongly recommended to clean up the server at least once a month (a wizard of the same name is provided for this). This removes unclaimed updates from the system and significantly reduces the size of the database itself (the larger the database, the longer it takes to access, on top of the excessive load on the server's computing resources and on the distribution of updates over the network).

In some cases, when the default policy does not work, it helps to create a new policy with all the parameters from the available list enabled and the network address of the server entered (with port 8530 enabled).

Where so-called mobile workstations are used, similar settings can be made in the local security policies section by specifying the appropriate parameters. If everything is done correctly, only critical updates will be installed for the Terminal Server group, while computers in the Workgroup group (or a category with a different name) will receive absolutely all the updates that were selected at the initial stage of the configuration.

In conclusion

That concludes the setup of the WSUS automatic update service. For everything to work without causing the system administrator any concern later, pay attention to the initial conditions associated with installing the additional components. It is generally considered better to use not Server 2003 but 2008 R2 or higher, and .NET Framework version 4 rather than 2.0. In addition, pay special attention to the proxy settings and the choice of ports, because the default port 80 may not work. Finally, one of the most important aspects of configuration is the selection of terminal groups and of the updates that are installed on them.

Beyond that, there should as a rule be no problems, although short-term failures and distribution errors on the network can still occur when large, heavy updates are downloaded over a poor connection. The server also needs to be cleaned from time to time. If the automatic tool has no positive effect for some reason, you can at least try deleting the temporary files manually from the SDTemp directory. Even such a trivial step will immediately reduce the load not only on the server itself, but also on the client terminals and on the network as a whole.

Copyright © 2018 en.delachieve.com.