Sunday 17 June 2012

Deploying Windows Server Update Services

For the next stage in the lab build, I wanted to look at Windows Server Update Services.  This would allow centralised management of the patching process for a growing server estate.

I deployed a new VM from the 2008 R2 template, naming it RSMSGWSUS1.  From Server Manager I went into Add Roles, then selected WSUS.  WSUS requires some IIS components, which get selected automatically too.
After clicking next about 10 times the WSUS installer launches.
I don't have any other WSUS servers, so I'll be downloading direct from Microsoft.
I'm not running a proxy server (at least for the moment), and I'm only interested in English Language updates.
On selecting products to update, I enabled pretty much everything bar Bing.
I enabled all classifications of updates.
I scheduled it to check for updates daily at 01:00.
After that it's next again a couple of times and the installer runs.
After that, I performed a reboot, opened up the management console and allowed the initial synchronisation to complete.
Next, I wanted computers to be added to WSUS automatically, so I logged on to one of the DCs and opened up Group Policy Management.
From here I chose to create a new Group Policy, and named it WSUS GPO.
From there, I went into edit, and navigated to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\.
Then, under Configure Automatic Updates, I enabled the policy and set updates to download automatically and notify to install.
I then went into Specify Intranet Microsoft update service location, and enabled the policy, and pointed it at the WSUS server.
Next, as I want this GPO to apply domain wide, I linked it to the root of the domain via drag and drop in the main console.
Finally, I modified the Security Filtering options to apply to the groups "Domain Computers" and "Domain Controllers".
I then went back into the WSUS console, and waited for the GPO to take effect by itself, to verify it was working as desired.
To actually view reports in WSUS, you need to install the report viewer redistributable package, currently available here.  A short while later, all VMs I had domain joined had appeared in WSUS.
I hadn't run Windows Update since the initial deployment of these 6 VMs, so I approved any outstanding updates and connected to each VM, running a wuauclt /detectnow.  A bunch of reboots later, and one workaround for an update that will appear as needed but never install, and everything was listed as 100%.
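
To confirm on a client that the two GPO settings above have actually landed, rather than waiting for the machine to show up in the WSUS console, you can read the registry values those policies write. The PowerShell below is an added example, not part of the original post; `http://RSMSGWSUS1` is an assumed form of the intranet update location, so replace it with the exact value entered in the GPO.

```powershell
# Added example: check the Windows Update policy a client received from the WSUS GPO.
# Assumption: the URL is a placeholder built from the server name used in this post.
$ExpectedServer = 'http://RSMSGWSUS1'

# Keys written by "Specify intranet Microsoft update service location"
# and "Configure Automatic Updates".
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (GPO not applied yet).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-WsusClientPolicy {
    param([string]$Expected)
    $checks = @(
        @{ Name = 'WUServer';       Path = $wuKey; Want = $Expected },  # update source
        @{ Name = 'WUStatusServer'; Path = $wuKey; Want = $Expected },  # reporting target
        @{ Name = 'UseWUServer';    Path = $auKey; Want = 1 },          # use the intranet server
        @{ Name = 'NoAutoUpdate';   Path = $auKey; Want = 0 },          # automatic updates enabled
        @{ Name = 'AUOptions';      Path = $auKey; Want = 3 }           # auto download, notify to install
    )
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        New-Object PSObject -Property @{
            Setting  = $c.Name
            Expected = $c.Want
            Actual   = $actual
            Ok       = ($null -ne $actual -and "$actual" -eq "$($c.Want)")
        }
    }
}

$results = Test-WsusClientPolicy -Expected $ExpectedServer
$results | Select-Object Setting, Expected, Actual, Ok | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Policy not applied as expected; run gpupdate /force and check again.'
}
```

A missing value shows an empty Actual column, which usually means the GPO has not refreshed on that machine or the security filtering excludes it.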
