by August 4, 2005 0 comments

If you are a medium to large organization with a large IT infrastructure, one of the most important things that you do on your network is set up a patch management software. This software manages the download of the required patches from the Internet (usually from the vendor’s public patch site) and stores them locally. Once this is done, the rest of the computers on your network can download the patches from the local server rather than from the Internet-saving you a whole lot of Internet bandwidth.


Applies to: Network administrators

USP: Use the latest Windows Software Update Services to download patches for all MS applications and distribute them locally

Primary Link:

Google keywords: WSUS

Microsoft has just released a new version of its patch-management software. WSUS or Windows Software Update Services allows the server to download patches for all major Microsoft software. To install and configure WSUS, you require Win 2000 Server or Windows Server 2003. On both these you will also need to update the BITS (Background Intelligent Transfer Service) to version 2.0-the update is available from the same place from where you can download WSUS. Once this is done, you can start installing WSUS. On Windows 2003, make sure you’ve installed the IIS Web server as well, since this is required for distributing the patches to the clients. During the install, make sure you select to download the patches to the server and point it to a disk that has enough free space. When the installation is complete, you can browse the WSUS administration and configuration site by going to
http://localhost/wsusadmin on the server itself. Once the site loads, there are a number of configuration settings that you can perform.

The first thing you will need to do is set up the Internet connection to download updates from the MS update site. If there is a proxy server in your network, you will need to go to Options>Synchronization Options screen and set the proxy information. Then, select the products you wish to update in your network. This is where WSUS scores over the previous version. WSUS now supports dynamic software version plug-ins. This means that MS can include a new software (such as MS Exchange Server) into the automatic updates list on their server and your local server will start picking them up as well. You can configure this list by selecting the ‘Products Change’ button and turning the software you wish to update on or off. You can also change the kind of updates to pick up-Critical, Security, Optional etc. By default, WSUS downloads only Critical and Security updates. Also make sure you select patches only for the language you wish to update, otherwise updates for all languages for each patch will be downloaded.

Once you have configured the minimum settings we just discussed, it is time to synchronize the server. Select the ‘Synchronize Now’ link and wait for the download to finish. This may take a very long time when you do it for the first time depending on your Internet connection speed. WSUS now allows you to create ‘Computer Groups’, each with its own set of patch management rules. For instance, you can create a computer group that consists of only servers of your network, another group for notebook users and yet another for desktops. You can assign computers to these groups either from your ADS (if available) or by manually adding them by name to the groups in WSUS. WSUS also gives you an option to do offline updates by exporting the updates to media for a branch office that has no or low network connectivity. By exporting the updates to media, you can send them the updates and they can import the new updates into their local WSUS server (without requiring the Internet) and start distributing the updates on their network. All clients need to have the WSUS client installed and configured to point to the new WSUS server. The WSUS client is a part of all the latest services packs-for Win 2000/XP/2003. However, WSUS also creates an installable copy of the client on the server that can be used to update specific clients if required.

Once the client is installed, they need to be configured to point to the new WSUS server. For this, you can do it through ‘Group Policy’ if you have an ADS or by using registry settings on networks without ADS. For using Group Policy, install the WUAU.adm administrative template in the console. At the minimum, enable the ‘Configure Automatic Updates’, set it as ‘Auto download and schedule the install’. Also select the ‘Specify Intranet Microsoft update service location’ and enter the URL to the WSUS server in both boxes-say
http://wsusserver. These settings will get you up and running with WSUS based patch management on your network. We shall take a look at some more advanced options of WSUS next month.

Vinod Unny, Enterprise InfoTech

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.