Which server can be used to install Windows updates for your organization?

Publisher Summary

The chapter explores Windows Server Update Services (WSUS), an enabling technology that supports a patch-management process. This process can be applied as widely or as narrowly as the business culture can tolerate and the business processes require. WSUS is being used successfully in localized or specialized environments and as an enterprise-wide update infrastructure. A patch is designed to address a particular software defect or security flaw. It may not be the best fix, but it is a way to keep the software running until the next full release. There are a number of patch-management solutions on the market. Microsoft offers Microsoft Update as a free service, WSUS as a free download to bring the service inside the firewall, and Systems Management Server (SMS) as a comprehensive systems management system that includes Security Patch Management. The chapter discusses how WSUS enables organizations to take the application and operating system update functionality of Microsoft Update and move it from outside the firewall to inside, giving the organization the ability to test, approve, schedule, and deploy updates to the latest Microsoft products consistently across the enterprise in a controlled manner. WSUS is a free solution from Microsoft that can be used to keep Windows-based workstations and servers up to date with the latest security patches and bug fixes for both the operating system and desktop and server applications. The potential for a loss of reputation, and hence the possible loss of business, may be enough justification for implementing a patch-management process and software solution.

Copyright © 2006 Elsevier Inc. All rights reserved.

From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Windows Server Update Services

- [Instructor] Windows Server Update Services is a server role you add to any Windows Server. It is an included management role that creates a management interface in the Server Manager Tools menu. This gives you centralized update management. Prior to a centralized system, users got their updates directly from Microsoft. This can use a lot of bandwidth and cause users to install updates that may be harmful to some of their applications. Microsoft created WSUS to solve both of those issues by automating updates by first having the sysadmin approve them.

We can deploy WSUS a couple of different ways. We can install all features onto a single server that will download and update patches to Windows computers. The second option is to have an upstream and downstream server to download the updates and then push them out to users. After updating group policy to tell clients to get updates from the WSUS server, you can then decide which updates to download from Microsoft and approve for clients. You can also set up auto-approval rules for specific groups or types of updates, such as security ones. Once the updates are deployed, you can use reporting to make sure the updates have been installing correctly to the users' computers.

I'm in a Windows server where I can install Windows Server Update Services. We just need to go into Server Manager, as you see here, and then click on Add Roles and Features. The wizard will pop up and we'll go to install a new role, which will be WSUS. And here we see it's the last option in the list. Click to add features. Click next. If you have a SQL Server, you can connect to it that way, because it does require a database, or it can use the WID connectivity, which is the Windows Internal Database, which it will install. I'll go ahead and choose that, since I don't have a SQL Server, and click next. Now we need to store the updates in a location. I'm just going to put in SQL and \updates, and that's where the update files will be sent.
And I'll click install. Installation usually just takes a few minutes, and once it's done and we choose the type of updates that we would like, it will download those updates into that updates folder. Now, you're going to need a lot of space based on how many different operating systems you're going to be protecting, so I recommend at least one terabyte of free space into any location that you use to download the updates.

Once the updates are installed and ready to go, you can go into group policy and tell the clients to look to the WSUS server instead of Microsoft to get their updates. Then, instead of having all the clients go out to the internet individually, they'll all go to this one server to get their updates, and you'll be able to approve any updates individually or by type all at once to be sent out to the clients, or to be blocked in case there may be an issue. What a lot of sysadmins will do is, they'll set up a sandbox area where they can install all those updates, and then once they know that the updates aren't going to cause any problems with existing applications in security, then they'll go ahead and approve them for the users.

The installation is complete, I'll click close, and now I'll click on the triangle you see here at the top and choose to launch the post-installation tasks. Now it's time to run through the update services configuration wizards, so I'll click next. And here's the option for the upstream server. So if we have another server that's going to be an upstream server that's going to connect to Microsoft, we can choose that here. Otherwise, if this is the upstream server, or we only have a single server, as we do here, we'll choose synchronize with Microsoft update. I'm not using a proxy server, but if you are, go ahead and choose that.
Now, choosing the language is really important, because if you choose a lot of different languages, you're going to need a lot more storage space, and that's because it's going to duplicate all the different updates in all the different languages, so be sure just to choose the languages that you need. That portion of the installation typically takes about 30 minutes, so be prepared for that. Now we can see all the different languages that you can use. I'm going to just choose English and click next.

And now we're going to see all the different products that we can choose to have updated. Don't choose all products unless you have a lot of storage space and you feel that you need it. Otherwise, just choose the ones that you need. By default, you're going to see Windows is checked, as well as everything underneath it, so I'm going to uncheck that and then check just the operating systems that I'm concerned about. I'm going to choose Windows 11, because at this point, there's not a lot of updates for that, so it's good for demonstration purposes.

Here's where we can choose the classifications. We can see critical updates, definitions, and security updates are all checked. Definition updates will have to do with Microsoft Defender on Windows computers for anti-malware. I'm going to choose just the critical updates for the demonstration purposes, so it goes a little more quickly, and then I have the option to synchronize manually or automatically. I'm going to choose manually, but I suggest you try to do it automatically, as it will do a lot of the work for you. And the synchronization's going to begin when I check this box. All synchronization means is that it's going to download the latest files from Microsoft and put them into that updates folder that I designated earlier. And then tomorrow, if you have it set to automatic, it will do it again. It will make sure that the database that I have on my server is synchronized with the database at Microsoft.
It doesn't mean that I'm pushing out the updates to the clients at that point.

I'm going to expand my server updates, click on all updates, and what you want to do is, you want to check where it says approval. If you just choose unapproved, you're not going to see any of the updates, because you haven't actually unapproved anything. So we're just going to put in any except declined, and under status, we're going to put in any as well, and that way, you'll actually see the updates once they synchronize. And again, this can also take quite a while to happen, depending on how many boxes and languages you checked.

After you set up group policy to push out the information to all the clients, where to look for updates, you're going to see all those clients here in unassigned computers. After that, you can go in and you can create groups by right-clicking on all computers and choosing add computer group. I'll call one Win11. And then you can put those in there, and then once you go to the updates, you can approve specific updates for specific groups, rather than all updates for all groups, and this will allow you to set up your sandbox where you can choose all the updates just for those computers, run your tests, and then you can come back to this area and choose which operating systems should get which updates.

Another area I like to go to is the options area, and in options, you can go to products and classifications, and you can add additional operating systems and applications that you might have missed in the beginning. So if things change in your organization, you can add them in here. You can also add additional files and languages, and you can go to where it says automatic approvals. This area can really save you a lot of time. So what you can do, for instance, by default, it's already set up, when an update is in critical or security, it's going to be automatically approved for all computers.
You can go in and change that from all computers to, say, Win 11 computers or whichever groups that you'd like, and you can also change which type of update should be automatically approved. So what this means is that if there's a critical update or a security update, it doesn't have to go through the approval process, where you have to right-click on it and choose to approve or deny it. What's going to happen is it's automatically going to approve it and push it out to the clients. This can be a big time saver for these types of updates that you may not want to have to approve yourself manually and you want to get them out right away. It's also a little bit of a risk, because some critical updates and security updates can cause problems as well. If I decide I want to choose that, I'll check the box and click OK.

WSUS provides control and automation to your patching and update needs.
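
The server-side steps of the walkthrough above can also be scripted. The following is an added example, not part of the course transcript: it installs the role, restricts languages, products and classifications, synchronizes, and approves updates for a test group only, so that nothing reaches other clients before it has been tested. The content path `D:\WSUS` and the catalog title `Windows 11` are assumptions; the group name `Win11` is the one used in the walkthrough.

```powershell
# Added example. Run elevated on the WSUS server.
# Placeholders (assumptions): D:\WSUS content path, 'Windows 11' catalog title.
$ContentDir = 'D:\WSUS'
$GroupName  = 'Win11'   # test group named in the walkthrough

function Wait-WsusSync($Subscription) {
    # Block until the running synchronization has finished.
    do { Start-Sleep -Seconds 15 }
    while ($Subscription.GetSynchronizationStatus() -ne 'NotProcessing')
}

# Add the role (Windows Internal Database by default) plus the console.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Post-installation task: create the content store and initialize WSUS.
New-Item -ItemType Directory -Path $ContentDir -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"

# Single server: synchronize directly with Microsoft Update.
$wsus = Get-WsusServer
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU

# English only, to keep the content store small.
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# A category-only sync fetches the product and classification lists.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
Wait-WsusSync $subscription

# Select one product and one classification; disable everything else.
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Windows 11' } | Set-WsusProduct
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification | Where-Object { $_.Classification.Title -eq 'Critical Updates' } |
    Set-WsusClassification

# Full synchronization: metadata is downloaded, nothing is sent to clients yet.
$subscription.StartSynchronization()
Wait-WsusSync $subscription

# Create the test group and approve the synced updates for that group only.
$wsus.CreateComputerTargetGroup($GroupName) | Out-Null
Get-WsusUpdate -Classification Critical -Approval Unapproved -Status Any |
    Approve-WsusUpdate -Action Install -TargetGroupName $GroupName
```

Clients still have to be pointed at the server through group policy and moved into the `Win11` group before the approval has any effect.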

What type of server handles Windows updates?

Windows Server Update Services (WSUS) is a component of Windows Server. WSUS is installed as a server role. You can deploy a single instance, or configure it in a distributed topology to serve endpoints that are separated on different networks or physical locations.

Which server apps can be used to push Windows updates to client machines?

Windows Server Update Services (WSUS) is a Windows server role that can plan, manage and deploy updates, patches and hotfixes for Windows servers, client operating systems (OSes) and other Microsoft software.

What is Windows Server Update Services used for?

WSUS stands for Windows Server Update Services; its first version was called Server Update Services (SUS). It helps distribute updates, fixes, and other types of releases available from Microsoft Update.

Which Windows Server tool is used to obtain Windows updates and then distribute those updates to client machines?

The WSUS infrastructure allows automatic downloads of updates, hotfixes, service packs, device drivers and feature packs to clients in an organization from a central server or servers.