WSUS 3.0: Deployment and First Configurations (Part I)
Fortunately, there’s a lot of information on Microsoft’s official WSUS site about almost anything you want to know about getting started with this powerful tool.
This post is intended to help with the first WSUS configurations and to give recommendations on how to use it.
When you install WSUS, the configuration wizard is pretty much self-explanatory, and with the Step-by-Step guide you shouldn’t have any problems.
The first warning at this point concerns the “Specify Proxy Server” step. If you have a proxy on your network, such as ISA Server 2006, remember that this server uses port 8080 when it works as a proxy. Configure this port in WSUS; otherwise your connection will fail.
When you select the update languages and the products for which you want to receive updates, select only the ones that you actually need. Otherwise the duration of every synchronization between the WSUS server and Windows Update will increase significantly.
The first synchronization of the WSUS server always takes a lot of time.
When you have your WSUS server online it’s time to configure your environment. Here are some of the best practices:
· Test phase first
Before applying any patch to your users’ computers or servers, you must always have a staging environment that replicates the base computers or servers to which you will apply these updates, for example by using virtual machines.
· Different users and different computers mean different policies
If you are working with different types of clients in your organization (different OSes, different schedules, etc.), you should consider giving these clients different policies for applying updates.
You can accomplish this by first assigning different Organizational Units for workstations, mobiles, servers, etc., and then applying the correct Group Policies to each organizational unit. You can add more layers to these configurations by creating different computer groups for approving updates.
· No computer, under any circumstances, must use Windows Update over the Internet
Apply GPOs at different levels to ensure that any user or computer that has just been added to your domain uses your WSUS server as its update point.
For example, in this case we apply a GPO at the domain level that only specifies that the Windows Update process must be done with our WSUS server; and on the different OUs of contoso.com we apply more restrictive policies for each case.
· Keep track of the updating process
Installing and configuring WSUS on your network won’t magically solve or improve the whole update deployment. Be careful about which policies you apply to which users, and review the patching process periodically. WSUS 3.0 significantly improves the reports view, making it easier to find out how many computers need important updates.
Like this example, which shows all Vista Security Updates that are not yet installed on your computer groups.
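To confirm on a client that the domain GPO described above has actually taken effect, you can read the Windows Update policy values from the registry. The script below is an added example, not part of the original post; the server URL http://wsus.contoso.com and the function name Test-WsusPolicy are assumptions to replace with your own values.

```powershell
# Added example: audit whether this computer's Windows Update policy
# points at the internal WSUS server instead of the Internet.
function Test-WsusPolicy {
    param(
        # Assumed value: replace with the URL set in your own GPO.
        [string]$ExpectedServer = 'http://wsus.contoso.com'
    )

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    # A missing key means no Windows Update policy has reached this computer.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $problems = @()
    if (-not $wu) {
        $problems += 'No WindowsUpdate policy key: the GPO has not been applied'
    } else {
        if ($wu.WUServer -ne $ExpectedServer) {
            $problems += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
        }
        if ($wu.WUStatusServer -ne $ExpectedServer) {
            $problems += "WUStatusServer is '$($wu.WUStatusServer)', expected '$ExpectedServer'"
        }
    }
    # UseWUServer must be 1; otherwise the WUServer value is ignored.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $problems += 'AU\UseWUServer is not 1: the WUServer setting is ignored'
    }

    # One result object per computer, easy to collect and export.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($problems.Count -eq 0)
        Problems     = ($problems -join '; ')
    }
}

Test-WsusPolicy | Format-List ComputerName, Compliant, Problems
```

Run it from an elevated PowerShell prompt on a computer that has just joined the domain, after a `gpupdate /force`; a non-compliant result means that computer may still be contacting Windows Update directly.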
I’ll be revisiting some of these best practices in other posts.