Windows Server 2008 : Using Windows Server Update Services

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
2/26/2011 4:45:50 PM
One of the main drawbacks to Windows security has been the difficulty in keeping servers and workstations up to date with the latest security fixes. For example, the security fix for the Index Server component of IIS was available for more than a month before the Code Red and Nimbda viruses erupted onto the scene. If the deployed web servers had downloaded the patch, they would not have been affected. The main reason that the vast majority of the deployed servers were not updated was that keeping servers and workstations up to date with the latest security patches was an extremely manual and time-consuming process. For this reason, a streamlined approach to security patch application was required and realized with the formulation of Windows Server Update Services (WSUS).

Understanding the Background of WSUS: Windows Update

In response to the original concerns regarding the difficulty in keeping computers properly patched, Microsoft made available a centralized website called Windows Update to which clients could connect, download security patches, and install those patches. Invoking the Windows Update web page remotely installed an executable, which ran a test to see which hotfixes had been applied and which were needed, based on the Microsoft components installed on the machine. Those that were not applied were offered up for download, and users could easily install these patches.

Windows Update streamlined the security patch verification and installation process, but the major drawback was that it required a manual effort to go up to the server every few days or weeks and check for updates. A more efficient, automated process was required.

Deploying the Automatic Updates Client

The Automatic Updates client was developed to automate the installation of security fixes and patches and to give users the option to automatically “drizzle” patches across the Internet to the local computer for installation. Drizzling, also known as Background Intelligent Transfer Service (BITS), is a process in which a computer intelligently utilizes unused network bandwidth to download files to the machine. Because only unused bandwidth is used, there is no perceived effect on the network client itself.

All currently supported versions of Microsoft clients include the Automatic Updates client built in to the OS.

Understanding the Development of Windows Server Update Services

The Windows Update website and the associated client provided for the needs of most home users and some small offices. However, large organizations, concerned about the bandwidth effects of hundreds of machines downloading large numbers of updates over the Internet, often disabled this service or discouraged its use. These organizations often had a serious need for Windows Update’s capabilities. This fact led to the development of Software Update Services (SUS), which was later improved into the new product, Windows Server Update Services (WSUS).

WSUS started as a free download from Microsoft that effectively gives organizations their own, independent version of the Windows Update server. The latest version of WSUS runs on either a Windows Server 2003 SP1 or greater machine that is running Internet Information Services. Clients connect to a central intranet WSUS server for all their security patches and updates.

WSUS is not considered to be a replacement technology for existing software deployment solutions such as System Center Configuration Manager (SCCM), but rather it is envisioned as a solution for mid- to large-size businesses to take control over the fast deployment of security patches as they become available. It also offers a myriad of reports for administrators.

Examining WSUS Prerequisites

Deploying WSUS on a dedicated server is preferable, but it can also be deployed on a Windows Server 2008 R2 server that is running other tasks, as long as that server is running Internet Information Services. The following list details the minimum levels of hardware on which WSUS will operate:

  • Windows Server 2003 SP1/SP2 or greater

  • Internet Information Services (IIS)

  • Background Intelligent Transfer Service (BITS)

  • Windows Internal Database role or SQL Server 2005 installed locally or on a remote server

  • Microsoft .NET Framework 2.0 or greater

Installing WSUS on a Windows Server 2008 R2 Server

The installation of WSUS is very easy, as it is installed as a server role from Server Manager. The guided setup will install WSUS and any required components.

To complete the initial installation of WSUS, follow these steps:

Launch Server Manager.

In the Roles Summary pane, select Add Roles to start the wizard.

Click Next.

Select Windows Server Update Services, and click Next.

The Add Role Services and Features Required for Windows Server Update Services window prompts for additional components to install, if necessary. Required components are the Web Server (IIS) web server and management tools, the Windows Process Activation Service Process Model, and the .NET environment. Click Add Required Role Services to continue.

Click Next.

Read the Introduction to Web Server (IIS) overview, and click Next.

Click Next to select the default role services to install for Web Server (IIS).

Read the Introduction to Windows Server Update Services overview, and click Next.

Read the summary of installation selections, and click Install.

Server Manager shows “Searching for Updates” and “Downloading” while it connects to the Microsoft download site and downloads the most recent version of WSUS. It also installs Web Services (IIS) and the Windows Process Activation Service, if needed.

The Windows Server Update Services Setup Wizard displays during the installation progress. Click Next.

Read and accept the license agreement, and click Next.

If prompted that Report Viewer 2005 is not installed, click Next to continue (certain reports will be unavailable without this downloadable add-on).

Check the Store Updates Locally check box, and enter a location in which to store them, as shown in Figure 1. This location must be large enough to hold a large number of downloadable patches. Click Next to continue.

Figure 1. Installing WSUS.

Select Install the Windows Internal Database on This Computer or Use an Existing Database Server on a Remote Computer if you want to use an external SQL server.

Select to Use the Existing IIS Web Site. Click Next to continue.

Click Next after reviewing the settings on the Ready to Install page.

The installation completes in Server Manager and, after the Finish button is clicked, the WSUS Configuration Wizard is displayed. Read the information and click Next.

Click Next to join the Microsoft Update Improvement Program.

Select Synchronize from Microsoft Update, and click Next.

Configure your proxy server settings, if necessary, and click Next.

Click Start Connecting to save settings and download update information. This might take several minutes. Click Next.

Select the update language(s), and click Next.

Select the products for which you want updates, and click Next.

Select the classifications of updates you want to download, and click Next.

Configure the schedule that you want WSUS to synchronize with the Microsoft Update servers or select Synchronize Manually. Click Next.

Ensure that Begin Initial Synchronization is selected, and click Finish.

Review the installation results, click Close, and close Server Manager.

WSUS administration is performed from the WSUS MMC. This console is the main location for all configuration settings for WSUS and is the sole administrative console. It can be accessed from Administrative Tools, Microsoft Windows Server Update Services 3.0 SP1, or directly from Server Manager.

Automatically Configuring Clients via Group Policy

The configuration of the Automatic Updates client included with all current versions of Windows can be streamlined by using a group policy in an Active Directory environment. Windows Server 2008 R2 domain controllers automatically contain the proper Windows Update Group Policy extension, and a group policy can be defined by following these steps:

Open Group Policy Management (Start, All Programs, Administrative Tools, Group Policy Management).

Navigate to the organizational unit that will have the group policy applied, right-click the name of the organizational unit, and choose Create a GPO in This Domain, and Link It Here.

Enter a name for the GPO, such as WSUS GPO. You also have the option to start from the settings of an existing GPO. Click OK.

Right-click on the newly created GPO, and select Edit to invoke the Group Policy Management Editor.

Expand the Group Policy Management Editor to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.

Double-click the Configure Automatic Updates setting.

Set the group policy to be enabled, and configure the automatic updating sequence as desired. The three options given—2, 3, and 4—allow for specific degrees of client intervention. For seamless, client-independent installation, choose option 4, as shown in Figure 2.

Figure 2. Configuring Windows Update Group Policy settings.

Schedule the interval that updates will be installed, bearing in mind that some updates require reboots.

Click Next Setting to configure more options.

Click Enabled to specify the web location of the WSUS server. Entering the fully qualified domain name of the server is recommended. Enter both settings (usually the same server), and click OK to save the Group Policy settings. Click Next Setting.


Organizations that choose to use a custom web IIS website are required to use Port 8530 for client access to WSUS. In this case, enter the web location with the port number, such as, for both settings.

Enter how often the client checks for updates, and then click Next Setting.

Review the remaining option settings and configure as desired. Click OK when you are finished.

Repeat the procedure for any additional organizational units. (The same group policy can be linked in more than one location.)


Organizations that do not use Active Directory or group policies have to manually configure each client’s settings to include the location of the WSUS server. This can be done through a local policy or manually through Registry settings, as defined in the WSUS Help.

Deploying Security Patches with WSUS

Depending on the settings chosen by the group policy or the Registry, the clients that are managed by WSUS automatically download updates throughout the day and install them at a specified time. Some computers might be configured to allow for local interaction, scheduling proper times for the installation to take place and prompting for “drizzle” downloading.

Clients that are configured to use WSUS are not prompted to configure their Automatic Update settings, and they are grayed out to prevent any changes from occurring. Users without local administrative access cannot make any changes to the installation schedule, although local admin users can postpone forced installs.


Generally, it is good practice to allow servers to control the download and installation schedule, but to force clients to do both automatically. Depending on the political climate of an organization, this might or might not be a possibility.

  •  Programming .NET Security : Programming XML Signatures (part 3) - Verifying an XML Signature
  •  Programming .NET Security : Programming XML Signatures (part 2) - Embedding Objects in the Signature
  •  Programming .NET Security : Programming XML Signatures (part 1) - XMLDSIG Explained & Signing an XML Document
  •  Windows Server 2008 : Examining File-Level Security
  •  Server 2008 : Hardening Server Security
  •  Server 2008 : Using the Integrated Windows Firewall with Advanced Security
  •  Server 2008 : Deploying Physical Security
  •  Programming .NET Security : Programming Digital Signatures (part 3) - Using the Signature Formatter Classes
  •  Programming .NET Security : Programming Digital Signatures (part 2) - Using the Implementation Class
  •  Programming .NET Security : Programming Digital Signatures (part 1) - Using the Abstract Class
    Top 10
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
    - Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
    - Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    programming4us programming4us