Thursday, April 24, 2014

1. Deploy, manage, and maintain servers 1.2 Implement patch management

Multiple WSUS servers installed in either of two modes:
Autonomous mode: upstream WSUS servers share updates with downstream servers, but updates must be approved at each WSUS server
Replica mode: upstream WSUS servers share updates with downstream servers, and all updates can be approved at an upstream server for replication downstream.

Server-side targeting:
You manually move computers into their WSUS group.
Client-side targeting:
Via GP, local GP, or registry, you can specify a WSUS group for the client computer to place itself in.

1.2.1 Install and configure the Windows Server Update Services (WSUS) role
Server Manager, Add roles and features
Select Windows Server Update Services.
WSUS requires RSAT tools and IIS to be installed
Check WSUS Services.
Check either WID Database if you will not be using a dedicated SQL server, or Database if you will. WID is a "Windows Internal Database"
Select a path to store updates.

Powershell install:

install-windowsfeature updateservices -includemanagementtools

This will also install, if not already installed, the IIS web server (Web-Server) and its associated role services, .NET Framework 4.5 (NET-Framework-45-ASPNET), RSAT, RSAT-Role-Tools and the associated UpdateServices-RSAT feature for the WSUS cmdlets/console. It also installs the Windows Process Activation Service (WAS and WAS-Config-APIs).

Also note that this installs the WID database (UpdateServices-WidDB & Windows-Internal-Database) by default. If you need to use a SQL Server, install the UpdateServices-DB feature instead.

Post-install initial configuration:
Run the WSUS tool from Server Manager tools.
It will verify the path where you want to store updates.
Choose Upstream Server: either MS Update or another WSUS server. Using SSL is recommended. This is where you set the upstream mode.
Specify a proxy server if needed.
The configuration will attempt to download WSUS information from MS update to configure further
Choose the update languages
Choose products for which you want updates from the upstream
Choose the type of updates, drivers, etc you want to download from the upstream.
Set sync Schedule. Manual or automatic
Finished: You can manually force an upstream sync now and/or launch the WSUS console.

Server Options:
Update Source and Proxy Server, Products and Classifications, Update Files and Languages, Synchronization Schedule, Microsoft Update Improvement Program:
    You set these up in the initial configuration above. They can be changed here.
Update Files (and Languages): Languages was done in the initial config, but Update Files lets you
    choose whether or not to store update files locally. If not, computers install from MS Update.
    Store locally options:
    Download update files only when updates are approved: Deselect to download all updates regardless of approval.
    Download express installation files: faster download and install.
    Download files from MS Update: If WSUS uses an upstream server, this option makes the WSUS server download update files from MS Update instead.
Automatic Approvals: Set up automatic approval rules for classifications and computer groups.
Computers: This is where you choose how updates are assigned to computers:
    Use the Update Services console: server-side targeting
    Use Group Policy or registry settings: client-side targeting
Server Cleanup Wizard: cleans old computers, updates, and files out of the WSUS server.
Reporting Rollup: Configure whether downstream servers send their update/computer statuses upstream for central management in replica mode.
E-mail notifications
Personalization: Configure reporting rollup display, validation errors, to-do list display.
WSUS configuration wizard: reruns the initial configuration.

Viewing status reports on computers and other WSUS reports:
You must have Microsoft Viewer 2008 installed. Download it from MS if not installed.
Microsoft Viewer 2008 requires .NET 2.0. You can install 3.5 (includes .NET 2 and 3) (NET-Framework-Features) using Server Manager, Add roles and features, feature install.

Approving Updates:
You can approve updates while viewing computer reports, or from the Updates menu.
PowerShell:
Pipe Get-WsusUpdate into Approve-WsusUpdate.
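As an added example (not from the original notes), this script approves only the critical and security updates that clients are still waiting for, and only to one pilot group, so a bad update is caught on a few machines before it reaches everything. It assumes the UpdateServices module is available on the WSUS server and that a computer group named "Pilot" already exists; both names are placeholders.

```powershell
# Added example, not from the original notes. Approves pending critical and
# security updates for one pilot group before they go to everyone.
# Assumptions: UpdateServices module present (WSUS console/RSAT installed),
# run on the WSUS server, and a computer group named "Pilot" already exists.
Import-Module UpdateServices

$pilotGroup = "Pilot"     # assumed group name
$dryRun     = $true       # set to $false to actually approve

# Server-side filters: Critical and Security classifications only,
# not yet approved, and reported Failed or Needed by at least one client.
$pending = foreach ($class in "Critical", "Security") {
    Get-WsusUpdate -Classification $class -Approval Unapproved -Status FailedOrNeeded
}

"{0} update(s) pending for group '{1}'" -f @($pending).Count, $pilotGroup
foreach ($u in $pending) {
    # $u is a WsusUpdate wrapper; the underlying IUpdate is in .Update
    $kb = ($u.Update.KnowledgebaseArticles -join ",")
    "  KB{0,-8} {1}" -f $kb, $u.Update.Title
    if (-not $dryRun) {
        # Approve-WsusUpdate takes the WsusUpdate object from the pipeline;
        # -Action Install approves it for installation in that group only.
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $pilotGroup
    }
}

# Superseded updates can be declined so they stop cluttering reports;
# declining is separate from approval and is not done by the loop above.
# Get-WsusUpdate -Approval Unapproved | Where-Object { $_.Update.IsSuperseded } | Deny-WsusUpdate
```

Run it once with $dryRun left at $true to see the list, then flip it. Widening the approval to the production groups is the same call with a different -TargetGroupName once the pilot group reports clean.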

Powershell WSUS configuration:
 http://technet.microsoft.com/library/hh826166
 http://blogs.technet.com/b/heyscriptingguy/archive/2013/05/27/use-the-updateservices-module-to-manage-wsus.aspx

WSUS troubleshooting:
Server logs:
Application event log
c:\Program Files\Update Services\Logfiles\change.log
c:\program files\update services\logfiles\softwaredistribution.log

Client troubleshooting:
logs:
c:\windows\windowsupdate.log
c:\windows\softwaredistribution\reportingevents.log

reset updates due to corrupted update or other reason:
(wuauserv is the windows update service)
net stop wuauserv
delete everything in c:\windows\softwaredistribution
net start wuauserv

wuauclt /detectnow
This will query the WSUS server and check for updates
wuauclt /detectnow /resetauthorization
This expires a locally stored cookie with WSUS information, so the client contacts the WSUS server for fresh information and checks for updates. Use it when certain changes are made. For instance, if you change client-side targeting you may need to run gpupdate /force on the client and then wuauclt /detectnow /resetauthorization.
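The client reset procedure above, as an added example script rather than anything from the original notes. It is meant for an elevated PowerShell on the client and assumes the only problem is a corrupt download cache; it renames the SoftwareDistribution folder instead of deleting it (a variation on the notes' steps) so the old ReportingEvents.log is still available for comparison.

```powershell
# Added example, not from the original notes: the client reset procedure
# as a script, run in an elevated PowerShell on the client.
# Assumption: the only thing wrong is a corrupt download cache, so moving
# SoftwareDistribution aside is safe (it is rebuilt on the next detection).
$sdir = Join-Path $env:SystemRoot "SoftwareDistribution"
$log  = Join-Path $env:SystemRoot "WindowsUpdate.log"

# wuauserv is Windows Update; BITS also keeps handles open in the folder.
foreach ($svc in "wuauserv", "bits") {
    Stop-Service $svc -Force
    (Get-Service $svc).WaitForStatus("Stopped", [TimeSpan]::FromSeconds(60))
}

# Rename instead of delete: keeps the old logs, and the rename fails loudly
# if some process still has a file locked, rather than half-clearing it.
$backup = "$sdir.old-$(Get-Date -Format yyyyMMddHHmmss)"
Rename-Item $sdir $backup
"Old cache moved to $backup"

Start-Service bits
Start-Service wuauserv

# Force a fresh detection; /resetauthorization discards the cached WSUS
# client cookie so targeting changes are picked up too.
& "$env:SystemRoot\System32\wuauclt.exe" /detectnow /resetauthorization

# Detection runs in the background. Wait, then show the newest log lines so
# you can confirm the client contacted the intended WSUS URL and port.
Start-Sleep -Seconds 30
Get-Content $log -Tail 20
```

The log tail is the check worth keeping: a client pointed at the wrong server or port looks healthy from the service side and only shows up as "not reporting" on the WSUS console.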

Extra note: I learned the hard way that you should run a Server Cleanup fairly often on a WSUS server, depending on how much data you are storing. Besides the console server option, you can also do this in PowerShell with the Invoke-WsusServerCleanup cmdlet.

Extra note: It looks like 2012 is lacking a lot of cmdlets necessary for most PowerShell configurations, but the previous links list the ones you can use if you need some quick and dirty command line configs. If you're trying to do a post-install initial configuration, your best bet is to use the console installed on GUI 2012 or Windows 8. When I first wrote these notes, I had thought they would add more by R2 but that does not seem to be the case.

1.2.2 configure group policies for updates
Configuring client computers to access the WSUS server: This can be done through GP, local GP edit (gpedit.msc) or the registry. It must be done regardless of whether you use server-side targeting or client-side targeting.

Local GP (gpedit.msc)
Local Computer Policy -> Computer Configuration ->Administrative Templates -> Windows Components -> Windows Update

GP
Computer Configuration ->Policies -> Administrative Templates -> Windows Components -> Windows Update

Registry
http://technet.microsoft.com/en-us/library/dd939844%28v=ws.10%29.aspx

First you must enable Automatic Updates. This is done using the Configure Automatic Updates setting in GP and local GP. You can also enable AU by using the control panel/Windows Updates.

Next you have to assign the WSUS server on a client. This is done in GP and local GP using the "Specify intranet Microsoft update service location" setting. Check Enabled and enter your WSUS server in both the intranet update service field and the intranet statistics server field. You should prefix the URL with http or https. (Note that using SSL requires more complex setup on the server.) It's important to note that WSUS 4 on 2012 defaults to port 8530 for http and 8531 for https, so you must also specify the port. Depending on your network setup, you can use the server name or FQDN. Example:
http://wsusserver.contoso.com:8530

Other GP settings:
"Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog"
"Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog'"
"Enable Windows Update Power Management to automatically wake up the system to install
     scheduled updates"
"Automatic Updates detection frequency"
"Allow non-administrators to receive update notifications"
"Turn on Software Notifications"
"Allow Automatic Updates immediate installation"
"Turn on recommended updates via Automatic updates"
"No auto-restart with logged on users for scheduled automatic updates"
"Re-prompt for restart with scheduled installations"
"Delay Restart for scheduled installations"
"Reschedule Automatic Updates scheduled installations"
"Enable client-side targeting": see 1.2.3
"Allow signed updates from an intranet Microsoft update service location"

Extra note: Before WSUS 4, WSUS would default to port 80 unless there was a web site already on port 80. Then it would use 8530. In 2012, WSUS 4 just installs to 8530 regardless.

1.2.3 configure client-side targeting
Set the "Enable client-side targeting" to the WSUS group you want this group policy to apply to. Any computers affected by the GP will place themselves in that WSUS group.

You can also configure using the registry:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

The TargetGroup value should be set to the group you want.
In the AU subkey, the UseWUServer value needs to be set to 1.
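As an added example (not from the original notes), this script writes the registry values above for a stand-alone client: the same policy keys Group Policy populates, so on a domain member GP will overwrite them at the next refresh and you should set them in GP instead. The server URL reuses the notes' example address and the group name is a placeholder; TargetGroupEnabled and AUOptions are documented values under the same keys that the notes do not list.

```powershell
# Added example, not from the original notes. Points a stand-alone client at
# a WSUS server and enrols it in a target group by writing the policy values
# Group Policy would write. On a domain member, GP overwrites these.
# Assumed values: the URL is the notes' example, the group name is made up.
$wsusUrl = "http://wsusserver.contoso.com:8530"   # assumed, from the notes' example
$group   = "Windows 2012"                          # assumed group name

$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au = Join-Path $wu "AU"
foreach ($k in $wu, $au) { if (-not (Test-Path $k)) { New-Item $k -Force | Out-Null } }

# Where to get updates and where to report status (the two GP fields).
Set-ItemProperty $wu WUServer       $wsusUrl -Type String
Set-ItemProperty $wu WUStatusServer $wsusUrl -Type String
# Client-side targeting: TargetGroupEnabled must be 1 or TargetGroup is ignored.
Set-ItemProperty $wu TargetGroupEnabled 1 -Type DWord
Set-ItemProperty $wu TargetGroup $group -Type String
# Tell the Automatic Updates agent to use the intranet server at all.
Set-ItemProperty $au UseWUServer 1 -Type DWord
# AUOptions 3 = download and notify for install; 4 = auto download and schedule install.
Set-ItemProperty $au AUOptions 3 -Type DWord

# Read back what the agent will see; a typo in WUServer silently sends
# the client nowhere, so this is the check to do before walking away.
Get-ItemProperty $wu | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
Get-ItemProperty $au | Select-Object UseWUServer, AUOptions

# The client caches its targeting; reset it so the new group takes effect.
& "$env:SystemRoot\System32\wuauclt.exe" /detectnow /resetauthorization
```

The read-back is the same check you would do on a GP-managed client after gpupdate /force: if the values under the Policies key do not match what the GPO says, the GPO is not applying and no amount of /resetauthorization will help.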

1.2.4 configure WSUS synchronization
I already covered a lot of this in 1.2.1
Use Synchronization menu to see current synchronizations.

Select products and classifications to synchronize

Classifications:
Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates

Configure Update files
Setup manual or automatic synchronization on Synchronization Schedule option

Powershell:
Disable a product:
get-wsusproduct -titleincludes "SQL Server" | set-wsusproduct -disable
To enable, run set-wsusproduct without the -disable switch.
Same with classifications, except get-wsusclassification does not have a -titleincludes parameter, so you must pipe through where-object.
Enable Drivers classification:
get-wsusclassification | where-object -filterscript {$_.classification.title -eq "Drivers"} | set-wsusclassification

set-wsusserversynchronization only allows configuration of upstream servers/MS update. No options for scheduling.

Set server to sync from MS Update:
set-wsusserversynchronization -syncfrommu

Configure an upstream server to sync from on port 1337 using SSL (the parameter is -UssServerName, USS meaning upstream server):
set-wsusserversynchronization -ussservername UpWsus -portnumber 1337 -usessl
Configure an upstream server by piping in
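Set-WsusServerSynchronization has no schedule parameters, but the WSUS .NET API that the cmdlets wrap does, and Get-WsusServer hands you the IUpdateServer object to reach it. The following is an added example, not from the original notes, that goes beyond the cmdlets: it sets the schedule, enables products and classifications, starts a sync and polls it to completion. It assumes it runs on the WSUS server (default port) and that 03:00 UTC with one sync per day is the wanted schedule.

```powershell
# Added example, not from the original notes. Set-WsusServerSynchronization
# cannot set a schedule, but the underlying API (ISubscription) can.
# Assumed: run on the WSUS server, one sync per day at 03:00 UTC.
Import-Module UpdateServices
$wsus = Get-WsusServer                    # local server, default port
$sub  = $wsus.GetSubscription()

# Same effect as the Synchronization Schedule option in the console.
# The API stores the time of day in UTC, not local time.
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$sub.NumberOfSynchronizationsPerDay    = 1
$sub.Save()

# Products and classifications, using the cmdlets from the notes above.
Get-WsusProduct -TitleIncludes "Windows Server 2012" | Set-WsusProduct
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in "Critical Updates", "Security Updates" } |
    Set-WsusClassification

# Kick off a sync now (only if one is not already running) and poll it.
if ($sub.GetSynchronizationStatus() -eq 'NotProcessing') {
    $sub.StartSynchronization()
}
do {
    Start-Sleep -Seconds 30
    $p = $sub.GetSynchronizationProgress()
    "{0}: {1}/{2}" -f $p.Phase, $p.ProcessedItems, $p.TotalItems
} while ($sub.GetSynchronizationStatus() -eq 'Running')

# The result of the last run is what the console's Synchronizations view shows.
$last = $sub.GetLastSynchronizationInfo()
"Last sync result: {0} started {1}" -f $last.Result, $last.StartTime
```

GetLastSynchronizationInfo() is also the thing to check from a scheduled task: a sync that keeps failing against the upstream leaves clients on stale approvals without any visible error on the client side.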

1.2.5 configure WSUS groups
The All Computers group always shows every computer. New computers are also assigned to Unassigned Computers, unless configured via client-side targeting.

Right click All Computers and Add a new computer group.

Server-side targeting requires you to manually move computers from Unassigned Computers by right-clicking and choosing "Change Membership".

Powershell:
There doesn't seem to be a powershell cmdlet to configure groups.

Add a computer to a group:

get-wsuscomputer -nameincludes "WDSserver" | add-wsuscomputer -targetgroupname "Windows 2012"

Extra note: Another errata in MOAC 70-411 book. They give example Add-Wsuscomputer -computer PC1 to add Pc1 to a targetgroup. Add-wsuscomputer requires an input object piped from get-wsuscomputer. A string won't work. 
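There is no cmdlet for creating groups, but the IUpdateServer object from Get-WsusServer can do it. As an added example (not from the original notes, and not the MOAC book's), the script below creates a group if it is missing, adds computers to it the way the notes show (objects piped from Get-WsusComputer, not names), and lists members that have stopped reporting. The group name "Windows 2012" and the name filter "SRV" are placeholders.

```powershell
# Added example, not from the original notes. Creates a WSUS computer group
# through the API, fills it with Add-WsusComputer, and lists stale members.
# Assumed names: group "Windows 2012", computers whose names contain "SRV".
Import-Module UpdateServices
$wsus      = Get-WsusServer
$groupName = "Windows 2012"

# Create the group only if it does not already exist (group names are unique).
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) {
    $group = $wsus.CreateComputerTargetGroup($groupName)
    "Created group '$groupName'"
}

# Add-WsusComputer needs WsusComputer objects from the pipeline, not a string.
Get-WsusComputer -NameIncludes "SRV" | Add-WsusComputer -TargetGroupName $groupName

# Show what is now in the group. GetComputerTargets() returns IComputerTarget
# objects; LastReportedStatusTime is when the client last sent its status.
$group.GetComputerTargets() |
    Select-Object FullDomainName, IPAddress, LastReportedStatusTime, LastSyncTime |
    Format-Table -AutoSize

# Members that have not reported in 30 days: either decommissioned machines
# that should go through Server Cleanup, or clients that can no longer reach
# WSUS and are silently missing patches.
$cutoff = (Get-Date).AddDays(-30)
$stale  = $group.GetComputerTargets() | Where-Object { $_.LastReportedStatusTime -lt $cutoff }
"Stale in '$groupName': $(@($stale).Count)"
$stale | Select-Object FullDomainName, LastReportedStatusTime
```

The stale list matters more than the group membership itself: a compliance report over a group full of dead entries understates how many live machines still need a given update.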

1.2.6 (R2) Manage patch management in mixed environments

I still have not worked out what this R2 added objective is asking for.
