From the course: Career Essentials in System Administration by Microsoft and LinkedIn
Windows Server Update Services
- [Instructor] Windows Server Update Services is a server role you add to any Windows Server. It is an included management role that creates a management interface in the Server Manager Tools menu. This gives you centralized update management. Prior to a centralized system, users got their updates directly from Microsoft. This can use a lot of bandwidth and cause users to install updates that may be harmful to some of their applications. Microsoft created WSUS to solve both of those issues by automating updates by first having the sysadmin approve them.
We can deploy WSUS a couple of different ways. We can install all features onto a single server that will download and update patches to Windows computers. The second option is to have an upstream and downstream server to download the updates and then push them out to users. After updating Group Policy to tell clients to get updates from the WSUS server, you can then decide which updates to download from Microsoft and approve for clients. You can also set up auto-approval rules for specific groups or types of updates, such as security ones. Once the updates are deployed, you can use reporting to make sure the updates have been installing correctly to the users' computers.
I'm in a Windows Server where I can install Windows Server Update Services. We just need to go into Server Manager, as you see here, and then click on add roles and features. The wizard will pop up and we'll go to install a new role, which will be WSUS. And here we see it's the last option in the list. Click to add features. Click next. If you have a SQL Server, you can connect to it that way, because it does require a database, or it can use the WID connectivity, which is the Windows Internal Database, which it will install. I'll go ahead and choose that, since I don't have a SQL Server, and click next. Now we need to store the updates in a location. I'm just going to put in SQL and \updates, and that's where the update files will be sent.
And I'll click install. Installation usually just takes a few minutes, and once it's done and we choose the type of updates that we would like, it will download those updates into that updates folder. Now, you're going to need a lot of space based on how many different operating systems you're going to be protecting, so I recommend at least one terabyte of free space in any location that you use to download the updates.
Once the updates are installed and ready to go, you can go into Group Policy and tell the clients to look to the WSUS server instead of Microsoft to get their updates. Then, instead of having all the clients go out to the internet individually, they'll all go to this one server to get their updates, and you'll be able to approve any updates individually or by type all at once to be sent out to the clients, or to be blocked in case there may be an issue. What a lot of sysadmins will do is, they'll set up a sandbox area where they can install all those updates, and then once they know that the updates aren't going to cause any problems with existing applications in security, then they'll go ahead and approve them for the users.
The installation is complete, I'll click close, and now I'll click on the triangle you see here at the top and choose to launch the post-installation tasks. Now it's time to run through the update services configuration wizards, so I'll click next. And here's the option for the upstream server. So if we have another server that's going to be an upstream server that's going to connect to Microsoft, we can choose that here. Otherwise, if this is the upstream server, or we only have a single server, as we do here, we'll choose synchronize with Microsoft Update. I'm not using a proxy server, but if you are, go ahead and choose that.
Now, choosing the language is really important, because if you choose a lot of different languages, you're going to need a lot more storage space, and that's because it's going to duplicate all the different updates in all the different languages, so be sure just to choose the languages that you need. That portion of the installation typically takes about 30 minutes, so be prepared for that. Now we can see all the different languages that you can use. I'm going to just choose English and click next.
And now we're going to see all the different products that we can choose to have updated. Don't choose all products unless you have a lot of storage space and you feel that you need it. Otherwise, just choose the ones that you need. By default, you're going to see Windows is checked, as well as everything underneath it, so I'm going to uncheck that and then check just the operating systems that I'm concerned about. I'm going to choose Windows 11, because at this point, there's not a lot of updates for that, so it's good for demonstration purposes.
Here's where we can choose the classifications. We can see critical updates, definitions, and security updates are all checked. Definition updates will have to do with Microsoft Defender on Windows computers for anti-malware. I'm going to choose just the critical updates for the demonstration purposes, so it goes a little more quickly, and then I have the option to synchronize manually or automatically. I'm going to choose manually, but I suggest you try to do it automatically, as it will do a lot of the work for you. And the synchronization's going to begin when I check this box.
All synchronization means is that it's going to download the latest files from Microsoft and put them into that updates folder that I designated earlier. And then tomorrow, if you have it set to automatic, it will do it again. It will make sure that the database that I have on my server is synchronized with the database at Microsoft.
It doesn't mean that I'm pushing out the updates to the clients at that point. I'm going to expand my server updates, click on all updates, and what you want to do is, you want to check where it says approval. If you just choose unapproved, you're not going to see any of the updates, because you haven't actually unapproved anything. So we're just going to put in any except declined, and under status, we're going to put in any as well, and that way, you'll actually see the updates once they synchronize. And again, this can also take quite a while to happen, depending on how many boxes and languages you checked.
After you set up Group Policy to push out the information to all the clients, where to look for updates, you're going to see all those clients here in unassigned computers. After that, you can go in and you can create groups by right-clicking on all computers and choosing add computer group. I'll call one Win11. And then you can put those in there, and then once you go to the updates, you can approve specific updates for specific groups, rather than all updates for all groups, and this will allow you to set up your sandbox where you can choose all the updates just for those computers, run your tests, and then you can come back to this area and choose which operating systems should get which updates.
Another area I like to go to is the options area, and in options, you can go to products and classifications, and you can add additional operating systems and applications that you might have missed in the beginning. So if things change in your organization, you can add them in here. You can also add additional files and languages, and you can go to where it says automatic approvals. This area can really save you a lot of time. So what you can do, for instance, by default, it's already set up, when an update is in critical or security, it's going to be automatically approved for all computers.
You can go in and change that from all computers to, say, Win 11 computers or whichever groups that you'd like, and you can also change which type of update should be automatically approved. So what this means is that if there's a critical update or a security update, it doesn't have to go through the approval process, where you have to right-click on it and choose to approve or deny it. What's going to happen is it's automatically going to approve it and push it out to the clients. This can be a big time saver for these types of updates that you may not want to have to approve yourself manually and you want to get them out right away. It's also a little bit of a risk, because some critical updates and security updates can cause problems as well. If I decide I want to choose that, I'll check the box and click OK.
WSUS provides control and automation to your patching and update needs.
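
The wizard steps described in the transcript, from adding the role through a staged approval for the Win11 test group, scripted in PowerShell. This is an added example, not part of the course; the content path `D:\WSUS` is an assumed placeholder, and the script assumes an elevated session on the WSUS server itself.

```powershell
# Added example, not from the course. Run elevated on the WSUS server.
$contentDir = 'D:\WSUS'   # assumed placeholder path for the update files
$testGroup  = 'Win11'     # sandbox computer group named in the transcript

# Add the role with the Windows Internal Database (WID) and the console.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Post-installation task: build the database and set the content folder.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$contentDir"

# Single server: synchronize with Microsoft Update, English only.
Set-WsusServerSynchronization -SyncFromMU
$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# Helper: pause, then poll until the running synchronization has finished.
function Wait-WsusSync($subscription) {
    do { Start-Sleep -Seconds 15 }
    while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')
}

# Fetch only the product/classification catalog so the lists are populated.
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
Wait-WsusSync $sub

# Keep storage small: one product, one classification.
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Windows 11' } | Set-WsusProduct
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -eq 'Critical Updates' } |
    Set-WsusClassification

# Manual synchronization, as chosen in the demonstration.
$sub = $wsus.GetSubscription()   # re-read so the selections above are kept
$sub.SynchronizeAutomatically = $false
$sub.Save()
$sub.StartSynchronization()
Wait-WsusSync $sub

# Approve for the test group only; other groups stay unapproved until tested.
$null = $wsus.CreateComputerTargetGroup($testGroup)
Get-WsusUpdate -Classification Critical -Approval Unapproved -Status Any |
    Approve-WsusUpdate -Action Install -TargetGroupName $testGroup
```

Clients appear under unassigned computers only after Group Policy points them at this server, so the Win11 group has no members until computers are moved into it.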