Configuring Microsoft Windows Server Update Services

Microsoft Virtual Labs
Configuring a Microsoft
Windows Server Update
Services 3.0
Configuring Microsoft Windows Server Update Services 3.0
Table of Contents
Configuring Microsoft Windows Server Update Services 3.0 .................................................. 1
Exercise 1 Perform configuration of WSUS Server ......................................................................................................2
Exercise 2 Managing Updates in a WSUS environment ...............................................................................................4
Exercise 3 Configuring reporting in a WSUS Environment ..........................................................................................9
Exercise 4 Maintaining a WSUS Server ...................................................................................................................... 12
Configuring Microsoft Windows Server

Update Services 3.0
After completing this lab, you will be better able to:
Objectives Configure a WSUS Server
Modify an existing WSUS Configuration
Manage WSUS clients and updates
Determine update status
Work with update status reporting
Configure server cleanup and update notifications
In this lab you will learn to use Microsoft Windows Server Update Services 3.0
Scenario to build a software update infrastructure for your network. You will first
configure a WSUS server. You will then go through the process of reviewing
and approving updates. Next you will configure Group Policy to ensure that
client computers are configured to use your WSUS server and that updates are
delivered correctly to clients. Finally you will configure reporting and perform
WSUS server maintenance.
Note: The steps in this lab are intended to provide an overview of the technology
presented. They are not intended to, and may not follow, Microsoft best
practices or guidance on the technology presented.
Before working on this lab, you must have:
Prerequisites • An understanding of the Microsoft Windows environment.
• An understanding of MMC (Microsoft Management Console).
• An understanding of Active Directory.
• An understanding of group policy.
Estimated Time to 60 Minutes

Complete This Lab
Server1
Computer used in this Lab
Server2
The password for the Contoso\Administrator account on this computer is:

P@ssw0rd.
Page 1 of 12
Exercise 1
Perform configuration of WSUS Server
Scenario
In this exercise you will complete the setup of a WSUS 3.0 Server. The server will be configured to hold the updates
for the domain. You will then perform the initial configuration and synchronization of the WSUS 3.0 Server to
ensure that the latest updates are available to clients. Additionally you will review reports to see which updates are
actually stored locally.
You will apply a policy which ensures that all the updates for Windows Server 2003 and Windows Vista computers
are available for approval, however you will not download all the content immediately. You will ensure you are only
downloading the updates that are apply to computers on your network and therefore not taking up space with extra
languages, operating systems and products which you are not using.
Note: This exercise requires the following computer: Server1
Tasks Detailed Steps

Complete the following 2 Note: In this task you will complete an install of Windows Server Update Services 3.0
tasks on: and configure the updates to be received from Microsoft Update. In order to complete
the installation process you will need to log onto the server using an account that is a
member of the local Administrators group. Only users who are members of the local
Server1 Administrators group can install WSUS 3.0.
1. Complete Note: By installing WSUS 3.0 into the environment, you are enabling clients to
Configuration of download and install updates to Microsoft products from a central source and
WSUS 3.0 ensuring that administrators have the ability to approve updates for their
environment.
Note: The installation has been completed for you using the default WSUS installation
options for Windows Server 2003 R2 . The settings used include installing Microsoft
SQL Server 2005 Embedded Edition for the WSUS 3.0 database, storing updates
locally and using the IIS default Web site on Port 80. You will use the initial wizard to
configure the settings.
Note: WSUS Server has been configured with the following pre-requisites installed:
• Windows Server 2003 Service Pack 1 or later
• Microsoft Internet Information Services (IIS) 6.0 or later
• Background Intelligent Transfer Service (BITS) 2.0 or later
• Windows Installer 3.1 or later
• Microsoft .NET Framework 2.0
• Microsoft Report Viewer 2005
• Microsoft Management Console 3.0
Note: Perform this task on the Server1 computer.
a. To open the Windows Server Update Services Configuration Wizard, on the Start
menu navigate to All Programs – Administrative Tools – Microsoft Windows
Server Update Services 3.0.
b. In the navigation pane, navigate to Update Services/Server1/Options.
c. In the options pane, click WSUS Server Configuration Wizard to launch the
configuration wizard.
d. On the Before You Begin page, review the items that would need to be
preconfigured in a live environment. Click Next.
Page 2 of 12
e. On the Microsoft Update Improvement Program page, check Yes, I would like
to join the Microsoft Update Improvement Program. Click Next.
f. On the Choose Upstream Server page, ensure the default of Synchronize from
Microsoft Update is selected and then click Next.
g. On the Specify Proxy Server page, click Next.
Note: At this point you would normally click Start Connecting, to obtain the list of
Products and Classifications available for download. The initial synchronization has
been performed for you already in the lab environment.
h. On the Connect to Upstream Server page, click Cancel.
i. On the Cancel WSUS Server Configuration Wizard dialog box, click Yes to
cancel the configuration.
2. Modify WSUS 3.0 Note: In this task you will manually change the settings for the products, updates and
Server Settings synchronization times. These are actions that you would take when you have a new
operating system, product or language installed in your Network or if you needed to
remove support for older products. In this task you will exclude updates for Windows
XP and the remove the language of Hungarian. In this exercise you will also modify
the schedule to enforce a policy of checking for updates to ensure that synchronization
occurs every hour. In addition, you will also remove the default Auto Deployment rule
so that the updates will not be automatically approved at this time.
Note: Perform this task on the Server1 computer
Note: The Windows Server Update Services Configuration Wizard should be open
from the previous step however if it is not open, navigate to Start – All Programs –
Administrative Tools – Microsoft Windows Server Update Services 3.0.
a. In Update Services, in the navigation pane, click Options.
b. In the contents pane, click Products and Classifications.
c. In the Products and Classifications dialog box, on the Products tab, uncheck
Windows XP.
d. On the Classifications tab, select Tools, and then click OK.
e. In the contents pane, click Update Files and Languages.
f. In the Update Files and Languages dialog box, on the Update Languages tab,
uncheck Hungarian and then click OK.
g. In the contents pane, click Synchronization Schedule.
Note: Saving file and language settings may take several minutes. If the OK button is
not available, wait 30 seconds, then try again.
h. In the Synchronization Schedule dialog box, select Synchronize automatically.
i. Change the First Synchronization time to 7:00:00AM. Change the
Synchronizations per day to 24 and then click OK.
j. To modify the automatic approval process, in the contents pane, click Automatic
Approvals.
k. On the Update Rules tab, select Default Automatic Approval Rule and then
click Delete.
l. Click OK to close the Approval Rules dialog box.
Note: In this task you have configured the server synchronization. To ensure that the
clients update themselves you would also need to configure a client-side schedule –
either manually or via group policy.
Page 3 of 12
Exercise 2
Managing Updates in a WSUS environment
Scenario
In this exercise you will take the completed synchronization of updates of the WSUS 3.0 Server and begin to
automate the process of updating clients. This will be done by configuring computer groups to assign updates to and
then assigning computers to those groups. This can be done manually but in a large scale environment, this can be a
large load to manage, in this exercise you will leverage group policy to automate the process of assigning computers
to computer groups.
By leveraging group policy, the clients can be configured centrally to update via the WSUS 3.0 server. You will
modify the existing Test Computers Policy to ensure that all machines in the Test Computers OU will be mapped to
the WSUS Server rather than gaining updates from the external Windows Updates server.
After approving an update for the Test Labs Computer group, you will then force a deployment to the client machine
and view the report to observe that the updates have completed successfully.
Note: This exercise requires the following computers: Server1 and Server2

Complete the following Note: In this task you will configure computer groups to be used to target updates to
task on: specific computers. There are two default groups in WSUS – All Computers and
Unassigned Computers. By default when a client computer contacts a WSUS server it
is assigned to both of these groups. You will create two new groups in this exercise, a
Server1 test group named Test Lab for our test lab and a server group named Servers to target
1. Create new computer our server computers.
groups for targeted Note: Perform this task on the Server1 computer
updates.
Note: The Windows Server Update Services Configuration Wizard should be open
from the previous step however if it is not open, navigate to Start – All Programs –
Administrative Tools – Microsoft Windows Server Update Services 3.0.
a. In the navigation pane, expand Computers and then click All Computers.
b. In the Actions pane, click Add Computer Group….
c. In the Add Computer Group dialog box, in Name, type Test Lab, and then click
Add.
d. Repeat step b and c to add the group Servers.
e. Expand All Computers to view the additional groups.
Complete the following 2 Note: In this task you will configure a client computer to point to the WSUS server to
tasks on: obtain the updates as approved by the administrator. This can be accomplished in two
ways, either by modifying the local group policy object (GPO) or by using Active
Directory and Group Policy to configure the clients for updates. In this task the Group
Server1 and Policy will also be modified to ensure that update settings are applied and updates are
Server2 retrieved from the WSUS Server.
2. Mapping clients to Note: After performing the update you will force the application of the Group Policy
obtain updates from and then also force the client to manually initiate detection of the WSUS Server.
the WSUS 3.0 Server Note: Perform this task on the Server1 computer
a. On the Start menu, click Run, type GPMC.MSC and then click OK.
b. In Group Policy Management, navigate to and expand
Forest:Contoso.com/Domains/Contoso.com/Test Computers OU and then
select Test Computers Policy.
Page 4 of 12
c. In the Group Policy Management Console dialog box, click OK.
d. In Group Policy Management on the Action menu, click Edit.
e. In Group Policy Object Editor, expand Computer
Configuration/Administrative Templates/Windows Components, and then
click Windows Update.
f. In the Contents pane, click Configure Automatic Updates and then on the
Action menu, click Properties.
g. In the Configure Automatic Updates Properties dialog box, click Enabled, in
the Configure automatic updating selection, select Auto Download and
schedule the install, leave the default day and time unchanged and then click OK.
h. In the Contents pane, click Specify intranet update service location and then on
the Action menu, click Properties
i. In the Specify intranet Microsoft update service location Properties dialog box,
click Enabled, in Set the intranet update service for detecting updates and Set
the intranet statistics server, type http://server1 and then click OK.
j. Close Group Policy Object Editor.
k. Close Group Policy Management .
Note: Perform the following steps on the Server2 computer
l. Log on as Administrator with a password of P@ssw0rd.
m. On the Start menu, click Run, type CMD and then click OK.
n. At the command prompt, type the following command and then press ENTER.
Gpupdate /force
o. To force the detection by WSUS of the client, at the command prompt, type the
following command and then press ENTER
wuauclt.exe /detectnow
p. In the Update Services console, in the navigation pane, click Computers.
q. In the Update Services console, in the Actions pane, click Refresh.
r. In the Update Services console, in the explorer pane, under the heading of All
Computers, click Computers with no status.
Note: On the next detection cycle, Server2 will report status which will contain
information on which updates are already installed and which are needed.
3. Modifying default Note: In this task you will modify WSUS Server 3.0 to use Group Policy or registry
settings for adding settings to assign computer group membership. This is used to leverage Group Policy
clients to a target or settings to facilitate assigning group membership automatically. You will then
group modify Group Policy settings to force all the machines in the Test Computers OU to be
added to the Test Lab Group.
Note: Perform this task on the Server1 computer
a. In Updates Services console, in the navigation pane, click Options.
b. In the contents pane, click Computers.
c. In the Computers dialog box, on the General tab select Use Group Policy or
registry settings on computers and then click OK.
d. On the Start menu, click Run, type GPMC.MSC and then click OK.
e. In Group Policy Management, navigate to and expand Test Computers OU and
then select Test Computers Policy.
Page 5 of 12
f. If the Group Policy Management Console dialog box pops up, click OK.
g. In Group Policy Management on the Action menu, click Edit.
h. In Group Policy Object Editor, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click
Windows Update.
i. In the contents pane, double click Enable client-side targeting.
j. In the Enable client-side targeting Properties dialog box, click Enabled, in
Enable client-side targeting and Target group name for this computer, type
Test Lab and then click OK.
Note: The client side targeting value must exactly match a computer group name on
the WSUS server or it will be placed in the unassigned computers group. Mistyping
the client side targeting value is a common configuration error.
k. Switch to Server2 machine, On the Start menu, click Run, type CMD and then
click OK.
l. At the command prompt, type the following command and then press ENTER.
Gpupdate /force
m. To force the detection by WSUS of the client, at the command prompt, type the
n. In Update Services, navigate to Update Services/Server1/Computers/All
Computers/Test Lab.
o. In the contents pane, in Status, select Any, and then click Refresh
Note: The Server2.contoso.com computer account will be listed.
p. Close Group Policy Object Editor.
q. Close Group Policy Management.
Complete the following 2 Note: In this task you will approve an update and deploy it to the Servers computer
tasks on: group, the same update you will block from installing in the Test Lab computer group.
In addition you will assign and approve a different update to the Test Lab computer
group. You will then create a new custom view to display the update status.
Server1
Note: Perform this task on the Server1 Computer
4. Approve and deploy
a. In Updates Services console, expand Updates. This will display the summary of
updates to client
updates that are in the environment.
computers
b. In the navigation pane, click All Updates.
c. In the contents pane, in Status, select Any and then click Refresh.
d. Select the update Security Update for Windows Server 2003 (KB921883) in the
list and in the Actions pane, select Approve...
e. In Approve Updates click the icon beside Servers and select Approved for
Install.
f. In the Approve Updates click the icon beside Test Lab and select Not Approved.
g. Click OK to accept the changes and close the Approve Updates window.
h. After the Approval Progress has completed, click Close.
i. Select the update Update for Windows Server 2003 (KB922582) in the list and in
Page 6 of 12
the Actions pane, select Approve...
j. In the Approve Updates click the icon beside Test Lab and select Approved for
Install.
k. In the Approve Updates click the icon beside Servers and select Not Approved
and then click OK.
l. After the Approval Progress has completed click Close.
m. In the navigation pane, click Updates. The default view is now displayed with the
summary of the environment.
n. On the Actions pane, click New Update View….
o. In Step 1: Select Properties, select Updates are approved for a specific group.
p. In the Step 2: Edit the properties box click on the underlined a specific group. In
the Choose Computer Groups dialog box select Servers. Click OK.
q. In Step 3: Specify a name box type the name, Server Updates and then click OK.
r. In the Navigation pane, select Server Updates.
Note: By default there will be nothing displayed as the default is to only show
Unapproved updates
s. From the Approval drop down box select Any Except Declined, in Status, select
Any and then click Refresh.
5. Configure automatic Note: In this task you will automate the process of approving updates by adding a rule
approval of updates to automatically approve critical and security updates. This rule will ensure that all
to client computers the deployments of the Critical Updates and Security Updates are processed
automatically to all the computers in the Test Lab computer group.
Note: Perform this task on the Server1 Computer.
a. In Microsoft Windows Server Updates Services console, click Options.
b. In the content pane, click Automatic Approvals.
c. In the Automatic Approvals dialog box, click New Rule.
d. In the Add Rule dialog box, select When an update is in a specific classification
in Step 1: Select Properties.
e. In Step 2: Edit the properties, click any classification.
f. In the Choose Update Classifications dialog box deselect all items except for
Critical Updates and Security Updates then click OK.
g. In Step 2: Edit the properties, click all computers.
h. In the Choose Computer Groups dialog box deselect all items except for Test
Lab then click OK.
i. In Step 3: Specify a name, enter the name of Test Lab Important Updates then
click OK.
j. Click OK to save the changes.
Complete the following Note: In this task you will test the automated process of the update deploying to the
task on: client machine. This will give you the opportunity to test the previously created rule to
ensure that the updates are applied.
Note: Perform this task on the Server2 Computer.
Server2
6. Observe install of
a. On the Start menu, click Run, type CMD and then click OK.
Updates on client b. At the command prompt, type the following command and then press ENTER.
machine
Gpupdate /force
c. To force the detection by WSUS of the client, at the command prompt, type the
Page 7 of 12
Note: At this point the Updates shield will appear to advise that updates are ready to
be installed on Server2. You can now continue to the next exercise.
Page 8 of 12
Exercise 3
Configuring reporting in a WSUS Environment
Scenario
In this exercise you will configure reporting from the WSUS 3.0 server to enhance existing reports. You will use
target the reporting by creating a custom report that will display the results of updates from the Test Labs computer
group and also targeting computers that have Windows Vista or Windows Server 2003 installed.
You will also add the CEO’s user account into the WSUS Reporting group, this will enable the CEO to create and
view reports but be unable to change any configurations in WSUS.
In addition you will configure WSUS 3.0 to email reports on a regular basis to the administrator.

Complete the following 3 Note: In this task you will use the built in reporting tools to create a report on the
tasks on: status of updates and of the client update status. You can use these reports to examine
what updates have been applied to your environment. This could be used to document
the update status of the machines in the network. For ease of distribution, you will
Server1 export this in both Excel and PDF format.
1. Using built-in Note: Perform this task on the Server1 computer.
reporting
a. In Updates Services console, click Reports.
b. In the contents pane, under the heading of Update Reports, click Update Status
Summary.
c. In the Updates Report window, click on Any computer group, deselect all
options except for Test Lab and then click OK.
d. In the Updates Report window, click on Needed, Failed, Unknown Status,
select Any, and then click OK.
e. In the Updates Report window, click Run Report.
f. In the Updates Report window, click on the Disk icon next to the 100% and
select Excel.
g. In the Save As dialog box, click Save.
h. Close the Updates Report window.
i. In the contents pane, under the heading of Computer Reports, click Computer
Detailed Status.
j. In the Computers Report window click on Any product and deselect all options
except for Windows Server 2003 and Windows Vista. Click OK.
k. In the Computers Report window, click Run Report.
l. In the Computers Report window, click on the Disk icon and select Acrobat
(PDF) file.
m. In the Save As dialog box, accept the default by clicking Save.
n. Close the Computers Report window.
Note: In addition to the above reports, you can further manipulate the reporting by
adjusting which status, classification or product to report on.
2. Configuring a user as Note: In this task you will give the CEO, Don Hall, access to be able to run reports
a reports-only user in from within WSUS 3.0. He will only be able to generate reports and will not be able to
WSUS 3.0 change any settings or approve any updates. This is useful for situations when you
have a non-administrator who requires access for reporting purposes.
Page 9 of 12
Note: You will complete this task by adding Don Hall’s account into the WSUS
Reporters group. This group is created by default when WSUS 3.0 is installed on a
machine.
Note: Perform this task on the Server1 computer.
a. On the Start menu navigate to All Programs - Administrative Tools - Active
Directory Users and Computers.
b. In Active Directory Users and Computers, navigate to the Users folder.
c. Double-click the group object WSUS Reporters and then click the Members tab.
d. Click Add, and in Enter the object names to select, type Don Hall. Click Check
Name.
e. Click OK to add Don Hall to the group.
f. Click OK to save the settings and close the WSUS Reporters Properties dialog
box.
Note: On a member server, the WSUS Reporters group would be a local group
instead of the domain group that is used here. In this case the WSUS Reporters group
is a domain group as we have installed WSUS onto a domain controller.
3. Configuring e-mail Note: In this task you will use the built-in tools in WSUS 3.0, you will use the built-in
reporting tools to create email notifications of new updates and status reports.
Note: Perform this task on Server1 computer
a. In Updates Services console, click Options.
b. In the contents pane, click E-Mail Notifications.
c. In the E-Mail Notification Options dialog box, on the General tab configure the
settings shown in the following table.
Setting Value
Send e-mail notification when Checked
new updates are synchronized
Recipients administrator@contoso.com
Send status reports Checked
Frequency Weekly
Send reports at 7:00:00pm
Recipients administrator@contoso.com
d. Click on the E-Mail Server tab and configure it as shown in the following table.
Setting Value
Outgoing e-mail server (SMTP) server1
Port Number 25
Sender name Administrator
E-Mail address administrator@contoso.com
e. On the E-Mail Server tab, click Test.
f. In the E-Mail Notification Options dialog box, click Close.
g. In the E-mail Notification Options dialog box, click OK.
h. In the Start menu, navigate to All Programs, Outlook Express.
i. In Outlook Express , click Inbox, open the WSUS: Test E-Mail Notification
Page 10 of 12
From SERVER1 and examine the contents.
j. Close Outlook Express.
Page 11 of 12
Exercise 4
Maintaining a WSUS Server
Scenario
In this exercise you will complete continuing maintenance actions on the WSUS 3.0 server. This will include
cleaning up the environment to purge old records. This maintenance action will delete old clients from the
environment (ones that have not been in contact with the WSUS 3.0 server for more than 90 days). You will also
purge old superseded updates from the database and updates that were declined. This maintenance will ensure that
space is freed on the server thereby ensure better space management.
Should this action not be taken then updates that are no longer required will still be stored. An example would be if
you had retired all your Windows 2000 servers, then the updates that are required for Windows Server 2000 would
no longer need to be retained. Using the Server Cleanup wizard make the overall maintenance more streamlined.
To ensure best practices for disaster recovery you will also back up the WSUS database and the configurations that
you have implemented.

Complete the following Note: In this task you will use the built-in tools in WSUS to firstly cleanup the server
task on: to remove out of date and unused update files, old revisions of updates, superseded
updates and computers that are no longer active. The purging of old updates and
computers is done so as to ensure that space is not used for updates that are no longer
Server1 required or applicable.
1. Performing cleanup Note: Perform this task on Server1 computer
maintenance
a. In Updates Services console, click Options.
b. In the contents pane, click Server Cleanup Wizard.
c. In WSUS Server Cleanup Wizard, accept the default setting for the cleanup and
click Next.
d. The Server Cleanup Wizard will now complete and return results of the items that
have been cleaned up.
e. Click Finish.
Page 12 of 12

Configuring Microsoft Windows Server Update Services

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Configuring Microsoft Windows Server Update Services

Uploaded by

Copyright:

Available Formats

Microsoft Virtual Labs

Configuring Microsoft Windows Server

Estimated Time to 60 Minutes

The password for the Contoso\Administrator account on this computer is:

Tasks Detailed Steps

Tasks Detailed Steps

Tasks Detailed Steps

Tasks Detailed Steps

You might also like