Professional Documents
Culture Documents
Configuring a Microsoft
Windows Server Update
Services 3.0
Configuring Microsoft Windows Server Update Services 3.0
Table of Contents
Configuring Microsoft Windows Server Update Services 3.0 .................................................. 1
Exercise 1 Perform configuration of WSUS Server ......................................................................................................2
Exercise 2 Managing Updates in a WSUS environment ...............................................................................................4
Exercise 3 Configuring reporting in a WSUS Environment ..........................................................................................9
Exercise 4 Maintaining a WSUS Server ...................................................................................................................... 12
Configuring Microsoft Windows Server Update Services 3.0
Page 1 of 12
Configuring Microsoft Windows Server Update Services 3.0
Exercise 1
Perform configuration of WSUS Server
Scenario
In this exercise you will complete the setup of a WSUS 3.0 Server. The server will be configured to hold the updates
for the domain. You will then perform the initial configuration and synchronization of the WSUS 3.0 Server to
ensure that the latest updates are available to clients. Additionally you will review reports to see which updates are
actually stored locally.
You will apply a policy which ensures that all the updates for Windows Server 2003 and Windows Vista computers
are available for approval, however you will not download all the content immediately. You will ensure you are only
downloading the updates that are apply to computers on your network and therefore not taking up space with extra
languages, operating systems and products which you are not using.
Note: This exercise requires the following computer: Server1
Page 2 of 12
Configuring Microsoft Windows Server Update Services 3.0
Tasks Detailed Steps
e. On the Microsoft Update Improvement Program page, check Yes, I would like
to join the Microsoft Update Improvement Program. Click Next.
f. On the Choose Upstream Server page, ensure the default of Synchronize from
Microsoft Update is selected and then click Next.
g. On the Specify Proxy Server page, click Next.
Note: At this point you would normally click Start Connecting, to obtain the list of
Products and Classifications available for download. The initial synchronization has
been performed for you already in the lab environment.
h. On the Connect to Upstream Server page, click Cancel.
i. On the Cancel WSUS Server Configuration Wizard dialog box, click Yes to
cancel the configuration.
2. Modify WSUS 3.0 Note: In this task you will manually change the settings for the products, updates and
Server Settings synchronization times. These are actions that you would take when you have a new
operating system, product or language installed in your Network or if you needed to
remove support for older products. In this task you will exclude updates for Windows
XP and the remove the language of Hungarian. In this exercise you will also modify
the schedule to enforce a policy of checking for updates to ensure that synchronization
occurs every hour. In addition, you will also remove the default Auto Deployment rule
so that the updates will not be automatically approved at this time.
Note: Perform this task on the Server1 computer
Note: The Windows Server Update Services Configuration Wizard should be open
from the previous step however if it is not open, navigate to Start – All Programs –
Administrative Tools – Microsoft Windows Server Update Services 3.0.
a. In Update Services, in the navigation pane, click Options.
b. In the contents pane, click Products and Classifications.
c. In the Products and Classifications dialog box, on the Products tab, uncheck
Windows XP.
d. On the Classifications tab, select Tools, and then click OK.
e. In the contents pane, click Update Files and Languages.
f. In the Update Files and Languages dialog box, on the Update Languages tab,
uncheck Hungarian and then click OK.
g. In the contents pane, click Synchronization Schedule.
Note: Saving file and language settings may take several minutes. If the OK button is
not available, wait 30 seconds, then try again.
h. In the Synchronization Schedule dialog box, select Synchronize automatically.
i. Change the First Synchronization time to 7:00:00AM. Change the
Synchronizations per day to 24 and then click OK.
j. To modify the automatic approval process, in the contents pane, click Automatic
Approvals.
k. On the Update Rules tab, select Default Automatic Approval Rule and then
click Delete.
l. Click OK to close the Approval Rules dialog box.
Note: In this task you have configured the server synchronization. To ensure that the
clients update themselves you would also need to configure a client-side schedule –
either manually or via group policy.
Page 3 of 12
Configuring Microsoft Windows Server Update Services 3.0
Exercise 2
Managing Updates in a WSUS environment
Scenario
In this exercise you will take the completed synchronization of updates of the WSUS 3.0 Server and begin to
automate the process of updating clients. This will be done by configuring computer groups to assign updates to and
then assigning computers to those groups. This can be done manually but in a large scale environment, this can be a
large load to manage, in this exercise you will leverage group policy to automate the process of assigning computers
to computer groups.
By leveraging group policy, the clients can be configured centrally to update via the WSUS 3.0 server. You will
modify the existing Test Computers Policy to ensure that all machines in the Test Computers OU will be mapped to
the WSUS Server rather than gaining updates from the external Windows Updates server.
After approving an update for the Test Labs Computer group, you will then force a deployment to the client machine
and view the report to observe that the updates have completed successfully.
Note: This exercise requires the following computers: Server1 and Server2
Page 4 of 12
Configuring Microsoft Windows Server Update Services 3.0
Tasks Detailed Steps
c. In the Group Policy Management Console dialog box, click OK.
d. In Group Policy Management on the Action menu, click Edit.
e. In Group Policy Object Editor, expand Computer
Configuration/Administrative Templates/Windows Components, and then
click Windows Update.
f. In the Contents pane, click Configure Automatic Updates and then on the
Action menu, click Properties.
g. In the Configure Automatic Updates Properties dialog box, click Enabled, in
the Configure automatic updating selection, select Auto Download and
schedule the install, leave the default day and time unchanged and then click OK.
h. In the Contents pane, click Specify intranet update service location and then on
the Action menu, click Properties
i. In the Specify intranet Microsoft update service location Properties dialog box,
click Enabled, in Set the intranet update service for detecting updates and Set
the intranet statistics server, type http://server1 and then click OK.
j. Close Group Policy Object Editor.
k. Close Group Policy Management .
Note: Perform the following steps on the Server2 computer
l. Log on as Administrator with a password of P@ssw0rd.
m. On the Start menu, click Run, type CMD and then click OK.
n. At the command prompt, type the following command and then press ENTER.
Gpupdate /force
o. To force the detection by WSUS of the client, at the command prompt, type the
following command and then press ENTER
wuauclt.exe /detectnow
Note: Perform the following steps on the Server1 computer
p. In the Update Services console, in the navigation pane, click Computers.
q. In the Update Services console, in the Actions pane, click Refresh.
r. In the Update Services console, in the explorer pane, under the heading of All
Computers, click Computers with no status.
Note: On the next detection cycle, Server2 will report status which will contain
information on which updates are already installed and which are needed.
3. Modifying default Note: In this task you will modify WSUS Server 3.0 to use Group Policy or registry
settings for adding settings to assign computer group membership. This is used to leverage Group Policy
clients to a target or settings to facilitate assigning group membership automatically. You will then
group modify Group Policy settings to force all the machines in the Test Computers OU to be
added to the Test Lab Group.
Note: Perform this task on the Server1 computer
a. In Updates Services console, in the navigation pane, click Options.
b. In the contents pane, click Computers.
c. In the Computers dialog box, on the General tab select Use Group Policy or
registry settings on computers and then click OK.
d. On the Start menu, click Run, type GPMC.MSC and then click OK.
e. In Group Policy Management, navigate to and expand Test Computers OU and
then select Test Computers Policy.
Page 5 of 12
Configuring Microsoft Windows Server Update Services 3.0
Tasks Detailed Steps
f. If the Group Policy Management Console dialog box pops up, click OK.
g. In Group Policy Management on the Action menu, click Edit.
h. In Group Policy Object Editor, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click
Windows Update.
i. In the contents pane, double click Enable client-side targeting.
j. In the Enable client-side targeting Properties dialog box, click Enabled, in
Enable client-side targeting and Target group name for this computer, type
Test Lab and then click OK.
Note: The client side targeting value must exactly match a computer group name on
the WSUS server or it will be placed in the unassigned computers group. Mistyping
the client side targeting value is a common configuration error.
Note: Perform the following steps on the Server2 computer
k. Switch to Server2 machine, On the Start menu, click Run, type CMD and then
click OK.
l. At the command prompt, type the following command and then press ENTER.
Gpupdate /force
m. To force the detection by WSUS of the client, at the command prompt, type the
following command and then press ENTER
wuauclt.exe /detectnow
Note: Perform the following steps on the Server1 computer
n. In Update Services, navigate to Update Services/Server1/Computers/All
Computers/Test Lab.
o. In the contents pane, in Status, select Any, and then click Refresh
Note: The Server2.contoso.com computer account will be listed.
p. Close Group Policy Object Editor.
q. Close Group Policy Management.
Complete the following 2 Note: In this task you will approve an update and deploy it to the Servers computer
tasks on: group, the same update you will block from installing in the Test Lab computer group.
In addition you will assign and approve a different update to the Test Lab computer
group. You will then create a new custom view to display the update status.
Server1
Note: Perform this task on the Server1 Computer
4. Approve and deploy
a. In Updates Services console, expand Updates. This will display the summary of
updates to client
updates that are in the environment.
computers
b. In the navigation pane, click All Updates.
c. In the contents pane, in Status, select Any and then click Refresh.
d. Select the update Security Update for Windows Server 2003 (KB921883) in the
list and in the Actions pane, select Approve...
e. In Approve Updates click the icon beside Servers and select Approved for
Install.
f. In the Approve Updates click the icon beside Test Lab and select Not Approved.
g. Click OK to accept the changes and close the Approve Updates window.
h. After the Approval Progress has completed, click Close.
i. Select the update Update for Windows Server 2003 (KB922582) in the list and in
Page 6 of 12
Configuring Microsoft Windows Server Update Services 3.0
Tasks Detailed Steps
the Actions pane, select Approve...
j. In the Approve Updates click the icon beside Test Lab and select Approved for
Install.
k. In the Approve Updates click the icon beside Servers and select Not Approved
and then click OK.
l. After the Approval Progress has completed click Close.
m. In the navigation pane, click Updates. The default view is now displayed with the
summary of the environment.
n. On the Actions pane, click New Update View….
o. In Step 1: Select Properties, select Updates are approved for a specific group.
p. In the Step 2: Edit the properties box click on the underlined a specific group. In
the Choose Computer Groups dialog box select Servers. Click OK.
q. In Step 3: Specify a name box type the name, Server Updates and then click OK.
r. In the Navigation pane, select Server Updates.
Note: By default there will be nothing displayed as the default is to only show
Unapproved updates
s. From the Approval drop down box select Any Except Declined, in Status, select
Any and then click Refresh.
5. Configure automatic Note: In this task you will automate the process of approving updates by adding a rule
approval of updates to automatically approve critical and security updates. This rule will ensure that all
to client computers the deployments of the Critical Updates and Security Updates are processed
automatically to all the computers in the Test Lab computer group.
Note: Perform this task on the Server1 Computer.
a. In Microsoft Windows Server Updates Services console, click Options.
b. In the content pane, click Automatic Approvals.
c. In the Automatic Approvals dialog box, click New Rule.
d. In the Add Rule dialog box, select When an update is in a specific classification
in Step 1: Select Properties.
e. In Step 2: Edit the properties, click any classification.
f. In the Choose Update Classifications dialog box deselect all items except for
Critical Updates and Security Updates then click OK.
g. In Step 2: Edit the properties, click all computers.
h. In the Choose Computer Groups dialog box deselect all items except for Test
Lab then click OK.
i. In Step 3: Specify a name, enter the name of Test Lab Important Updates then
click OK.
j. Click OK to save the changes.
Complete the following Note: In this task you will test the automated process of the update deploying to the
task on: client machine. This will give you the opportunity to test the previously created rule to
ensure that the updates are applied.
Note: Perform this task on the Server2 Computer.
Server2
6. Observe install of
a. On the Start menu, click Run, type CMD and then click OK.
Updates on client b. At the command prompt, type the following command and then press ENTER.
machine
Gpupdate /force
c. To force the detection by WSUS of the client, at the command prompt, type the
Page 7 of 12
Configuring Microsoft Windows Server Update Services 3.0
Tasks Detailed Steps
following command and then press ENTER
wuauclt.exe /detectnow
Note: At this point the Updates shield will appear to advise that updates are ready to
be installed on Server2. You can now continue to the next exercise.
Page 8 of 12
Configuring Microsoft Windows Server Update Services 3.0
Exercise 3
Configuring reporting in a WSUS Environment
Scenario
In this exercise you will configure reporting from the WSUS 3.0 server to enhance existing reports. You will use
target the reporting by creating a custom report that will display the results of updates from the Test Labs computer
group and also targeting computers that have Windows Vista or Windows Server 2003 installed.
You will also add the CEO’s user account into the WSUS Reporting group, this will enable the CEO to create and
view reports but be unable to change any configurations in WSUS.
In addition you will configure WSUS 3.0 to email reports on a regular basis to the administrator.
Page 9 of 12
Configuring Microsoft Windows Server Update Services 3.0
Tasks Detailed Steps
Note: You will complete this task by adding Don Hall’s account into the WSUS
Reporters group. This group is created by default when WSUS 3.0 is installed on a
machine.
Note: Perform this task on the Server1 computer.
a. On the Start menu navigate to All Programs - Administrative Tools - Active
Directory Users and Computers.
b. In Active Directory Users and Computers, navigate to the Users folder.
c. Double-click the group object WSUS Reporters and then click the Members tab.
d. Click Add, and in Enter the object names to select, type Don Hall. Click Check
Name.
e. Click OK to add Don Hall to the group.
f. Click OK to save the settings and close the WSUS Reporters Properties dialog
box.
Note: On a member server, the WSUS Reporters group would be a local group
instead of the domain group that is used here. In this case the WSUS Reporters group
is a domain group as we have installed WSUS onto a domain controller.
3. Configuring e-mail Note: In this task you will use the built-in tools in WSUS 3.0, you will use the built-in
reporting tools to create email notifications of new updates and status reports.
Note: Perform this task on Server1 computer
a. In Updates Services console, click Options.
b. In the contents pane, click E-Mail Notifications.
c. In the E-Mail Notification Options dialog box, on the General tab configure the
settings shown in the following table.
Setting Value
Send e-mail notification when Checked
new updates are synchronized
Recipients administrator@contoso.com
Send status reports Checked
Frequency Weekly
Send reports at 7:00:00pm
Recipients administrator@contoso.com
d. Click on the E-Mail Server tab and configure it as shown in the following table.
Setting Value
Outgoing e-mail server (SMTP) server1
Port Number 25
Sender name Administrator
E-Mail address administrator@contoso.com
e. On the E-Mail Server tab, click Test.
f. In the E-Mail Notification Options dialog box, click Close.
g. In the E-mail Notification Options dialog box, click OK.
h. In the Start menu, navigate to All Programs, Outlook Express.
i. In Outlook Express , click Inbox, open the WSUS: Test E-Mail Notification
Page 10 of 12
Configuring Microsoft Windows Server Update Services 3.0
Tasks Detailed Steps
From SERVER1 and examine the contents.
j. Close Outlook Express.
Page 11 of 12
Configuring Microsoft Windows Server Update Services 3.0
Exercise 4
Maintaining a WSUS Server
Scenario
In this exercise you will complete continuing maintenance actions on the WSUS 3.0 server. This will include
cleaning up the environment to purge old records. This maintenance action will delete old clients from the
environment (ones that have not been in contact with the WSUS 3.0 server for more than 90 days). You will also
purge old superseded updates from the database and updates that were declined. This maintenance will ensure that
space is freed on the server thereby ensure better space management.
Should this action not be taken then updates that are no longer required will still be stored. An example would be if
you had retired all your Windows 2000 servers, then the updates that are required for Windows Server 2000 would
no longer need to be retained. Using the Server Cleanup wizard make the overall maintenance more streamlined.
To ensure best practices for disaster recovery you will also back up the WSUS database and the configurations that
you have implemented.
Page 12 of 12