Information Systems:WSUS

From uniWIKI

WSUS – Windows Software Update Service

The WSUS application is provided to IT administrators for free by Microsoft. It is installed on the Smithers server, on top of its Windows Server 2012R2 operating system. The purpose of the WSUS application is to provide a managed local version of the Windows Update website that consumers use to get patches from Microsoft. WSUS presents all of the patches that Microsoft has created for all of its products going back at least 14 years. Since it is not practical to download everything for all products, WSUS allows an IT administrator to choose not only which products get patches, but also which patches get applied to client machines. The client machines (in the context of WSUS) include all desktops and laptops plus all the Windows-based servers. The client machines are configured to query the WSUS application based on settings applied from GPO objects in Active Directory. Machines not connected to AD don’t use WSUS.

The GPO settings instruct the client machines to query the WSUS application every 4 hours for any new patches. If there are patches, they are downloaded right away and set to install at midnight of whichever day the patches were given authorization to install. The one exception is the Windows servers: they download the patches when they are detected and then install them on Saturday at midnight. In most cases one or more patches will require a reboot, and that happens automatically after the last patch is installed, for the servers as well as the desktops/laptops. If a laptop, for example, is powered off at install time, the patches get installed the next day when it is turned on. Microsoft publishes patches and updates on the second Tuesday of every month. The number of patches and updates varies, but sometimes there are many, and it may be wise to delay their installation for a week or two to allow Microsoft to fix any defects in the published patches. Critical security patches that fix vulnerabilities exploitable by “unauthenticated remote attackers” should be installed as soon as possible.
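The following script is an added example, not part of this wiki page or of WSUS itself. It reads the Windows Update policy values that the GPO writes to the client registry and reports anything that does not match the schedule described above (check every 4 hours, install at midnight, servers on Saturday). The WSUS server URL and port in `$ExpectedWsusUrl` are assumptions and must be set to the real Smithers address; the function names are made up for this example.

```powershell
# Added example (not from the uniWIKI page): audit the Windows Update client policy
# that the WSUS GPO is expected to have applied on a domain-joined machine.
# Assumptions (not stated on the page): the WSUS server URL below, and that
# desktops install every day while servers install on Saturday, both at hour 0.
# Run in an elevated PowerShell prompt on the client; it only reads the registry.

$ExpectedWsusUrl = 'http://smithers:8530'   # ASSUMED server URL and port

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Get-WsusClientPolicy {
    # Reads the policy-driven values; a missing key means no WSUS policy is applied.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer                      = $wu.WUServer
        WUStatusServer                = $wu.WUStatusServer
        UseWUServer                   = $au.UseWUServer
        AUOptions                     = $au.AUOptions              # 4 = auto download, scheduled install
        ScheduledInstallDay           = $au.ScheduledInstallDay    # 0 = every day, 1 = Sunday ... 7 = Saturday
        ScheduledInstallTime          = $au.ScheduledInstallTime   # hour of day, 0 = midnight
        DetectionFrequencyEnabled     = $au.DetectionFrequencyEnabled
        DetectionFrequency            = $au.DetectionFrequency     # hours between checks
        NoAutoRebootWithLoggedOnUsers = $au.NoAutoRebootWithLoggedOnUsers
    }
}

function Test-WsusClientPolicy {
    # Returns a list of findings; an empty list means the policy matches expectations.
    param(
        [pscustomobject]$Policy = (Get-WsusClientPolicy),
        # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
        [bool]$IsServer = ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 1)
    )
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $Policy.WUServer) {
        $findings.Add('No WUServer policy: this machine is not pointed at WSUS (not in AD, or GPO not applied).')
        return $findings
    }
    if ($Policy.WUServer -ne $ExpectedWsusUrl) {
        $findings.Add("WUServer is '$($Policy.WUServer)', expected '$ExpectedWsusUrl'.")
    }
    if ($Policy.WUServer -like 'http://*') {
        $findings.Add('WUServer uses plain HTTP; Microsoft recommends HTTPS for the client-to-WSUS connection.')
    }
    if ($Policy.UseWUServer -ne 1) {
        $findings.Add('UseWUServer is not 1; the client will contact Microsoft Update instead of WSUS.')
    }
    if ($Policy.AUOptions -ne 4) {
        $findings.Add("AUOptions is $($Policy.AUOptions); 4 (auto download and schedule install) expected.")
    }
    if ($Policy.DetectionFrequencyEnabled -ne 1 -or $Policy.DetectionFrequency -ne 4) {
        $findings.Add('Detection frequency is not the expected 4 hours.')
    }
    if ($Policy.ScheduledInstallTime -ne 0) {
        $findings.Add("ScheduledInstallTime is $($Policy.ScheduledInstallTime); 0 (midnight) expected.")
    }
    $expectedDay = if ($IsServer) { 7 } else { 0 }
    if ($Policy.ScheduledInstallDay -ne $expectedDay) {
        $role = if ($IsServer) { 'server' } else { 'workstation' }
        $findings.Add("ScheduledInstallDay is $($Policy.ScheduledInstallDay); $expectedDay expected for a $role.")
    }
    return $findings
}

$result = Test-WsusClientPolicy
if ($result.Count -eq 0) { 'WSUS client policy matches the expected configuration.' } else { $result }
```

Run it on a machine that is reporting to the wrong group, or not appearing in the WSUS console at all, before touching the server: most "missing client" cases turn out to be a GPO that never applied.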

It is important to review the patches and updates that are published by Microsoft each month. Even though WSUS is currently configured to only present patches for products we use, there are instances where a particular version of a product or an architecture of a product does not apply. When that happens, that patch or update can be declined from the WSUS GUI. Patches that don’t apply to any of our machines should not be downloaded to the WSUS database because they only take up valuable hard drive space. An example of this is when an update to Internet Explorer is published for the Itanium architecture. Since we have no servers with Itanium processors, that patch should be declined and not downloaded.

Other Important Information

  • Dictionary updates for Microsoft Office should be declined because they take up very large amounts of hard drive space (on Smithers), which is disproportionate to their usefulness.
  • Once per year, the superseded updates need to be removed from the WSUS database. The command for this is inside the settings GUI
  • It is important to remove old decommissioned computers from the WSUS GUI as well as place newly installed computers into the correct WSUS group
  • It is very rare that new Microsoft products are installed at UWD, but when they are, the corresponding product needs to be added into WSUS, otherwise it will not be recognized as needing updates. Same goes for when old Microsoft products are removed – they need to be removed from WSUS to save on disk space.
  • There is no technical support from Microsoft for WSUS as it is a free product. There are many public websites that contain useful tips and those are the only available option for sorting out technical problems. That being said, WSUS is highly reliable and is the industry standard for enterprise grade patching of Microsoft software. If an IT administrator is not using WSUS, then they are doing it wrong.
  • Microsoft has changed functionality in WSUS installed on Server 2012R2 for Windows 10 clients. Make sure that if we deploy Windows 10 clients, they are getting the right patches in the correct manner from the WSUS server.
  • Feature updates have a .esd file extension, and therefore for IIS to serve them, .esd needs to be added to the MIME file types on the WSUS server.
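The script below is an added example, not from this wiki page or from Microsoft, that covers three of the server-side chores above in one place: declining updates that never apply here (the Itanium and Office dictionary cases), the yearly superseded-update cleanup, and registering the .esd MIME type in IIS. It is meant to run on the WSUS server (Smithers) in an elevated prompt with the UpdateServices and WebAdministration modules available. The title patterns, the `application/octet-stream` MIME type and the function names are assumptions made for this example; the page itself names only the Itanium and dictionary cases.

```powershell
# Added example (not from the uniWIKI page): WSUS server-side housekeeping.
# Assumptions: WSUS listens on its default local port (Get-WsusServer with no
# arguments), the title patterns below match how the unwanted updates are named
# in our console, and .esd is served as application/octet-stream.

Import-Module UpdateServices
Import-Module WebAdministration

# Title patterns for updates that never apply to this site (ASSUMED naming; adjust
# after checking the titles in the WSUS console).
$DeclinePatterns = @(
    'Itanium',      # no Itanium hardware here
    'Dictionary'    # Office dictionary updates: large, little value
)

function Get-DeclineCandidates {
    # Lists not-yet-declined updates whose title matches any pattern. Read-only.
    param([string[]]$Patterns = $DeclinePatterns, $Server = (Get-WsusServer))
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $Server.GetUpdates() | Where-Object { -not $_.IsDeclined -and $_.Title -match $regex }
}

function Invoke-DeclineCandidates {
    # Declines the candidates. With -WhatIf it only prints what it would decline,
    # which is the right first run: a too-broad pattern would decline real patches.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Patterns = $DeclinePatterns)
    foreach ($u in Get-DeclineCandidates -Patterns $Patterns) {
        if ($PSCmdlet.ShouldProcess($u.Title, 'Decline')) { $u.Decline() }
    }
}

function Invoke-AnnualWsusCleanup {
    # Scripted equivalent of the Server Cleanup Wizard in the console: declines
    # superseded and expired updates, and removes obsolete updates, unneeded
    # content files and computer records that have stopped reporting.
    param($Server = (Get-WsusServer))
    Invoke-WsusServerCleanup -UpdateServer $Server `
        -DeclineSupersededUpdates -DeclineExpiredUpdates `
        -CleanupObsoleteUpdates -CleanupUnneededContentFiles `
        -CleanupObsoleteComputers -CompressUpdates
}

function Set-EsdMimeType {
    # Registers .esd in the server-level IIS static content map so that feature
    # updates are served instead of being rejected as an unknown file type.
    param([string]$MimeType = 'application/octet-stream')   # ASSUMED MIME type
    $filter = 'system.webServer/staticContent'
    $path   = 'MACHINE/WEBROOT/APPHOST'
    $present = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name Collection |
               Where-Object { $_.fileExtension -eq '.esd' }
    if ($present) { return "'.esd' already mapped to $($present.mimeType)" }
    Add-WebConfigurationProperty -PSPath $path -Filter $filter -Name Collection `
        -Value @{ fileExtension = '.esd'; mimeType = $MimeType }
    return "'.esd' mapped to $MimeType"
}

# Typical use: preview first, then decline for real, then the once-a-year cleanup.
Invoke-DeclineCandidates -WhatIf
# Invoke-DeclineCandidates
# Invoke-AnnualWsusCleanup
# Set-EsdMimeType
```

Keep the `-WhatIf` run in the habit: the decline step is the only part of the script that cannot be undone from the console without re-approving each update by hand, and a pattern such as `Dictionary` matches on title text, not on the product the update belongs to.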