Windows Server Update Services Essentials

Patch Management for the Enterprise Introducing Microsoft Windows Server Update Services Software Update Services vs. Windows Server Update Services 0 Summary 0 Solutions Fast Track 0 Frequently Asked Questions Microsoft Windows Server Update Services (WSUS) is the answer to all of your problems as long as they are centered on patch management. Patch management is the systematic application of updated code to operating systems and certain Microsoft applications, to repair a defect until the...

Introduction

Windows Software Update Services (WSUS) has a client-server relationship therefore, client software must be configured and rolled out in order for clients to properly communicate and eventually become updated by the server. Clients can be rolled out to your target audience in a few different ways. The differences in topology, Active Directory design, and layout, whether to use Active Directory or not, and the physical location of clients are factors in deciding how to activate client machines...

Typical Server Installation

Now it is time to install WSUS.You have patched your servers, and hopefully you have verified that your server meets the minimum requirements, and all decisions have been made about the database location. Now, find the WSUS installation media or the directory where you saved the WSUSSetup.exe download.The following steps assume you are using the downloaded version (since it is typically the most up-to-date) 1. Launch the WSUS setup file. The setup file will begin extracting the components to a...

Approving an Update for Installation with a Deadline

You will now see how to use a deadline to force an update to be installed at a certain time. In this section, we are going to install the Update for Outlook 2003 Junk Email Filter (KB902953). We are going force the install to occur on September 9, 2005 at 5 00 P.M. Open the WSUS administration console by typing http wsus_server_name wsusadmin (where wsus_server_name is the name of your WSUS server), as shown in Figure 6.23. Click on the Updates button in the upper right-hand corner of the...

Configuring WSUS for SSL

The first step in using SSL is to obtain a digital certificate for your server. A number of certificate authorities are available on the Internet for this purpose, including the following Verisign (www.verisign.com) Digicert (www.digicert.com) Digital certificate prices vary from vendor to vendor. Each WSUS server in your environment requires its own certificate, so you must plan carefully when deciding if SSL is the way to go. Once you have selected a vendor, you must create a certificate...

Update Files and Languages

At this point you can synchronize your WSUS server however, before starting the first synchronization it is a good idea to verify that WSUS is downloading updates in the correct language.You also need to choose where WSUS will store updates, when it will download updates, and the types of update files to be used. Language support is configured from the Synchronization Options page shown in Figure 6.7. Scroll down to the section labeled Update Files and Language and click the Advanced...

Configuring Firewalls

In a typical environment, not much has to be done to the firewall configuration in order to allow the WSUS server to download updates from Microsoft. Many environments allow most protocols to go outbound from the inside (trusted) network, but this is not always the case. Some organizations, such as the government and the military, may only allow access via certain protocols and ports, or to a particular list of preapproved sites. If the restriction within your organization is port-based...

Creating a New GPO for WSUS

We will now use Active Directory Users and Computers to create a GPO at the domain level to push down the new WSUS settings. This could also be accomplished using the Group Policy Management Console, but the steps would look a bit different. There are ten total settings that can be configured for WSUS. For this example, we are configuring every machine to automatically download updates and install them at 3 00 A.M. without forcing a reboot. Best Practices According to Microsoft_ Microsoft...

Sharing Remote Content on SUS Server

One drawback of an across-the-wire upgrade is that you must copy all of the SUS updates across the network to your WSUS server. This is still better than having to download them all from the Internet, but it is not as quick as when doing an in-place upgrade. Before you can copy over the updates, you must share the folder on the SUS server containing the updates. The following walks you through this process. Sharing the Content Folder on the SUS Server 1. Double-click on My Computer from the...

Viewing Updates

After configuring WSUS to download the correct updates and synchronize with Microsoft's servers, you are ready to view your updates. The home page for the WSUS administration console provides a summary of the total number of updates on your server (see Figure 6.15). It shows you how many updates are approved, not approved, and declined. It also shows you how many updates your computer needs and how many total computers are missing updates. The home page allows you to look at a glance to see...

Bandwidth Options

One of the benefits of using WSUS is the ability to manage updates and therefore manage bandwidth usage efficiently. Related to bandwidth, you have four specific options to work with in WSUS.You can defer download, filter updates, use express installation files, and use Background Intelligent Transfer Server (BITS) 2.0. The out-of-the-box configuration of WSUS downloads all updates in all languages. Aside from being a large download, there is a high likelihood that you do not need all of the...

Completing a Remote SQL Installation

In Installing Supporting Applications, we left the SQL server installation in limbo. Now that you have an understanding of how a typical WSUS installation is completed, you can finish the front-end back-end configuration. In a typical installation, you would normally complete this piece before configuring the back-end server however, switching the order will not affect the installation. With the front-end installation, you still need to determine where the updates will be stored, how the server...

Managing Updates

WSUS administrators spend most of their time managing updates, which are broken down into three general phases viewing updates, approving updates, and testing updates. These phases follow a logical progression view which updates are available, approve WSUS to detect which machines need updating, and have WSUS update your test machines followed by your production machines. The viewing updates phase is where you look at which updates have been released. You can view all available updates or you...

Unattended Server Installation

In certain situations where either physical access or access via Remote Desktop is either not possible or is unreasonable (such as across slow network links), using an unattended installation of WSUS may be necessary. Microsoft has made unattended installations of WSUS very easy for even the novice command line user. As simple as it is, don't be fooled it still has all the functionality and flexibility as the graphical user interface (GUI) installation. Before performing an unattended...

Contributing Authors

Jonathan Hassell is an author, consultant, and speaker residing in Charlotte, NC. Jonathan's previous published works include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals, such as Microsoft's TechNet Magazine, PC Pro, SecurityFocus, and Windows IT Pro Magazine. He speaks around the world on topics such as networking, security, and Windows administration. Tony Piltzecker (CISSP, MCSE, CCNA, CCVP,...

Using NTBackup to Restore WSUS

Now that we have backed up WSUS, we will show you how to restore it using NTBackup. We will restore the c WSUSWSSQL WSUS folder and the e WSUS WsusContent folder to their original location. 2. Select Run from the Start menu. 3. Type ntbackup into the Open box. 5. Click on the Restore and Manage Media tab as shown in Figure 6.43. Figure 6.43 Restoring from Backup Backup Utility - Restore and Manage Media V eteome Ba kup Restore and M anage Media S chedule Jobs 1 Expand the desred medio item,...

Selfupdate

Just as Microsoft took us from SUS to WSUS, they plan to further improve and increase the functionality of WSUS as we know it today.This means that when new versions of WSUS come out or newly supported features for WSUS are integrated, clients may need an updated client version to be compatible. As discussed earlier, most of the AU clients have the ability to Selfupdate themselves to the latest version. Each WSUS-compatible AU client is configured to look at what is called the self-update tree...

Approving Updates

After downloading and viewing your updates, you need to approve them. Until you approve your updates, WSUS will not do anything with them.The term approve updates is a little misleading. When you hear approve updates, you probably assume that you are allowing WSUS to install an update. As logical as this may sound, it is incor rect. Approving an update just means you are telling WSUS what action to take with the update. Installing the update it just one of the possible approved actions. You...

Copying the WSUS Metadata

The last step in configuring a disconnected WSUS server is to copy the WSUS metadata from the export server to the import server. Unfortunately, there is neither a wizard nor a graphical user interface (GUI)-based means of exporting and importing the metadata. However, Microsoft has provided a command line utility for performing this task. By default, the utility is installed into the Program Files Update Services Tools directory. In the final section of this chapter, we walk through moving...

Backing Up and Restoring WSUS Servers

0 WSUS does not contain a separate tool for performing backups and restores. 0 Backups are performed using ntbackup or another third-party backup solution. 0 You must backup both the metadata and the update files. 0 By default, the metadata is stored in the WSUS database in the cAWSUSWSSQLSWSUS directory. 0 The update files are stored in the WSUS WsusContent directory on the drive selected to hold updates. 0 If your client's are pulling updates from Microsoft's servers, you will not have any...

Log Files

Like most clients, the AU client generates its own log files, using them to track current computer settings, updated changes, scheduled downloads and deployments, client communication failures, installation failures, service restarts, and so on. The log files are the best place to start when troubleshooting AU client problems. The following sections discuss two log files and shows how to enable verbose logging when you want a lot more detail regarding troublesome issues. As it receives and...

Disconnected Networks

If your organization includes WSUS servers on disconnected networks, you can follow a two-step export and import process (see Figure 9.4) to update those replica servers.This process requires additional management overhead, but it does guarantee update consistency between all WSUS servers however, there can be a high degree of lag time for this type of asynchronous synchronization. Good planning will optimize the process and minimize the time it takes to synchronize WSUS servers on disconnected...

Sample Disconnected Networks

The following sections discuss three different disconnected network scenarios remote office, a demilitarized zone (DMZ), and a lab environment. One common disconnected network is a remote office (see Figure 10.1). Some businesses must have a presence in remote locations of the world because they need to have a physical address in that location in order to do business (e.g., an insurance company needs to have an office on a tropical island in order to do business there) however, it may not be...

Accessing the WSUS Administration Console

If you forget the Uniform Resource Locator (URL) to manage your WSUS server, there is a link to it on the WSUS server. Go to the Start menu and navigate to Administrative Tools. The shortcut labeled Microsoft Windows Server Update Services will open the WSUS Web console. Figure 6.1 Opening the WSUS Administration Console IIBB S O 8ack - I - j V Search Favoilw Meda & - ,, S Home L datcs depots Computers Optms < 3) Hep Welcome to Windows Server Update Services You can use WndjK Sesver Update...

Configuring Products and Update Classifications Supported by WSUS

We'll now discuss the steps used for choosing which products and update classifications will be supported by WSUS. In this example, we configure WSUS to download all update classifications, and we will choose to only support Exchange Server 2003, Office 2003, and the Windows Server 2003 family. 1. From the Synchronization Options page, scroll down to the Product and Classifications section shown in Figure 6.11. Figure 6.11 Choosing Products and Classifications Figure 6.11 Choosing Products and...

Technical Editor and Lead Author

Brian Barber (MCSE, MCP+I, MCNE, CNE-5, CNE-4, CNA-3, CNA-GW) is coauthor of Syngress Publishing's Configuring Exchange 2000 Server (ISBN 1-928994-25-3), Configuring and Troubleshooting Windows XP Professional (ISBN 1-928994-80-6), and two study guides for the MSCE on Windows Server 2003 track (exams 70-296 ISBN 1-932266-57-7 and 70-297 ISBN 1932266-54-2 ). He is a Senior Technology Consultant with Sierra Systems Consultants Inc. in Ottawa, Canada. He specializes in IT service management and...

Capacity Requirements

Some companies will implement WSUS on an existing server others may purchase one or more additional servers to run WSUS in the enterprise. Ensuring that your servers exceed minimum requirements will avoid problems down the line, especially if your organization is growing and adding computers on a regular basis (see Table 2.1). Table 2.1 WSUS Server Minimum Server Capacity Table 2.1 WSUS Server Minimum Server Capacity 3GHz or better (dual processors for 10,000 clients or more) The WSUS server is...

Update Storage

Before you can decide how to store updates, it is important to understand the update components. Previously, we mentioned updates and metadata these two elements work together.The updates are the actual updates that are installed on client computers.These can be large files, depending on the nature or extent of the update. Metadata, on the other hand, simply provides information about what the updates are useful for. The metadata also includes End User License Agreements (EULAs). Storing the...

Client Self Update Problems

If you are having problems directly on the client with the Automatic Updates software, look at the following suggestions and procedures Verify that your clients are pointed to the WSUS server. (See Chapter 7 for detailed instructions on configuring this option through the Registry or Group Policy.) Make sure the selfupdate tree exists on the WSUS server. This virtual directory holds the latest WSUS client. To ensure that the self-update tree is working properly, issue the following at the...

Solutions Fast Track

0 By way of Group Policy, Active Directory is the core delivery mechanism for WSUS client configurations settings. 0 The wuau.adm ADM is the brains of all WSUS configuration information. 0 Try to design your OU structure around WSUS client update needs, enabling GPOs with common WSUS settings at the top level and using more client-specific WSUS GPOs closer to the clients home OU. 0 Use and familiarize yourself with the GPMC to help you manage and troubleshoot your GPO infrastructure. 0 Use...

Group Policies in Active Directory

Through a domain-based Group Policy, direct clients to the WSUS server should use the following procedure 1. Open the Default Domain Policy GPO in Active Directory Users and Computers and click the Edit button. 2. Expand Computer Configuration Administrative Templates I Windows Components. 3. Select Windows Update.The right pane will contain several options that pertain to the AU client (see Figure 5.10). These options are described here in more detail Configure AU This option specifies whether...

The wuauadm File

The WSUS wuau.adm file is the core of all WSUS client configuration settings.This template can be configured globally via Group Policy, or locally via local machine policy. Windows 2000 Server, Server 2003, and XP class operating systems all ship with this file, located under the windir inf directory. This file may be different for each Windows client however, as clients check into the WSUS server the first time, they are updated to the latest AU client as well as the latest local template...

Centralized vs Distributed Environments

WSUS deployments are supported in both centralized and distributed environments. Each management model enables you to manage the distribution of updates throughout your organization.The model you choose depends on a variety of factors, including available administrative resources, connectivity, and Active Directory design.You should also consider your organization's cultural and political climate when choosing between the two models. In some cases, it may make more sense to centralize WSUS...

Getting All Your Software Together

Use the links on Table 4.2 and Table 4.3 to download all of the required software before you begin installing WSUS. Create a support folder on your hard drive and save all of the software there. This way, as you are working through this chapter, you will have everything you need to follow all of the exercises. If you are running WSUS on Windows 2000 Server and do not have a Microsoft SQL Server, you must install the MSDE manually. If you are installing WSUS on Windows Server 2003, the WSUS...

Distributed vs Central Management

You may want to go further than just chaining servers together. For example, what if you want to synchronize not only updates and meta-information but also the actual configuration information and management data WSUS can be deployed in two different management models. These models allow you to manage how the actual patch management process operates within your network, without forcing you to deploy the solution in a way that doesn't make sense for you.You can also choose more than one...

Applying WSUS for Clients via Group Policy

If you have already configured a Group Policy Object (GPO) for use with WSUS, then the changes you make will not take very long. From either a Domain Controller, server or workstation with the Administrator tools loaded 1. Click Start I Administrative Tools I Active Directory Users and Computers. 2. Right-click either the domain name (in this case, widgets.ads) or the organizational unit (OU) where you have applied the GPO. Click Properties. 3. Select the Policy where WSUS settings have been...

Migrating SUS Approvals and Content

After configuring WSUS, you are ready to migrate SUS approvals and content. Migrating content is the process of copying over all of the physical update files that WSUS will push to the clients. This way, you do not have to download all of the updates again, which will save a lot of time and bandwidth. Approvals refer to the status of what to do with your updates, meaning do you want them to be installed, not installed, removed, and so forth. The benefit of migrating approvals is that you do not...

Configuring WSUS

After installing WSUS, you should connect to the console and configure it.You can access the administration console by going to Start All Programs Administrative Tools Microsoft Windows Server Update Services on the WSUS server or by using Internet Explorer on any machine and going to http WSUSServer portnumber WSUSAdmin (where WSUSServer is the name of your WSUS Server and portnumber is the port number used by WSUS). For example, you could get to WSUS on the server DC1 by going to http dc1...

Status of Updates Report

The Status of Updates report delivers a view of the status for all of your approved updates. This report only provides information about updates that are of approval type installed or detect only.You can narrow the results by selecting the status to be used as filter criteria. By default, the report displays an alphabetical list of approved updates.You can filter the display by approval action and computer group by making appropriate selections that achieve the desired result under View and...

GPO Location and the Use of OUs

The use of OUs is critical for organizing your clients when designing how you want to deploy your WSUS updates. Remember that when you create a GPO and link it to a particular OU, all of the machines under that OU apply the settings in your GPO. This could become a potential problem if there are machines in the same OU requiring different installation and reboot schedules. To help design your GPO placement strategy in Active Directory, first separate your servers and your workstation clients...

Databases

The type of database you install depends greatly on the type of organization you work in, as well as several other factors including the number of clients, hardware specifications, and so on.Typically for larger enterprises, there is at least one SQL server already existing, as well as a DBA who takes care of it.You should discuss the situation with your DBA prior to installation. He or she may wish to install the database on an instance of SQL on an existing SQL server (or SQL server cluster)...

Client Side Targeting Issues

You might find that there are some difficulties when using client-side targeting to assign computers to groups for use with WSUS. Here are some points to check if you are having trouble in this area Make sure that your clients are configured to use client-side targeting (see Figure 11.4). (See Chapter 5 for how to configure the console for such activity.) Figure 11.4 Configuring Clients for Client-Side Targeting Figure 11.4 Configuring Clients for Client-Side Targeting Check to ensure that the...

Storing Updates

All updates consist of two parts updatefiles and metadata.The update files are the actual files used to update a client computer and the metadata is the information about the update. Keeping the metadata separate from the actual update files reduces synchronization time with Microsoft's servers. Since WSUS only has to synchronize the information about the updates and not the updates themselves, it can finish initial synchronizations much quicker. This gives you all of the information you need...

Configuring Proxy Settings for WSUS

In this section, you will configure your WSUS server with the correct proxy settings to get out to the Internet. To continue, you must know the name or Internet Protocol (IP) address of your proxy server and what port it is listening over. If you are not using a proxy server or do not require authentication to access the Internet, you may skip this step. 1. Launch the WSUS Web Administration Console by typing http server-name 8530 WSUSAdmin into the address bar of your Internet browser (where...

Database Selection

In many cases, selecting the database is usually a fairly straightforward decision. WSUS requires the use of a database however, you do not have to purchase a separate database for this function, because you can obtain one of the three databases listed in this section at no charge (they come with the operating system or can be downloaded for free).The WSUS database is used to store WSUS server configuration information, update metadata (what each update is used for), and information about...

Superseding and Superseded Updates

Some updates are meant as replacements for other updates. Notice that the Update for Outlook 2003 Junk Email Filter (KB902953) supersedes the other updates for each tab (see Figure 6.28). An update may supersede another update for many reasons.The most popular reasons are enhancements or improvements to the original update. Just because a superseding update is released, don't assume you should automatically decline the previous update. The superseding update might not work with all operating...

Local Group Policy

Although Local Group Policy is last in the priority order when discussing LSDO, it is the highest in priority when dealing with non-ACTIVE DIRECTORY clients. Since there are no Site or Domain-specific GPO's on a stand-alone machine, the Local Group Policy is the one place to set and manage your WSUS policy settings. To configure your stand-alone clients for WSUS updates, follow these steps using your local machine GPO Editor (formally known as the Group Policy Editor in Windows 2000) 1. Click...

Event Logs

The Windows Event Log is another useful place to go to for a quick investigation into AU installations, pending installations, or client reboots. The AU client logs everything to the System Event log under one of two Event Log sources You can use your Event log file to filter by source, and to show only one of the three event sources at a time. If you are filtering using Windows Update Agent, you will probably see many events relating to the successful installation of an update, and whether or...

Choosing the Languages Supported by WSUS

In this section, we will choose the language supported by WSUS and configure the download options. By default, all languages are supported.You can choose to have WSUS use the same language locale of the local server or you can choose the language from a list. This step should be done immediately after installing WSUS, as it will reset the download state for all updates. For this example, we are using the English language. We are configuring WSUS to store updates locally and to use express...

WSUS Client Settings

There is a chance that your WSUS clients do not all share the same update requirements. Different software installations, scheduled downtimes, and Service Level Agreements (SLAs) are all good reasons to have different WSUS client settings, which is why it is important to identify similar clients so that they can be grouped together to fit into similar WSUS Computer Groups. As the Computer Groups are assigned specific software updates, all clients in that group will receive updates based on the...

Contents

Chapter 1 Windows Server Update Services Essentials. . 1 Patch Management for the Enterprise 2 What Is Patch Management 3 Why Do We Need It 5 What System Is Best for You 6 Introducing Microsoft Windows Server Update Services . . . .7 Features Software Update Services vs. Windows Server Update Services 10 New Features in WSUS 11 Summary Solutions Fast Track 14 Frequently Asked Questions 15 Chapter 2 Preparing for WSUS 17 Assessing Your Current Infrastructure 18 Geographic Considerations 19...

Some Independent Advice

If you are updating computers over a slow network, be sure to enable Express Installation Files. Think of it this way you have to download it from Microsoft only once, but you have to deploy it across your network every time. The day may come when you will need to change the hard disk used by WSUS for storing updates.This is easy to do if you started with the minimum of 6GB. Microsoft also provides a command line tool called WSUSUtil.exe that can be used to move the location of our update...

Preparing for WSUS

Assessing Your Current Infrastructure Selecting a WSUS Management Preference Designing the WSUS Environment 0 Summary 0 Solutions Fast Track 0 Frequently Asked Questions This chapter focuses on preparing you to design your Windows Software Update Services (WSUS) implementation. The foundation begins with a thorough assessment of your current infrastructure so that you know exactly how your network is laid out and how it is organized from geographic locations to organizational units (OUs) to...

Decommissioning SUS

It does not hurt to leave SUS in place for a while to make sure that WSUS is working as expected.You can use SUS for your production machines and use WSUS for your test environment. After successfully testing WSUS, you can decommission SUS. This involves stopping the Web site in the IIS Management Console and changing the WSUS port to 80.You do not have to use port 80 for WSUS to work, but it is recommended so that machines installed with the SUS client will automatically...

System Policy

If you are one of the unfortunate administrators stuck maintaining a large legacy NT 4.0 domain and are worried about automating updates, stop worrying. WSUS can still provide a means of controlling and automating the updates to clients that are in your NT 4.0 domain and that meet the WSUS client requirements (i.e., Windows XP, XP SP1, XP SP2, Windows 2000 SP3, and Windows 2000 SP4.Windows Server 2003 does not support legacy system policies. Although you can use one of the previously discussed...

Client Version History

The AU client is made up of a few different files. For the purpose of this discussion, we concentrate on the three core AU files and their functions wuauclt.exe (WSUS Auto Update Client) wuaueng.dll (WSUS Auto Update Engine) wuaserv.dll (WSUS Auto Update Service) On a healthy AU client, all of these files are the same version however, not all clients have the same file versions. The AU client has gone through some upgrades, mostly to help improve the process and work more efficiently with...

Certificates on the Cheap

One way to get around the expense of digital certificates is to build your own Certificate Authority (CA) using a Windows 2003 server, which comes packaged with either Windows Server 2003 Standard or Windows Server 2003 Enterprise editions. We will use an internal Windows CA for the remainder of this chapter. For more information on building a Windows 2003 CA, visit If you have trouble copying that link, go to http www.microsoft.com technet and type certificate authority windows 2003 in the...

Command Line Tools

There are a few command-line tools that can help you identify problems, query for information, or speed up the detection update process. The following is a list of these tools WSUS Client Diagnostics Tool (ClientDiag.exe) Downloadable from Microsoft's Web site. Wuauclt.exe Part of the Windows source code after an AU client is installed. Gpudate.exe and Secedit.exe Gpupdate.exe is part of Windows XP and Windows Server 2003 source code. Secedit.exe is built into Windows 2000 source code....

Disk Cloning Gotchas

WSUS uses the client SID or ClientID to register and monitor it as a unique member of its world. As you may know, when a machine is cloned, the SID stays the same. Although, when joined to the domain, the DomainSID of a computer will change, the local SID will not. It is highly recommended that you run a SID generator against newly cloned machines before deployment. Most cloning software companies have their own SID generation utilities. Microsoft has a free utility called sysprep that can be...

Updating Windows Clients

Tables 7.8 and 7.9 show the different combination of product versions and their updated classifications. Table 7.8 WSUS Products and Product Versions Table 7.8 WSUS Products and Product Versions Tables 7.8 and 7.9 show the different combination of product versions and their updated classifications. Windows 2000, Windows Server 2003, Windows Server 2003 Datacenter Edition, Windows XP, Windows XP x64 Edition, and Windows XP 64-Bit Edition Version Table 7.9 WSUS Update Classifications A broadly...

Applying WSUS for Clients Manually

Windows Update Services Name

The process for applying changes to use SSL manually on clients is not as easy as changing it on a GPO.To address various client types, the following procedure assumes a Windows 2000 client 2. Next, open the registry editor.Type regedit in the Run window. 3. Drill down into the tree to the following subkey WindowsUpdate. 5. In the main window, the following keys appear (Default), WUServer, and WUStatusServer (see Figure 8.16). 6. Open the WUServer and WUStatusServer keys one at a time, and...

Using the REG Command for a Quick Display of Client Setup

The quickest way to identify WSUS client settings is to create a simple script file that can be used to query the registry keys you are interested in, and pipe them to the console for quick review. This can be used for troubleshooting purposes or for random audits of your WSUS clients, to make sure that you are not having GPO inheritance, blocking, or conflict problems. To remotely query your WSUS computer's registry, you need the reg.exe command-line utility, which is part of the Windows...

Using Client Side Targeting

By using client-side targeting, WSUS can figure out how to assign computers to different groups by looking at Group Policy or Registry keys on each machine to automatically collect computers into a group. Client-side targeting saves you the trouble of manually adding computers, moving them around in groups, and generally resorting to tedious administrative methods. To enable this, use Group Policy to configure the AU software on each computer. Enable the client-side targeting option by clicking...

Using Computer Groups

Computer groups are an important part of the most basic WSUS systems. Computer groups enable you to target updates to specific sets of computers that share some common criteria. WSUS ships with two default groups, called All Computers and Unassigned Computers. When each client computer initially contacts the WSUS server, the server adds it to both these groups. Of course, it is very likely that you will want to create your own computer groups, since you can control the deployment of updates...

Local Machine Registry

Regardless of the front end, almost all software configurations ultimately end up manipulating the Windows registry for final client configuration commitments. That being said, you can edit the registry directly to configure your WSUS-specific client configuration needs. In situations where Group Policy is not available due to the lack of an active Directory domain and where configuring local policy becomes too tedious because of each logical machine visit, a few scripting techniques might help...

Managing Computer Groups

The heart of WSUS management is the capability to target updates to groups of client computers. WSUS provides a mechanism to help you ensure that the right computers get the rights updates at the right time. In fact, computer groups ensure that client computers receive their updates in a consistent manner on an ongoing basis. Computers will always belong to two groups. Every computer belongs to the All Computers group. However, they will also belong to the Unassigned Computers group until you...