WSUS – Making Windows updates nice and simple

Back in June last year we started to look at the feasibility of implementing WSUS (Windows Server Update Services) on our network. We had originally hoped to implement the system during the last summer period, but unfortunately other work and the approaching FOH moves overtook us and the project was put to one side. Luckily summer is nearly here once again and WSUS is back on the agenda.

One of the big advantages of our virtualisation programme is that we are starting to free up spare physical servers that we can then use for new services such as WSUS. Core Services have kindly given me the loan of the old server “Lee” so that I can run up a WSUS test server. The WSUS plans became even more important when Microsoft released Service Pack 3 for Windows XP earlier this week. The prospect of having several thousand workstations all downloading a 300 MB file and then facing an installation of nearly an hour didn’t seem particularly appealing.

WSUS can make this whole process a lot easier for both IT Services and Edge Hill staff/students. Once it is set up we will be able to control the update process and (in the first instance) stop Service Pack 3 from automatically installing. Every summer the IT staff spend a lot of time re-ghosting and updating the staff and student computers so that they have the latest software installed and ready for September. This year we will be rolling out Office 2007, so it seemed logical to update to Service Pack 3 at the same time. Once our manual re-ghosting has been completed we can then mop up any other computers by having the WSUS server force down the Service Pack 3 update. So how do we do that?

I wanted to give a little breakdown of how WSUS works. The package is installed on a Windows server (in our case 2003) and downloads the Windows Update catalogue to the server’s hard drive. We then attach computers to the server using registry or group policy settings, and from there we get a report of their status. How is that useful, you ask? Well, from the console we can see which updates our computers have installed and which they are missing. We can then authorize new updates and distribute them to all of the computers attached to the WSUS server. If you look at this picture you can see some of my test clients connected to the server, reporting their various update statuses.

[Image: WSUS clients]
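
As an added example (not from the original post), this is roughly what the registry route for attaching a client looks like in PowerShell. The server URL and computer group name are placeholders, and the script is assumed to run as an administrator on the client.

```powershell
# Added example: point a Windows client at a WSUS server through the
# Windows Update policy registry keys, then read the values back.
param(
    # Placeholder URL (assumption). Use https:// if the WSUS site has SSL
    # configured, so update metadata is not fetched in clear text.
    [string]$WsusUrl     = 'http://wsus.example.internal',
    # Placeholder computer group (assumption). Only honoured when the server
    # is set to let clients assign themselves to groups.
    [string]$TargetGroup = 'Test Clients'
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Create the policy keys if they do not exist yet.
foreach ($key in $wu, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Update source and status reporting server (normally the same machine).
New-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -PropertyType String -Force | Out-Null
New-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -PropertyType String -Force | Out-Null

# Client-side targeting: ask to be placed in the named computer group.
New-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $wu -Name TargetGroup -Value $TargetGroup -PropertyType String -Force | Out-Null

# Use the WSUS server instead of Microsoft's public update service.
New-ItemProperty -Path $au -Name UseWUServer -Value 1 -PropertyType DWord -Force | Out-Null
# AUOptions 3 = download automatically, notify before installing.
New-ItemProperty -Path $au -Name AUOptions   -Value 3 -PropertyType DWord -Force | Out-Null

# Read the settings back and stop if anything did not stick.
$wuNow = Get-ItemProperty -Path $wu
$auNow = Get-ItemProperty -Path $au
if ($wuNow.WUServer -ne $WsusUrl -or $wuNow.WUStatusServer -ne $WsusUrl) {
    throw "WSUS server URL was not written to $wu"
}
if ($auNow.UseWUServer -ne 1) {
    throw "UseWUServer is not enabled under $au"
}

# Restart the Automatic Updates service and ask for an immediate check-in
# (wuauclt /detectnow applies to XP-era clients).
Restart-Service -Name wuauserv
& wuauclt.exe /detectnow
```

The same values can be pushed to many machines at once through the Windows Update settings in group policy, which writes to these registry keys.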

Once we have a number of clients reporting their status we can get more detailed reports, so that we can identify which computers have not updated and keep an eye out for any that have had problems installing a certain update. In the image below you can see a simple report which tells us the number of updates successfully installed, the number pending, and other useful information such as the service pack status and PC name.

[Image: WSUS report]
