WSUS – Making Windows updates nice and simple

Back in June last year we started to look at the feasibility of implementing WSUS (Windows Server Update Services) on our network. We had originally hoped to implement the system during the last summer period but unfortunately other work and the approaching FOH moves overtook us and the project was put to one side. Luckily summer is nearly here once again and WSUS is back on the agenda.

One of the big advantages of our virtualisation programme is that we are starting to free up spare physical servers that we can then use for new services such as WSUS. Core Services have kindly given me the loan of the old server “Lee” so that I can run up a WSUS test server. The WSUS plans became even more important when Microsoft released Service Pack 3 for Windows XP earlier this week. The prospect of having several thousand workstations all downloading a 300 MB file and having to face a nearly hour-long installation didn’t seem particularly appealing. WSUS can make this whole process a lot easier for both IT Services and Edge Hill staff/students. Once set up, we will be able to control the update process and (in the first instance) stop Service Pack 3 from automatically installing.

Every summer the IT staff spend a lot of time re-ghosting and updating the staff and student computers so that they have the latest software installed and ready for September. This year we will be rolling out Office 2007, so it seemed logical to update to Service Pack 3 at the same time. Once our manual re-ghosting has been completed we can then mop up any other computers by having the WSUS server force down the Service Pack 3 update. So how do we do that?

I wanted to give a little breakdown of how WSUS works. The package is installed on a Windows server (in our case 2003) and downloads the Windows Update catalogue to the server’s hard drive. We then attach computers to the server using registry or group policy settings and from there we get a report of their status. How is that useful, you ask? Well, from the console we can see which updates our computers have installed and which they are missing. We can then authorize new updates and distribute them to all of the computers attached to the WSUS server. If you look at this picture you can see some of my test clients connected to the server reporting their various update statuses.

[Image: WSUS clients]

Once we have a number of clients reporting their status we can get more detailed reports so that we can identify which computers have not updated and keep an eye out for any that have had problems installing a certain update. On the image below you can see a simple report which tells us the number of updates successfully installed, the number pending and other useful information such as the service pack status and PC name.

[Image: WSUS report]

WSUS – Windows Server Update Services

One of our aims for this blog is to provide more information on our current projects and some of the things that we have planned for the future. In this entry I’d like to talk a little about one of the projects we are currently working on, a system called WSUS.

In a world where our computers are only as secure as the last patch, it can be a nightmare to keep all of our workstations safe from the numerous threats roaming the internet. While the majority of this battle is fought by our anti-virus software, Windows Updates are still essential to ensuring a truly secure Windows environment.

The only problem with Windows Updates comes from their annoying inconsistency. Some patches will interrupt you in the middle of your work and insist on rebooting your computer right there and then, while others sit uninstalled for weeks waiting for you to click the little yellow shield.

From a business perspective there is another flaw. In an institution like Edge Hill we have hundreds of computers contacting Windows Update every single day. While not all of these connections will be downloading files, this still accounts for a lot of traffic. Now consider the release of a new patch, even a small one such as a 5meg file: this same file is being downloaded hundreds and hundreds of times over by computers nearly all located within a single square mile of Lancashire. Obviously this isn’t efficient.

The solution lies with a software package called Windows Server Update Services (WSUS). This software can be installed onto a Windows Server and provides a local source for all Windows Updates throughout the network. Instead of hundreds of connections all going out to Microsoft we have one server that downloads the file and then distributes it internally to all of the computers around campus.

That in itself is pretty neat but WSUS has a lot more to offer. The management console imports information from all of the client computers around the network. This allows our technicians to see areas that need updating or where there are potential security risks.

WSUS is a very powerful system and we hope it will provide a much better way for us to manage the Windows Update process. We are currently in the process of performing testing and so far everything looks good. Hopefully we will be able to install a permanent WSUS server over the summer and provide for all of our Windows Update needs.