Windows Server Update Services (WSUS) is a free update
management solution from Microsoft. WSUS allows for the central
distribution and deployment of updates and functions as a local area
network version of the Microsoft Update servers located on the
Internet. WSUS 3.0 Service Pack 2 (SP2) is a role that you can add to
a computer running the Windows Server 2008 R2 operating system. You
can also download and install WSUS on computers running previous
versions of the Windows Server operating system, though in this case
WSUS is an add-on program rather than a role built into the operating
system, as is the case with Windows Server 2008 R2.
Deploying WSUS accomplishes the following update deployment goals:
- WSUS allows you to control which updates you deploy to
computers in your organization. Updates published by Microsoft are
not deployed to clients unless specifically approved by the WSUS
administrator.
- WSUS allows an organization to make more efficient use of
Internet bandwidth. Rather than have update files downloaded
separately to each computer, updates are downloaded to the WSUS
server and distributed centrally.
As Figure 1 shows, WSUS
can be used to deploy critical updates, definition updates, drivers,
feature packs, security updates, service packs, tools, update rollups,
and updates. By default, WSUS synchronizes only Critical Updates,
Definition Updates, and Security Updates. WSUS does not allow you to
deploy updates for third-party applications.
WSUS Servers as Update Locations
Clients running the Windows 7 operating system can retrieve
updates from a WSUS server or from the Microsoft Update servers.
Sometimes the Microsoft Update servers are preferable to a server on
the organizational network. For example, if a worker is using a
portable computer from her home office for an extended period of
time, she should download updates from the Microsoft Update servers
rather than across a VPN or DirectAccess connection. The client’s
bandwidth to the Microsoft Update servers through her ISP is likely
to provide more capacity than her bandwidth to the WSUS server on
the organizational network.
As an Enterprise Desktop Administrator, you have the following
choices for deploying and approving updates for the Windows 7
clients in your organization:
- Microsoft Update used as source of update files and approvals.
This is the default configuration of computers running
Windows 7. In this configuration, an administrator does not
have central control over which updates are approved or
disallowed.
- Microsoft Update used as source of update files; WSUS server
used for update approvals. You configure computers to use this
option by setting them to use the WSUS server and then configuring
the WSUS server so that it does not store updates locally.
- WSUS server used as source of update files and approvals.
The typical WSUS deployment has both updates and approvals
coming from the same location. You configure clients to use
the WSUS server through Group Policy.
You can choose from several ways to deploy WSUS. The way that
you choose often depends on issues of bandwidth utilization and
administrative responsibility. In a single WSUS deployment, you
deploy a WSUS server on the organizational network that synchronizes
with the Microsoft Update servers on the Internet. Clients on the
organizational network retrieve updates directly from this server.
The WSUS server administrator approves updates for distribution.
This is the most common type of WSUS deployment, and a single WSUS
3.0 SP2 server can function as the update server for up to 25,000
computers running the Windows 7 operating system.
In general, this type of deployment does not work well for
organizations that have a large number of branch offices because
branch office client computers each have to retrieve updates from
the central WSUS server over a WAN link. Although you can configure
clients in branch offices to retrieve only approval data from the
head office WSUS server, a single WSUS server can function either as
an approvals-only server or as an approvals and updates server. A
single WSUS server cannot function as an approvals-only server for
one group of clients and an approvals and updates server for another
group of clients. This is why many organizations deploy multiple
WSUS servers, allowing bandwidth efficiencies to be realized in each
branch office.
The options for the deployment of multiple WSUS servers are as
follows:
- Replica WSUS server. A replica WSUS server is a server that
retrieves the list of update approvals and WSUS groups from a
WSUS server above it in the WSUS hierarchy. This method is
appropriate when update approvals are handled centrally for the
organization. A replica WSUS server can obtain updates from
the parent WSUS server or from the Microsoft Update servers on
the Internet, or it can force WSUS clients to retrieve
approved updates from the Microsoft Update servers.
- Autonomous WSUS server. An autonomous WSUS server can retrieve
update files from a WSUS server above it in the WSUS hierarchy,
but approvals are handled by a local administrator. This allows
local administrators to manage the approval process but also
allows efficiencies in terms of update bandwidth utilization.
- Independent WSUS server. WSUS servers are managed independently
from one another and do not draw updates or approvals from a
source on the organizational network.
When WSUS 3.0 SP2 is installed on a computer running the
Windows Server 2008 R2 operating system, the BranchCache feature can
be enabled. This allows Windows 7 Enterprise and Ultimate clients
located in branch offices to leverage peer caching as a method of
optimizing update distribution. Rather than clients on the branch
office network independently downloading the same update from the
head office WSUS server, one client downloads the update and then
shares the update installation files with other clients on the
branch office network. This allows organizations to deploy a single
WSUS server in a head office location and still enjoy the bandwidth
efficiencies at branch office sites.
You can use BranchCache in hosted cache mode in
branch office locations where there is a computer running the
Windows Server 2008 R2 operating system. Hosted cache mode makes
peer caching more reliable than the alternative, which is distributed cache
mode. Hosted cache mode is more reliable because a
server (which is in theory always available) hosts a copy of the
cache. In branch office locations where there is no computer running
the Windows Server 2008 R2 operating system, you can use only
BranchCache distributed cache mode. Distributed cache mode is not as
reliable as hosted cache mode because clients hosting updates in
their local cache might be switched off when other clients attempt
to access the same update, requiring those clients to contact the
head office WSUS server.
You should note that clients that have the Windows 7
Professional or Windows Vista operating systems installed cannot
access updates through BranchCache. Clients using these operating
systems must retrieve updates directly from WSUS or Microsoft Update
servers.
To use BranchCache with WSUS, ensure that you have performed
the following steps:
- Ensure that the WSUS server has the Windows Server 2008 R2
operating system installed and that the BranchCache feature
is enabled.
- Configure the clients at the branch office to retrieve
updates from the BranchCache-enabled WSUS server using the
Specify Intranet Microsoft Update Service Location
policy.
- Configure the clients at the branch office with the
appropriate BranchCache policies. If there is a server with the
Windows Server 2008 R2 operating system located at the branch
office, you can use Hosted Cache mode. If no branch office
Windows Server 2008 R2 server is present, clients will need to
use Distributed Cache mode.
When you approve an update on a WSUS server, you choose the
WSUS groups that the update deploys to. WSUS groups are collections
of computer accounts that allow you to stagger the deployment of
updates to computers; you do not have to deploy them to every
computer at the same time. WSUS servers have two computer groups by
default: the All Computers and the Unassigned Computers group. When
clients are set so that they use a specific WSUS server without
additional configuration, they are automatically added to the
Unassigned Computers group. WSUS computer groups have the following
properties:
- WSUS groups can be organized hierarchically. Groups lower in
the hierarchy automatically inherit update approvals from groups
closer to the top of the hierarchy, although you can also
configure inheritance blocks where necessary.
- You can assign computers to multiple WSUS groups. Assigning
computers to multiple WSUS groups allows you to be more selective
about the deployment of updates. For example, in an organization
that has only a single WSUS server, you could create a group
structure that allowed approval based on which department the
computer was in and approval based on location. Figure 2 shows a
computer assigned to multiple WSUS groups.
- Computers are assigned to the Unassigned Computers group by
default. Unless a computer is already assigned to a WSUS group,
it belongs to the Unassigned Computers group, as shown in
Figure 3.
WSUS groups are separate from Active Directory security
groups. Administrators can manually assign computers to groups using
the WSUS console after the computer has contacted the WSUS server.
Large numbers of computers can be added to existing WSUS groups
using the Enable Client-Side Targeting Group Policy item. Figure 4 shows the Enable Client-Side
Targeting policy configured so that the computers that the policy
applies to are made members of both the Accounting and Research WSUS
groups. If a group that does not exist on the WSUS server is
specified in the client-side targeting policy, the WSUS computer
account is added to the Unassigned Computers group.
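The Specify Intranet Microsoft Update Service Location and Enable Client-Side Targeting policies described above are written to the client's policy registry hive. The following PowerShell script, added here as an example and not part of the training kit, reads those values on a Windows 7 client to report which deployment option is in effect, which WSUS target groups the client requests, whether the WSUS URL uses HTTPS (Microsoft recommends SSL for WSUS), and the BranchCache mode configured for the branch office steps. The registry value names are Microsoft's documented ones; the function names are this example's own.

```powershell
# Audit a Windows 7 client's WSUS and BranchCache policy state (added example).
# Policy items map to these registry values under the WindowsUpdate policy key:
#   Specify Intranet Microsoft Update Service Location -> WUServer, WUStatusServer
#   Enable Client-Side Targeting                       -> TargetGroupEnabled, TargetGroup
#   Configure Automatic Updates (use WSUS)             -> AU\UseWUServer
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Return $null when the policy is not configured instead of throwing.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WsusClientConfig {
    $wuServer  = Get-PolicyValue $wuKey 'WUServer'
    $useWsus   = Get-PolicyValue $auKey 'UseWUServer'
    $targeting = Get-PolicyValue $wuKey 'TargetGroupEnabled'
    $groups    = Get-PolicyValue $wuKey 'TargetGroup'

    # Which deployment option is in effect: WSUS server, or the Microsoft
    # Update default where no administrator controls approvals centrally.
    $source = if ($useWsus -eq 1 -and $wuServer) { "WSUS server $wuServer" }
              else { 'Microsoft Update (default; no central approval control)' }

    [pscustomobject]@{
        UpdateSource        = $source
        # Plain-HTTP WSUS is a weaker configuration; flag it for remediation.
        WsusUsesHttps       = [bool]($wuServer -and ($wuServer -like 'https://*'))
        ClientSideTargeting = ($targeting -eq 1)
        # Multiple groups are separated by semicolons, e.g. "Accounting;Research".
        # A group name that does not exist on the server lands the client in
        # Unassigned Computers, so compare this list against the WSUS console.
        TargetGroups        = if ($groups) { $groups -split ';' }
                              else { @('Unassigned Computers (default)') }
    }
}

Get-WsusClientConfig | Format-List

# BranchCache mode on this client: Distributed or Hosted Cache, as chosen in
# the branch office steps above.
netsh branchcache show status
```

Run the script in an elevated PowerShell session; after correcting a target group, `wuauclt /resetauthorization /detectnow` makes the client re-register with the WSUS server.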