Monday, November 9, 2009

Microsoft Patch Management WSUS 3.0 Group Policy Deployment (Part 3)

Note: The domain name, computer name, etc. that I have used are for demo purposes in a standalone lab only.

We are now ready to use Group Policy to deploy updates.





First, open Active Directory Users and Computers and create 2 OUs (Organizational Units):

Update Group - Computers must be located in this OU
Update Test Group - Computers for update testing must be located in this OU


Open Group Policy Management and create 2 GPOs (Group Policy Objects) under the "Update" and "Updates Test" Groups.


To edit a GPO, right-click it and select Edit.

Go to Computer Configuration >>> Administrative Templates >>> Windows Components >>> Windows Update.


IMPORTANT: The GPOs of both groups should be configured the same as below, except for "Target group name for this computer". The value for the WSUS Deploy Updates GPO should be "Deploy Updates".


When you have finished configuring the GPOs, launch Active Directory Users and Computers again. Move the computers that you have chosen for testing new updates to the "Update Test Group".

In my case, this is the machine with the computer name "BBC5C249A514424".


Now go back to the WSUS 3.0 server. The computer should now be detected and should appear in the Test Updates list.
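If the computer does not show up under Test Updates, check on the client whether the GPO actually applied. The script below is an added example, not part of the original post: it reads the registry values that the Windows Update policy settings write on the client. The default group name "Test Updates" is taken from the WSUS group used in this series; the parameter name is an assumption of the example.

```powershell
# Added example (not from the original post): confirm the WSUS GPO applied on a client.
# $ExpectedGroup is an assumption; pass the target group name set in the GPO.
param([string]$ExpectedGroup = 'Test Updates')

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$problems = @()
$warnings = @()

# If a key is missing, the properties read below are $null and the checks report it.
$wu = if (Test-Path $wuKey) { Get-ItemProperty -Path $wuKey } else { $null }
$au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

# Setting "Specify intranet Microsoft update service location"
if ($au.UseWUServer -ne 1) { $problems += 'UseWUServer is not 1: the client still uses Microsoft Update' }
foreach ($name in 'WUServer', 'WUStatusServer') {
    $url = $wu.$name
    if (-not $url) { $problems += "$name is not set" }
    elseif ($url -notmatch '^https://') { $warnings += "$name ($url) is plain HTTP, not HTTPS" }
}

# Setting "Enable client-side targeting" / "Target group name for this computer"
if ($wu.TargetGroupEnabled -ne 1) { $problems += 'Client-side targeting is not enabled' }
$groups = @("$($wu.TargetGroup)" -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($groups -notcontains $ExpectedGroup) {
    $problems += "TargetGroup is '$($wu.TargetGroup)', expected '$ExpectedGroup'"
}

$warnings | ForEach-Object { "WARN: $_" }
if ($problems.Count -eq 0) {
    "OK: $env:COMPUTERNAME targets '$ExpectedGroup' on $($wu.WUServer)"
} else {
    "FAIL: $env:COMPUTERNAME"
    $problems | ForEach-Object { "  - $_" }
    'Run "gpupdate /force", then "wuauclt /detectnow", and check again.'
    exit 1
}
```

Run it on the test machine with the group name from that machine's GPO, for example -ExpectedGroup "Deploy Updates" for computers in the other OU.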


Let us now select and approve one update. Right click on it and select Approve.


Right click Test Updates and choose Approved for install.


The update is now approved for deployment to the machines in the Test Updates group.
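The rule from Part 2 (approve new updates for Test Updates first) can be audited on the server. The script below is an added example, not part of the original post: it uses the WSUS administration API to list updates that were approved for install to "Deploy Updates" or to the built-in "All Computers" group without an earlier approval for "Test Updates". The group names are the ones used in this series and the English name of the built-in group is assumed.

```powershell
# Added example (not from the original post). Run on the WSUS server.
# Group names are the WSUS groups from Part 2 plus the built-in "All Computers".
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

$groups = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Name] = $g }
foreach ($name in 'Test Updates', 'Deploy Updates', 'All Computers') {
    if (-not $groups.ContainsKey($name)) { throw "WSUS group '$name' not found" }
}

# Earliest "approved for install" record of an update for one group, or $null.
function Get-FirstInstallApproval($Update, $Group) {
    $Update.GetUpdateApprovals($Group) |
        Where-Object { $_.Action -eq $install } |
        Sort-Object CreationDate |
        Select-Object -First 1
}

$findings = @(foreach ($u in $wsus.GetUpdates()) {
    $test = Get-FirstInstallApproval $u $groups['Test Updates']
    foreach ($name in 'Deploy Updates', 'All Computers') {
        $wide = Get-FirstInstallApproval $u $groups[$name]
        if (-not $wide) { continue }
        $reason = $null
        if (-not $test) { $reason = 'never approved for Test Updates' }
        elseif ($test.CreationDate -gt $wide.CreationDate) { $reason = 'approved for Test Updates only afterwards' }
        if ($reason) {
            [pscustomobject]@{
                Title = $u.Title; Group = $name; Approved = $wide.CreationDate
                By = $wide.AdministratorName; Reason = $reason
            }
        }
    }
})

$findings | Sort-Object Approved | Format-Table -AutoSize -Wrap
"{0} approval(s) reached a wide group without prior test approval" -f $findings.Count
```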


To learn more, go to WSUS Home
To learn more about GPO, go to Windows Server Group Policy website




Microsoft Patch Management WSUS 3.0 Configuration (Part 2)

Note: The domain name, computer name, etc. that I have used are for demo purposes in a standalone lab only.

Launch Windows Server Update Services.


Select Options to view all WSUS configuration settings. We have to set these up first, one by one.







Select Update Source and Proxy Server. Choose "Synchronize from Microsoft Update". Your firewall must allow the server to download updates from the Microsoft website.


If you are using a proxy server to access the internet, tick "Use a proxy..." and enter the credentials if needed.


The Products and Classifications option allows us to choose the specific products that we want updates for and the classifications of updates to download, such as critical, security, cumulative, service packs, etc.


Choose "Store update files locally...". We also choose to download update files only when the updates are approved.


Choose "Download updates only in these languages", e.g. English. Downloading updates in all languages will consume more disk space.


We will be using Manual Synchronization for testing, but you can change it later according to your desired schedule.


We choose "Use Group Policy ..." to allow us to manage groups using GPO.


Now that we have configured the WSUS server, we will prepare the groups that determine how the machines acquire updates from our WSUS.

Microsoft recommends testing all patches prior to deploying them to all computers in your organization. We might encounter some OS or third-party application issues after installing some updates.

In some cases, you would want to choose 3 or more computers from every department that use different applications to test the new updates. If no issue arises, then you may deploy the updates to all the machines in your organization.

As an example, we will create 2 groups:

Test Updates - Machines in this group are chosen to deploy and test updates.
Deploy Updates - Machines in this group are all the machines in your organization.

IMPORTANT: For new updates, approve the installation only for the Test Updates group.



When finished preparing the groups, click "Synchronize now" to get the list of available updates based on the products and classifications that we have chosen.



NOTE: After the synchronization, the WSUS server only lists the available updates. Updates will be automatically downloaded once we have approved them.

Proceed to Part 3 which covers the client update deployment via Group Policy.




Microsoft Patch Management WSUS 3.0 Installation (Part 1)

Note: The domain name, computer name, etc. that I have used are for demo purposes in a standalone lab only.

This is for beginners who want to implement Microsoft patch management using WSUS 3.0 and control client updates using Group Policy.

In this demo, we will be using Windows 2003 Server Standard with Service Pack 1. This machine must be a member of a domain.

These are the requirements prior to installing WSUS 3.0:

Microsoft IIS must be installed
Windows Installer 3.1 or later
Microsoft .Net Framework 2.0
Background Intelligent Transfer Service (BITS) 2.0
Microsoft Management Console (MMC) 3.0
Microsoft Report Viewer 2008 Redistributable

After installing all the requirements, we can now download and launch the WSUS 3.0 installation.


Choose "Full server installation including Administration Console"



Choose "I accept the terms..." and click Next.


Click Next...


Let's leave the directory at the default. Click Next...


If the server you are installing on is hosting other web services, you may choose to create a WSUS website; otherwise, use the existing IIS default.


Click Next...



Click Finish.


Installation is now complete. Let us now proceed to Part 2, which covers the configuration.