Introducing Windows Server Update Services (WSUS)

   Windows Server Update Services (WSUS) is a Windows Server feature that allows system administrators to control how and when updates are installed within the network. WSUS is a great way to centrally administer and monitor servers and workstations and to determine which updates are best to install. WSUS connects to Microsoft's update service and downloads the updates to your server. You can then test each update and decide whether it will be deployed within your network. In a WSUS infrastructure, each workstation runs the Windows Update client, which verifies whether the latest updates are installed. Before downloading any update, the client verifies the digital signature and the Secure Hash Algorithm (SHA) hash of each update. This ensures that the updates are legitimate and signed by Microsoft.
The WSUS settings can be centrally administered using the Group Policy Management console. The policies can be found under the Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update node. There are many configurable policies available in this section, so I will let you explore each of them:
[Image: WSUS options]
   Note that besides these policies, you can also enable user-based Windows Update settings. Just follow the same path under User Configuration and you will discover 3 more options available (note that I'm using Windows Server 2012):
[Image: WSUS settings]
   When planning to deploy a WSUS infrastructure, you'll need to consider several things. If you are using a single network location, it's ideal to use one server, but if your network spans several geographical areas, you should deploy a server in every location and build a hierarchical infrastructure. Clients connect to the WSUS server using either HTTP or HTTPS to download updates. You should use only one server to connect directly to Microsoft's website, and the other WSUS servers should copy their updates from it. The connection between the WSUS server and Microsoft's website is made using the HTTP protocol. The most important aspect to consider when deploying a WSUS infrastructure is bandwidth consumption. Some updates or service packs are several hundred megabytes in size, so the overall network bandwidth can be severely affected if multiple computers are downloading updates.
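The Windows Update policies and the HTTP/HTTPS choice described above can be checked on a client with the following read-only audit. It is an added example, not code from the original article; it assumes the standard registry location where Group Policy stores the Windows Update settings, and the function names `Get-PolicyValue` and `Get-WsusClientAudit` are hypothetical.

```powershell
# Added example: audit the WSUS client policy that Group Policy writes to the registry.
# Read-only; run on a client that should be receiving the Windows Update GPO.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WsusClientAudit {
    $wuServer     = Get-PolicyValue -Path $wuKey -Name 'WUServer'
    $statusServer = Get-PolicyValue -Path $wuKey -Name 'WUStatusServer'
    $useWuServer  = Get-PolicyValue -Path $auKey -Name 'UseWUServer'
    $auOptions    = Get-PolicyValue -Path $auKey -Name 'AUOptions'

    $findings = @()
    if ($useWuServer -ne 1) {
        $findings += 'UseWUServer is not 1: client is not directed to a WSUS server.'
    }
    foreach ($pair in @(@('WUServer', $wuServer), @('WUStatusServer', $statusServer))) {
        $name, $url = $pair
        if ([string]::IsNullOrWhiteSpace($url)) {
            $findings += "$name is not set."
        } elseif ($url -notmatch '^https://') {
            $findings += "$name is '$url': plain HTTP in use; an HTTPS URL is preferable."
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $wuServer
        WUStatusServer = $statusServer
        UseWUServer    = $useWuServer
        AUOptions      = $auOptions
        Findings       = $findings
    }
}

Get-WsusClientAudit | Format-List
```

An empty `Findings` list means the client is pointed at a WSUS server over HTTPS; any entry names the policy value to review in the Group Policy Management console.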
   You also need to consider WSUS replication and update approvals. You can choose to deploy either a replica WSUS server or an individual server in each location. A replica server acts just like the main WSUS server. This means that settings configured on the main server are applied to the replica.
   Disk space is another factor that needs consideration. If you choose to store updates locally, your WSUS server will require several GB of free space, depending on the number of updates or language packs needed. The server will also host a local database containing the list of updates stored on the local disk.
   When implementing updates in a large enterprise, one important aspect is to ensure that each workstation has received the latest updates and is protected against external attacks. The health state of your network devices can be verified using different tools available with Windows distributions: the WSUS console, SMS (Microsoft System Center Configuration Manager) or NAP (we've learned how to verify Windows updates with NAP in a previous article).
That’s it for this short introduction about WSUS. In the next article we will continue discovering this awesome feature available with Windows OS. Wish you all the best and have a great day!
