Part 3.a: Install and Configure Windows Server Update Services (WSUS)
A WSUS skep in its natural environment.
WSUS is great for managing updates for Microsoft products. It can also be extended through a feature called local publishing: third-party tools such as Local Update Publisher use it to create and sign packages of their own for deployment through WSUS.
How does WSUS work?
WSUS is a patch server whose client, the Automatic Updates service (wuauserv, shown as "Windows Update" on Vista and later), is already installed on every supported Windows machine. This client is configured by Group Policy.
The Automatic Updates service ("update client") uses another service, the Background Intelligent Transfer Service ("BITS"), to receive the Windows updates ("updates"). BITS uses HTTP and HTTPS to "[facilitate] prioritized, throttled, and asynchronous transfer of files between machines using idle network bandwidth". Packages delivered from WSUS to the update client are fetched by BITS over HTTP by default. Using HTTPS requires a certificate trusted by your clients to be bound to the WSUS "web site," which we will get to later. Note that while the update files themselves are signed, the metadata exchange between client and server is not authenticated over plain HTTP, which is why the HTTPS step matters.
Server 2003 SP2 and later are supported. Windows Small Business Server has additional requirements that are not covered here.
All of the following must be installed on the server:
- At least Internet Information Services (IIS) 6.0
- At least Microsoft .NET Framework 2.0
- At least Microsoft Management Console 3.0
- At least Microsoft Report Viewer Redistributable 2008
1) Go to start> run> and run:
2) Click Next (don’t worry, this doesn’t disconnect networking)
3) Highlight “Application server” and click Next to trigger sysocmgr.exe to run with an autogenerated setup parameters file.
4) Click through until you’ve reached the end. Note that when serving WSUS with IIS7 (Windows Server 2008+), the following must be installed:
- HTTP Static Content
- Windows authentication
- Dynamic content compression
- IIS Metabase Compatibility
Install Microsoft Report Viewer Redistributable 2008:
2) Download the Microsoft Report Viewer Redistributable 2008 package.
2) Install it.
1) Find and download the latest WSUS installer. As of December 20th, 2012 the latest package is WSUS 3.0 SP2:
2) Install the WSUS package:
This creates two directories, the first for the downloaded update content and the second for the Windows Internal Database files. Neither may be NTFS-compressed, which is what the compact command enforces. DEFAULT_WEBSITE=0 puts WSUS on its own IIS site listening on ports 8530 (HTTP) and 8531 (HTTPS) rather than on the default site.
mkdir d:\wsus\wsuscontent
mkdir d:\wsus\db
compact /q /u d:\wsus >NUL 2>&1
WSUS30-KB972455-x86.exe /q CONTENT_LOCAL=1 CONTENT_DIR="d:\wsus\wsuscontent" WYUKON_DATA_DIR="d:\wsus\db" DEFAULT_WEBSITE=0 CREATE_DATABASE=1 MU_ROLLUP=0
If you would like to tail the install log, it is located:
3) You must install a hotfix for WSUS 3.0 SP2 that fixes a problem when using .NET Framework 4.0 and writing custom updates, and an error that metadata-only updates cannot be expired or revised. This
4) Add local firewall rules, scoped to the subnets your clients live on rather than to any address (the netsh firewall context below is the Server 2003 one; on Server 2008 R2 and later it is deprecated in favor of netsh advfirewall):
netsh firewall add portopening TCP 8530 WSUS_http [scope = CUSTOM addresses = [CIDR notation of allowed subnets]]
netsh firewall add portopening TCP 8531 WSUS_https [scope = CUSTOM addresses = [CIDR notation of allowed subnets]]
5) The WSUS server is configured to get updates from Microsoft's Windows Update servers at the following hostnames over ports 80 and 443 (only the WSUS server itself needs to reach them):
download.microsoft.com
ntservicepack.microsoft.com
stats.microsoft.com
windowsupdate.microsoft.com
wustat.windows.com
*.windowsupdate.microsoft.com
*.update.microsoft.com
*.download.windowsupdate.com
*.windowsupdate.com
I’ve configured our proxies to allow sessions accessing these URLs to bypass some scanning, as they are generally trusted.
Secure the WSUS server install:
There are several options to secure your WSUS installation’s OS, IIS site, SQL Server, and TCP/IP stack settings. I will cover just the IIS settings, as the server I have deployed WSUS on is serving additional purposes and using the Windows Internal DB.
- Back up all the sites hosted by IIS before changing anything. On IIS 6 (Server 2003):
cscript c:\windows\system32\iisback.vbs /backup /b WSUSAdmin
This script calls IIsComputer.BackupWithPassword. On IIS 7 (Server 2008+):
%windir%\system32\inetsrv\appcmd.exe add backup "WSUSAdmin"
- Logging is enabled by default. Rotation and management of logs can be done using this tool or this tool.
- Remove the custom HTTP header (X-Powered-By: ASP.NET, which needlessly advertises the stack). On IIS 6:
rem first get the correct path to the IIS metabase entry for the WSUS web site:
cscript c:\inetpub\adminscripts\adsutil.vbs enum /p w3svc
rem it's probably the one with the number(s) [NNNNNNNN below]
cscript c:\inetpub\adminscripts\adsutil.vbs set /w3svc/NNNNNNNN/root/HttpCustomHeaders ""
On IIS 7:
%windir%\system32\inetsrv\appcmd.exe set config /section:httpProtocol /-customHeaders.[name='X-Powered-By',value='ASP.NET']
- Remove custom error pages. On IIS 6:
rem first get the correct path to the IIS metabase entry for the WSUS web site:
cscript c:\inetpub\adminscripts\adsutil.vbs enum /p w3svc
rem it's probably the one with the number(s) [NNNNNNNN below]
cscript c:\inetpub\adminscripts\adsutil.vbs set /w3svc/NNNNNNNN/root/HttpErrors ""
On IIS 7:
%windir%\system32\inetsrv\appcmd.exe set config /section:httpProtocol /+httpErrors.[clear]
- Go to start> run>
- Go to ServerName/Options in the tree
- Click on WSUS Server Configuration Wizard at the bottom.
- Next> Next> Keep Synchronize from Microsoft Update bulleted, Next> Next>
- Clicking Start Connecting will synchronize the list of products available for update, the updates’ types, and available languages. This will take about five minutes. Next>
- Bullet Download updates only in these languages, and select only the languages you need to update. This saves a lot of space. Next>
- Select the products you wish to patch. Next>
- Select the classifications you wish to download. I suggest: Critical, Definition, Security, Update Rollups, Updates. Next>
- Bullet Synchronize automatically and select an appropriate time (3AM?), and Synchronize once per day. Next>
- When you are ready to synchronize with Microsoft, check Begin initial synchronization and click Next. Otherwise, the first synchronization takes place at the time you scheduled in the previous step. You can also choose to download express installation files, which caches a large amount of extra data (10-150GB) on your WSUS server [available through Options> Update Files and Languages> Download express installation files]. Consider bandwidth throttling on your gateway device, if available, for HTTP and HTTPS traffic from the server to the destinations listed above. svchost.exe and WSUSService.exe will write files to `d:\wsus\wsuscontent`. Progress can be reviewed in the console under `ServerName\Synchronizations`. A fellow also created a nice GUI to parse the output of the following command, so you can track download progress:
bitsadmin.exe /list /allusers /verbose
- Go to start> run>
- In the tree, go to ServerName\Computers\All Computers> Right-click> Add Computer Group
- Input the name of a group.
- Create a group policy object, following whatever normal procedure: start> run> gpmc.msc. You may right click on the OU that contains your computers somewhere below and click Create and Link a GPO Here…
- Create a name for the GPO, I’ll use [Site name] – WSUS and BITS
- Right click the GPO, and click edit.
- In the tree, navigate to: Computer Configuration\Administrative Templates\Windows Components\Windows Update\ and configure the following. Most of these settings reflect my preference; "Auto download and schedule the install" is the important one, since several of the other settings only take effect when a scheduled install is configured.
* Required option
‡ The setting value is suggested by me only. You must decide what is relevant for the target computers.
Setting / Value
* Allow signed updates from an intranet Microsoft update service location: Enabled. This lets clients accept updates signed by any certificate in their Trusted Publishers store (what local publishing relies on), so keep that store tightly controlled.
* Configure Automatic Updates: Enabled
  ‡ Configure automatic updating: 4 – Auto download and schedule the install. This schedules only the /install/; the download itself takes place soon after the update arrives at the WSUS server.
  ‡ Scheduled install day: Every Friday
  ‡ Scheduled install time: 23:00
* Enable client-side targeting: Enabled
  Target group name for this computer: The WSUS computer group name. This is what the automatic approval rules in "Configure automatic update approval policies" below match on.
‡ No auto-restart with logged on users for scheduled automatic updates installations: Enabled [for safety]
‡ Re-prompt for restart with scheduled installations: Enabled [for safety]
  ‡ Wait the following period before prompting again with a scheduled restart: 480 [for safety]
‡ Reschedule Automatic Updates scheduled installations: Disabled, so an installation that was missed runs at the next scheduled installation time rather than shortly after the next boot [for safety]
* Specify intranet Microsoft update service location: Enabled
  Set the intranet update service for detecting updates: The URL of the root of the WSUS web site (port 8530 for HTTP or 8531 for HTTPS when DEFAULT_WEBSITE=0 was used at install).
  Set the intranet statistics server: The same URL, the root of the WSUS web site.
‡ Allow Automatic Updates immediate installation: Your choice. Enabling it installs updates that need no restart as soon as they are downloaded, which costs CPU and appears to users as "random slowness".
‡ Allow non-administrators to receive update notifications: Notifies non-administrators and allows them to install most updates.
‡ Do not display "Install updates and shut down" option…: Enabling this, as well as the power-management (ACPI) wake-up setting, is okay.
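The table above is only useful if the policy actually reaches the client. The following script is an added example (not from the original post) that reads the registry values those Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and reports any that differ from the values in the table, plus two checks a reviewer cares about: whether the WSUS URL is plain HTTP and whether detection and reporting point at the same server. The WSUS URL and group name are placeholders for your own.

```powershell
# Added example, not part of the original post: verify on a client that the
# Windows Update / WSUS policy above landed in the registry as intended.
$expectedServer = 'http://wsus.example.local:8530'   # assumption: your WSUS site URL
$expectedGroup  = 'Site-A Workstations'               # assumption: your WSUS computer group

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if (-not $wu -or -not $au) {
    throw "No WSUS policy keys under $wuKey; has the GPO applied (gpupdate /force, gpresult /r)?"
}

# Registry value written by each policy setting in the table, and the value we expect.
$expectedAU = @{
    UseWUServer                   = 1    # Specify intranet Microsoft update service location
    AUOptions                     = 4    # 4 = Auto download and schedule the install
    ScheduledInstallDay           = 6    # 0 = every day, 1 = Sunday ... 6 = Friday, 7 = Saturday
    ScheduledInstallTime          = 23   # hour of day
    NoAutoRebootWithLoggedOnUsers = 1    # No auto-restart with logged on users
    RebootRelaunchTimeoutEnabled  = 1    # Re-prompt for restart with scheduled installations
    RebootRelaunchTimeout         = 480  # minutes between re-prompts
    RescheduleWaitTimeEnabled     = 0    # Reschedule Automatic Updates scheduled installations: Disabled
}
$expectedWU = @{
    WUServer                    = $expectedServer
    WUStatusServer              = $expectedServer
    TargetGroupEnabled          = 1      # Enable client-side targeting
    TargetGroup                 = $expectedGroup
    AcceptTrustedPublisherCerts = 1      # Allow signed updates from an intranet update service location
}

$problems = @()
foreach ($set in @( @($auKey, $au, $expectedAU), @($wuKey, $wu, $expectedWU) )) {
    $path, $actual, $expected = $set
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        if ($value -ne $expected[$name]) {
            $problems += "{0}\{1}: expected '{2}', found '{3}'" -f $path, $name, $expected[$name], $value
        }
    }
}

# Checks beyond simple equality.
if ($wu.WUServer -and $wu.WUServer -notmatch '^https://') {
    $problems += 'WUServer uses plain HTTP: update metadata is exposed to on-path tampering; move to HTTPS (Part 3.b).'
}
if ($wu.WUServer -ne $wu.WUStatusServer) {
    $problems += 'WUServer and WUStatusServer differ: reporting goes to a different host than detection.'
}

if ($problems.Count -eq 0) { 'WSUS client policy matches the expected configuration.' }
else { $problems | ForEach-Object { "MISMATCH: $_" } }
```

Run it in an elevated prompt after gpupdate /force. If it reports no mismatches but the machine still does not show up in the WSUS console, wuauclt /detectnow followed by wuauclt /reportnow forces a detection and report cycle rather than waiting for the default interval.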
- In the tree, navigate to: Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service and configure the following.
- Configure the “Limit the maximum network bandwidth for BITS background transfers” policy by adjusting the schedule.
- Take a look at additional settings for BITS to understand what’s relevant to the target computers’ BITS versions (such as the various peer caching options). A lot of additional options are only available to gpmc.msc in Windows Vista+/2008+ due to the usage of bits.admx, and only target BITS v3.5+ (Windows Vista+/2008+).
- In the tree, navigate to: Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service and configure the following:
* Required option
‡ The setting value is suggested by me only. You must decide what is relevant for the target computers.
Setting / Value
* Allow BITS Peercaching: Enabled
‡ Limit maximum network bandwidth used for Peercaching: Same rules apply as for the bandwidth policy above; the value is in bits per second.
- start> run:
- Navigate to ServerName\Options> Click Automatic Approvals.
- Click New Rule.
- Under Step 1, configure as follows:
Setting / Value
When an update is in a specific classification: Adjust as you wish, but I suggest: Critical, Definition, Security, Update Rollups, Updates.
When an update is in a specific product: Adjust as you wish, but I suggest: any product, as WSUS will only push updates for products for which it has updates.
Set a deadline for the approval: The decision to use this option is up to you, and I have mentioned what it does and the "dangers" several times on this page already. This is a very useful option to guarantee update compliance, but requires that you make sure your users understand that their computers will "restart nightly" (even though that isn't the case), and to save work every day.
Approve the update for [insert group name(s) here]: This is where you designate the computer groups this automatic approval policy applies to. Refer to the last few steps of creating WSUS computer groups and assigning computers to them.
- Once finished, click OK. Approval rules live on the WSUS server, and clients learn about newly approved updates at their next detection cycle, so nothing needs to replicate down to the client via Group Policy.
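The computer group from "create WSUS computer groups" and the approval rule above can also be created through the WSUS administration API, which is what the console drives. The script below is an added example, not code from the original post, and assumes it runs on the WSUS server itself (or a host with the console installed) against WSUS 3.0 SP2 on port 8530 over HTTP; the group and rule names are placeholders. It also sets one thing the wizard steps do not mention: the server must be switched to client-side targeting, or the "Enable client-side targeting" GPO setting is ignored and every machine lands in Unassigned Computers.

```powershell
# Added example, not part of the original post: create a WSUS computer group and an
# automatic approval rule through the WSUS administration API.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$wsusHost  = $env:COMPUTERNAME                      # assumption: run on the WSUS server
$groupName = 'Site-A Workstations'                  # hypothetical group name (must match the GPO)
$ruleName  = 'Auto-approve for Site-A Workstations' # hypothetical rule name

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($wsusHost, $false, 8530)

# Client-side targeting: trust the group name the client supplies via Group Policy.
$cfg = $wsus.GetConfiguration()
if ($cfg.TargetingMode -ne [Microsoft.UpdateServices.Administration.TargetingMode]::Client) {
    $cfg.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
    $cfg.Save()
}

# Create the computer group only if it does not already exist.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# Classifications suggested on this page; any product, as the page recommends.
$wanted  = 'Critical Updates', 'Definition Updates', 'Security Updates', 'Update Rollups', 'Updates'
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $wanted -contains $_.Title } |
    ForEach-Object { [void]$classes.Add($_) }

$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($group)

$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }
$rule.SetUpdateClassifications($classes)
$rule.SetComputerTargetGroups($groups)

# Deadline: install is forced 7 days after approval at 23:00 (hypothetical choice;
# skip this block for no deadline). A forced install may mean a forced restart.
$deadline = New-Object Microsoft.UpdateServices.Administration.AutomaticUpdateApprovalDeadline
$deadline.DayOffset           = 7
$deadline.MinutesAfterMidnight = 23 * 60
$rule.Deadline = $deadline

$rule.Enabled = $true
$rule.Save()
"Rule '$($rule.Name)' enabled for group '$($group.Name)' with $($classes.Count) classifications."
```

A new rule only affects updates that arrive after it is saved; calling $rule.ApplyRule() applies it to the updates already synchronized, which is the same thing the "Run Rule" button in the console does.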
- Download and extract WSUS Cleanup to %programfiles%\WSUS_Cleanup_CL. As of December 28th, 2012 the latest version is 2.
- Create a batch file that will perform the cleanup:
echo "%programfiles%\WSUS_Cleanup_CL\WSUS_Cleanup_CL.exe" %computername% f 8530 superseded expired obsolete compress files DB ^> %temp%\wsus_maint.log 2^>^&1 > "%programfiles%\WSUS_Cleanup_CL\wsus_schtask.bat"
Note the redirect order inside the batch file: 2>&1 must follow the file redirect, otherwise errors go to the (non-existent) console of the scheduled task instead of the log.
- Create a scheduled task that will perform the WSUS server cleanup weekly:
schtasks /create /sc weekly /mo 1 /tn wsus_server_cleanup /st 20:00 /tr "%programfiles%\WSUS_Cleanup_CL\wsus_schtask.bat"
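The same cleanup is available directly from the WSUS administration API, which avoids shipping a third-party binary to the server. The script below is an added example, not from the original post or from the WSUS Cleanup project; it assumes it runs on the WSUS server against WSUS 3.0 SP2 on port 8530, and the log path under d:\wsus is a placeholder matching the install layout used above. It does not run the DB_maint.sql step, which still needs a SQL client against the Windows Internal Database.

```powershell
# Added example, not part of the original post: WSUS server cleanup via the API,
# equivalent to the "superseded expired obsolete compress files" options above.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$logFile = 'd:\wsus\wsus_maint.log'   # assumption: log next to the content store

$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($env:COMPUTERNAME, $false, 8530)
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.DeclineSupersededUpdates    = $true   # "superseded"
$scope.DeclineExpiredUpdates       = $true   # "expired"
$scope.CleanupObsoleteUpdates      = $true   # "obsolete"
$scope.CompressUpdates             = $true   # "compress"
$scope.CleanupUnneededContentFiles = $true   # "files"
$scope.CleanupObsoleteComputers    = $true   # computers that have not contacted the server in 30 days

$result  = $wsus.GetCleanupManager().PerformCleanup($scope)
$summary = @"
$(Get-Date -Format s) cleanup on $($wsus.Name)
  superseded declined : $($result.SupersededUpdatesDeclined)
  expired declined    : $($result.ExpiredUpdatesDeclined)
  obsolete deleted    : $($result.ObsoleteUpdatesDeleted)
  updates compressed  : $($result.UpdatesCompressed)
  computers deleted   : $($result.ObsoleteComputersDeleted)
  disk freed (bytes)  : $($result.DiskSpaceFreed)
"@
$summary | Out-File -FilePath $logFile -Append -Encoding ASCII
$summary
```

Schedule it the same way as the batch file, running as SYSTEM so it does not depend on an interactive user's profile: schtasks /create /sc weekly /d SUN /tn wsus_server_cleanup /st 20:00 /ru SYSTEM /tr "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File d:\wsus\wsus_cleanup.ps1" (the script path is an assumption). The first run on a server that has been synchronizing for a while can take hours; the log records how much it removed.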
- In the WSUS admin console, navigate to the Update Services/WSUSSERVER/Updates tree, right-click and click “Import Updates…”.
- Search and find the update you wish to import.
- Add to basket.
- View basket.
- Check Import directly into Windows Server Update Services
- Click Import.
- The catalog's ActiveX control performs the API calls that import the metadata and the update file into the WSUS installation.
Configure WSUS to receive updates from Microsoft:
Understanding AD OU design and group policy object application:
I would expect that you’ve already designed your AD and understand what group policy is. If you don’t, please research both of those things and come back.
My general suggestion for AD design is: Site\[business unit OU]\[Workstation and Users OU]
You do not need to rely only on your OU design to apply group policies. Instead, populate AD security groups with the computer objects and grant those groups the "Apply Group Policy" right on the GPOs you want applied. The ACL is reachable from the GPO's Delegation tab under Advanced. Remove the Apply Group Policy ACE from Authenticated Users (and Everyone, if present), since those contain every computer object in the domain, but leave their Read permission in place: since MS16-072 (June 2016) the computer account must be able to read the GPO or it silently stops applying.
This option is very helpful if you want granular control over which computers receive approved updates. A critical point here is the "Set a deadline for approval" option within WSUS Automatic Approvals. The deadline is the time at which the deployed update is forced to install, which may or may not force a restart of the client system (depending on the update). This can be dangerous, but should be okay for workstations, as long as you communicate properly with your users' managers, etc.
Configure WSUS client management:
The update clients report to WSUS with their membership of a computer group. These groups must be created in the WSUS console. I usually create a group per site, per business unit, or per server/host role. A computer group determines which approved updates a computer receives, and should be used in conjunction with automatic approvals to streamline the update process.
Understanding BITS’s use of Peer Caching and BranchCache:
Peer caching allows BITS clients on the same subnet and in the same domain to act as the source for BITS files. The feature is only available to participants with BITS v3.0 or BITS v4.0 (Windows Vista+, Server 2008+).
BranchCache is a feature that is available to BITS v4.0 clients only, and is useful when dealing with clients located across a WAN. BranchCache is a client/server implementation where a server caches data from a configured peer server (or servers) that can then be retrieved by BranchCache members/clients (see "distributed cache," which uses BITS) or by other client protocols (like SMB, as in accessing a file share on a BranchCache member). I won't cover configuring BranchCache for WSUS/BITS, but this is a great blog post that covers configuring WSUS's SQL DB, network load balancing, and BranchCache (configuring BranchCache for directories shared over SMB that happen to store the updates downloaded by WSUS), choosing to have the files "distributed across peer client computers (distributed cache mode) or centrally hosted on a server (hosted cache mode)."
Since WSUS utilizes BITS, BITS’s peer caching and Windows BranchCache’s distributed cache mode can be used together to greatly improve download speed and decrease bandwidth utilization used by the client/server download transactions of WSUS server.
Peer caching settings can be distributed to computers via group policy.
Configuring Group Policy for WSUS and BITS settings:
Group policy is used to add computers to WSUS computer groups, as well as configure the remainder of the automatic update settings. If you haven’t, review the above section Understanding AD OU design and group policy object application.
Limit BITS bandwidth:
By default, BITS takes the link speed of your NIC (as in 1Gbps) as the total bandwidth available to the host, which says nothing about the capacity of the WAN path in between. You may want to use a group policy to cap the speed at which BITS can transfer (its usual background throttling based on idle bandwidth still takes place regardless).
According to the previous section, you may decide to implement peer caching. These options are only available through gpmc.msc on Windows 7+/2008+ due to the usage of bits.admx, and only target BITS v3.5 (Windows Vista+/2008+).
Configure automatic update approval policies:
Referring to the above, you may or may not want to automatically approve updates for some groups. Additionally, you may or may not want to force updates to be installed on a computer group by a certain time (the "update deadline"), at the cost of a forced restart when the update needs one.
Schedule WSUS server cleanup and DB maintenance:
There are a variety of ways to trigger a WSUS server cleanup, including the GUI option in the console, PowerShell scripts, and direct API calls. I've chosen to use a piece of open source software available on Microsoft's CodePlex called simply WSUS Cleanup. WSUS Cleanup can also execute an arbitrary SQL file against the Windows Internal Database instance that houses the WSUS DB. The SQL file is located at %programfiles%\WSUS_Cleanup_CL\DB_maint.sql and contains the maintenance script written by Microsoft.
Updating the WSUS:
There are a few updates that should be applied to WSUS 3.0 SP2, most importantly KB2720211 (included in KB2734608), which increases the key length of the self-generated signing certificate to above 1024 bits. This key length will matter in Part 3.b if you choose not to use a CA.
Stopping the target hosts from accessing Windows Update directly:
There is a group policy setting that stops targeted Windows clients from accessing Windows Updates features of Windows, only allowing WSUS access:
Administrative Templates\System\Internet Communication Management\Internet Communication settings: "Turn off access to all Windows Update features"
It might be better to also block access from your clients to the host list in step 5 of the install section above: a policy setting can be undone locally by an administrator, a network block cannot.
Importing updates from the Microsoft download catalog: