James Bannan18 September 2006, 8:24 AM
Windows Server Update Services 3.0 will now mirror updates for products other than Windows and Office in your LAN. But once you have WSUS 3.0 up and running, how do you set desktop PCs to use it? Here's the step-by-step guide.
In a previous article, I covered the major overhaul Microsoft is giving Windows Server Update Service (WSUS) with version 3.0.
It will now mirror updates for products other than Windows and Office within your LAN environment which mitigates the problem of individual desktops downloading the same patches over and over again from Microsoft's public servers.
So how do you set your PCs to use WSUS instead of Microsoft's public Windows Update servers?
The actual configuration can be distributed to desktops via domain group policy if you have an Active Directory server, or by installing local group policy settings on PCs in a LAN without a domain controller (a Workgroup environment).
You can even drop the necessary config straight into the registry by means of a regedit file.
In order to self-update from a WSUS server, clients need to be running at least Windows 2000 SP3, Windows XP SP1, or Windows Vista.
The process for connecting a Vista-based client to the WSUS server is very similar to Windows 2000/XP - not much has changed behind the scenes.
The relevant service on Windows XP is the Automatic Updates service, whereas on Windows Vista it’s the Windows Update service.
To configure Vista using Group Policy, launch either Domain Security Policy from the Active Directory server (if the client is a member of the domain), or launch Group Policy Object Editor from the local workstation (if it’s a standalone workgrouped computer - Start, Run, GPEDIT.MSC).
The Windows Update administrative template needs to be present in the policy editor. It should automatically be available, in Computer Configuration, Administrative Templates, Windows Components, Windows Update. If it’s not there, click on Administrative Templates, and go to Action, Add/Remove Templates. Click Add, and in the Policy Templates dialogue box click on WUAU.ADM and select Open.
In the Windows Update box there are only two options which need to be configured for the client to talk to the server:
- Configure Automatic Updates - set this to “Enabled” and choose one of the automatic updating options. “3 - Auto download and notify for install” is the default, and this will automatically download available updates and will prompt the logged-on admin user to install them. Option 4 will do the same, but it will force installation at a specified time and date. This is useful for machines with non-admin users.
- Specify intranet Microsoft update service location - set this to “Enabled”, and type in the URL of the WSUS server. This is actually the URL of the WSUS service as defined in IIS. Generally it’s just http://servername or http://ipaddress. If you’re using the non-standard WSUS port, this needs to be specified too (eg: http://servername:8530).
If you jump into the registry (Start, Run, REGEDIT) and navigate to HKLM\SOFTWARE\Policies\Microsoft\WindowsUpdate, all the options you just configured will be represented in registry keys, strings and DWORDS.
You could, therefore, simply pull those keys out and apply them to a default software image rather than changing group policy.This approach has certain advantages in environments where group policy isn’t used, just as peer-to-peer workgroups, but generally speaking domain group policy is the way to go.
Even in non-Microsoft environments, such as Netware/Linux, there are still tools to apply Microsoft group policy to Windows-based machines. Central control is always a good thing.
And that’s pretty much it. On domain machines, the updated policy refreshes every 90 minutes with a random offset of 0-30 minutes, and the client should communicate with the WSUS server approximately 20 minutes after that. If you’re impatient, go Start, Run and type “gpupdate /force” on the client computer.
If you’ve used local group policy or registry entries, the changes take effect immediately, and the client will communicate in about 20 minutes. Again, if you want to speed things up, go to Start, Run and type “wuauclt.exe /detectnow”, and the client will force communications with the WSUS server.
Once the client has registered with the server, you can run status reports on it and see what updates have been applied, and which ones are outstanding. The functionality really is very much the same as the current builds of WSUS and automatic updates, so it’s good to know that for administrators, WSUS 3.0 and Windows Vista is very much a case of business as usual.
