Windows Server Update Services (WSUS) 3.0 SP2

I installed WSUS 3.0 SP2 on a Windows Server 2003 R2 box a little while ago for a couple of reasons. Firstly, to save bandwidth: it didn’t make sense for all the computers on my network to download the same updates from Microsoft. That's less of an issue if you only have a couple of PCs, but I have quite a few. And secondly, when you want the updates, they are an awful lot quicker, as the machine only has to grab them from the WSUS server on your network and not over the internet.

Occasionally in the past users would restart their machines in the day, and there were loads of updates required. The machine would then take an age to download them before it could install them, thus making the user quite unhappy, or at least they pretended to be unhappy that they couldn’t do any work. Also, it’s worth noting that asking them to make the tea with their now extra spare time does not normally go down too well.

The installation is dead easy. Grab a copy of WSUS here; it’s free, so you might as well.

You won’t need to adjust too much. You can change the Automatic Approval level to automatically distribute critical updates, for example, and any others will require your approval before they are distributed. You can also enable email notifications, so that you are notified whenever new updates are ready for approval.

Once installed you need to make sure your firewall on the WSUS machine is set to allow HTTP (80) and HTTPS (443) access to the box. I also created an internal DNS entry, “windowsupdate.mynetworkname” and then I could use this in the Group Policy to tell it where to grab the updates from (If I ever change the IP down the line, this makes it much easier).

The Group Policy side of things is very easy also. I created a separate GPO for WSUS and could then assign it to the machines as necessary. I actually created different objects for Desktops, Laptops and then IT machines, as some of the IT team wanted more control over when the updates took place. I also didn’t want updates automatically restarting my core servers.

For a more in-depth explanation of these settings, please see the TechNet site here.

Once you have it all installed, the group policy should take effect and you can leave it to do its job. If you want to force a connection from your machine to the WSUS server (assuming the GPO has been applied; “gpupdate /force” will do that), then you can do so by typing:

“wuauclt /detectnow”

And

“wuauclt /reportnow”

If you then check in the WSUS console, you should see your machine appear and the status of its updates.

To rule out any DNS and firewall issues, you should be able to access these pages from any machine requiring updates:

  • http://WSUSServer/SimpleAuthWebService/SimpleAuth.asmx
  • http://WSUSServer/clientwebservice/susserverversion.xml
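
The same DNS, firewall and web service checks can be scripted and run on a client that is not showing up in the console. This is an added example, not part of the original post; it assumes the script is saved as a .ps1 file and that the WSUS server is reached under the internal DNS name mentioned earlier (pass your own name with -WsusHost).

```powershell
# Added example: client-side WSUS connectivity check (not from the original post).
# Assumption: $WsusHost is the internal DNS entry created for the WSUS server.
param([string]$WsusHost = 'windowsupdate.mynetworkname')

# 1. DNS: does the name the GPO points at resolve from this client?
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($WsusHost)
    'DNS   OK    {0} -> {1}' -f $WsusHost, ($addrs -join ', ')
} catch {
    'DNS   FAIL  {0}: {1}' -f $WsusHost, $_.Exception.Message
    return   # nothing else can work until the name resolves
}

# 2. Firewall: are the two ports opened on the WSUS box reachable?
#    Port 443 only answers if WSUS has been configured for SSL.
foreach ($port in 80, 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($WsusHost, $port)
        'TCP   OK    port {0} reachable' -f $port
    } catch {
        'TCP   FAIL  port {0}: {1}' -f $port, $_.Exception.Message
    } finally {
        $tcp.Close()
    }
}

# 3. WSUS web services: the two pages listed above.
$allOk = $true
$paths = '/SimpleAuthWebService/SimpleAuth.asmx',
         '/clientwebservice/susserverversion.xml'
foreach ($path in $paths) {
    $url = 'http://{0}{1}' -f $WsusHost, $path
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.Timeout = 10000          # milliseconds
        $resp = $req.GetResponse()
        'HTTP  {0}   {1}' -f [int]$resp.StatusCode, $url
        $resp.Close()
    } catch {
        $allOk = $false
        'HTTP  FAIL  {0}: {1}' -f $url, $_.Exception.Message
    }
}

# 4. Only when the server is reachable, refresh policy and force a check-in.
if ($allOk) {
    gpupdate /force
    wuauclt /detectnow
    wuauclt /reportnow
}
```

A DNS failure points at the internal DNS entry, a TCP failure on port 80 at the firewall on the WSUS machine, and an HTTP failure with the port open at the WSUS site in IIS.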