Friday, July 15, 2005

Controlling your Patch Management with WSUS


If you haven't heard yet, Windows Server Updated Service is available for download... for free!, it's 100% compatible with your Windows Small Business Server 2003 SP1 server. Currently, the SBS writing team is working hard to get a documentation out the door to aid you with the installation and configuration of WSUS on SBS 2003 SP1.

But, why wait?

It's certainly not hard by any means, simply download the setup.exe file, and launch it on your SBS server, then just follow the defaults, and you're pretty much finished. However, if you have premium, you'll need to tell WSUS your proxy server.

Finally, you need to configure the clients to look at the server for their updates. This is the tricky part. There are two major steps, granting access to the website, and configuring the group policy.

To grant access to the clients to update themselves
  1. In the Server Management Console, drill down into Advanced management, and into the default website

  2. You'll have to do this for both the SelfUpdate and ClientWebService virtual directories. Right-click, choose Properties, click on the Directory Security tab, then IP Address and choose Granted Access for all IP addresses

Now your website is ready

Pointing the clients to the server via Group Policy
  1. Create and link a new Group Policy Object on the domain level

  2. In the Group Policy Object Editor, Expand Computer Configuration, Administration Templates, Windows Components and select Windows Update

  3. Double-click Configure Automatic Updates, click Enabled and ensure Auto download and schedule the install

  4. Then double click Specify Intranet Microsoft Update Service location and choose Enabled and type in http://{servername}:8530 into both boxes and click OK

  5. Finally, double-click No auto-restart for scheduled Automatic Update installations


And that's all there is to it. You'll need the latest service pack for Windows 2000, or SP1 or 2 for XP for this to work. Also, as you recall, you have to wait for a period of time before policy actually takes place, or you can use the gpupdate /force to force the policy to take place.

Now, even happier patching ...

8 comments:

Anonymous said...

ahhh,

but it doesnt work with DELL or HP OEM pre-installs of SBS 2003.

any way of getting this resolved ?

Sean Daniel said...

Ah yes, we are aware of this issue and we're currently working on a solution to the problem.

Anonymous said...

Please post if you come up with a work around as it is causing considerable problems for my company at the minute.

Anonymous said...

Does WSUS work on SBS03 without SBS SP1?

Sean Daniel said...

Yes it does, but it's STRONGLY recommended for you to migrate to SBS SP1

selector said...

What exactly is the issue with Dell/HP OEM builds of SBS 2003?

I am running SBS 2003 OEM + SP1 on a Dell server and did manage to get WSUS working.

Chris said...

I might have found a fix here:

http://www.sbsusers.org/melbourne/alerts4.htm

Now I just have to see if it works

Chris

Sean Daniel said...

Actually, I've posted the (almost) official steps here.

Enjoy!