05/25/2020; ... After you have the certificate installed, you have to update the Group Policy (or the Client Configuration settings for software updates in Configuration Manager) to use the address and SSL port of the WSUS server. I want to locate the WSUS server in our DMZ. I find that once an organisation does this they are amazed at how many “hiding” computers it discovers on their network that have never been patched. Hi Nebby, there is a really easy and simple workaround where you can hardcode the WSUS settings into the server/workstation registry. Thanks for the attention though. WSUS tracks activity in the database so that both sides know what has changed since a client last scanned, and it will only send metadata that has been updated since then. I developed these best practices and helped a client implement them to improve their compliance. Typically Microsoft Office patches fall under this category. So to ensure that your servers don’t auto-install patches, configure the “Configure Automatic Updates” setting to option “3 – Auto download and notify for install” in the global “Servers” GPO you have applied to all your servers (see image below). Xpress encoding is enabled in IIS ApplicationHost.config with this line under the element and a registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\IIsDynamicCompression. Before I begin: for some of you this article will be well-known information and it might all seem rather logical. Users are notified of downloaded updates (yellow shield icon) and have a window of opportunity to do the installs at a time convenient to them. Set the scheduled time.
No, that should not matter… Run a GPRESULT /R report on the computer to see when updates should be applied… Of course the computer will need to have some updates pending for them to install… It’s definitely something to do with the way the group is configured, because if I put the computer account directly in the scope it picks up the settings and the GPO is applied. The example below applies the target group “Workstations Sydney” in the GPO called “Workstations Sydney” (notice the same name), which would be applied on the OU “Workstations\Sydney” (assuming you are using my genius Group Policy Object naming convention). Chandra, approvals are made on the upstream server; the downstream is more of a read-only WSUS server and a gateway for remote servers and computers to get updates/configuration from. This article is a continuation of the other blog post I have previously published at Best Practice: How to deploy software using Group Policy. If you don’t enable this option you will quickly find that you need to manually categorise every new computer that reports into the WSUS server. This effectively means you only need to transfer the file once to a site but have it used many times, thus saving a whole heap of WAN bandwidth. The table above shows that each round will have its own Group Policy Object that will be security filtered using a security group. Now also take a look at the “Keep the GPO’s name consistent with the OU names” section in my Best Practice: Group Policy Design Guidelines – Part 2 post; you can see how the WSUS target groups are also very consistent with (but not the same as) the OUs the computers are located in. If clients change to a different WSUS server that uses a different database, the client will have to do a full scan. Open up the Group Policy Management console and decide whether to use an existing GPO or create a new one.
When I make this reference note that I am talking about any client of the WSUS server, which could mean a “client” is either a server or a workstation. It might tempt you to change this setting to 1 hour. Even though WSUS v3 now has the ability to have nested target groups it still has the same restriction that all target group names must be unique. The script can also decline updates that contain Preview or Beta in the update title. Next you need to create a Group Policy Object at the highest level possible that will apply to all the workstations in your organisation. I have placed my own notes at the bottom of nearly each of the policy settings explaining how a new WSUS admin might want to configure it out of the gate. A warning… You may remember that Group Policy refresh can take up to approximately 2 hours. Of course doing this negates the effect of being able to target a set group of computers. If you do opt to do this you will need to allow port 443 open on the firewall and you will need to install the root certificate for your internal certificate server on your DMZ host. Best practices for patching laptops that are not always connected to the intranet. To make this an easy process just export all the registry keys from “HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\WindowsUpdate” (yes, I know this is not strictly a Group Policy) of a domain-configured client with the settings you want to use. The time you take to approve test patches to your workstations and terminal servers is also a major difference from your servers, as often you need to get these patches out due to a zero-day vulnerability. Exchange Servers) then simply go through the same process in the above “Implement a WSUS Update Test Group of Computers” section, giving it whatever name is appropriate (see images below). Thank you.
So subgroups in WSUS just use the subgroup name and not the Group\Subgroup format with client-side targeting: http://t.co/yvkJ5OzR. procedures for notifying users so that they can plan their work accordingly and avoid unexpected downtime Don’t disable GPOs. Last Modified: 2013-05-03. Now that you have selected your test workstations, added them to the test security group and have them in the “Workstations Test” WSUS group, you are right to start testing updates to this group of computers. Instead, consider using a configuration of 2-4 servers sharing the same SQL Server database. 2- When I use the “WSUS Workstation test” global group on security filtering (and add my machine into it), I get a denied GPO (Access Denied (Security Filtering)), but it’s working fine when I put the machine account directly on security filtering… I’m not sure how to address this to Microsoft, but it’s a bug. If 10,000 clients report into the server every 22 hours and you set this policy to 1 hour, that will increase the load to the equivalent of 220,000 clients. Remote Desktop Servers… a.k.a. 2. In conjunction with this setting I would also recommend that you set “Configure Automatic Updates” to option 2 so that by default you are NOT inadvertently pushing out any patches to any computers. TIP: I would recommend that you create a separate GPO as I normally don’t like to modify the “Default” Group Policy Objects. WSUS) is the free tool Microsoft provides for deploying patches and updates. 2. One of the first things you should do once you have installed WSUS and performed the first sync is enable the Group Policy computer group assignment.
The reason you do this is that you only want to have these policies enabled when you want to schedule the update to your servers (perhaps once a month). Use Group Policy to Update Multiple Computers. I also believe that even if you have bought and implemented System Center Configuration Manager in your environment you are probably still better off using WSUS to manage the updates for your Microsoft software. This has a number of bandwidth savings on your network as it serves to deliver patches to the clients over even the slowest of network links… But of course some updates (like service packs) can be quite large and therefore you may want to consider configuring the “Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers” setting. The following command will turn it off. In your GPO: 1. set your GPOs to Enforced. Therefore I have generally found that all computers fall under 3 main categories: Workstations, Terminal Servers and Servers. So after reading the above section about patch approval groups you might not consider that you have to approve Microsoft Office patches to your servers and, vice versa, approve Exchange or SQL patches to your workstations… But you would be wrong. Your test policy should now look something like the image below. I will go into more detail on this further on in the “Top level Patch Approval Groups” section, but for now just ignore the server and terminal server target groups…. SO… DON’T change this setting unless you do have a case to change it. It's ok to keep them around if you're still deploying them. Therefore, the metadata returned will usually be less than when the scan is initiated by Configuration Manager. In this next part I will discuss some guidelines I use when designing a Group Policy Object infrastructure.
One advantage of this method of allowing any client to connect is that clients in a DMZ can be configured to report into a WSUS server that is hosted on the internal network. However if it works as advertised then this will go a long way to ensure that computers are patched even when turned off, largely negating the need to send a Wake On LAN to patch clients after hours. This leads to the WSUS console being more responsive, but does not affect the client scan. This is because you have safety in numbers. TIP: Make sure that the computers you have selected to perform patch testing are a good cross-section of your environment. 1- Add the port to “Specify intranet Microsoft update service location” with WSUS 6.3 (2012 R2), i.e. http://wsus.domainname.local:8530, because you are going to run into a 404 error in the WindowsUpdate.log. Very frustrating. Allow Automatic Updates immediate installation – What you might not realise is that some patches that are released from Microsoft do not require the computer to be rebooted. In your deadline you will be able to set a deadline date. For information about declining superseded updates and other WSUS maintenance items, see the Complete guide to Microsoft WSUS and Configuration Manager SUP maintenance article. Click in Application Pools. BITS). The image below is what the GPOs would look like if the same rounds in the above table were implemented. Also note that these GPOs are normally not “Link Enabled” (see image below). You would use the following target group structure… You might also notice in the above image I also have “Terminal Servers” and “Servers” at the top level of the WSUS structure.
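The round GPOs described above (one GPO per round, security filtered to a group, linked to the servers OU but not link-enabled) can be built with the GroupPolicy and ActiveDirectory modules. The following PowerShell is an added example and is not code from the original post. The domain example.local, the OU OU=Servers,DC=example,DC=local, the round names “Servers Round 1/2” and the group prefix “WSUS ” are assumptions; substitute your own naming convention.

```powershell
# Added example (not from the original post): create a "round" GPO for scheduled
# server patching, security filter it to one group, and link it disabled.
# Assumptions: domain example.local, servers live under OU=Servers,DC=example,DC=local,
# round groups are named "WSUS <round name>". Run as a Group Policy administrator.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'example.local'                          # assumption
$ServerOu = 'OU=Servers,DC=example,DC=local'         # assumption
$AuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\WindowsUpdate\AU'

function New-WsusRoundGpo {
    param(
        [string]$RoundName,     # e.g. "Servers Round 1"; used for the GPO name
        [int]$InstallDay,       # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$InstallHour       # ScheduledInstallTime: 0-23, in the CLIENT's local time zone
    )
    $groupName = "WSUS $RoundName"

    # The security group that scopes the round. Nothing applies until a server is
    # a member AND the GPO link is enabled for the change window.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ServerOu | Out-Null
    }

    if (-not (Get-GPO -Name $RoundName -Domain $Domain -ErrorAction SilentlyContinue)) {
        New-GPO -Name $RoundName -Domain $Domain | Out-Null
    }

    # "Configure Automatic Updates": option 4 = auto download and schedule the install.
    # Only the round GPO carries option 4; the global "Servers" GPO stays on option 3,
    # so a server that is in no round never installs or reboots on its own.
    $values = @{
        NoAutoUpdate                  = 0
        AUOptions                     = 4
        ScheduledInstallDay           = $InstallDay
        ScheduledInstallTime          = $InstallHour
        NoAutoRebootWithLoggedOnUsers = 0   # let the scheduled install reboot the box
    }
    foreach ($name in $values.Keys) {
        Set-GPRegistryValue -Name $RoundName -Domain $Domain -Key $AuKey `
            -ValueName $name -Type DWord -Value $values[$name] | Out-Null
    }

    # Security filtering: Authenticated Users keeps Read (needed since MS16-072, which
    # the page mentions) but loses Apply; only the round group gets Apply.
    Set-GPPermission -Name $RoundName -Domain $Domain -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
    Set-GPPermission -Name $RoundName -Domain $Domain -TargetName $groupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Link to the servers OU with the link DISABLED; it is enabled only for the window.
    $linked = (Get-GPInheritance -Target $ServerOu -Domain $Domain).GpoLinks |
              Where-Object { $_.DisplayName -eq $RoundName }
    if (-not $linked) {
        New-GPLink -Name $RoundName -Domain $Domain -Target $ServerOu -LinkEnabled No | Out-Null
    }
    Get-GPO -Name $RoundName -Domain $Domain
}

New-WsusRoundGpo -RoundName 'Servers Round 1' -InstallDay 4 -InstallHour 5   # Wednesday 05:00
New-WsusRoundGpo -RoundName 'Servers Round 2' -InstallDay 5 -InstallHour 5   # Thursday 05:00

# Opening and closing the change window for round 1. Remember the ~2 hour Group
# Policy refresh plus AD replication: enable well before, and disable well after,
# the scheduled hour, or a late-refreshing server will still see option 4.
# Set-GPLink -Name 'Servers Round 1' -Domain $Domain -Target $ServerOu -LinkEnabled Yes
# Set-GPLink -Name 'Servers Round 1' -Domain $Domain -Target $ServerOu -LinkEnabled No
```

Because ScheduledInstallTime is interpreted in the client's own time zone, a single round GPO applied to servers in several regions fires at different absolute times; use one round per region if that matters.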
approve option is disabled. Windows Server Update Service (a.k.a. Disable Automatic Updates through GPO. Since the title of the question is "best practices" specific to WSUS, I would suggest (and this is totally off-the-wall) making sure you enable only the necessary updates and don't enable the download process during work hours. These are in no particular order of importance and you might choose to implement only some of these settings depending on your environment. (However there is a way to do something similar using Group Policy). In this case I recommend that you have a standing change control approval or understanding that all new patches will be automatically approved to the test computers as soon as they come in, to start the testing process as quickly as possible. Here I will tell you to go and visit my Best Practice: Active Directory Structure Guidelines – Part 1 post where I talk about the number of ways you can build your OU structure. Note: See I also have the “Servers WSUS Test” group created for testing patches to the servers in my environment. Customize and use this script in your environment to decline Itanium architecture updates. When the Automatic Updates Agent scans, or you click Check for Updates in Control Panel, the agent sends criteria to retrieve only those updates approved for install. However if you have workstations under various top-level OUs then you will need to link the policy at the top of the domain. Let’s start with the description of the server policy – ServerWSUSPolicy. Note: If you think that the patch rollout will take multiple reboots, note that you will need to manually initiate the second patch update and reboot to install any remaining patches… Generally you should know if this is required after you have deployed your test patches.
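The decline script referred to above is not reproduced on this page. As an added example (not the page's own script), the following PowerShell declines Itanium, Preview and Beta updates through the WSUS administration API, with a dry-run switch and an opt-in for superseded updates. It assumes it runs on the WSUS server itself, where the UpdateServices module is installed with the role; the regex pattern is an assumption you should adjust.

```powershell
# Added example (not the page's script): decline unwanted updates on a WSUS server.
# Assumption: run on the WSUS server (UpdateServices module present); for a remote
# server use Get-WsusServer -Name <host> -PortNumber <port> [-UseSsl] instead.
Import-Module UpdateServices
$wsus = Get-WsusServer

function Invoke-WsusDecline {
    param(
        # Regex over the update title. Itanium updates also appear as "ia64"; the
        # pattern is an assumption, review the -WhatIf output before trusting it.
        [string]$TitlePattern = 'Itanium|ia64|Preview|Beta',
        [switch]$IncludeSuperseded,
        [switch]$WhatIf
    )
    $candidates = @($wsus.GetUpdates() | Where-Object {
        -not $_.IsDeclined -and
        ($_.Title -match $TitlePattern -or ($IncludeSuperseded -and $_.IsSuperseded))
    })

    $declined = 0
    foreach ($u in $candidates) {
        if ($WhatIf) {
            Write-Host ("Would decline: {0}" -f $u.Title)
        } else {
            $u.Decline()
            $declined++
        }
    }
    [pscustomobject]@{ Candidates = $candidates.Count; Declined = $declined }
}

# Always review first; declining is reversible in the console but noisy to undo in bulk.
Invoke-WsusDecline -WhatIf
Invoke-WsusDecline

# Superseded updates: decline only after the superseding update has been approved and
# has reached the clients, otherwise a machine that never installed the newer one is
# reported as needing nothing at all.
# Invoke-WsusDecline -IncludeSuperseded -WhatIf
```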
I am also going to assume that you are familiar with WSUS and already have it deployed in your organisation… Having implemented WSUS for an environment of a combined 10,000-plus servers and workstations I can truly say that this tool scales really well. If you have additional real-world examples of how these policy settings might impact a new WSUS admin, please comment below. WSUS implements an internal cache that retrieves the update metadata from the database. If a GPO is linked to an OU and you don’t want it to be applied, delete the link … Don’t disable GPOs. Configuration Manager client scans put more demand on WSUS than the stand-alone Automatic Updates. Therefore you normally can take more time to test the patches to these servers. Generally speaking the vast majority of clients for your WSUS server will be workstations and as such you probably DON’T want to manually install patches on these computers, simply because you have much better things to do with your time. Citrix Servers… a.k.a. To enable this to happen, however, you need to do a few things: TIP: Change the “HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\WindowsUpdate\TargetGroup” value in the registry key to “Servers DMZ”. In my previous article Best Practice: Active Directory Structure Guidelines – Part 1 I spoke about some of the guidelines I personally use when developing an Active Directory OU structure. I know that it might not be practical to implement this utopian design for most environments, but if you strive to have at least a consistent naming and structure for your organisation I find that it makes finding, troubleshooting and configuring your environment a whole lot easier…. Servers in the same round will be patched at the same time and therefore will generally not be dependent on other servers in the same round. Therefore if you apply a 3am reboot to all your clients in the world it will take 24 hours before all the clients have installed the update.
Can I just confirm that the computer account is in an OU that has the GPO (with security filtering) linked…? Workstations Sydney) as all the computers in the test group will be targeted using “Workstations Test”. On your WSUS server. I had to disable them because they weren't working and were preventing computers from being detected and patched. This being the case… You can set a policy at the very top level of your domain using the “Specify intranet Microsoft update service location” setting to configure every computer on your domain to point to the WSUS servers. A word of warning… The time in the “Configure Automatic Updates” setting applies the reboot schedule to the client based on the time and time zone of the client. For reference, in an environment that had around 17,000 updates cached, we have seen greater than 24 GB of memory needed as the cache is built until it stabilized (at around 14 GB). With Windows 10 and Windows Server 2016, the updates were cumulative from the beginning: cumulative in this context means that you install the release version of the OS and only have to apply the latest Cumulative Update in order to be fully patched. Another great thing about WSUS is that the Automatic Update agent, which is the software the client uses to connect to the server, is included out of the box in every single copy of Windows since XP. As the clients in your DMZ are probably not domain joined you will need to manually apply the registry keys to configure the Automatic Update service. You can find the list of Monthly Rollups for Windows 7 and 8.1 and Cumulative Updates for Windows 10/Server 2016 at these links, or you can find them by searching for “Windows X update history”, where X is the version. To establish a test group for patches you will need to create a number of security groups. One of the options you can set using Group Policy is called “Specify intranet Microsoft update service location”, which allows you to specify the WSUS server name.
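For the non-domain-joined DMZ hosts mentioned above, the same values that Group Policy writes under HKLM\Software\Policies\...\WindowsUpdate can be set by hand. The following PowerShell is an added example and is not code from the original post; it sets the intranet update location, client-side targeting and the Automatic Updates options, then reads them back and triggers a detection so the host shows up in the console. The WSUS address https://wsus.example.local:8531, the target group “Servers DMZ” and the path of the exported internal root CA certificate are assumptions.

```powershell
# Added example (not from the original post): hand-apply WSUS policy registry values on a
# non-domain-joined DMZ server. Run elevated.
# Assumptions: WSUS is reachable from the DMZ as wsus.example.local on SSL port 8531,
# the DMZ target group is "Servers DMZ", and the internal root CA certificate that
# issued the WSUS server certificate has been copied to C:\Temp\InternalRootCA.cer.

$WsusUrl     = 'https://wsus.example.local:8531'      # assumption (DNS alias + SSL port)
$TargetGroup = 'Servers DMZ'                           # must match the WSUS target group name exactly
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$AuKey       = Join-Path $PolicyKey 'AU'

# Trust the internal CA first, or the client will reject the WSUS certificate and
# silently never report in (look for 0x80072F8F in WindowsUpdate.log).
Import-Certificate -FilePath 'C:\Temp\InternalRootCA.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# "Specify intranet Microsoft update service location" + "Enable client-side targeting"
$wuValues = @{
    WUServer           = $WsusUrl
    WUStatusServer     = $WsusUrl
    TargetGroupEnabled = 1
    TargetGroup        = $TargetGroup
}
# "Configure Automatic Updates": option 3 = auto download and notify for install, so a
# DMZ server never installs or reboots by itself. Keep the default 22 hour detection
# frequency; shortening it multiplies the load on the WSUS server.
$auValues = @{
    NoAutoUpdate              = 0
    UseWUServer               = 1
    AUOptions                 = 3
    DetectionFrequencyEnabled = 1
    DetectionFrequency        = 22
}

function Set-WsusPolicyValues {
    param([string]$Key, [hashtable]$Values)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        $type = if ($Values[$name] -is [int]) { 'DWord' } else { 'String' }
        Set-ItemProperty -Path $Key -Name $name -Value $Values[$name] -Type $type
    }
}

Set-WsusPolicyValues -Key $PolicyKey -Values $wuValues
Set-WsusPolicyValues -Key $AuKey     -Values $auValues

# Read back what was written: a typo in the group name or URL surfaces here rather
# than as a host that never appears in the WSUS console.
function Get-WsusPolicyReport {
    $wu = Get-ItemProperty -Path $PolicyKey
    $au = Get-ItemProperty -Path $AuKey
    [pscustomobject]@{
        WUServer      = $wu.WUServer
        TargetGroup   = $wu.TargetGroup
        TargetEnabled = $wu.TargetGroupEnabled
        UseWUServer   = $au.UseWUServer
        AUOptions     = $au.AUOptions
        UsesHttps     = ($wu.WUServer -like 'https://*')
    }
}

$report = Get-WsusPolicyReport
$report | Format-List
if (-not $report.UsesHttps) {
    Write-Warning 'WUServer is plain HTTP: update metadata crosses the DMZ boundary unauthenticated.'
}

# Pick up the new policy and force a detection cycle so the host reports in now.
Restart-Service wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

The same values exported from a domain-joined client (as the post suggests) can be imported with reg.exe instead; the script above just makes the individual settings explicit so the DMZ host is reviewed rather than copied blindly.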
So subgroups in WSUS just use the subgroup name and not the Group\Subgroup format with client-side targeting: Specify intranet Microsoft update service location, Best Practice: Active Directory Structure Guidelines – Part 1, Best Practice: Group Policy Design Guidelines – Part 2, Best Practices with Windows Server Update Services, Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers, http://technet.microsoft.com/en-us/library/cc708550(WS.10).aspx, Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates, Allow Automatic Updates immediate installation, No auto-restart for scheduled Automatic Updates installations, How to show or hide Control Panel items in Windows 7 using Group Policy, How to use Group Policy to disable the EU Browser Choice, How to use Group Policy to turn off the Backup Notification in the Windows 7 Action Center, How to use Group Policy to configure home page settings – Part 1. Windows Server Update Service (a.k.a. Users simply have the updates forcibly installed at the deadline time with no opportunity to do them themselves beforehand. Hello and thanks for this article, which shows WSUS configuration within a large IT environment. Once you have finished testing the patch and you are going to approve it for the rest of the computers, ensure that you reset the approval for that patch on the “Workstations Test” group by using the “Same as Parent” option. Just to recap, we are applying three essential Group Policy settings at three different levels which get combined together when the policy is applied to the client: Once you have applied the above three settings to your computers then your clients should have the minimum settings to report into your WSUS server. I’ve even tried nesting a global group inside the domain local group but the same result is achieved. This can generate enough load to cause errors when clients communicate with a WSUS instance.
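The WSUS-side half of the test-group workflow (create the nested “Workstations” target groups, approve to “Workstations Test” first, then approve at the parent and reset the test group to “Same as Parent”) can be scripted against the WSUS administration API. The following PowerShell is an added example, not code from the original post; it assumes it runs on the WSUS server and that the group names follow the post's “Workstations …” convention. The title filter passed to the functions is an assumption for illustration.

```powershell
# Added example (not from the original post): build the "Workstations" target group
# tree and drive the test -> production approval cycle through the WSUS API.
# Assumption: run on the WSUS server (UpdateServices module present with the role).
Import-Module UpdateServices
$wsus    = Get-WsusServer
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

function Get-OrCreateTargetGroup {
    param([string]$Name, $Parent)   # $Parent: IComputerTargetGroup, or $null for top level
    $existing = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if ($existing) { return $existing }
    if ($Parent)   { return $wsus.CreateComputerTargetGroup($Name, $Parent) }
    return $wsus.CreateComputerTargetGroup($Name)
}

# Target group names must be unique server-wide even when nested, hence the
# "Workstations" prefix on every child ("Workstations Sydney", never just "Sydney").
$workstations = Get-OrCreateTargetGroup -Name 'Workstations'
$wsTest       = Get-OrCreateTargetGroup -Name 'Workstations Test'   -Parent $workstations
$wsSydney     = Get-OrCreateTargetGroup -Name 'Workstations Sydney' -Parent $workstations

function Get-MatchingUpdates {
    param([string]$TitleMatch)
    @($wsus.GetUpdates() | Where-Object { $_.Title -like "*$TitleMatch*" -and -not $_.IsDeclined })
}

# Step 1: approve only to the test group. Everything else under "Workstations"
# still inherits "Not approved" from the parent.
function Approve-ToTestGroup {
    param([string]$TitleMatch)
    $updates = Get-MatchingUpdates $TitleMatch
    foreach ($u in $updates) {
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        $u.Approve($install, $wsTest) | Out-Null
    }
    $updates.Count
}

# Step 2 (after testing): approve at the parent, then delete the explicit approval on
# the test group so it inherits again. That is what "Same as Parent" does in the console;
# leaving the explicit approval in place means the test group later drifts from production.
function Promote-FromTestGroup {
    param([string]$TitleMatch)
    $updates = Get-MatchingUpdates $TitleMatch
    foreach ($u in $updates) {
        $u.Approve($install, $workstations) | Out-Null
        $u.GetUpdateApprovals($wsTest) |
            Where-Object { $_.ComputerTargetGroupId -eq $wsTest.Id } |
            ForEach-Object { $_.Delete() }
    }
    $updates.Count
}

# Audit: updates explicitly approved on the test group but not on the parent are
# tests that were started and never finished (or never promoted).
function Get-StuckOnTestGroup {
    foreach ($u in $wsus.GetUpdates()) {
        if ($u.IsDeclined) { continue }
        $onTest   = @($u.GetUpdateApprovals($wsTest)       | Where-Object { $_.Action -eq $install -and $_.ComputerTargetGroupId -eq $wsTest.Id }).Count -gt 0
        $onParent = @($u.GetUpdateApprovals($workstations) | Where-Object { $_.Action -eq $install -and $_.ComputerTargetGroupId -eq $workstations.Id }).Count -gt 0
        if ($onTest -and -not $onParent) {
            [pscustomobject]@{ Title = $u.Title; Arrived = $u.CreationDate }
        }
    }
}

# Usage (title filter is an assumption for illustration):
Approve-ToTestGroup   -TitleMatch '2020-05 Cumulative Update'
# ... test on the "Workstations Test" machines, then:
Promote-FromTestGroup -TitleMatch '2020-05 Cumulative Update'
Get-StuckOnTestGroup | Format-Table -AutoSize
```

The audit function is the check the post's warning is about: if the test group is left explicitly approved after promotion, a later decision to unapprove at the parent will not reach the test machines, so they stop being a representative sample.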
Is this possible only with GPO? The only other GPO setting you might want to apply to the domain controllers is the “Enable client-side targeting” setting configured to a value such as “Servers Domain Controllers”. For the older operating systems, we don't have such updates yet, although this is the direction we're heading in. This has the slight disadvantage of not having the granularity of the lower-level targeting (e.g. I’m able to apply the global WSUS settings as you recommended, which I see getting applied when I do a gpresult /r on the servers; I see it as an applied Computer Policy. Updates are successfully downloaded from the upstream server and available on the downstream server but I am unable to approve. Therefore by default you DON’T want your servers to be automatically installing patches and rebooting at 3am every day. For more information, see Plan for software updates in Configuration Manager. This assumes you cannot resolve internal host names from the DMZ. That is, if one server goes down, although important, it won't immediately spoil your weekend because no client can update and you have to be updated against the latest 0-day exploit. Great work! I have created some virtual machines in my lab. The Workstation prefix is required as you might also want to patch servers in the same site, and therefore due to the unique target group requirement you will need to have a “Workstations Sydney” and a “Servers Sydney” group. Doing this is more of a discovery process so that you can at least be aware of any un-patched computers on the network that you can then appropriately remediate… An added side benefit of doing this is that you also get an accurate picture of how many real computers are actually on your network. After this point if you decide to abort the scheduled update you might not have enough time to allow for AD propagation and Group Policy refresh for all your servers to stand down from the auto reboot that was scheduled.
If a GPO is linked to an OU and you don’t want it to be, delete it instead of … Since WSUS deployment depends on your specific environment, the type of upstream and downstream services and the connection method should also be considered by you based on actual conditions. However you might find that you need to have additional groups if you want to have additional independent test groups. But it bears mentioning. Therefore I recommend that you approve any required update to this group of computers on an aggressive timeline…. Group Policy and WSUS Best Practices 1. Creating a DNS alias for your WSUS server will give you another way to easily migrate your clients to a new WSUS server without the need to keep a legacy alias of your old server name after you move to a new WSUS server. This is fine if you only have a few computers, but once you start managing many hundreds or thousands of computers this quickly becomes impractical. You may also want to make sure that the people that use these computers are technically proficient and are likely to report an issue if something goes wrong. Remove them after you're done with them. If you have some need to separately approve patches to a group of computers that is not just a workstation, terminal server or server (e.g. If both aren't present, it can be enabled by running this command and then restarting the WsusPool application pool in IIS. This is typically 8531 or 443. However, with the “Remove links and access to Windows Update” setting also turned on in Group Policy, users don’t have an option to install the updates. WSUS best practices Wed Aug 22, 2018 8:19 pm So I just got a new job and for the most part everything is going smooth and nothing I haven't seen before except for WSUS. Obvious question however is: what happens if the computer is off at 3am? I'm designing a WSUS solution for my company.
It doesn’t matter which OU the WSUS-WED-5AM group resides in, does it!? Exactly what I was needing. Excellent article. I’d like them to be notified of internal WSUS updates, be able to install them at leisure up to a deadline, but not be able to access the Windows Update site directly. The reason why I still normally recommend that people use WSUS over SCCM is that the product overall is much easier to use, and it’s just human nature for people to want to use the easier tool where possible…. This is a PSA for all Group Policy administrators about MS16-072 that was released yesterday. Thanks. Same as the “Workstation WSUS Test” policy, this policy will have Authenticated Users removed and only be security filtered using a group called “WSUS Workstations No Reboot”. Here is an example for Windows 7 and Windows Server 2008 R2 of what it takes to have an almost fully patched system. Terminal Servers (a.k.a. ... if it doesn't, drop the port 8530; it might have been set up on port 80. After that create a test OU and update the WSUS address in the GPO for that OU, then drop some test machines in it. I am not sure of the exact reason why 3am has been selected by Microsoft but I am sure they have their reasons… Reference TechNet: Best Practices with Windows Server Update Services: one of your main goals is to have any planned downtime occur when there is little chance for lost productivity. If you then create the “Workstations Test” group at the top level you would need to 1. approve all patches twice to both top-level groups and 2. risk approving a patch to the one group and not the other, thus making your test computers not an accurate representation of your non-test computers. Optional: As an added level of protection, you can use HTTPS encryption of all traffic to the WSUS server. Here you can see an example of how the Group Policy Object would also be applied to support the OU structure and WSUS target group structure above….