

WSUS:



Lead: Wayne Hyde

Description:

  • Our PatchLink license has run out and the agent has been disabled on all machines. We are replacing this product with WSUS.

Details:

WSUS has been enabled for all OUs in IFAS, with the exception of IMOK, which already has its own implementation. It is configured with the same settings we had in SUS:

  • hourly update checks
  • immediate installation of updates not requiring a reboot
  • 1:00am installation of updates that require a reboot, with a forced reboot
  • offline machines will install updates immediately after starting up

All Microsoft products are included, and all patches are downloaded for the English versions.

Concerning Remote Sites: All sites currently point to the on-campus WSUS server. As WSUS is rolled out to the Multi-Purpose Servers, we will be redirecting updates to the local servers.

Note on Windows 2000 machines: There are some issues with the WSUS client on Windows 2000 machines that may be resolved via the login script. Worst case, they will have the same patching functionality they had prior to the change.

Example Walk-through of how this works:

Due to a problem that will be fixed in SP1, there are three ways patch deployment can play out after the usual Patch Tuesday:

  1. The client downloads the patches from WSUS before the 1:00am install time on Wednesday morning. The patches are installed at about 1:00am, and the computer may then reboot.
  2. The client downloads the patches from WSUS on patch day, but the user shuts down at the end of the day. When the user turns the computer on the next morning, the patches are installed 1 minute after system startup. A reboot may be needed, and Windows will probably bug the user every 15 minutes with the annoying dialog popup that won't go away until a reboot.
  3. The client checks WSUS for updates before WSUS has the new patches. The client won't check again for about 18 hours, so the patches may not be downloaded until the next day. In this case, the client patches and reboots at 1:00am the day after installing the patches (for example, download and install on Wednesday afternoon, then install/reboot at 1:00am Thursday morning).

Suggested management methods:

The install settings can be changed by OU admins by editing their IF-OU Computer GPO and configuring the settings you desire.

However, there is a valid concern that someone will see something not working and make a change that causes problems, specifically for the servers, which have a different patching schedule. Dwight has a very specific method for patching the Building 120 servers during the maintenance windows. Consequently, it is always best to run proposed changes by IT/SA security staff before implementing them.

To make up for the lack of WSUS reporting features, IT/SA will be checking for machines that are not reporting in or not accepting patches. The current WSUS service does not have a view-only mode, so we will be building an interface using SQL reporting to allow unit admins to report on their machines. Based on feedback, this will be a fairly high priority.
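The schedule listed under Details and the concern above about OU admins changing GPO settings both come down to a handful of Windows Update policy registry values on each client. The following PowerShell script is an added example, not part of the IFAS documentation or any IT/SA tool: it reads those standard WSUS policy keys and reports any value that drifts from the documented schedule. The numeric baseline is our own mapping of the settings above onto the policy values, and the WSUS server URL is a placeholder to be replaced with the campus server address.

```powershell
# Added example: compare a client's WSUS policy registry values against the
# documented IFAS schedule (hourly checks, 1:00am install, forced reboot,
# install 1 minute after a missed schedule). Key paths and value names are the
# standard Windows Update policy locations; the baseline numbers are an
# assumed mapping of the page's settings, and the server URL is a placeholder.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Expected Automatic Updates values for the documented schedule (assumed mapping).
$baseline = @{
    'UseWUServer'                   = 1   # take updates from our WSUS server, not Microsoft
    'AUOptions'                     = 4   # auto download and schedule the install
    'ScheduledInstallDay'           = 0   # every day
    'ScheduledInstallTime'          = 1   # 1:00am
    'DetectionFrequencyEnabled'     = 1
    'DetectionFrequency'            = 1   # check for updates every hour
    'NoAutoRebootWithLoggedOnUsers' = 0   # 0 = forced reboot even with a user logged on
    'RescheduleWaitTimeEnabled'     = 1
    'RescheduleWaitTime'            = 1   # minutes after startup to run a missed install
}

function Test-WsusClientPolicy {
    param(
        # Placeholder: replace with the on-campus (or local Multi-Purpose Server) WSUS URL.
        [string]$ExpectedServer = 'http://wsus-server.placeholder.invalid'
    )
    $findings = @()
    if (-not (Test-Path $auKey)) {
        return @("No WSUS Automatic Updates policy present at $auKey")
    }
    $au = Get-ItemProperty -Path $auKey
    foreach ($name in $baseline.Keys) {
        $actual = $au.$name
        if ($null -eq $actual) {
            $findings += "$name is not set (expected $($baseline[$name]))"
        } elseif ($actual -ne $baseline[$name]) {
            $findings += "$name is $actual (expected $($baseline[$name]))"
        }
    }
    # Both the update source and the status-reporting target must point at our server.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    foreach ($srvName in 'WUServer', 'WUStatusServer') {
        if ($wu.$srvName -ne $ExpectedServer) {
            $findings += "$srvName is '$($wu.$srvName)' (expected '$ExpectedServer')"
        }
    }
    return $findings
}

$drift = Test-WsusClientPolicy
if ($drift.Count -eq 0) { 'WSUS client policy matches the documented schedule' }
else { $drift | ForEach-Object { "DRIFT: $_" } }
```

Servers on Dwight's maintenance-window schedule will legitimately differ from this baseline, so run it against workstation OUs or pass a server-specific baseline rather than treating every finding as a misconfiguration.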


last edited 13 March 2006 by Steve Lasley