Nathan Mercer Microsoft NZ blogs.technet.com/nmercer microsoft.com SVR317.

Presentation transcript:

Overview of new WSUS3 features Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment for Config Manager 2007 Managing/operating a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server

Provide a simple, low cost, solution for distributing Microsoft Updates within a corporation A “free” RTW add-on for Windows Server; covered by the Windows server CAL Solution only distributes Microsoft Updates Distributing 3rd party patches requires purchasing advanced management tools such as SCE (for MORGs) and Configuration Manager 2007 (for LORGs) Provide a foundation infrastructure for Update Management across Microsoft products: SCE, Configuration Manager 2007, MBSA, WU, SBS, Forefront, … Consistent scan results Upgrade path to advanced management products; SCE or Configuration Manager 2007

An integrated management solution for mid market Less than 500 computers or 30 servers, no scale out Upgrade from WSUS 2.0 or 3.0 Access to all content in WSUS Key Features Update Management Basic: Microsoft Updates via WSUS Advanced: 3rd party updates, push-install Applications Deployment (E.g. LOB Applications) Inventory Operations Monitoring

A complete enterprise management solution (aka SMS) Key features for Software Update Management Basic: WSUS 3.0 integration; upgrade from WSUS 2.0 or 3.0 Advanced: Built on Desired Configuration Management infrastructure, 3rd party updates, push-install, maintenance windows, delegated admin, wake-on-LAN, NAP Integration Other Configuration Manager Features OS Deployment Desired Configuration Management Application Deployment (E.g. LOB Applications) Inventory, Metering, Discovery Asset Management and many more…

Microsoft Update Many small businesses point their Windows machines directly to Microsoft Updates Microsoft Update catalog site “alpha” Can import updates “ala carte” into our management tools SBS SBS 2003 R2 has WSUS integrated with an additional, simplified UI SBS “Cougar” will have SCE integrated MBSA Analyse security compliance on a Windows machine Uses the Windows Update (WSUS) agent to determine update compliance

WSUS2 ranked as #1 Patch Management Product by readers of Windows IT Pro Magazine Used by approximately 70% MORG/LORG Over 350,000 distinct WSUS servers synched with Microsoft Update last month WSUS3 released April Huge improvements in performance, deployment options, reporting and UI. Easy in-place upgrade from WSUS2

Initial configuration wizard MMC-based UI, with advanced filtering and sorting notification of new updates (and/or compliance summary) Multiple, more granular, auto-approval rules Integrated reporting rollup Cleanup wizard Simplicity Access to more content – import from the MU catalog site MOM pack Improved logging and audit logging NLB and SQL clustering Best practices Operational Reliability Branch office /scale-out optimisations language subsetting content from MU sync more frequently (up to hourly) toggle replica mode Integrated reporting rollup Read-only administrative role (WSUS reporters) Enhanced targeting Upgrade to SCE or Configuration Manager 2007 Deployment Performance Native x64 support Vista BITS peer-caching Scalability improvements

Installing the WSUS Server requires: Windows 2003 SP1+ (full support), Windows Server 2008 beta3+ (beta support); SQL Server 2005 SP1+ (only if using full SQL); Internet Information Services 6.0; .NET Framework 2.0; MMC 3.0; Report Viewer. The server can manage: Windows 2000 SP4, Windows XP SP1, Vista, Windows Server 2003, Windows Server 2008 beta3; x86 and x64 support parity; all supported Windows locales.

We’ll next discuss common network architectures Single server Remote SQL BITS Peer Caching NLB WSUS Hierarchies Branch Office Disconnected networks (DMZ) Roaming laptops

A single server can support up to 25k clients Console-only install for remote administration (e.g., from XP or Vista clients) Read-only WSUS access to non-admin members of the “WSUS Reporters” group Point machines to the server via Group Policy No need to deploy clients; the built-in WUA will “self-update” from the server on next sync Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops), and reboot behaviour (can’t postpone reboots indefinitely because it’s not safe/supported) Enable BITS peer-caching policy for efficient network use. Internal MSFT deployment had 70% cache-hit rate.

SQL 2005 SP1 WSUS3 has a unified front-end/back-end setup No performance gain over built-in/default “Windows Internal Database” option Each WSUS client requires a SQL CAL Recommendation: Use only if available/convenient NLB Provides redundancy/no single-point of failure – not scale up. Multiple front-ends all point to the same SQL backend and shared content folder Recommendation: Use only if required since it’s easy to just rebuild a failed WSUS server

Used for scale-out or branch office support Autonomous servers get update binaries and metadata from parent “upstream” server (USS) Replica children also get approvals from USS New WSUS3 features for hierarchies Reporting roll-up across replicas More granular sync schedule; up to hourly Toggle replica mode DSS can sync a subset of USS language binaries DSS can get approvals from USS and binaries from MU; useful if DSS has broadband internet connection but only narrowband to USS

Same support as for WSUS2 Need one server to sync updates from MU Transfer updates to disconnected server: Make sure language and binary file settings match Export/import content folder via ntbackup Export/import metadata via WsusUtil.exe (shipped with WSUS); export, import, reset Export/import approvals and target groups via WsusMigrate SDK sample

Deploy internet-facing WSUS server Configure server to host content on MU SSL strongly recommended Further hardening via ISA proxy or remote SQL backend Roaming laptops configured to point to this server Can be replica of intranet facing WSUS server WSUS3 supports distinct content hosting settings Can configure laptops to get updates from the best available server: Client policy points to server alias Alias resolved to appropriate server name depending on location using DNS netmask ordering

On web farms or critical servers, patch installation may need to be orchestrated with other processes Configure WUA on server for download only (no scheduled install) Use WUA API to install applicable updates at the appropriate time Start with “Search, Download, Install” VB script on MSDN
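The download-only pattern above, sketched in PowerShell against the WUA COM API as an added example (it is not from the original slides and is not the MSDN VB script). The function name and the `-PreInstall` / `-PostInstall` hooks are hypothetical; they stand in for whatever orchestration the server needs, such as draining a web-farm node.

```powershell
# Added example: install pending updates at a time the operator chooses.
# Assumes WUA policy on this server is "download only" and points at WSUS.
function Install-PendingUpdate {
    [CmdletBinding()]
    param(
        [string]$Criteria = "IsInstalled=0 and Type='Software' and IsHidden=0",
        [scriptblock]$PreInstall  = { },   # hypothetical hook: e.g. drain node
        [scriptblock]$PostInstall = { }    # hypothetical hook: receives $RebootRequired
    )

    $session = New-Object -ComObject Microsoft.Update.Session
    # The searcher queries the server that policy assigns to WUA, so only
    # updates approved for this machine's target group are returned.
    $found = $session.CreateUpdateSearcher().Search($Criteria)

    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found.Updates) {
        # Unattended run: skip anything that would block on a prompt or EULA.
        if ($u.InstallationBehavior.CanRequestUserInput) { continue }
        if (-not $u.EulaAccepted) { continue }
        [void]$batch.Add($u)
    }

    # Fetch whatever the scheduled download has not cached yet.
    if ($batch.Count -gt 0) {
        $downloader = $session.CreateUpdateDownloader()
        $downloader.Updates = $batch
        [void]$downloader.Download()
    }

    # Only hand fully downloaded updates to the installer.
    $ready = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $batch) { if ($u.IsDownloaded) { [void]$ready.Add($u) } }
    if ($ready.Count -eq 0) {
        return New-Object PSObject -Property @{
            ResultCode = $null; RebootRequired = $false; Updates = @()
        }
    }

    $reboot = $false
    & $PreInstall
    try {
        $installer = $session.CreateUpdateInstaller()
        $installer.Updates = $ready
        $result = $installer.Install()
        $reboot = $result.RebootRequired
    } finally {
        # The hook decides whether to put the node back before a reboot.
        & $PostInstall $reboot
    }

    # Per-update outcome: 2 = Succeeded, 3 = SucceededWithErrors,
    # 4 = Failed, 5 = Aborted (OperationResultCode).
    $perUpdate = for ($i = 0; $i -lt $ready.Count; $i++) {
        New-Object PSObject -Property @{
            Title      = $ready.Item($i).Title
            ResultCode = $result.GetUpdateResult($i).ResultCode
        }
    }
    New-Object PSObject -Property @{
        ResultCode = $result.ResultCode; RebootRequired = $reboot; Updates = $perUpdate
    }
}
```

Run it elevated inside the maintenance window and log the returned object; a `RebootRequired` of `$true` means the update is not fully applied until the server restarts.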

From SUS1 Not directly supported Upgrading a single server In-place upgrade: WSUS2->WSUS3 on a single server Migration upgrade: WSUS2->WSUS3 on different servers Upgrading a server hierarchy Connected servers Disconnected servers

Setup supports in-place upgrade Preserves updates, settings, and approvals No need to deploy agents; clients automatically update to new versions when they contact the server WsusMigrate SDK sample migrates target groups and approvals from one server to another Can also be used for sync’ing disconnected servers. Server hierarchy is upgraded from top-down WSUS 2.0 Servers can synchronise updates from a 3.0 Server Setup supports unattended installs

Simply install WSUS3 on same server as WSUS2 In-place upgrade preserves settings, updates, and approvals Customised IIS settings must be re-applied after the upgrade (port, SSL, host headers). Clients “self-update” next time they sync Watch out: Uninstalling WSUS3 will not bring back WSUS2 If using SQL 2000, setup will fail; use migration upgrade If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade Because WSUS3 has unified frontend/backend setup.

Install WSUS3 on a new server Migrate updates and approvals: Export/import content folder via ntbackup Sync the WSUS3 server to get the latest metadata Export/import approvals and target groups via WsusMigrate SDK sample Point clients to the new server Change GPO to point clients to the new server/port Clients will “self-update” next time they sync

Upgrade must be performed top-down WSUS 2.0 Servers can synchronize updates from a 3.0 Server (but not vice versa) Watch-out: DSS must be WSUS2 SP1 or have KB installed (else replica sync may fail after USS upgrade) Post-upgrade, take advantage of new WSUS3 deployment options Reporting rollup (on by default) DSS can sync a subset of language DSS sync from MU but host locally (for narrowband connections to USS) Can synch more frequently

Software Update Management (SUM) built on WSUS 3 Full Microsoft update catalog Can also manage non-Microsoft software updates Included as Managed Server role in site hierarchy Full benefits of site management, Binary Delta Replication etc. No need to configure/manage WSUS directly

Windows Updates Agent needs updating to version required by WSUS 3.0* * Client Deployment does this, except for Vista clients in Beta 2, WUA self-update via Automatic Updates is required Site Server Role Wizard used to configure WSUS as Software Update Point WSUS 3.0 admin console required for all remote Site Servers WSUS 3.0 server installation is prerequisite for all Software Update Points

SUP = WSUS + Installed Configuration Manager component Can use existing WSUS servers Uppermost SUP will sync with Microsoft Update Software Update Point (SUP) Role SUP co-located with Site Server on same machine SUP on remote machine from Site Server Advanced: Internet-facing, native mode Supported configurations WSUS can be configured across NLB NLB supports failover up to 100,000 clients SQL clusters are supported Each WSUS server supports 25,000 clients Regional roaming only (secondary site) - no global roaming between sites Offset scan times to avoid clients hitting WSUS at the same time Clients will always use assigned site SUP

Server Default is to auto-approve all updates for detection Recommendation Configure auto-approvals for Critical, security and definition updates Configure desktops to be scheduled installation every day (with “immediate installation” enabled) Configure servers for download and notify Use sample scripts to control server install behaviours

Ensuring Update Deployment by a specific time Use deadlines Deadlines override all other policy and client configuration settings Use with caution on servers! Ensuring Updates are applied Do not delay reboots, always reboot as soon as possible after applying an update that requires rebooting Use the client schedule options to schedule installing updates at the least impactful time, to avoid the need to delay reboots For servers and other reboot sensitive computers, use Option #3 Emergency update deployment Use a deadline set in the past Use scripts to start a detection cycle Deploying drivers or other updates Use “Import from …” Microsoft Update Catalog capability

WSUS servers require very little ongoing maintenance Three key areas: Client computers Dynamic environments will need to manage computers appearing and disappearing Update content Purging of superseded/expired/ declined content Database Backup Defragmentation of indexes

Why clean up clients? Computers enter and leave the environment due to repurposing or retirement Stale computers will slow reporting, increase DB size, and add unneeded “noise” Simplest approach is to use the Server Cleanup Wizard Will remove computers that have not contacted the server in 30 days API samples available for finer control Clean Stale Computers Populate computers from AD mspx
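For the "finer control" case above, an added PowerShell example using the WSUS administration API (it is not the SDK sample the slide refers to). The function names, the 45-day threshold and the `-Exclude` list are assumptions chosen for illustration.

```powershell
# Added example: list, then optionally delete, computers that have not
# synced recently. Run on the WSUS server, where the admin API is installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-StaleWsusComputer {
    param(
        [Parameter(Mandatory = $true)] $UpdateServer,
        [int]$Days = 30
    )
    # Compared in UTC, which is what the WSUS API returns.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    foreach ($c in $UpdateServer.GetComputerTargets()) {
        # A computer that registered but never synced reports the minimum
        # DateTime value, so it is listed as stale as well.
        if ($c.LastSyncTime -lt $cutoff) {
            New-Object PSObject -Property @{
                Name         = $c.FullDomainName
                LastSyncTime = $c.LastSyncTime
                Target       = $c
            }
        }
    }
}

function Remove-StaleWsusComputer {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] $UpdateServer,
        [int]$Days = 30,
        [string[]]$Exclude = @()   # names to keep, e.g. rarely connected laptops
    )
    foreach ($s in Get-StaleWsusComputer -UpdateServer $UpdateServer -Days $Days) {
        if ($Exclude -contains $s.Name) { continue }
        if ($PSCmdlet.ShouldProcess($s.Name, "Delete from WSUS (last sync $($s.LastSyncTime))")) {
            $s.Target.Delete()
            $s | Select-Object Name, LastSyncTime   # emit a record of what was removed
        }
    }
}

# Preview first: -WhatIf prints what would be removed without deleting anything.
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
Remove-StaleWsusComputer -UpdateServer $wsus -Days 45 -WhatIf
```

A deleted computer that is still alive re-registers on its next sync, so an over-eager threshold costs reporting history rather than patch coverage.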

Why? Unapproving or Declining updates does not delete update content Remove content for superseded updates that you no longer need Reduce disk space requirements From the UI, unapprove superseded updates that are not needed by any computers Run the Server Cleanup Wizard, which will delete: Metadata for expired updates that haven’t been approved for 90 days Old revisions of updates Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server Decline expired updates that are unneeded and have been unapproved for at least 30 days

Periodically defrag the DB. Have a disaster recovery plan. Many customers' plan is to reinstall. Alternative is to back up the server database: for the Windows Internal Database you will have to run a SQLCMD script to back up the database. Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express. Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb.*

Backup Windows Internal Database:

SQLCMD -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"

Index Defrag example: server/susvvb01.mspx?mfr=true

Run the Cleanup wizard: Periodically, especially after rolling out a new SP After 2.0 -> Upgrade Computers: Clean up from the bottom of your hierarchy to the top Updates: Always start at the top of the hierarchy and work down Content deletion does not replicate! Have a Disaster Recovery plan

WSUS 3 is a huge improvement over WSUS 2 Simple in-place upgrade from WSUS2 to WSUS3 Can later upgrade to System Center Essentials or Configuration Manager 2007

Technical Communities, Webcasts, Blogs, Chats & User Groups NewsGroup: Microsoft.Public.Windows.Server.Update_Services Microsoft Developer Network (MSDN) & TechNet Trial Software and Virtual Labs Starting point for all WSUS information Product overview Links to our great documentation, including: Step-by-step guide (for simple deployment) Deployment guide (many details on advanced deployments) Many other docs; ops guide, API, SDK, … Links to community pages

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.