
Windows Update Service

Table of Contents

Windows Server Update Service...... 2

Microsoft’s Recommended Update Management Process ...... 3

Microsoft Update ...... 6

Enterprise Updates ...... 7

Windows Server Update Service...... 8

WSUS Topologies ...... 9

Single Server ...... 10

Synchronized Servers ...... 11

Disconnected Servers ...... 12

Server Side Update Process ...... 14

Client Side Update Process ...... 15

Automatic Updates ...... 16

Automatic Update ...... 21

Other Automatic Update Settings ...... 23

Notices ...... 24

Page 1 of 24 Windows Server Update Service



**035 Mark Williams: So continuing on with Windows Update.


Microsoft’s Recommended Update Management Process

Process diagram (four phases):

• Assess: Computers, Servers, Clients, Operating systems, Bandwidth, Storage, Other factors
• Identify: New updates available, Applicability of updates
• Evaluate & Plan: Approve & schedule updates, Test the updates, Learn how to deploy updates
• Deploy: Roll out updates, Review


**036 As a refresher from earlier on in this module. We talked about the Update process; we have to have some management or update process. That begins with an assessment. The assessment is figuring out what is it that we have; what computers, hardware, software, applications and so on we have. Where is it located? That's that inventorying process we mentioned.

Then the second thing is we have to identify what are the new patches; what are the new updates that we need or that we might need within our organization? Right? What's available to us?

Third step was to now evaluate. Here's an update that has been released. Do I need it in my organization? If I do, what impact is it going to bring to the table? And keep in mind, it could be a good impact; it could also be a bad impact.

If we decide that it's desirable for us to use this update, then we figure out a plan. We figure out the rollout process. Keeping this in mind-- it's not stated-- but you do need to be aware that your plan for rolling out the patch should also include a plan for rolling back the patch. So if I do the roll out and I screw it up, then I have a plan already thought of in place in order to undo it.

Even if you have a vendor, a third party who's going to help you with your patch roll out-- sometimes we have vendors, their engineers are going to come on site and help us with those updates-- make sure that still they have the documentation. How are they going to do the roll outs and how are they going to roll back if they make a mistake?

I heard a vendor one time say: "I've done 100 of these updates on systems just like yours. No problems at all. We don't need a rollback plan." Yes you do.

And if you let them convince you you don't need a rollback plan, here's exactly what's going to happen. There's going to be an error. That vendor is going to say: "Hum, I wonder what's different about your organization, from those other hundred that I did." All right? Meanwhile you are having problems. So make sure you have that rollback plan.

So then after you have the plan created, then you deploy. Sometimes we do a deployment in a what I call a forklift approach: Everything gets updated in one shot. Sometimes I do it in a phased approach: Pieces at a time.

Which is the best methodology? Well that's situationally dependent upon your organization and the impact of the patch.

Sometimes if I do an update, and I do it in a phased or a modular approach, as I do the update-- so I update these first 100 machines; now they're fixed but for whatever reason that update stops them from communicating with the other machines on the network. And then I do the next 200; now the next 200 can talk to the first group but now they can't talk.

And so it might have an adverse impact. I will learn what the impact is of both the update itself and the update methodology we use during that testing. Right? So under the evaluating and planning we're going to do a test to see what's the best way to get this job done.


Microsoft Update

Update.Microsoft.com

• Web site run by Microsoft
• Non-stop updating for all Microsoft operating systems and applications
• If Automatic Updates is enabled on the computer, this is where it goes to find and download the latest.

Good for personal use and small office, home office. Not great for enterprise use.


**037 Right?

Now we already mentioned about Microsoft.com. This is a great site for you and I to use to update our personal computers. But when you have more than say 100 or more than say 200-- whatever your threshold is-- computers in your organization, you probably don't want to have 5000 requests from individual machines going out to Update.com and 5000 machines independently of one another downloading the latest and greatest updates; keeping in mind that some of those updates--

The way Automatic Update works is if it's out there, I'm going to apply it to my machine. Right? There might be updates out there that have no bearing and no benefit to you. So do I really want thousands of my machines going out and getting all the updates, whether they apply or not?

So it's not really great for an enterprise use.


Enterprise Updates

Large organizations (and even many SMB’s) do not want computers to go directly to Windows Update site. Windows Server Update Service allows administrators better control over which updates to deploy and when and how to deploy those updates.


**038 Enterprises will use a server, one server that is going to go out and get the updates from Microsoft; and then that server, which is running the Windows Server Update Service is going to then be used to push patches out to all the other machines in our network, on an as-needed per our organizational policy basis.


Windows Server Update Service

• Included with Windows Server 2012
• Central point to collect patches and distribute to corporate systems
• Individual systems do not need to connect to Windows Update directly


**039 Right?

So WSUS is included in Server 2012. It's not- that's not the first place that it came into existence. I think-- well it's been around for a very long time. 2003 might've been when SUS came into existence. I can't even remember anymore but it's been awhile. And even before that they had another tool that we could use.

So I can collect all the patches, all the updates on Server 2012 in my organization, and then use it to push to the individual machines when they are available.


WSUS Topologies

• Single server
• Synchronized servers
• Disconnected servers


**040 Now there's a couple of topologies that we can deploy Windows SUS in.


Single Server

Diagram: Update.microsoft.com → one WSUS server → clients


**041 One of those topologies is basically a single-server topology: One WSUS server that is going to download the patches from Microsoft and then push them out to all of the machines on the network.

Not bad in a small organization. Not bad in an organization with only one location. But maybe it's not the greatest for large organizations, or for organizations that span multiple locations.


Synchronized Servers

Diagram: Update.microsoft.com → WSUS ↔ WSUS (two servers synchronizing with each other)


**042 And so we can use the idea of synchronized servers.

I have a department in New York, I have a department in-- where are we?-- Pittsburgh. So I have a department in New York and I have a department in Pittsburgh. We can have each one of them running their own WSUS server; and they would synchronize to each other and then push out patches to their own subdomain, or domain if you will. Right?


Disconnected Servers

Diagram: Update.microsoft.com → WSUS (connected network) → WSUS (disconnected network), with no network link between the two WSUS servers


**043 The third option that we have is disconnected servers. This is the approach that we basically would use when we had different levels of classified networks.

So on the left-hand side of the diagram we have the Unclassified network that's connected to the , where we can download the updates. But then I had to have some way of getting those updates on to the Classified side of the house; and in this case we're using a CD. We copy all the updates to the CD; transfer it over in that regard. Right?

You have to understand-- I used the example of Classified and Unclassified. In that case we had rules about what direction data could flow. Data could flow from the Unclassified to the Secret network; but it could not go the other way around. So a CD, once it was in this machine, we had rules that we could not take it back into the other one. Which is why we used CDs because they were cheap and they were disposable. Actually we started off using tapes; but we made sure that they did not go in the reverse direction.

So three different topologies: A single server; synchronized servers; or what's referred to as disconnected servers. You'll choose whatever topology makes sense in your organization.


Server Side Update Process


**044 All right?

So on the server side. The server goes out to update.microsoft.com; downloads the patches. We then test those updates, as is necessary for the organization; and then we figure out how we're going to roll those patches out to the machines. So we create our package for deployment. All right?


Client Side Update Process


**045 Then on the client side. We tell our clients the Automatic Update utility: Don't go out to update.microsoft.com but go out to our WSUS- Windows SUS server, check for updates there; and if there are updates, schedule the installation of those updates, download them from WSUS, restart as is necessary, and then-- well it depends on what type of update. Restart it if it's necessary; and if it's not necessary-- sometimes we want to schedule the update for a later- the install for a later date. So on the client side.

The big difference is I'm not going out to Microsoft to get the updates here; I'm going out to my local machine to get the updates. Right?


Automatic Updates

Review already installed updates.

Windows 8


**046 So. What updates do I have on my machine?

This might be a good thing to do. Let's see here. Give me a second. I will bring it up.

So I have the Microsoft Security Bulletin that we talked about earlier. Right? It says that it causes a Stop Error after installing Update 2823324.

Well I might want to know do I have that on my machine? So how would I go about doing it? Well what I could do is go to the , bring up our ; and from the Control Panel I can go to Programs. Let's see if it's under Programs. And up here at the top I have Programs and Features; and under Programs and Features I have this link that says: View installed updates.

So this could take a little while. Notice that some of the updates are from third parties: Adobe; I have an update from Adobe.

By the way, can you see that okay? I'm not sure if I can increase the size. Oh I can do that. That makes it a little bit better.

I have Microsoft.NET updates of various types. Update.

And oh by the way, what did we say that number was? 2823324. Oh-oh. 2823324. So I have that one that-- pardon me; I think I'm done-- I have that update.

So I should probably go out and follow their instructions for removing this particular update and getting the new update installed on my machine that's going to fix this particular problem. Does that make sense?

I do think it's interesting to note, as we look through here, it tells me what type of updates we have. So that one is a security update. This one down where the cursor is, it just simply says Update from Microsoft Windows.

Well what do you think the difference is between a security update and an update from Microsoft Windows? Probably the result. This one, Update from Microsoft Windows, it might fix the title bar doesn't look pretty enough; or it might have a line width that's four points and it's supposed to be five points. Who knows what it is. It could be something very simple; not security related; not a vulnerability. And that's the key thing.

Notice I have an update for Windows Virtual PC that is on my machine.

Now if there's an update out there from Microsoft for Windows Virtual PC, but I don't have Virtual PC installed, should I have this update? Probably not.

I wonder if there's other updates. Wow, that's a big list of updates isn't it?

Notice a couple of them are hotfixes. What did we say hotfixes were? That's the emergency; that's the really bad stuff that has to be fixed extremely quickly.

Huh. I'm just noticing something that is interesting to me, which after the class I'll have to do a little bit of research on. This one down here towards the bottom, it does not look like the rest of them. It says it's Knowledge Base 958488; but it doesn't have- does not have a name; and the KB is not in parens-- that's interesting to me. And it also does not have a publisher over here on the right-hand side-- Microsoft Corporation.

So I'm not sure what that is; but it is something that is of concern. Yes?

Student: That's a long list. Could you search for that KB?

Mark Williams: Could I search for it?

Student: Would it work?

Mark Williams: Yes. See up in the top right I have the Search. So what was the number? 2823324. Right? Let's see if that worked for me. And so--

Student: What about KB?

Mark Williams: Oh that was it. It came up right away. That's kind of- it kind of surprised me that it did not come up with just the number.

Student: It's a solid string. Maybe if you wildcarded it. I don't know.

Mark Williams: Yes, who knows. But yes absolutely, searching is possible. And all I did to get that window up was a Control-F; because if it's not there-- right? If I'm highlighted down here or something. It's up there but I'm not in the window. So Control-F gets me right into the window, into the Search window.

All right. So just out of curiosity, that one that I found at the bottom that does not look like it's published from Microsoft-- anyone know what it is? It's a little-- would it concern you if you saw it?

Student: I'd be curious.

Mark Williams: I'm curious.

Student: Yes.

Mark Williams: And that's exactly it.

All right.

By the way, how do we find the installed updates on a machine? Same way; getting to the Control Panel might be a little bit differently- different but the Control Panel looks pretty much the same. And as a matter of fact, this is a capture off a Windows 8 machine.

Maybe a little bit later on today or tomorrow I'll bring up a Windows 8 virtual machine and we can kind of tinker around in there and see what some of the differences are; just play with the look and feel of it.
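A scripted version of the check the instructor walks through above (is KB 2823324 on this machine, and which entries look odd), as an added example that is not part of the course material: it uses the built-in Get-HotFix cmdlet, whose Description field carries the same "Security Update" / "Update" / "Hotfix" type shown in the Control Panel list, and it flags entries whose description is blank, like the unnamed KB 958488 item noticed in the lecture. The list of KB IDs is a constructed sample.

```powershell
# Added example (not from the course): audit installed updates for specific KB IDs
# and flag entries with a blank Description, using the built-in Get-HotFix cmdlet.
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-UpdateAudit {
    param(
        # KB IDs of interest. KB2823324 is the bulletin discussed in the lecture;
        # KB958488 is the unnamed entry the instructor noticed. Constructed sample list.
        [string[]]$KbIds = @('KB2823324', 'KB958488'),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # One query for the whole list; -ErrorAction Stop so a failed query is not
    # silently reported as "nothing installed".
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop

    foreach ($kb in $KbIds) {
        $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
        [pscustomobject]@{
            Computer    = $ComputerName
            KB          = $kb
            Installed   = [bool]$hit
            Description = if ($hit) { $hit.Description } else { $null }
            InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
            # A blank Description (the "no name" case in the lecture) deserves a follow-up.
            NeedsReview = [bool]$hit -and [string]::IsNullOrWhiteSpace($hit.Description)
        }
    }
}

# Usage: show which of the KBs of interest are present and which look odd.
Get-UpdateAudit | Format-Table -AutoSize

# Broader view: every installed update with an empty Description, for manual review.
Get-HotFix | Where-Object { [string]::IsNullOrWhiteSpace($_.Description) } |
    Select-Object HotFixID, InstalledOn, InstalledBy
```

Get-HotFix reads the same installed-updates data the Control Panel view shows, so a KB that appears here with NeedsReview set to True is the one to go investigate, exactly as the instructor does by hand.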


Automatic Update Settings

Choose the recommended “Install updates automatically.”


**047 All right? All right.

We can also choose how we want our install- our updates to be checked and installed.

In this case-- especially for standalone machines and small office, home office type machines, it is recommended you do automatic updates.

Be aware that automatic updates- you know, you might wake up one morning and you find out oh your machine rebooted; and oh-oh now it doesn't work anymore. Because if we set up automatic updates, it's going to go out there periodically, check and do the download, do the install, reboot if necessary; and if there is a problem you might have an issue. Right?

So an alternative would be download the updates-- go out and check-- download the updates and let me take a look at them and decide do I want to install them or not. Right?

And then we have-- and this is progressively going away from the recommended-- check-- I'm sorry, never check for updates will be the worst case scenario, never check at all. Right?
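The two client-side decisions covered above, where the client looks for updates (the WSUS server from the client-side process slide, or update.microsoft.com) and which Automatic Updates mode is in force (install automatically, download and let me choose, never check), are both recorded in the Windows Update policy registry keys. The audit script below is an added example, not part of the course: it reads the documented WindowsUpdate policy values (WUServer, UseWUServer, AUOptions, NoAutoUpdate) and reports what a client is configured to do, so an administrator can confirm machines are pointed at WSUS and not left on "never check".

```powershell
# Added example (not from the course): report the Windows Update / Automatic Updates
# policy configuration of this client from the documented registry policy keys.
# If no policy is set, the local Control Panel choice applies instead.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

# Documented AUOptions values; NoAutoUpdate=1 is the "never check for updates" case.
$AuModes = @{
    2 = 'Notify before download (check, but let me choose)'
    3 = 'Download updates but let me choose whether to install'
    4 = 'Install updates automatically (recommended)'
    5 = 'Allow local admin to choose setting'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. not set by policy.
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

function Get-AutoUpdateConfig {
    $wuServer    = Get-RegValue $WuPolicy 'WUServer'
    $useWuServer = Get-RegValue $AuPolicy 'UseWUServer'
    $noAuto      = Get-RegValue $AuPolicy 'NoAutoUpdate'
    $auOptions   = Get-RegValue $AuPolicy 'AUOptions'

    $mode = if ($noAuto -eq 1) { 'Never check for updates (worst case)' }
            elseif ($auOptions -and $AuModes.ContainsKey([int]$auOptions)) { $AuModes[[int]$auOptions] }
            else { 'Not set by policy (local Control Panel setting applies)' }

    $usesWsus = [bool]($useWuServer -eq 1 -and $wuServer)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UpdateSource   = if ($usesWsus) { $wuServer } else { 'Microsoft Update (update.microsoft.com)' }
        AutoUpdateMode = $mode
        # Enterprise expectation from the lecture: clients get updates from WSUS,
        # not directly from the public update site.
        UsesWsus       = $usesWsus
    }
}

Get-AutoUpdateConfig | Format-List
```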


Other Automatic Update Settings

Screenshots: Windows 8 and Windows 7 Automatic Update settings side by side. Windows 8 has fewer options than Windows 7.


**048 Here is just a comparison of the Windows 7 versus the Windows 8 selections.

I know it's very hard-- actually it's a lot easier for you guys to see it up here than it is for me to see it back there.

But the one thing that I think is interesting is Windows 7 has a lot more options for us to choose. Windows 8, they took away some of those options. I haven't really compared to see what they took away or why they took them away. It's probably a situation of oh they know a little bit better than we do; and so we're not even going to give you that option, we're just going to make it a requirement.

Or it could be those are some of the- these might be some of the options that have caused stumbling blocks and so they've changed it ever so slightly. All right?


Notices

© 2014 Carnegie Mellon University This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected]. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT ® is a registered mark owned by Carnegie Mellon University.

