Patch management using Microsoft Software Update Service 1.0 SP1
DESCRIPTION
Patch management using Microsoft Software Update Service 1.0 SP1. Chris Hughes, Systems Architect, Warrington College of Business, [email protected]. Overview. What is Software Update Services: local copy of Windows Update; allows testing of patches prior to deployment.
TRANSCRIPT
Patch management using Microsoft Software Update Service 1.0 SP1
Chris Hughes, Systems Architect
Warrington College of Business
[email protected]

Overview
What is Software Update Services
– Local copy of Windows Update
– Allows testing of patches prior to deployment
– Integrated with Automatic Updates feature of Windows 2000/XP

Server Requirements
Windows Server 2000 Server SP2 or Greater
Windows Server 2003
Pentium III 733 MHz
512 MB RAM
10 GB+ HDD

Client Requirements
Windows 2000 SP2 with Automatic Updates Patch Installed
Windows 2000 SP3 or Greater
Windows XP with Automatic Updates Patch Installed
Windows XP SP1
Windows Server 2003

Server Operations
Synchronization with Windows Update
– Scheduled Synchronization

Client Options
NoAutoRebootWithLoggedOnUsers
– Give option to reboot if a user is logged in.
NoAutoUpdate
– Enable or Disable Auto-Update Installation
AUOptions
– Notify User of patches available for download
– Notify User of patches available for install
– Automatic download and installation
ScheduledInstallDay
– The days on which the installation should occur
ScheduledInstallTime
– The hour at which the scheduled installs should launch
RescheduleWaitTime
– Time delay after reboot when machine is off during scheduled install time
UseWUServer
– Sets the machine to use Windows Update or a Local Software Update Server
WUServer
– Software Update Server URL
WUStatusServer
– Statistic Server for Software Update Services

Settings via the registry
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
– NoAutoRebootWithLoggedOnUsers
  Set this to 1 if you want the logged on users to choose whether or not to reboot their system
  Registry value type: REG_DWORD
– NoAutoUpdate
  0 = Automatic Updates is enabled (default)
  1 = Automatic Updates is disabled.
  Registry value type: REG_DWORD
– AUOptions
  2 = notify of download and installation
  3 = automatically download and notify of installation
  4 = automatic download and scheduled installation.
  All options notify the local administrator.
  Registry value type: REG_DWORD
– ScheduledInstallDay
  0 = Every day
  1 through 7 = the days of the week from Sunday (1) to Saturday (7).
  Registry value type: REG_DWORD
– ScheduledInstallTime
  The time of day in 24-hour format (0-23).
  Registry value type: REG_DWORD
– RescheduleWaitTime
  Time in minutes (1-60)
  Registry value type: REG_DWORD
– UseWUServer
  Set this to 1 to enable Automatic Updates to use the server running Software Update Services as specified in WUServer below.
  Registry value type: REG_DWORD
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
– WUServer
  Sets the SUS server by HTTP name (for example, http://IntranetSUS).
  Registry value type: REG_SZ
– WUStatusServer
  Sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
  Registry value type: REG_SZ
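
The value ranges and the UseWUServer/WUServer dependency from the registry slides, applied as a client audit. This is an added example, not part of the original presentation: the parser, the function names and the sample export are constructed, and it assumes the client's policy keys were exported to a .reg file (Registry Editor version 5.00 format).

```python
import re

# Constructed sample: a .reg export of one client's policy keys (not from the slides).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://IntranetSUS"
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000004
"ScheduledInstallTime"=dword:00000018
"UseWUServer"=dword:00000001
'''

WU = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate"
AU = WU + r"\au"
# DWORD ranges from the slides; a lower bound of 0 for the set-to-1 values is assumed.
RANGES = {"NoAutoRebootWithLoggedOnUsers": (0, 1), "NoAutoUpdate": (0, 1),
          "AUOptions": (2, 4), "ScheduledInstallDay": (0, 7), "UseWUServer": (0, 1),
          "ScheduledInstallTime": (0, 23), "RescheduleWaitTime": (1, 60)}

def parse_reg(text):
    """Return {lowercased key path: {value name: int (dword) or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16) if m.group(2) else m.group(3)
    return keys

def audit(text):
    """Return findings for a client's Automatic Updates policy values."""
    keys, out = parse_reg(text), []
    au, wu = keys.get(AU, {}), keys.get(WU, {})
    for name, (lo, hi) in RANGES.items():
        v = au.get(name)
        if v is not None and not (isinstance(v, int) and lo <= v <= hi):
            out.append(f"{name}={v!r} outside {lo}-{hi}")
    if au.get("NoAutoUpdate") == 1:
        out.append("NoAutoUpdate=1: Automatic Updates is disabled")
    if au.get("UseWUServer") == 1:
        for name in ("WUServer", "WUStatusServer"):
            if not str(wu.get(name, "")).lower().startswith("http"):
                out.append(f"UseWUServer=1 but {name} is missing or not an HTTP name")
    elif wu.get("WUServer"):
        out.append("WUServer is set but UseWUServer is not 1")
    return out
```

On the sample, audit(SAMPLE_REG) reports the out-of-range install hour (0x18 = 24) and the missing WUStatusServer value.
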

Settings via Group Policy

Limitations
Problems with administrators being able to cancel installations and reboots
Unable to push a patch out NOW!
Patches are pulled from the server by the client every 17-22 hours.
Machines with problems installing patches
Windows Service Packs and Critical Patches only
Limited reporting

SUS-Install.VBS
This is a script written by the SUS product team at Microsoft.
Resets a client’s settings and schedules an install time
Verifies that the Automatic Update Client downloaded patches and scheduled the install

Client Side Troubleshooting
Not enough disk space
– Patches fail to download and do not install
Machine has been rebooted previously during Windows Update
– Registry settings may be messed up
Administrators cancel installations
– Disable access to Windows Update via GPO or Registry. This forces the patch installation.

Server Side Reporting
Limited reporting is available in the product.
Logs are in the IIS log files for the SUS Server machine
http://www.susserver.com has some scripts to improve reporting

New Features for SUS 2.0
ETA 1H 2004 – Public Beta “soon”
Support for all Microsoft Products including Office, Exchange, and SQL.
Better reporting of patch status (Success, Failure with reason codes, Integration with Active Directory)
More options for dealing with patch installation with administrators logged in
Deployment of different patches to specific target machines.
Filtering using WMI
Managed machine database
SUS-Install.VBS built into server product

More Information
Websites
– Software Update Services Home Page http://go.microsoft.com/fwlink/?LinkId=6930
– http://www.SUSServer.Com
– http://bear.cba.ufl.edu/SUS
Newsgroups
– microsoft.public.softwareupdatesvcs
Email Addresses
– Feedback - [email protected]
– Product Manager - Jose Morris - [email protected]

Any Questions?