What is WSUS
About your instructor
Expert IT Instructor
Paul is an IT Professional with over 14 years of experience currently working as a Network Administrator in contract support of various Federal Agencies in the United States.
He has been teaching online courses for the past 5 years and taught over 250k students in 195 countries.
What skills will I learn in this course?
- Learn Windows Server Update Services (WSUS) Administration from Basic to Advanced
- Learn to install and configure WSUS
- Set up a Windows Server 2016 Lab (including a Windows Domain)!
- Learn how to approve Windows Updates in WSUS
- Learn how to move your WSUS content to another drive or location
- Configure WSUS Clients not in your Active Directory Domain
- Quickly and easily configure WSUS Clients with Group Policy
- Build Upstream and Downstream WSUS Servers
- How to manage WSUS in offline/disconnected environments
- WSUS Troubleshooting
In this lecture, we are going to talk about Windows Server Update Services or WSUS.
In short, Windows Server Update Services or WSUS is a Server Role that allows administrators to control Windows Updates within their domain.
So, Microsoft will release patches on a monthly basis that address different vulnerabilities and bug fixes to the Microsoft operating system. You as an administrator can control whether or not your computers install certain updates, whether they are required or optional updates, etc.
It is really important that you install a WSUS Server within your domain and use it to control updates and keep your network safe.
Now there are a couple of different ways that WSUS can acquire updates.
First, you can download updates directly from Microsoft. Now, this is a viable option if your network has Internet connectivity.
Second, you can download updates from another WSUS Server which would be called an upstream server.
You can also import files directly to your WSUS Servers. If your server is disconnected from the Internet, you can download the files onto a CD Drive, transfer those files to your offline WSUS Servers, and then import them to your WSUS Server, which allows you to push them out to all your client machines.
The most important bullet point in this slide is that the WSUS Server Role should never be installed on a Domain Controller because you’ll have access issues with the database.
Here’s an example of Importing WSUS Updates.
On the left, you can see we have an isolated network. Obviously, certain networks contain sensitive information and it is better for them to not be connected to the Internet. But how do you install these updates and patch all these critical vulnerabilities? Well, a way you do that is you have another network that is connected to the Internet but doesn’t contain the same sensitive information. You get a WSUS Server stood up or configured and installed on that network that has Internet connectivity. You download the updates from Microsoft servers then you transfer those updates via a DVD or USB drive over to the isolated network and then that network can pass out those updates.
Now, an example of an Upstream/Downstream WSUS Server would be an isolated network, though it doesn't have to be: it applies to any scenario where we have a WSUS Server that is retrieving updates from another WSUS server.
So we can see the Downstream server, in this case on the left-hand side, is accepting, or polling, its updates from the upstream server.
Now, you might be asking how this works, how do we get it up and running?
First, you add the WSUS Server role to a server; remember, not a Domain Controller.
Then you configure the client computers with Group Policy. Now, you either wait for the clients to check in with WSUS or you force an early check-in. When you're getting this set up, I recommend that you force an early check-in just so you can see things are working the way they are supposed to.
Once you've done that, you organize your WSUS clients in Computer Groups. This is good for testing purposes. Now, I don't know which kind of networks you are going to be working on, but if you are working with developers, certain versions of .NET will make certain code not work, so it is a good idea to test your updates. Have a test group of, let's say, four workstations, deploy test updates to those workstations, see if anything breaks, and if it's all good, go ahead and deploy to the rest of your network.
Now, the monthly maintenance for this is to go through and approve updates for the specific computer groups. Patch Tuesday is a term you need to be familiar with: it is generally the second and occasionally the fourth Tuesday of each month, and this is when Microsoft releases all its updates for their vulnerabilities.
OK, that's an overview of WSUS or Windows Server Update Services.
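The setup steps above, sketched in PowerShell as an added example that is not part of the course material: it refuses to add the role on a Domain Controller, verifies on a client that the Group Policy settings landed before forcing a check-in, and approves updates for a test group only. The function names, the `Test Workstations` group, the `D:\WSUS` content path and the `http://wsus01:8530` server URL are assumptions.

```powershell
# Added example. Function names, 'Test Workstations' and D:\WSUS are assumptions.

function Install-WsusRoleSafely {
    # Run elevated on the intended WSUS server.
    param([string]$ContentDir = 'D:\WSUS')
    # DomainRole 4 and 5 mean backup / primary Domain Controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        throw 'This machine is a Domain Controller; install WSUS on a member server.'
    }
    Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
    # Post-install step that points WSUS at its content directory.
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"
}

function Test-WsusClientPolicy {
    # Run on a client: confirm the Group Policy settings landed, then force a check-in.
    param([Parameter(Mandatory)][string]$ExpectedServer)   # e.g. http://wsus01:8530
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    $ok = ($wu.WUServer -eq $ExpectedServer) -and ($au.UseWUServer -eq 1)
    if ($ok) {
        # Ask the Windows Update agent to contact its configured server now.
        (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    }
    [pscustomobject]@{
        WUServer      = $wu.WUServer
        UseWUServer   = $au.UseWUServer
        PolicyApplied = $ok
    }
}

function Approve-UpdatesForTestGroup {
    # Run on the WSUS server: approve needed security updates for the test group only.
    param([string]$GroupName = 'Test Workstations')
    $wsus = Get-WsusServer
    if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $GroupName)) {
        $null = $wsus.CreateComputerTargetGroup($GroupName)
    }
    Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName $GroupName
}
```

A `PolicyApplied` value of `False` on a client means it is not yet pointed at the expected WSUS server, so approvals made for its group will not reach it.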