Implementing Update Management 20411B 12: Implementing Update Management Presentation: 40 minutes Lab: 60 minutes After completing this module, students will be able to: Describe the role of Windows Server® Update Services (WSUS). Deploy updates with WSUS. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 20411B_12.pptx. Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of Office PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. Module 12 Implementing Update Management

Deploying Updates with WSUS 20411B Module Overview 12: Implementing Update Management Deploying Updates with WSUS  

Lesson 1: Overview of WSUS 20411B Lesson 1: Overview of WSUS 12: Implementing Update Management Server Requirements for WSUS Briefly describe the lesson content.

Windows Server Update Services 20411B What Is WSUS? 12: Implementing Update Management Automatic updates Server running Windows Server Update Services LAN Internet Test clients Microsoft Update website This topic introduces students to WSUS. Make sure that students understand the capabilities and limitations of WSUS. WSUS obtains updates for Windows® operating systems and for other Microsoft application software such as Microsoft SQL Server®. However, WSUS cannot be used to provide updates for non-Microsoft software.

The WSUS Update Management Process 20411B The WSUS Update Management Process 12: Implementing Update Management Phase 1: Assess Set up a production environment that will support update management for routine and emergency scenarios Assess Explain the four phases that Microsoft recommends for the update management process: assess, identify, evaluate and plan, and deploy. Emphasize that it is essential to repeat the update management process on an ongoing basis, as new updates become available that can enhance and protect the production environment. Explain that each phase has different goals and methods for using WSUS features to ensure success during the update-management process. It is important to note that you can employ many of the features in more than one phase. Phase 4: Deploy Approve and schedule update installations Review the process after the deployment is complete Phase 4: Deploy Approve and schedule update installations Review the process after the deployment is complete Phase 2: Identify Discover new updates in a convenient manner Determine whether updates are relevant to the production environment Deploy Identify Update Management Evaluate and Plan Phase 3: Evaluate and Plan Test updates in an environment that resembles, but is separate from, the production environment Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases

Server Requirements for WSUS 20411B Server Requirements for WSUS 12: Implementing Update Management Software requirements: Internet Information Services 6.0 or newer Microsoft .NET Framework 2.0 or newer Microsoft Management Console 3.0 Microsoft Report Viewer Redistributable 2008 or newer SQL Server 2012, SQL Server 2008, SQL Server 2005 SP2, or Windows Internal Database Hardware requirements: 1.4 GHz or faster x64 processor 2 GB of RAM or greater 10 GB available disk space (40 GB or greater is recommended) WSUS is included as a server role in Windows Server® 2012. If you install the WSUS server role, then all software prerequisites are installed automatically, including Windows Internal Database if required.

Lesson 2: Deploying Updates with WSUS 20411B Lesson 2: Deploying Updates with WSUS 12: Implementing Update Management Approving Updates  

Configuring Automatic Updates 20411B Configuring Automatic Updates 12: Implementing Update Management You must configure the client computers to use the WSUS server as the source for updates You can use Group Policy to configure clients, including the following settings: Update frequency Update installation schedule Automatic restart behavior Default computer group in WSUS Explain to students that WSUS clients must be configured to use the WSUS server as a source for obtaining updates. After the WSUS clients are configured, they will no longer obtain updates directly from Microsoft Update. As an informal demonstration, open Group Policy Management on LON-DC1, edit a Group Policy Object (GPO), and show the students the settings and where they are located.

You can use the WSUS Administration console to: 20411B WSUS Administration 12: Implementing Update Management You can use the WSUS Administration console to: Manage updates Configure computer groups View computer status View synchronization information Configure and view WSUS reports Configure WSUS settings and options In Windows Server 2012, WSUS also includes Windows PowerShell cmdlets for administration Explain the different management tasks that can be performed in the WSUS administration console. Open the WSUS administration console on LON-SVR1, and show students the tool and the location where some of the key configuration tasks are performed. Focus on where computer groups are located and created, and how to view and approve or decline updates.

What Are Computer Groups? 20411B What Are Computer Groups? 12: Implementing Update Management You can use computer groups to organize WSUS clients The default computer groups include: You can create custom computer groups to control how updates are applied Explain to students that computers are always assigned to the All Computers group, and remain assigned to the Unassigned Computers group until you assign them to another group. Point out that computers can belong to more than one group. Computer groups can be set up in hierarchies. For example, the groups Payroll and Accounts Payable can be below the Accounting group. Updates that are approved for a higher group will be deployed automatically to lower groups, and to the higher group itself. Thus, if you approve Update1 for the Accounting group, the update will be deployed to all the computers in the Accounting group, in addition to all the computers in the Payroll and Accounts Payable groups. All Computers Unassigned Computers

Updates can be approved automatically, but it is not recommended Approving Updates 12: Implementing Update Management Updates can be approved automatically, but it is not recommended Updates should be tested before they are approved for production Updates can be declined if they are not needed Updates can be removed if they cause problems Stress to students the importance of testing updates before they are applied in a production environment. Mention that a custom computer group for a pilot group can be used for testing. You can also discuss with students what type of updates should be approved. For example, security updates should be applied in most cases unless you can identify a problem, whereas driver updates might be considered optional if a problem that is not known exists. Consider showing the students the approval process in the WSUS console on LON-SVR1.

Lab: Implementing Update Management Exercise 3: Approving and Deploying an Update by Using WSUS Exercise 1: Implementing the WSUS Server Role Your organization already has a WSUS server called LON-SVR1, which is located in the head office. You need to install the WSUS server role on LON-SVR4 at a branch location. LON-SVR4 will use LON-SVR1 as the source for Windows Update downloads. The installation on LON-SRV4 will use the Windows Internal Database for the deployment. Exercise 2: Configuring Update Settings You need to configure the Group Policy settings to deploy automatic WSUS settings to client computers. With the WSUS role configured on LON-SVR4, you must ensure that the Research department has its own computer group in WSUS on LON-SVR4. You must also configure client computers in the Research OU to use LON-SVR4 as their source for updates. Exercise 3: Approving and Deploying an Update by Using WSUS After you have configured the Windows Update settings, you can now view, approve, and then deploy required updates. You have been asked to use LON-CL1 as a test case for the Research department. You will approve, deploy, and verify an update on LON-CL1 to confirm the proper configuration of the WSUS environment. Virtual machines: 20411B-LON-DC1 20411B-LON-SVR1 20411B-LON-SVR4 20411B-LON-CL1 User name: Adatum\Administrator Password: Pa$$w0rd Logon Information Estimated Time: 60 minutes

20411B Lab Scenario 12: Implementing Update Management A. Datum is a global engineering and manufacturing company with head office based in London, UK. An IT office and a data center are located in London to support the London location and other branch office locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure. A. Datum has been manually applying updates to servers in a remote location. This has resulted in difficulty identifying which servers have updates applied and which do not. This is a potential security issue. You have been asked to automate the update process by extending A. Datum’s WSUS deployment to include the branch office.

What is the advantage of configuring a downstream WSUS server? 20411B Lab Review 12: Implementing Update Management You created a separate group for the Research department. Why would you configure a separate group for part of your organizations’ computers? What is the advantage of configuring a downstream WSUS server? Question: You created a separate group for the Research department. Why would you configure a separate group for part of your organizations’ computers? Answer: The Research department may have special considerations or security practices that require a different process for testing and approving updates than the rest of the organization. In addition, other departments may have administrators that have been delegated the responsibility for managing the update approval process. Question: What is the advantage of configuring a downstream WSUS server? Answer: If the main WSUS and the downstream server are connected by a slow wide area network (WAN) connection, the downstream WSUS server only downloads the updates once for the client computers it services, instead of each client computer downloading the update individually over the WAN connection from the main WSUS server.

Module Review and Takeaways 20411B Module Review and Takeaways 12: Implementing Update Management Tools Review Questions Question A colleague has argued that all updates to the Windows operating system should be applied automatically when they are released. Do you recommend an alternative process? Answer All updates should be tested before they are applied in a production environment. That is, you should first deploy updates to a set of test computers by using WSUS. Your organization implements several applications that are not Microsoft applications. A colleague has proposed using WSUS to deploy application and operating system updates. Are there any potential issues with using WSUS? Yes. WSUS is an excellent tool for deploying updates for Microsoft applications such as Microsoft Office and Windows operating system updates. However, WSUS does not deploy updates for all Microsoft applications, and it does not deploy updates for non-Microsoft applications. Microsoft System Center 2012 Configuration Manager is a better choice when you need to deploy updates for non-Microsoft applications. Why is WSUS easier to manage in an AD DS domain? WSUS takes advantage of the AD DS OU structure for deploying client settings through Group Policy. You can also use Group Policy settings to configure client-side targeting to determine the WSUS group membership of a client computer. Tools Tool Use Where to find it WSUS Administration console Administer WSUS Server Manager - Tools Windows PowerShell WSUS cmdlets Administer WSUS from the command–line interface Windows PowerShell