20411B-ENU-TrainerHandbook
.pdf
MCT USE ONLY. STUDENT USE PROHIBITED
|
12-1 |
|
|
|
|
|
|
Module 12 |
MCT |
||
USE |
|||
Implementing Update Management |
|||
Contents: |
|||
|
|
||
Module Overview |
12-1 |
|
|
Lesson 1: Overview of WSUS |
12-2 |
|
|
Lesson 2: Deploying Updates with WSUS |
12-5 |
|
|
Lab: Implementing Update Management |
12-9 |
|
|
Module Review and Takeaways |
12-13 |
|
|
|
ONLY. |
||
Module Overview
Windows Server® Update Services (WSUS) improves security by applying security updates to servers in a timely way. It provides the infrastructure to download, test, and approve security updates. Applying security updates quickly helps prevent security incidents that are a result of known vulnerabilities. While implementing WSUS, you must keep in mind the hardware and software requirements for WSUS, the settings to configure, and the updates to approve or remove according to your organization’s needs.
Objectives
After completing this module, you will be able to: |
STUDENT |
|
|
|
|
• |
Describe the role of WSUS. |
PROHIBITED USE |
• |
Deploy updates with WSUS. |
|
|
|
|
Administering Windows Server® 2012 12-3
The WSUS Update Management Process |
MCT |
|||
The update management process allows you to |
|
|||
|
|
|
||
|
USE |
|||
manage and maintain WSUS and the updates |
|
|||
retrieved by WSUS. This process is a continuous |
|
|||
cycle during which you can reassess and adjust |
|
|||
the WSUS deployment to meet changing needs. |
|
|||
The four phases in the update management |
|
|||
|
|
|
||
process are: |
|
ONLY |
||
• |
Assess |
|
||
• |
Identify |
|
||
• |
Evaluate and plan |
|
||
• |
|
|
||
Deploy |
|
|
|
|
The Assess Phase |
. |
|||
The goal for the assess phase is to set up a production environment that supports update management for routine and emergency scenarios. The assess phase is an ongoing process that you use to determine the most efficient topology for scaling the WSUS components. As your organization changes, you might identify the need to add more WSUS servers in different locations.
The Identify Phase
The identify phase is concerned with identifying new updates that are available and determining whether they are relevant to the organization. You have the option to configure WSUS to retrieve all updates automatically, or to retrieve only specific types of updates. WSUS also identifies which updates are relevant to registered computers.
The Evaluate and Plan Phase
After relevant updates have been identified, you need to evaluate whether they work properly in your |
STUDENT |
|
|
environment. It is always possible that the specific combination of software in your environment might |
|
have problems with an update. |
|
To evaluate updates, you should have a test environment in which you can apply updates to verify proper |
|
functionality. During this time, you might identify dependencies that enable an update to function |
USE |
properly, and you can plan any changes that need to be made. |
|
|
|
The Deploy Phase |
PROHIBITED |
After you have thoroughly tested an update and determined any dependencies, you can approve it for |
|
deployment in the production network. Ideally, you should approve the update for a pilot group of |
|
computers before approving the update for the entire organization. |
|
|
|
Administering Windows Server® 2012 12-5
Lesson 2 |
MCT |
|
Deploying Updates with WSUS |
||
USE |
||
This lesson explains the specifics of deploying updates with WSUS to client computers. Deploying |
||
updates to Windows update clients through WSUS can provide numerous benefits. You can configure |
||
|
updates to be downloaded, approved, and installed automatically, without the input of an administrator. Alternatively, you can exercise more control of the update process and provide a controlled environment in which to deploy updates. You can perform testing on an isolated test computer group before
approving an update for approval in your entire organization.
Lesson Objectives
For Active Directory® Domain Services (AD DS) environments, Automatic Updates are typically configured in a GPO by configuring the settings located under Computer Configuration. To locate the settings, expand Policies, expand Administrative Templates, expand Windows Components, and then locate the Windows Updates node.
After completing this lesson, you will be able to: |
ONLY |
|||
|
|
|||
• Describe how to configure the Automatic Updates feature to use WSUS. |
|
|
||
• Explain how to administer WSUS. |
. |
|||
• Identify computer groups in WSUS. |
||||
|
|
|||
• Describe the options for approving WSUS updates. |
|
|
||
Configuring Automatic Updates |
|
|
||
When you enable the Automatic Updates |
|
|
|
|
|
STUDENT |
|||
feature on a server, the default configuration |
|
|||
automatically downloads updates from Microsoft |
|
|||
Update and installs them. After you have |
|
|||
implemented WSUS, your clients should be |
|
|||
configured to obtain updates automatically from |
|
|||
the WSUS server instead. |
|
|||
The location from which Automatic Updates |
|
|
|
|
obtains updates is controlled by a registry key. |
|
|
|
|
Although it is possible to configure the registry |
|
|
|
|
key manually by using the Regedit tool, this is not |
|
|
|
|
recommended except when the computer is not |
USE |
|||
|
|
|||
in a domain. If a computer is in a domain, it is much more efficient to create a Group Policy Object (GPO) |
||||
that configures the registry key. |
PROHIBITED |
|||
|
|
|||
•Update frequency. This setting determines how often the updates are detected.
•Update installation schedule. This setting determines when updates are installed. This setting also determines when updates are rescheduled for, when updates cannot be installed at the scheduled time.
PROHIBITED USE STUDENT .ONLY USE MCT
Administering Windows Server® 2012 12-7
|
|
|
|
|
|
cmdlet |
Description |
|
MCT |
||
|
|
|
|
|
|
Get-WsusServer |
Gets the value of the WSUS update server object. |
|
|
|
|
|
|
|
|
|
|
Get-WsusUpdate |
Gets the WSUS update object with details about the update. |
|
|
|
|
|
|
|
|
|
|
Invoke-WsusServerCleanup |
Performs the process of cleanup on a specified WSUS server. |
USE |
|||
|
|
|
|||
Set-WsusClassification |
Sets whether the classifications of updates that WSUS |
|
|
|
|
|
synchronizes are enabled or disabled. |
|
|
|
|
|
|
|
|
|
|
Set-WsusProduct |
Sets whether the product representing the category of updates |
|
|
|
|
|
to synchronize is enabled or disabled. |
|
|
|
|
|
|
|
|
|
|
Set-WsusServerSynchronization |
Sets whether the WSUS server synchronizes from Microsoft |
ONLY |
|||
|
Update, or from an upstream server and uses the upstream |
||||
|
server properties. |
||||
|
|
|
|||
|
|
|
|
|
|
|
|
|
. |
||
What Are Computer Groups? |
|
|
|
||
Computer groups are a way to organize the |
|
|
|
|
|
|
STUDENT |
||||
computers to which a WSUS server deploys |
|
||||
updates. The two computer groups that exist |
|
||||
by default are All Computers and Unassigned |
|
||||
Computers. New computers that contact the |
|
||||
WSUS server are assigned automatically to both |
|
||||
of these groups. |
|
|
|||
You can create custom computer groups for |
|
||||
controlling how updates are applied. Typically, |
|
||||
custom computer groups contain computers |
|
|
|
|
|
with similar characteristics. For example, you |
|
|
|
|
|
might create a custom computer group for each |
|
|
|
|
|
|
|
|
|
||
department in your organization. You can also create a custom computer group for a test lab where you |
|||||
first deploy updates for testing. You would also typically group servers separate from client computers. |
USE |
||||
|
|
|
|||
When you manually assign new computers to a custom computer group, it is called server-side targeting. |
|||||
You can also use client-side targeting to assign computers to a custom computer group. To use client-side |
|||||
targeting, you need to configure a registry key or GPO for the computer that specifies the custom |
PROHIBITED |
||||
computer group to be joined during initial registration with the WSUS server. |
|||||
|
|
|
|||
Server-side targeting enables administrators to manage WSUS computer group membership manually. This is useful when the AD DS structure does not support the logical client-side for computer groups, or when computers need to be moved between groups for testing or other purposes. Client-side targeting is used most commonly in large organizations where automated assignment is required and computers must be assigned to specific groups.
