Anyone use WSUS ?

Hi,

Been given the task to manage and sort out WSUS. Basically it was installed a while ago by a consultant and that's it. It is running version 2.0.0.2620.

I notice there is version 3 available for download. Would you say the first thing to do is to download this and install it?

then go through this:

http://technet2.microsoft.com/Windo...-b596-d24dac987b641033.mspx&reldir=en/library

Or should I get it all working under version 2.0 first ?
 
The interface for WSUS 3 is a lot easier to use than 2.

I'd definitely upgrade if I were you.

You can set up groups within WSUS for which computers get updates or you can use group policy to manage it.

This is one of the best pieces of kit MS gives you. Anyone that doesn't use it over a large network must be mad.
 
Just rip it out and start again if you're worried about anything. I wouldn't start working under v2 though.

WSUS itself is stupidly simple, has some deps, install those... install WSUS. Set your GPOs inside the relevant OUs to talk to WSUS in their "groups".

Configure WSUS, let it go and fetch the updates and then... it's done.

Seriously, 30 mins work for config at most (followed by x hours download). Don't be worried, you can't really break it.
 
ok cheers !!

Oh and I know I've got to test etc etc, but how the *beep* can I push an update to say a DC or file server and not worry it will screw up the server ??
 
You wouldn't do it to a DC.... file server mebbe if you have any form of resilience.

If you're really desperate, use MS Virtual Server 2005 R2 and throw a quick machine up... it's a rubbishy host based thing but it'll do the job for what you want to do. MS also release pre-built VHDs for trial (ISA... Exchange ring a bell) so you could download one of those and patch it.
 
Another vote for rip it out and start again.

It's not that complicated a product if you take the time to read a few whitepapers and so on. You should be able to get it uninstalled and reinstalled to V3.0 in less than a day.
 
Shaz]sigh[;10206684 said:
You wouldn't do it to a DC.... file server mebbe if you have any form of resilience.

Thanks again guys. So you're saying not to keep your 'important' servers up to date ?

Oh and at the moment no machines in the entire company are kept up to date :p
 
You need to be careful with DCs and critical application servers.

What he was saying is don't let WSUS automatically install patches. You need to decide on a patch by patch basis what goes onto these types of machine. Often you need to be in close contact with application vendors to ensure that a rogue patch doesn't cause your new SQL app to lay an egg.
 
WSUS is okay, but the reporting side of it is completely naff - even in v3.

For example, I need to run regular reports and want to know the exact number of machines that were successfully patched. WSUS, however, will group those machines with the patch Installed into the same category as those machines for which the patch is Not Applicable. These aren't the same thing, and aren't useful for my reports. I have to then manually manipulate the reports in order to make them useful (or query the backend database myself).

The use of the MMC snap-in is an improvement over the web-based v2, but there are still things I don't like about v3.

Oh, and it still doesn't cover enough of Microsoft's non-core products (although it does support Mickey Mouse things like Zune :rolleyes:)

ps - go with v3 over v2 if just for the ability to have more than just a daily synchronisation... v3 allows you to have hourly updates, whereas v2 only allows you to specify a time but will only synchronise at that time every day unless you do a manual synch.
 
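The reporting gap described in the post above (Installed and Not Applicable lumped into one category) can be worked around without touching the backend database. The following is an added example, not code from any poster in this thread: a PowerShell script against the WSUS 3.0 administration API that keeps the two counts in separate columns. It assumes it is run on the WSUS server itself (or a machine with the WSUS 3.0 console installed), and the CSV output path is a made-up placeholder.

```powershell
# Added example: per-update patch counts with Installed and Not Applicable separated.
# Assumption: run locally on the WSUS 3.0 server by a WSUS administrator.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect to the local WSUS server.
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# A default ComputerTargetScope covers every computer the server knows about.
$scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

$report = foreach ($update in $wsus.GetUpdates()) {
    # Report only on updates that are approved and not declined.
    if (-not $update.IsApproved -or $update.IsDeclined) { continue }

    $s = $update.GetSummary($scope)

    # Machines the patch actually applies to. Not Applicable and Unknown
    # (never reported) are deliberately left out of the denominator.
    $applicable = $s.InstalledCount + $s.InstalledPendingRebootCount +
                  $s.NotInstalledCount + $s.DownloadedCount + $s.FailedCount

    # Pending-reboot machines are not counted as patched: the fix is not
    # effective until the restart has happened.
    $pct = $null
    if ($applicable -gt 0) {
        $pct = [math]::Round(100 * $s.InstalledCount / $applicable, 1)
    }

    New-Object PSObject -Property @{
        Title           = $update.Title
        Installed       = $s.InstalledCount
        PendingReboot   = $s.InstalledPendingRebootCount
        Needed          = $s.NotInstalledCount + $s.DownloadedCount
        Failed          = $s.FailedCount
        NotApplicable   = $s.NotApplicableCount
        Unknown         = $s.UnknownCount
        PercentOfTarget = $pct
    }
}

# Placeholder output path; column order is fixed here for readability.
$report |
    Sort-Object Title |
    Select-Object Title, Installed, PendingReboot, Needed, Failed, NotApplicable, Unknown, PercentOfTarget |
    Export-Csv -NoTypeInformation -Path .\wsus-patch-report.csv
```

A high Unknown count means machines have stopped reporting, which matters as much for a compliance figure as a Failed count.
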
If you can get your company to spend some money on security I would recommend Shavlik products http://shavlik.com/

It comes down to the size of your Domain but for patch management and reporting it is very very good. There is a free trial which is worth a try if you have a test bed to mess around with.
 
Thanks again guys. So you're saying not to keep your 'important' servers up to date ?

Oh and at the moment no machines in the entire company are kept up to date :p

As above, I mean... don't go "testing" it on a server you need ;)

As for my patch management, all patches are implemented to a virtual environment and monitored, then they go to UAT (user acceptance testing) to check it doesn't fiddle with our apps. Then after that they're applied to live making sure we have a relevant snapshot/image to roll back to if need be.

That's just on the normal servers, if you're talking SQL it gets more complicated :p
 