June 2010 IT Business Consulting Newsletter

Centrally Manage Microsoft Updates Across Your Enterprise…

For Free!

By Tom K

One issue that is extremely important to the safety of your environment, but is often overlooked, concerns Microsoft Updates. Security holes in Microsoft products are a HUGE issue, and you need to be sure these updates are properly installed on ALL of your devices. This is just as critical to your environment’s well-being as the previously discussed Anti-Virus protections for Servers, PCs, and email.

This month’s newsletter highlights this next layer of enterprise protection, discussing why it is so important and providing methods that will allow you to provide full control, management, and monitoring of Microsoft Updates across your Enterprise (and it is Free!).

About Microsoft Updates

Microsoft Updates come in varying levels of importance for all Microsoft operating systems and all of their products. Security and Critical Updates are essential, as they are the updates that patch security holes in their products. These holes can give the bad guys a means to load damaging software on your machines or take total control of them. Many experts consider an improperly patched PC or server more at risk than one with outdated virus definitions!

Most Microsoft Updates are published on “Patch Tuesday”, which is the second Tuesday of every month, when as many as 100+ updates/patches can be published. Occasional updates can be released throughout the month to address severe threats as they are discovered.

The Unmanaged Updates Environment

In an unmanaged environment, each server and PC is individually configured as to how it handles downloading and installing updates. Any user can access and edit the update options on his PC, from running updates automatically to completely shutting the update process down! Even when running updates “automatically”, the user is often required to perform actions like accepting a license agreement, installing a special update, or rebooting the machine (and we NEVER want to rely on our users to maintain our resources!).

In this unmanaged environment, you have no way of knowing if a machine’s updates are current or if any updates failed unless you get on the machine itself and check its status via the Microsoft Update site. And, when updates are unmanaged, you have no way of preventing (or delaying) an unwanted update from being installed on all your devices (remember when that first cut of IE 7 suddenly appeared on all of your PCs?).

Managed Enterprise Updates using WSUS

Microsoft realized that not being able to manage and monitor the update process across an Enterprise was dangerous and inefficient. So, they created a wonderful utility called Windows Server Update Services (WSUS) and they provide it for Free! It can be installed on any server (including SBS servers) in any Microsoft environment that uses Active Directory.

The tool has an intuitive console similar to those used in Enterprise Anti Virus systems. At a glance, you can see a list of all your devices showing current update levels and any update failures. You can drill down for specifics on any device.

You have control over what update severity levels are automatically pushed to your devices and which need to be manually approved. We typically auto approve Security and Critical updates, but not Service Packs and Feature updates. In this way YOU decide when (and who) gets that IE 8 update, but you don’t have to worry about Security and Critical updates being installed.

Perhaps most importantly, you can create one or more Update Configurations from the server. Each config is automatically pushed to the devices you select, and your users can’t mess with that config. In fact, the user is removed from all contact with the update process. If a license agreement needs to be approved, you are advised of this at the console and you approve it once for the whole Enterprise. If a PC needs to be rebooted, the server forces a reboot. Seamless!

One other key advantage to Managed Updates in a larger Enterprise is download efficiency. Using WSUS, all updates are downloaded through your relatively low bandwidth Internet circuit only once by the WSUS server, which then distributes the updates to all your devices via your very high bandwidth internal network. In an unmanaged environment, every device individually downloads all of its updates through your Internet circuit. Imagine 50 PCs trying to download that 280 MB Service Pack through that little 3 MB DSL circuit!

WSUS Installation and Configuration

The latest version currently available for download is WSUS 3.0 SP2. Pay attention, as there are two downloads. Select the right one depending on your server platform. Note if you are running SBS 2003, there are special instructions, via a link on this page. This page also has links to the full set of installation and use documentation.

The installation is handled by a wizard, so it is pretty straightforward. The WSUS configuration does, however, require familiarity and reasonable comfort levels with Active Directory and Group Policy. If you are not familiar with these tools, you may need a bit of help with the initial configuration, but you'll have no problems managing your updates once WSUS is set up. (Note that we expect to discuss Active Directory and Group Policy – two awesome tools – in the November and December newsletters).
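The PowerShell script below is an added example; it is not part of the newsletter and is not a WSUS component. It ties together the two situations described above: the “unmanaged” PC whose update settings any user can change, and the managed PC whose settings are pushed from the WSUS server through Group Policy. Those Group Policy settings land in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so reading that key tells you which case a given machine is in and when it last successfully detected and installed updates. The WSUS server URL in the comment is a placeholder, not a real address.

```powershell
# Added example (not from the newsletter or from WSUS): audit a Windows machine's
# update configuration and report whether it is WSUS/policy-managed or user-controlled.
# Run in an elevated PowerShell prompt on the client you want to check.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy   = Join-Path $policyKey 'AU'
$resultsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results'

# Read one registry value, returning $null if the key or value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# AUOptions values as documented for the "Configure Automatic Updates" policy setting.
$auOptionNames = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule install'
    5 = 'Local admin may choose'
}

$wuServer     = Get-RegValue $policyKey 'WUServer'      # e.g. http://wsus.example.local:8530 (placeholder)
$targetGroup  = Get-RegValue $policyKey 'TargetGroup'   # client-side targeting group, if configured
$useWuServer  = Get-RegValue $auPolicy  'UseWUServer'   # 1 = clients contact the WSUS server above
$noAutoUpdate = Get-RegValue $auPolicy  'NoAutoUpdate'  # 1 = Automatic Updates turned off by policy
$auOptions    = Get-RegValue $auPolicy  'AUOptions'
$lastDetect   = Get-RegValue (Join-Path $resultsKey 'Detect')  'LastSuccessTime'
$lastInstall  = Get-RegValue (Join-Path $resultsKey 'Install') 'LastSuccessTime'

# A machine counts as managed only when policy both enables WSUS and names a server.
$managed = ($useWuServer -eq 1) -and -not [string]::IsNullOrEmpty($wuServer)

if ($noAutoUpdate -eq 1) {
    $autoUpdateState = 'Disabled by policy'
} elseif ($auOptions) {
    $autoUpdateState = $auOptionNames[[int]$auOptions]
} else {
    # No policy value present: the local user can change the settings at will.
    $autoUpdateState = 'Not set by policy (user-controlled)'
}

# New-Object PSObject keeps this runnable on the PowerShell 2.0 hosts of the WSUS 3.0 era.
New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    ManagedByWSUS  = $managed
    WSUSServer     = $wuServer
    TargetGroup    = $targetGroup
    AutoUpdates    = $autoUpdateState
    LastDetectUTC  = $lastDetect
    LastInstallUTC = $lastInstall
} | Format-List
```

A machine that reports `ManagedByWSUS : False` together with `Not set by policy (user-controlled)` is exactly the unmanaged case described earlier; once the Group Policy that points clients at the WSUS server applies, the same script shows the server URL and the policy-chosen update mode, and a stale `LastInstallUTC` is the first thing to investigate on the WSUS console.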

As always, if you have questions or comments concerning this article I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.

Next month I will continue with the next phase of enterprise reliability, with the goal of ZERO DOWNTIME. You can and should realize this goal, and it starts with server design principles relating to redundancy, quick response warranties, and having a few cheap spare pieces of hardware on the shelf.
See "Zero Downtime! It IS attainable and I’ll show you how to do it!"