Patch management using Patch management using Microsoft Software Update Microsoft Software Update

Service 1.0 SP1Service 1.0 SP1

Chris Hughes, Systems ArchitectChris Hughes, Systems Architect

Warrington College of BusinessWarrington College of Business

Hughescj@ufl.eduHughescj@ufl.edu

OverviewOverview

What is Software Update ServicesWhat is Software Update Services– Local copy of Windows UpdateLocal copy of Windows Update– Allows testing of patches prior to deploymentAllows testing of patches prior to deployment– Integrated with Automatic Updates feature of Integrated with Automatic Updates feature of

Windows 2000/XPWindows 2000/XP

Server RequirementsServer Requirements

Windows Server 2000 Server SP2 or Windows Server 2000 Server SP2 or GreaterGreater

Windows Server 2003Windows Server 2003

Pentium III 733MhzPentium III 733Mhz

512MB RAM512MB RAM

10GB+ HDD10GB+ HDD

Client RequirementsClient Requirements

Windows 2000 SP2 with Automatic Windows 2000 SP2 with Automatic Updates Patch InstalledUpdates Patch Installed

Windows 2000 SP3 or GreaterWindows 2000 SP3 or Greater

Windows XP with Automatic Updates Windows XP with Automatic Updates Patch InstalledPatch Installed

Windows XP SP1Windows XP SP1

Windows Server 2003Windows Server 2003

Server OperationsServer Operations

Server OperationsServer Operations

Synchronization with Windows UpdateSynchronization with Windows Update– Scheduled SynchronizationScheduled Synchronization

Server OperationsServer Operations

Client OptionsClient Options

NoAutoRebootWithLoggedOnUsersNoAutoRebootWithLoggedOnUsers– Give option to reboot if a user is logged in.Give option to reboot if a user is logged in.

NoAutoUpdateNoAutoUpdate– Enable or Disable Auto-Update InstallationEnable or Disable Auto-Update Installation

AUOptionsAUOptions– Notify User of patches available for downloadNotify User of patches available for download– Notify User of patches available for installNotify User of patches available for install– Automatic download and installationAutomatic download and installation

Client OptionsClient Options

ScheduledInstallDayScheduledInstallDay – The days which the installation should occurThe days which the installation should occur

ScheduledInstallTimeScheduledInstallTime – The hour which the scheduled installs should The hour which the scheduled installs should

launchlaunch

RescheduleWaitTimeRescheduleWaitTime– Time delay after reboot when machine is Time delay after reboot when machine is

off during scheduled install timeoff during scheduled install time

Client OptionsClient Options

UseWUServerUseWUServer– Sets the machine to user Windows Update Sets the machine to user Windows Update

or a Local Software Update Serveror a Local Software Update Server

WUServerWUServer – Software Update Server URLSoftware Update Server URL

WUStatusServerWUStatusServer – Statistic Server for Software Update ServicesStatistic Server for Software Update Services

Settings via the registrySettings via the registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AUHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU – NoAutoRebootWithLoggedOnUsersNoAutoRebootWithLoggedOnUsers

Set this to 1 if you want the logged on users to choose whether or not to reboot their systemSet this to 1 if you want the logged on users to choose whether or not to reboot their system

Registry value type: REG_DWORDRegistry value type: REG_DWORD

– NoAutoUpdate NoAutoUpdate 0 = Automatic Updates is enabled (default)0 = Automatic Updates is enabled (default)

1 = Automatic Updates is disabled.1 = Automatic Updates is disabled.

Registry Value Type: REG_DWORDRegistry Value Type: REG_DWORD

– AUOptions AUOptions 2 = notify of download and installation2 = notify of download and installation

3 = automatically download and notify of installation3 = automatically download and notify of installation

4 = automatic download and scheduled installation.4 = automatic download and scheduled installation.

All options notify the local administrator.All options notify the local administrator.

Registry Value Type: REG_DWORDRegistry Value Type: REG_DWORD

Settings via the registrySettings via the registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AUHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

– ScheduledInstallDayScheduledInstallDay0 = Every day0 = Every day

1 through 7 = the days of the week from Sunday (1) to Saturday (7). 1 through 7 = the days of the week from Sunday (1) to Saturday (7).

Registry Value Type: REG_DWORDRegistry Value Type: REG_DWORD

– ScheduledInstallTimeScheduledInstallTime The time of day in 24-hour format (0-23).The time of day in 24-hour format (0-23).

Registry value type: REG_DWORD Registry value type: REG_DWORD

– RescheduleWaitTimeRescheduleWaitTimeTime in minutes (1-60)Time in minutes (1-60)

Registry value type: REG_DWORD Registry value type: REG_DWORD

Settings via the registrySettings via the registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AUHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

– UseWUServerUseWUServerSet this to 1 to enable Automatic Updates to use the server running Software Update Services as Set this to 1 to enable Automatic Updates to use the server running Software Update Services as specified in WUServer below.specified in WUServer below.

Registry Value Type: Reg_DWORDRegistry Value Type: Reg_DWORD

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdateHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

– WUServer WUServer Sets the SUS server by HTTP name (for example, Sets the SUS server by HTTP name (for example, http://IntranetSUShttp://IntranetSUS).).

Registry Value Type: Reg_SZRegistry Value Type: Reg_SZ

– WUStatusServerWUStatusServer Sets the SUS statistics server by HTTP name (for example, Sets the SUS statistics server by HTTP name (for example, http://IntranetSUShttp://IntranetSUS).).

Registry Value Type: Reg_SZRegistry Value Type: Reg_SZ

Settings via Group PolicySettings via Group Policy

LimitationsLimitations

Problems with administrators being able to Problems with administrators being able to cancel installations and rebootscancel installations and rebootsUnable to push a patch out NOW! Unable to push a patch out NOW! Patching are pulled from the server by the Patching are pulled from the server by the client every 17-22 hours.client every 17-22 hours.Machines with problems installing patchesMachines with problems installing patchesWindows Service Packs and Critical Windows Service Packs and Critical Patches onlyPatches onlyLimited reportingLimited reporting

SUS-Install.VBSSUS-Install.VBS

This is a script written by the SUS product This is a script written by the SUS product team at Microsoft.team at Microsoft.

Resets a client’s settings and schedules Resets a client’s settings and schedules an install timean install time

Verifies that the Automatic Update Client Verifies that the Automatic Update Client download patched and scheduled the download patched and scheduled the installinstall

Client Side TroubleshootingClient Side Troubleshooting

Not enough disk spaceNot enough disk space– Patches fail to download and do not installPatches fail to download and do not install

Machine has been rebooted previously Machine has been rebooted previously during Windows Updateduring Windows Update– Registry settings may be messed upRegistry settings may be messed up

Administrators cancel installationsAdministrators cancel installations– Disable access to Windows update via GPO Disable access to Windows update via GPO

or Registry. This forces the patch installaton.or Registry. This forces the patch installaton.

Server Side ReportingServer Side Reporting

Limited reporting is available in the Limited reporting is available in the product.product.

Logs are in the IIS log files for the SUS Logs are in the IIS log files for the SUS Server machineServer machine

http://www.susserver.comhttp://www.susserver.com has some has some scripts to improved reportingscripts to improved reporting

New Features for SUS 2.0New Features for SUS 2.0

ETA 1H 2004 – Public Beta “soon”ETA 1H 2004 – Public Beta “soon”

Support for all Microsoft Products Support for all Microsoft Products including Office, Exchange, and SQL.including Office, Exchange, and SQL.

Better reporting of patch status (Success, Better reporting of patch status (Success, Failure with reason codes, Integration with Failure with reason codes, Integration with Active Directory)Active Directory)

More options for dealing with patch More options for dealing with patch installation with administrators logged ininstallation with administrators logged in

New Features for SUS 2.0New Features for SUS 2.0

Deployment of different patches to specific Deployment of different patches to specific target machines.target machines.

Filtering using WMIFiltering using WMI

Managed machine databaseManaged machine database

SUS-Install.VBS built into server productSUS-Install.VBS built into server product

More InformationMore Information

WebsitesWebsites– Software Update Services Home Page Software Update Services Home Page http://http://

go.microsoft.com/fwlink/?LinkIdgo.microsoft.com/fwlink/?LinkId=6930=6930 – http://www.SUSServer.Comhttp://www.SUSServer.Com– http://http://bear.cba.ufl.edubear.cba.ufl.edu/SUS/SUS

NewsgroupsNewsgroups– microsoft.public.softwareupdatesvcsmicrosoft.public.softwareupdatesvcs– Email AddressesEmail Addresses– Feedback - Feedback - cwufdbk@microsoft.comcwufdbk@microsoft.com – Product Manager - Product Manager - Jose MorrisJose Morris - - a-a-jomorr@microsoft.comjomorr@microsoft.com

Any Questions?Any Questions?