Thursday, October 05, 2006

Installing Windows Server Update services (WSUS)

I've installed WSUS in my company's network. Right now it's being tested by a limited number of users, but things seem to run well. Installation and configuration are easy, and fully described in the Deployment and Operations guides from Microsoft. There are a couple of things the guides didn't mention, though. First, I had to install this hotfix on the WSUS server computer, otherwise clients failed to update. Second, the Automatic Updates (wuauserv) service as well as the Background Intelligent Transfer Service (BITS) must be running on all client computers that update from a WSUS server. The former sounds obvious yet is easy to overlook, and BITS is even less obvious for a new user of WSUS. A good way to ensure that the required services are running is through Group Policy. Since Microsoft recommends that WSUS settings are set in a separate GPO, and not in the Default Domain Policy, this WSUS GPO is a good place to configure the Automatic Updates service to autostart (although one can do it in any other GPO as well). To do so, open this GPO in Group Policy Object Editor, and navigate to Computer Configuration - Windows Settings - Security Settings - System Services. Locate the Automatic Updates service in the list, double-click it and set the "Service startup mode" to Automatic.

Caveat: you also need to configure the service's security (the Security dialog pops up automatically). Here make sure to add the "Authenticated Users" group with Read permission.

If you fail to do so, the Automatic Updates service will fail to start with "Error 0x80004015: The class is configured to run as a security id different from the caller". This is discussed in detail here. Repeat these steps for the Background Intelligent Transfer Service (BITS).
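As an added example (not part of the original post), the following PowerShell function checks the client-side prerequisites described above on a list of computers: that wuauserv and BITS are set to start automatically and are running, and that the service security descriptor applied by the GPO contains an ACE for Authenticated Users (the Read permission the post says to add). It assumes PowerShell 3 or later with CIM remoting, administrative rights on the target machines, and the constructed computer names CLIENT01 and CLIENT02.

```powershell
# Added example, not from the original post. Verifies the WSUS client
# prerequisites the post describes: the Automatic Updates (wuauserv) and BITS
# services must be set to Automatic and be running, and their security
# descriptor must grant Authenticated Users access (otherwise the service
# fails to start with error 0x80004015, as the post notes).
# Assumes PowerShell 3+ with CIM remoting and admin rights on the targets.
function Test-WsusClientServices {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string[]]$Service = @('wuauserv', 'BITS')
    )
    foreach ($computer in $ComputerName) {
        foreach ($name in $Service) {
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                -Filter "Name='$name'" -ErrorAction SilentlyContinue
            if (-not $svc) {
                Write-Warning "$computer : service '$name' not found or host unreachable"
                continue
            }
            # sc.exe sdshow prints the service's security descriptor in SDDL form.
            # An ACE ending in ';;;AU)' is one granted to Authenticated Users; this is
            # a presence heuristic only and does not decode the exact access mask.
            $sddl = (& sc.exe "\\$computer" sdshow $name | Out-String)
            $hasAuthUsersAce = [bool]($sddl -match ';;;AU\)')
            [pscustomobject]@{
                Computer              = $computer
                Service               = $name
                StartMode             = $svc.StartMode   # expected: 'Auto'
                State                 = $svc.State       # expected: 'Running'
                AuthenticatedUsersAce = $hasAuthUsersAce # expected: $true
                Ok = ($svc.StartMode -eq 'Auto' -and
                      $svc.State -eq 'Running' -and
                      $hasAuthUsersAce)
            }
        }
    }
}

# Constructed sample run against two hypothetical test clients.
Test-WsusClientServices -ComputerName 'CLIENT01', 'CLIENT02' | Format-Table -AutoSize
```

Any row with Ok set to False points at a client that will not update from WSUS until the GPO settings above have applied (a `gpupdate /force` on the client followed by a re-run is the quickest way to confirm).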

On a related note, in order to test WSUS with a limited number of computers I employed the following approach. As the Microsoft guides recommend, I created a separate WSUS policy GPO with the WSUS settings in Group Policy Management Console. I linked it to the top-level domain, but using the Security Filtering feature I specified that it only applies to a few selected computers. Once testing is successful, I will replace this list of computers with the "Authenticated Users" group so that the policy applies to all.
