So you've just finished rolling out 500 new desktops using disk imaging. How are you going to keep them updated? As you know, Microsoft releases updates on the second Tuesday of each month. You need a way to approve and install these updates on all your desktops and servers, and you need to do it quickly because the time between release of the update and an exploit being developed is shrinking.
You've got a couple of options:
A better option is to use the free Windows Server Update Services from Microsoft to install a Windows Update server on your internal network. This allows all your clients and servers to get their updates from the local WSUS server. There are numerous benefits to using WSUS:
All you need is a moderately powered Windows Server 2003 box to run it on (Remember, most of the month the machine won't be doing anything). Installing and configuring WSUS is not complicated and there are many, many articles available about how to do it.
Once you have your WSUS server set up, you can use Group Policy to force the clients to use it and configure how and when they install updates. All you need to do is analyze and approve the updates when they are released and assign them to the groups you created. WSUS handles notifying the clients and pushing the updates out to them.
The WSUS team maintains a blog with some good information (although it's not updated that often).
Using WSUS gives you complete control over keeping your network updated. If you run a really large network, you should check out the new System Center Configuration Manager 2007, which is the updated version of SMS. It is a full featured network management system that does update management and much, much more.
Download WSUS 3.0
You've got a couple of options:
- Allow each user to go to Windows Update and select and install their own updates. That would put an enormous strain on your network as each update is downloaded 500 times and you need to rely on the users actually doing this.
- Configure Automatic Updates on each machine. Still strains your network and you don't know what is really being installed.
- Do nothing and hope for the best.
A better option is to use the free Windows Server Update Services from Microsoft to install a Windows Update server on your internal network. This allows all your clients and servers to get their updates from the local WSUS server. There are numerous benefits to using WSUS:
- It saves bandwidth since each update is only downloaded once from the Internet and then stored locally.
- It allows you to investigate and authorize updates before they are installed.
- You can group your machines and install different updates to different groups.
- You can force the machines to only use your local WSUS server and not allow users to download updates from Windows Update.
- You can force updates to be installed within a specific timeframe.
- You can use WSUS to update Office, Exchange, SQL, ISA and other Microsoft products.
- The whole thing can be controlled using Group Policy.
- You can create detailed reports showing which updates are needed by which machines.
- The WSUS software is free!
All you need is a moderately powered Windows Server 2003 box to run it on (Remember, most of the month the machine won't be doing anything). Installing and configuring WSUS is not complicated and there are many, many articles available about how to do it.
Once you have your WSUS server set up, you can use Group Policy to force the clients to use it and configure how and when they install updates. All you need to do is analyze and approve the updates when they are released and assign them to the groups you created. WSUS handles notifying the clients and pushing the updates out to them.
The WSUS team maintains a blog with some good information (although it's not updated that often).
Using WSUS gives you complete control over keeping your network updated. If you run a really large network, you should check out the new System Center Configuration Manager 2007, which is the updated version of SMS. It is a full featured network management system that does update management and much, much more.
Download WSUS 3.0
We also covered 3rd party programs that will keep your small workgroup or individual computers updated via firefox here.
