How to set up Windows Server Update Services


















If the update has been changed, it's not installed. You must use the certificate store for the local computer. You can't use a user's certificate store. If you change these ports, you must use two adjacent port numbers. This creates a potential attack vector. To help protect this connection, consider the following recommendations: Deploy Internet Protocol security (IPsec) to help secure network traffic. Local publishing allows you to create and distribute updates that you design yourself, with your own payloads and behaviors.

Enabling and configuring local publishing is beyond the scope of this article. For full details, see Local publishing. Local publishing is a complicated process and is often not needed. Before you decide to enable local publishing, you should carefully review the documentation and consider whether and how you'll use this functionality.

Computer groups are an important part of using WSUS effectively. Computer groups permit you to test and target updates to specific computers.

There are two default computer groups: All Computers and Unassigned Computers. By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of these groups. You can create as many custom computer groups as you need to manage updates in your organization.

As a best practice, create at least one computer group to test updates before you deploy them to other computers in your organization. There are two approaches to assigning client computers to computer groups. The right approach for your organization will depend on how you typically manage your client computers.

Server-side targeting: This is the default approach. This approach gives you the flexibility to quickly move client computers from one group to another as circumstances change. But it means that new client computers must manually be moved from the Unassigned Computers group to the appropriate computer group.

Client-side targeting: In this approach, you assign each client computer to computer groups by using policy settings set on the client computer itself.

This approach makes it easier to assign new client computers to the appropriate groups. You do so as part of configuring the client computer to receive updates from the WSUS server. But it means that client computers can't be assigned to computer groups, or moved from one computer group to another, through the WSUS Administration Console. Instead, the client computers' policies must be modified. You must create computer groups by using the WSUS Administration Console, whether you use server-side targeting or client-side targeting to add client computers to the computer groups.

In the Add Computer Group dialog, for Name, specify the name of the new group. Then select Add. The client computers must trust the certificate that you bind to the WSUS server. Depending on the type of certificate that's used, you might have to set up a service to enable the client computers to trust the certificate that's bound to the WSUS server.

If you're using local publishing, you should also configure the client computers to trust the WSUS server's code-signing certificate. For instructions, see Local publishing. By default, your client computers receive updates from Windows Update. They must be configured to receive updates from the WSUS server instead. This article presents one set of steps for configuring client computers by using Group Policy.

These steps are appropriate in many situations. But many other options are available for configuring update behavior on client computers, including using mobile device management. These options are documented in Manage additional Windows Update settings.

If you don't use Active Directory in your network, you'll configure each computer by using the Local Group Policy Editor. These instructions assume that you're using the most recent versions of the policy editing tools.

On older versions of the tools, the policies might be arranged differently. In the object that you expanded in the previous step, expand Administrative Templates, expand Windows components, expand Windows Update, and select Manage end user experience.

On the details pane, double-click Configure Automatic Updates. The Configure Automatic Updates policy opens. Select Enabled, and then select the desired option under the Configure automatic updating setting to manage how Automatic Updates will download and install approved updates.

We recommend using the Auto download and schedule the install setting. It ensures that the updates you approve in WSUS will be downloaded and installed in a timely fashion, without the need for user intervention.

If desired, edit other parts of the policy, as documented in Manage additional Windows Update settings. The Install updates from other Microsoft products checkbox has no effect on client computers receiving updates from WSUS. The client computers will receive all updates approved for them on the WSUS server.

On the Manage updates offered from Windows Server Update Service details pane, double-click Specify intranet Microsoft update service location. The Specify intranet Microsoft update service location policy opens. Make sure to include the correct port in the URL.

Select OK to close the Specify intranet Microsoft update service location policy. If you've chosen to use client-side targeting, you should now specify the appropriate computer group for the client computers you're configuring. These steps assume that you've just completed the steps for editing policies to configure the client computers. On the Manage updates offered from Windows Server Update Service details pane, double-click Enable client-side targeting.

The Enable client-side targeting policy opens. Select Enabled, and then enter the name of the WSUS computer group to which you want to add the client computers in the Target group name for this computer box.

If you're running a current version of WSUS, you can add the client computers to multiple computer groups by entering the group names, separated by semicolons. For example, you can enter Accounting;Executive to add the client computers to both the Accounting and Executive computer groups.

If you used an Active Directory-based GPO to configure the client computers, it will take some time for the Group Policy Update mechanism to deliver the changes to a client computer. If you used the Local Group Policy Editor to configure an individual client computer, the changes take effect immediately.

Restart the client computer. This step makes sure that the Windows Update software on the computer detects the policy changes. The client computer successfully scans for updates.

It might or might not find any applicable updates to download and install. Within about 20 minutes, the client computer appears in the list of computers displayed in the WSUS Administration Console, based on the type of targeting. If you're using server-side targeting, the client computer appears in the All Computers and Unassigned Computers computer groups. If you're using client-side targeting, the client computer appears in the All Computers computer group and in the computer group that you selected while configuring the client computer.
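The Group Policy settings configured in the steps above are stored on each client as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so they can be checked without opening the policy editor. The following PowerShell check is an added example, not part of the original article; the function names and the sample values (including the host name wsus.example.internal) are assumptions made for illustration.

```powershell
# Added example: audit the WSUS client policy values that Group Policy writes to the registry.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Reads the live policy values; a missing key or value comes back as $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    @{ WUServer = $wu.WUServer; TargetGroupEnabled = $wu.TargetGroupEnabled
       TargetGroup = $wu.TargetGroup; UseWUServer = $au.UseWUServer; AUOptions = $au.AUOptions }
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client still scans Windows Update, not WSUS.'
    }
    $uri = $null
    if (-not [uri]::TryCreate([string]$Policy.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings += 'WUServer is missing or is not an absolute URL.'
    } else {
        if ($uri.Scheme -ne 'https') {
            $findings += 'WUServer is not HTTPS: traffic to the WSUS server is not protected by TLS.'
        }
        if ($uri.IsDefaultPort) {
            $findings += 'WUServer uses the scheme default port; confirm it matches the WSUS port.'
        }
    }
    if ($Policy.AUOptions -ne 4) {
        # 4 = "Auto download and schedule the install", the setting the article recommends.
        $findings += "AUOptions is '$($Policy.AUOptions)', not 4 (auto download and schedule)."
    }
    $groups = @()
    if ($Policy.TargetGroupEnabled -eq 1) {
        # Client-side targeting: group names are separated by semicolons.
        $groups = @(([string]$Policy.TargetGroup) -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if (-not $groups) { $findings += 'Client-side targeting is enabled but no group name is set.' }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); TargetGroups = $groups; Findings = $findings }
}

# Constructed sample values (not from a real host); on a client, pass (Get-WsusClientPolicy) instead.
$sample = @{
    WUServer = 'http://wsus.example.internal:8530'; UseWUServer = 1; AUOptions = 3
    TargetGroupEnabled = 1; TargetGroup = 'Accounting;Executive'
}
Test-WsusClientPolicy -Policy $sample | Format-List
```

For the constructed sample, the result lists two findings (plain HTTP and AUOptions 3) and the target groups Accounting and Executive.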

If you're using server-side targeting, you should now add the new client computer to the appropriate computer groups.

Important: If you only have one WSUS server, it must have internet access, because it needs to download updates from Microsoft.

Tip: If your network is "air gapped" (if it does not have access to the internet at all), you can still use WSUS to provide updates to client computers on the network.

Note: If the network connection between the WSUS servers is slow or expensive, you can configure one or more of the other WSUS servers to receive update payloads directly from Microsoft.

Note: If you have a large organization, you can use chains of connected WSUS servers, rather than having all your other WSUS servers connect directly to the topmost server.

Important: You must complete this step if you identified that WSUS needs a proxy server to have internet access.

Warning: If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages.


Update management is the process of controlling the deployment and maintenance of interim software releases into production environments. It helps you maintain operational efficiency, overcome security vulnerabilities, and maintain the stability of your production environment.

If your organization cannot determine and maintain a known level of trust within its operating systems and application software, it might have a number of security vulnerabilities that, if exploited, could lead to a loss of revenue and intellectual property.

Minimizing this threat requires you to have properly configured systems, use the latest software, and install the recommended software updates. In that case, you will be prompted to first uninstall Windows Server Update Services prior to upgrading your server. Failure to uninstall WSUS 3. In this case, the only known corrective measure is to format the hard drive and reinstall Windows Server. Windows Server Update Services is a built-in server role that includes the following enhancements:

For system administrators to automate their operations, they need coverage through command-line automation. The main goal is to facilitate WSUS administration by allowing system administrators to automate their day-to-day operations. By exposing core WSUS operations through Windows PowerShell, system administrators can increase productivity, reduce the learning curve for new tools, and reduce errors due to failed expectations resulting from a lack of consistency across similar operations.

In earlier versions of the Windows Server operating system, there were no Windows PowerShell cmdlets, and update management automation was challenging.


