In case you aren’t familiar with Windows Server Update Services, WSUS is Microsoft’s built-in technology for centrally deploying patches to workstations and servers for Windows, Office and other Microsoft software. When it came out, WSUS was a great leap forward for all of us who must keep systems secure and patched. As time has passed, patching has become even more critical and more complicated, because we have to:
• patch more quickly to defend against 0-day exploits
• deal with power management concerns
• patch servers inside tighter maintenance windows
• patch more than just Windows
In these slides, Randy Franklin Smith from UltimateWindowsSecurity shares a load of tips, tricks and scripts for helping you address these issues and deal with limitations in WSUS.
One of the biggest issues with WSUS is that you control patch management partly from within WSUS and partly from group policy. In WSUS, you select which patches are approved for deployment, but you control patch schedule and other Automatic Update settings with group policy. Learn a ton of advanced ways to use group policy to the full in order to finely tune how updates are applied on your network.
• How to ensure not a single computer in your domain is missed by WSUS while not misapplying a patch by accident
• Why you should start with 3 top-level computer groups in WSUS: Servers, Workstations, Terminal Servers
• How to schedule automatic updates and reboots for servers during their maintenance window using group policy and WSUS (and the limitations)
• How to use “client-side targeting” to automatically assign computers to WSUS groups and avoid manually assigning computers
• How to set up a test group of computers from across all your OUs to receive updates first
• How to address the problem of computers that are powered down when a patch should be installed
• How to patch computers in your DMZ
• Fine-tuning BITS for bandwidth protection
• Understanding how time zones work in WSUS and the AU client
Another question we’ll tackle is: “Should I even be using WSUS?” Issues we’ll discuss:
• Do you require Wake-On-LAN capability to fulfill a green initiative with timely patching?
• Do you have strict maintenance window requirements?
• Do you understand the critical need to centrally control patching non-MS apps without relying on each app’s auto-updater?
This is where our sponsor Lumension comes in. Russ Ernst shows how Lumension’s Endpoint Management and Security Suite addresses all of these issues and more, much more.