WSUS and the Update Management Process

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server Update Services

This Microsoft recommended approach to the update management process consists of an ongoing set of four phases, as illustrated in the following figure. It is essential to repeat the update management process on an ongoing basis, as new updates become available that can enhance and protect the production environment.

Following the figure are the goals of each phase and examples of how administrators can use WSUS features to ensure success during each of the four phases of the process. It is important to note that many of the features can be employed in more than one phase.

1. Assess

The administrator’s goals for the Assess phase are:

  • To set up a production environment that will support update management for both routine and emergency scenarios.

Although it is the first step, the Assess phase is essentially an ongoing process. For example, administrators have to assess how many servers and client computers they need to update, what their storage and network bandwidth requirements are, and what time frame is acceptable to deploy an average update. Administrators also have to determine what platforms, products, and languages they want to update. Based on these factors, administrators can determine the most efficient topology for scaling out their WSUS components.

WSUS provides numerous options for setting up WSUS components, including the ability to store update content locally on WSUS servers or download content on demand from Microsoft Update. Administrators can also configure Automatic Updates to download and install missing updates on a computer automatically. WSUS provides options for managing client computers in both Active Directory and non–Active Directory environments.

WSUS provides standardized aggregate reports that administrators can run on an ongoing basis. These reports provide comprehensive information about all activity in the WSUS implementation, including information about updates that have been synchronized to a WSUS server, and which updates are installed or are missing from each computer.

2. Identify

The administrator’s goals for the Identify phase are:

  • To discover new updates in a convenient manner.

  • To determine whether updates are relevant to the production environment.

WSUS enables administrators to determine which types of updates to synchronize from Microsoft Update and when to synchronize them. Because WSUS automatically gathers data about all the computers known to the WSUS server in order to determine whether an update is relevant, administrators can see immediately how many computers need the update and how the deployment of the update would impact the network before installing the update in the production environment.

3. Evaluate and Plan

The administrator’s goals for the Evaluate and Plan phase are:

  • To test updates in an environment that is separate from but resembles the production environment.

  • To determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases.

When evaluating updates in a test environment, administrators can run many of the WSUS features they would be using in the actual deployment. They can set the criteria and schedule for automatically synchronizing their WSUS servers, create computer groups, and then target updates for those groups by approving updates for install. During and after testing, administrators can use the standardized reports that WSUS provides to monitor the success of their test update installations.

WSUS enables administrators to evaluate the result of installing updates before deploying them to a production environment. By creating a group of test computers and autoapproving different sets of updates by product, language, and other classifications, administrators can test various types of updates using automation. During and after testing, administrators can correlate WSUS update reports with their test results to validate installed updates and decide how and when to schedule download and installation approvals for the production environment.

4. Deploy

The administrator’s goals for the Deploy phase are:

  • To approve and schedule update installations.

  • To review the process after the deployment is complete.

WSUS allows administrators to specify target groups of computers and approve the deployment of updates to those groups. To establish the order in which updates are deployed, administrators can use WSUS to create the most efficient upstream and downstream WSUS server configuration for their network and staffing resources. In addition, administrators can configure how client computers communicate with WSUS servers or Microsoft Update by using Group Policy or by scripting with the WSUS API. The administrator can then use reporting to determine the success of the update deployment by computer or target group.