Review considerations and system requirements
Before you enable the WSUS server role, confirm that the server meets the system requirements and that you have the necessary permissions to complete the installation by adhering to the following guidelines:
- The server hardware requirements for enabling the WSUS role are listed in the topic: Windows Server Update Services Overview.
- If you install roles or software updates that require you to restart the server when installation is complete, restart the server before you enable the WSUS server role.
- Microsoft .NET Framework 4.0 must be installed on the server where the WSUS server role will be installed.
- The NT Authority\Network Service account must have Full Control permissions for the following folders so that the WSUS Administration snap-in displays correctly:
  - %windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files
- Confirm that the account you plan to use to install WSUS is a member of the Local Administrators group.
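The checks in the list above can be run as one read-only pre-flight script before the role is enabled. This is an added example, not part of the original documentation; the function name Test-WsusPrerequisite is hypothetical, and the registry locations used for .NET detection and pending restarts are the standard Windows ones rather than values taken from this page.

```powershell
# Added example: read-only pre-flight check. Run it from an elevated session,
# because a non-elevated token reports Administrators membership as false.
function Test-WsusPrerequisite {
    [CmdletBinding()]
    param(
        # Folder named on this page; Network Service needs Full Control on it.
        [string]$AspNetTemp = "$env:windir\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files"
    )

    # .NET Framework 4: the full profile records Install = 1 under this key.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $dotNetOk = ($null -ne $ndp) -and ($ndp.Install -eq 1)

    # Restart pending from an earlier role or update installation?
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $rebootPending = [bool]($rebootKeys | Where-Object { Test-Path -LiteralPath $_ })

    # Explicit or inherited Allow ACE granting Full Control to
    # NT AUTHORITY\NETWORK SERVICE. Matching on the well-known SID S-1-5-20
    # avoids localized account names. Rights granted through a group are not counted.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $aclOk = $false
    if (Test-Path -LiteralPath $AspNetTemp) {
        $rules = (Get-Acl -LiteralPath $AspNetTemp).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq 'S-1-5-20' -and
                $rule.AccessControlType -eq 'Allow' -and
                ($rule.FileSystemRights -band $full) -eq $full) { $aclOk = $true }
        }
    }

    # Is the installing account a member of the local Administrators group?
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminOk   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        DotNet4Installed          = $dotNetOk
        NoRestartPending          = -not $rebootPending
        NetworkServiceFullControl = $aclOk
        RunningAsLocalAdmin       = $adminOk
    }
}

Test-WsusPrerequisite | Format-List
```

Every property should read True before the WSUS role is enabled; the script changes nothing on the server.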
During the installation process, WSUS will install the following by default:
- .NET API and Windows PowerShell cmdlets
- Windows Internal Database (WID), which is used by WSUS
- Services used by WSUS, which are:
  - Update Service
  - Reporting Web Service
  - Client Web Service
  - Simple Web Authentication Web Service
  - Server Synchronization Service
  - DSS Authentication Web Service
Features on Demand Considerations
Be aware that configuring client computers (including servers) to update by using WSUS will result in the following limitations:
- Server roles that have had their payloads removed using Features on Demand cannot be installed on demand from Microsoft Update. You must either provide an installation source at the time you try to install such server roles, or configure a source for Features on Demand in Group Policy.
- Windows client editions will not be able to install .NET 3.5 on demand from the web. The same considerations as server roles apply to .NET 3.5.
Benefits of WSUS Server
Figure 1 Basic WSUS deployment
WSUS server hierarchies
You can create complex hierarchies of WSUS servers. Because you can synchronize one WSUS server with another WSUS server instead of with Microsoft Update, you need to have only a single WSUS server that is connected to Microsoft Update. When you link WSUS servers together, there is an upstream WSUS server and a downstream WSUS server. A WSUS server hierarchy deployment offers the following benefits:
- You can download updates one time from the Internet and then distribute the updates to client computers by using downstream servers. This method saves bandwidth on the corporate Internet connection.
- You can download updates to a WSUS server that is physically closer to the client computers, for example, in branch offices.
- You can set up separate WSUS servers to serve client computers that use different languages of Microsoft products.
- You can scale WSUS for a large organization that has more client computers than one WSUS server can effectively manage.
Plan Automatic Updates settings
You can specify a deadline to approve updates on the WSUS server. The deadline causes client computers to install the update at a specific time, but there are a number of different situations, depending on whether the deadline has expired, whether there are other updates in the queue for the computer to install, and whether the update (or another update in the queue) requires a restart.
By default, Automatic Updates polls the WSUS server for approved updates every 22 hours minus a random offset. If new updates need to be installed, they are downloaded. The time between each detection cycle can be set from 1 to 22 hours.
You can configure the notification options as follows:
- If Automatic Updates is configured to notify the user of updates that are ready to be installed, the notification is sent to the System log and to the notification area of the client computer.
- When a user with appropriate credentials clicks the notification area icon, Automatic Updates displays the available updates to install. The user must click Install to start the installation. A message appears if the update requires the computer to be restarted to complete the update. If a restart is requested, Automatic Updates cannot detect additional updates until the computer is restarted.
- Security updates: Broadly released fixes for specific products, addressing security issues. This includes fixing security vulnerabilities and other bugs (such patches are usually called bug fixes) and improving usability or performance.
- Definition updates: Updates to virus or other definition files, such as Microsoft Security Essentials virus and spyware definition updates.
- Updates: Broadly released fixes for specific problems, addressing non-critical, non-security-related bugs.
- It is recommended to install the critical, security and Windows updates on the last Friday of every month.