Windows SBS 2011 provides a functional WSUS installation by
default, but there are many possible reasons why administrators might
want to modify those default settings. The following sections examine
the various WSUS configuration settings that you can change using the
Windows SBS Console, as well as the reasons why you might want to
Moving the Update Repository
The Windows SBS 2011 setup program configures WSUS to store the
updates that it downloads from the Internet on the computer’s C drive.
This is largely because C is usually the only drive available during a
new server installation. However, you might want to move the update
repository to another drive later. To move the WSUS data store, click Backup and Server storage in the Windows SBS Console, then choose the Server storage tab. Finally, under the Storage tasks list, select the Move Windows Update repository data task, as shown in Figure 1.
Figure 1. The Backup And Server Storage page of the Windows SBS Console.
As with the other data stores on the server running Windows SBS 2011, you can move the WSUS data to any available volume on the computer (see Figure 2).
Because the updates are readily available on the Internet, there is
usually no need to store them on a fault tolerant volume—that would be
a needless expense. The most common reason for moving the WSUS data store is to free up disk space on the C drive.
Figure 2. The Choose A New Location For The Data page.
Configuring Software Update Settings
The Windows SBS Console enables you to modify the default settings for some of the most basic WSUS and Windows Update parameters. To configure these settings, use the following procedure:
Log on to your Windows SBS 2011 server, using an account with network Administrator privileges. The Windows SBS Console appears.
Click Security, and then select the Updates tab.
In the Tasks list, click Change the software update settings. The Software Update Settings dialog box appears.
Select one of the following tabs and use the controls to configure the following settings located there:
Server updates Specifies, by classification, which updates WSUS should automatically approve for servers. The default Medium setting omits service packs.
Client updates Specifies, by classification, which updates WSUS should approve automatically for clients. The default High setting includes all high-priority updates and service packs.
Specifies whether servers and clients should install updates
automatically and, if so, how often and at what time the installations
Included computers Specifies which of the computers on the network should obtain their updates from the WSUS server.
Click OK. The Software Update Settings dialog box closes.
The Server Updates And Client Updates pages in the Software Update Settings dialog box specify which types of updates WSUS
should approve automatically for your servers and client workstations,
respectively. In the default configuration, the only difference between
the server and client settings is the inclusion of service packs for
Service packs are major updates, and many administrators do not like
to install them as soon as they are released, preferring instead to
wait to see if problems arise. The installation of a service pack
requires a system restart and can also be a lengthy process, so you
must be sure that the installation occurs at an appropriate time of day.
If you prefer to wait before installing service packs on your clients, you can change the Client updates setting to Medium.
This enables you to gauge the industry response to the service pack
release and possibly install it manually in a test laboratory
environment before deploying it on the whole network.
Scheduling Update Installations
The installation of the updates on your network computers is controlled by the Windows Update client, not WSUS. Therefore, the Schedule tab of the Software Update Settings dialog box actually modifies the Group Policy settings that configure the Windows Update client.
Here again, servers and clients have their own separate settings.
The default setting for clients is to install new updates automatically
every day at 3 A.M. Depending on your organization’s work schedule, you
might want to change the time of the installation or even limit it to
one day a week instead of every day. Microsoft typically releases new
updates once per month, so you might feel that a daily schedule is not
necessary. However, Microsoft does sometimes release updates that are
particularly critical between the usual monthly cycles.
Another element to consider with client updates is whether your
users are accustomed to shutting their computers down at the end of
each workday. Obviously, an update installation cannot occur when a
computer is turned off. If a scheduled installation does not occur,
because the computer is shut down or for any other reason, the Windows
Update client triggers the installation one minute after the computer’s
next startup. If this causes problems, you can change this behavior,
but only by modifying the GPOs directly.
For servers, the default setting enables the computers to download
new updates from the WSUS server, but the computers do not install them
automatically. This enables administrators to exercise greater control
over which updates the servers receive, and when.
The Included Computers page of the Software
Update Settings dialog box enables you to specify which of the
computers on your network you want to receive updates from WSUS. By
default, all your computers are included, but if you want to change the
default, you can select a computer and click Remove to disable its Windows Update client entirely.
You can also select a computer and click Modify to display the Change The Members Of An Update Group dialog box, as shown in Figure 3. This dialog box enables you to put a client workstation in the Update services server computers group to prevent it from automatically installing updates, or to put a server in the Update services client computers group to enable automatic update installations.
Figure 3. The Change The Members Of An Update Group dialog box.
WSUS synchronizes with the Microsoft Update servers on the Internet once every day, but you can trigger a manual synchronization using the Windows SBS Console at any time by clicking Synchronize now in the Tasks list on the Security/Updates page.
WSUS automatically approves the most important updates by default,
but the Security/Updates page also contains a list of optional updates.
WSUS does not approve these updates automatically. If you want to
deploy them on your network, you must approve them manually, using the
Log on to your Windows SBS 2011 server using an account with network Administrator privileges. The Windows SBS Console appears.
Click Security, and then select the Updates tab.
Select one of the entries in the Optional updates list and, in the Tasks list, click Deploy the update. A Software Updates message box appears, prompting you to confirm your action.
Click OK. Another Software Updates message box appears, informing you that the update is approved.
Click OK. The update moves from the Optional updates list to the Updates in progress list.
You can also remove an entry from the Optional updates list and delete it permanently from the update repository by selecting it and clicking Decline the update.