The official blog for Windows Server Essentials and Small Business Server support and product group communications.
[Today’s post comes to us courtesy of Shawn Sullivan]
SBS 2008 includes the Update Services component to provide the administrator with a simple interface for managing software updates from the SBS Console. Those who are familiar with Update Services from SBS 2003 R2 will find that the SBS 2008 implementation is quite similar. It is essentially a wrapper for the native WSUS 3.0 interface meant to simplify the management of software updates for the network. By default, all critical updates, security updates, and update definitions will be automatically approved for installation if at least one machine on the network requires them. Other updates are manually approved by the administrator as needed.
Below is the full list of default configuration settings in WSUS as they exist after SBS 2008 setup has completed:
Critical Updates; Definition Updates; Security Updates; Service Packs; Update Rollups
English and the Language of the SBS 2008 SKU
Store update files locally on this server; Download update files to this server only when updates are approved
Automatically 01:00 am Daily
Unused updates and update revisions; Computers not contacting the server; Unneeded update files; Expired updates; Superseded updates
Update Services Excluded Computers; Update Services Client Computers; Update Services Server Computers
Important: If you go into the native WSUS 3.0 SP1 console and change these default settings, SBS Update Services will detect this and shut down. In order to guarantee the accuracy and reliability of its reporting function, it requires WSUS to be configured with these settings. If you are in this state, you will get the following warning when you click on “Change the software update settings” in the SBS console:
“Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS)”
The easiest way to tell which changes you need to revert is to run the SBS 2008 BPA: http://www.microsoft.com/downloads/info.aspx?na=22&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d86a1aa32-9814-484e-bd43-3e42aec7f731%26DisplayLang%3den
The below screenshot shows an example of the warning and its specific cause:
The Update Services Excluded Computers, Update Services Client Computers, and Update Services Server Computers groups are created natively in WSUS during setup and managed through the SBS 2008 Console.
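As an added example (not part of the original post or of SBS itself), the read-only PowerShell check below compares a few of the defaults listed above against the live WSUS configuration through the WSUS 3.0 administration API. The post lists the values without their setting names, so the mapping of each value to an API property, and the reading of "Daily" as one synchronization per day, are assumptions; the BPA remains the authoritative check.

```powershell
# Added example: read-only drift check of WSUS against defaults listed in this post.
# Assumes an elevated session on the SBS 2008 server with the WSUS 3.0 admin API installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()
$sub    = $wsus.GetSubscription()

# Expected values copied from the list in this post.
$expectedClasses = 'Critical Updates','Definition Updates','Security Updates',
                   'Service Packs','Update Rollups'
$expectedGroups  = 'Update Services Excluded Computers',
                   'Update Services Client Computers',
                   'Update Services Server Computers'
$findings = @()

# Synchronized classifications must match the default set exactly.
$actualClasses = @($sub.GetUpdateClassifications() | ForEach-Object { $_.Title })
foreach ($c in $expectedClasses) {
    if ($actualClasses -notcontains $c) { $findings += "Classification not selected: $c" }
}
foreach ($c in $actualClasses) {
    if ($expectedClasses -notcontains $c) { $findings += "Extra classification selected: $c" }
}

# Update files: stored locally, downloaded only once an update is approved.
if ($config.HostBinariesOnMicrosoftUpdate) {
    $findings += 'Update files are not stored locally on this server'
}
if (-not $config.DownloadUpdateBinariesAsNeeded) {
    $findings += 'Update files are downloaded before updates are approved'
}

# Synchronization: automatic; "Daily" is read here as one sync per day (assumption).
if (-not $sub.SynchronizeAutomatically) { $findings += 'Synchronization is not automatic' }
if ($sub.NumberOfSynchronizationsPerDay -ne 1) {
    $findings += "Synchronizations per day: $($sub.NumberOfSynchronizationsPerDay)"
}

# The three SBS-managed computer groups must exist (WSUS built-in groups are ignored).
$actualGroups = @($wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name })
foreach ($g in $expectedGroups) {
    if ($actualGroups -notcontains $g) { $findings += "WSUS computer group missing: $g" }
}

if ($findings.Count -eq 0) { 'WSUS matches the defaults checked here.' } else { $findings }
```

The script changes nothing; it only reports differences, which can then be reverted in the native WSUS console.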
By default, the Client and Server groups will be populated by machine accounts that are either in the SBS Servers or SBS Computers Organizational Units in Active Directory. The purpose of these groups is to assign one of the following update levels to them through the SBS Console:
By default, Server updates are set to Medium and client updates are set to High. If you choose to exclude a machine from receiving updates through Update Services, it will be placed in the Excluded Computers group.
Included Computers adds the machine account to the proper WSUS group and to the security filter of either the Update Services Client Computers or Update Services Server Computers GPOs:
These GPOs control various settings in how machines in your network contact WSUS. You should not make changes to them:
Among its many responsibilities, this service applies all of the configuration settings that the administrator has chosen through the SBS 2008 Console. It performs the following tasks:
The logs for this service are found in the following directory: C:\Program Files\Windows Small Business Server\Logs\MonitoringServiceLogs.
All of the pieces described above are brought together to give the administrator a simplified interface in the SBS 2008 Console in which to manage all updates for all machines on the network. You can access Update Services information from the following locations:
You also receive a list of Updates with Microsoft Software License Terms that are pending approval, Updates with Errors, Optional Updates and Updates in Progress. From here you can deploy the update, decline the update, or view the update deployment report:
It would be nice to see an option to change some of the settings (like add more categories to approve etc.) without it breaking it. Plus it would be great if we could approve more than one update at a time - on new installs it takes us well over an hour to go through and approve all the updates for a network!