Configuring Windows Update Server

Windows Server Update Services (WSUS)

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network. This topic provides an overview of this server role and more information about how to deploy and maintain WSUS.

WSUS Server role description

A WSUS server provides features that you can use to manage and distribute updates through a management console. A WSUS server can also be the update source for other WSUS servers within the organization. The WSUS server that acts as an update source is called an upstream server. In a WSUS implementation, at least one WSUS server on your network must be able to connect to Microsoft Update to get available update information. As an administrator, you can determine, based on network security and configuration, how many other WSUS servers connect directly to Microsoft Update.

Practical applications

Update management is the process of controlling the deployment and maintenance of interim software releases into production environments. It helps you maintain operational efficiency, overcome security vulnerabilities, and maintain the stability of your production environment. If your organization cannot determine and maintain a known level of trust within its operating systems and application software, it might have a number of security vulnerabilities that, if exploited, could lead to a loss of revenue and intellectual property. Minimizing this threat requires you to have properly configured systems, use the latest software, and install the recommended software updates.

The core scenarios where WSUS adds value to your business are:

Centralized update management

Update management automation

New and changed functionality

Upgrade from any version of Windows Server that supports WSUS 3.2 to Windows Server 2012 R2 requires that you first uninstall WSUS 3.2.

In Windows Server 2012, upgrading from any version of Windows Server with WSUS 3.2 installed is blocked during the installation process if WSUS 3.2 is detected. In that case, you will be prompted to first uninstall Windows Server Update Services prior to upgrading your server.

However, because of changes in this release of Windows Server and Windows Server 2012 R2, when upgrading from any version of Windows Server and WSUS 3.2, the installation is not blocked. Failure to uninstall WSUS 3.2 prior to performing a Windows Server 2012 R2 upgrade will cause the post installation tasks for WSUS in Windows Server 2012 R2 to fail. In this case, the only known corrective measure is to format the hard drive and reinstall Windows Server.

Windows Server Update Services is a built-in server role that includes the following enhancements:

Can be added and removed by using the Server Manager

Includes Windows PowerShell cmdlets to manage the most important administrative tasks in WSUS

Adds SHA256 hash capability for additional security

Provides client and server separation: versions of the Windows Update Agent (WUA) can ship independently of WSUS

Using Windows PowerShell to manage WSUS

For system administrators to automate their operations, they need coverage through command-line automation. The main goal is to facilitate WSUS administration by allowing system administrators to automate their day-to-day operations.

What value does this change add?

By exposing core WSUS operations through Windows PowerShell, system administrators can increase productivity, reduce the learning curve for new tools, and reduce errors due to failed expectations resulting from a lack of consistency across similar operations.

What works differently?

In earlier versions of the Windows Server operating system, there were no Windows PowerShell cmdlets, and update management automation was challenging. The Windows PowerShell cmdlets for WSUS operations add flexibility and agility for the system administrator.

In this collection

The following guides for planning, deploying, and managing WSUS are in this collection:

Configure Windows Server Update Services (WSUS) in Analytics Platform System

These instructions walk you through the steps for using the Windows Server Update Services (WSUS) Configuration Wizard to configure WSUS for Analytics Platform System. You need to configure WSUS before you can apply software updates to the appliance. WSUS is already installed on the VMM virtual machine of the appliance.

For more information about configuring WSUS, see the WSUS Step-by-Step Installation Guide on the WSUS website. After configuring WSUS, see Download and Apply Microsoft Updates (Analytics Platform System) to initiate an update.

If you encounter any errors during this configuration process, stop and contact support for assistance. Do not ignore errors or continue in the process after errors are received.

Before You Begin

To configure WSUS, you need to:

Have the Analytics Platform System appliance domain administrator account login information.

Have an Analytics Platform System login with permissions to access the Admin Console and view appliance state information.

Know the IP address of the upstream WSUS server if you are planning to synchronize updates from an upstream WSUS server instead of synchronizing updates directly from Microsoft Update. Make sure your upstream WSUS server is set to allow anonymous connections and supports SSL.

Know the IP address of the proxy server if your appliance will be using a proxy server to access the upstream server or Microsoft Update.

In most cases, WSUS needs to access servers outside of the appliance. To support this usage scenario the Analytics Platform System DNS can be configured to support an external name forwarder that will allow the Analytics Platform System hosts and Virtual Machines (VMs) to use external DNS servers to resolve names outside of the appliance. For more information, see Use a DNS Forwarder to Resolve Non-Appliance DNS Names (Analytics Platform System).

To configure Windows Server Update Services (WSUS)

Log into the Admin Console. On the Appliance State tab, verify that the Cluster and Network columns show green (or NA) for all nodes. Verify the status indicators for all nodes on the Appliance State.

It is safe to continue with green or NA indicators.

Evaluate non-critical (yellow) warning errors. In some cases warning messages will not block updates. If there is a non-critical disk volume error that is not on the C:\ drive, you can proceed to the next step before resolving the disk volume error.

Most red indicators must be resolved before continuing. If there are disk failures, use the Admin Console Alerts page to verify there is no more than one disk failure within each server or SAN array. If there is no more than one disk failure within each server or SAN array, you can proceed to the next step before fixing the disk failures. Be sure to contact Microsoft support to fix the disk failures as soon as possible.

Log on to the VMM virtual machine as an appliance domain administrator.

Launch the configuration wizard.

To launch the configuration wizard

In the Server Manager Dashboard, on the Tools menu, click Windows Server Update Services.

In the left pane of the Update Services window, click to expand the Virtual Machine Management node server (appliance_domain-VMM), and then click Options.

In the Options pane, click WSUS Server Configuration Wizard to launch the configuration wizard.

If this is the first time you have run the WSUS wizard, you may be asked to configure a directory for storing the updates. C:\wsus is an appropriate location; however you may provide a different path.

Review the Before You Begin list of items to complete before you complete the wizard.

On the Join the Microsoft Update Improvement Program page, select Yes, I would like to join the Microsoft Update Improvement Program, and then click Next.

You should now see the Choose Upstream Server page, which is the starting point of the configuration wizard.

Choose the upstream server.

On the Choose Upstream Server page of the WSUS configuration wizard, you will select how WSUS on the Virtual Machine Management node will connect to an upstream server to obtain software updates. Your two choices are to synchronize the upstream server with Microsoft Update or to synchronize updates with another Windows Server Update Services server.

To update by using Microsoft Update

If you choose to synchronize with Microsoft Update, you do not need to make any changes to the Choose Upstream Server page. Click Next.

To update from another WSUS server

If you choose to synchronize with a source other than Microsoft Update (an upstream server), specify the server (enter the IP address) and the port on which this server will communicate with the upstream server.

To use Secure Sockets Layer (SSL), select the Use SSL when synchronizing update information check box. In that case the servers will use port 443 for synchronization.

If this is a replica server, select the This is a replica of the upstream server check box. It is possible to select both Use SSL when synchronizing update information and This is a replica of the upstream server.

At this point, you are finished with upstream server configuration. Click Next, or select Specify proxy server in the left navigation pane.

Specify the proxy server.

If this server requires a proxy server to access Microsoft Update or a different upstream server, you can configure the proxy server settings here; otherwise, click Next.

To configure proxy server settings

On the Specify Proxy Server page of the configuration wizard, select the Use a proxy server when synchronizing check box, and then type the proxy server IP address (not name) and port number (port 80 by default) in the corresponding boxes.

If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. If you want to enable basic authentication for the user connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box.

At this point, you are finished with proxy server configuration. Click Next to go to the next page, where you can start to set up the synchronization process.

Click Start Connecting.

After the connection has succeeded, click Next to go to the next page, where you can choose languages.

Select Download updates only in these languages.

Select English, and then click Next.

If you are using an Upstream Server, you may not be able to Choose Products. If this option is not available, skip this step.

Please exclude any SQL Server 2016 updates.

Unselect all selected updates.

Select SQL Server 2012, SQL Server 2014, Windows Server 2012 R2, System Center 2012 R2 — Virtual Machine Manager, Windows Server 2016, and System Center 2016 — Virtual Machine Manager and then click Next.

If you are using an Upstream Server, you may not be able to Choose Classifications. If this option is not available, skip this step.

Unselect all previously selected updates.

Select Critical Updates, Security Updates and Update Rollups for the updates that will be synchronized for the Analytics Platform System appliance, and then click Next.

Configure the synchronization schedule.

Select Synchronize Manually, and then click Next.

Begin initial synchronization.

Select Begin initial synchronization, then click Next.

Click Finish.
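
The wizard choices above can be read back from the server afterwards. The following is an added example, not part of the original instructions: a read-only PowerShell check that flags an upstream sync without SSL, proxy basic authentication in cleartext, and product, classification, language or schedule settings that differ from the steps above. The function name Get-WsusWizardAudit is hypothetical; it uses the UpdateServices module and the WSUS administration API and assumes it runs in an elevated session on the WSUS server.

```powershell
# Added example: read-only check of the settings chosen in the WSUS wizard.
# Run in an elevated PowerShell session on the WSUS server.
Import-Module UpdateServices

function Get-WsusWizardAudit {   # hypothetical helper name
    param($Server = (Get-WsusServer))   # defaults to the local WSUS server

    $config   = $Server.GetConfiguration()
    $sub      = $Server.GetSubscription()
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Choose Upstream Server page: sync from another WSUS server should use SSL.
    if (-not $config.SyncFromMicrosoftUpdate -and -not $config.UpstreamWsusServerUseSsl) {
        $findings.Add("Upstream $($config.UpstreamWsusServerName) is synchronized without SSL")
    }

    # Specify Proxy Server page: basic authentication sends the password in cleartext.
    if ($config.UseProxy -and $config.AllowProxyCredentialsOverNonSsl) {
        $findings.Add("Proxy $($config.ProxyName) allows basic authentication in cleartext")
    }

    # Languages: only English should be enabled.
    $langs = @($config.GetEnabledUpdateLanguages())
    if ($config.AllUpdateLanguagesEnabled -or ($langs -join ',') -ne 'en') {
        $findings.Add("Languages are not limited to English: $($langs -join ', ')")
    }

    # Products and classifications are inherited on a replica, so skip them there.
    if (-not $config.IsReplicaServer) {
        $products = @($sub.GetUpdateCategories() | ForEach-Object { $_.Title })
        if ($products -match 'SQL Server 2016') {
            $findings.Add('SQL Server 2016 updates are selected')
        }
        $expected = 'Critical Updates', 'Security Updates', 'Update Rollups'
        $classes  = @($sub.GetUpdateClassifications() | ForEach-Object { $_.Title })
        $extra    = @($classes  | Where-Object { $_ -notin $expected })
        $missing  = @($expected | Where-Object { $_ -notin $classes })
        if ($extra.Count -or $missing.Count) {
            $findings.Add("Classifications differ: extra [$($extra -join ', ')], missing [$($missing -join ', ')]")
        }
    }

    # Synchronization schedule: the procedure selects Synchronize Manually.
    if ($sub.SynchronizeAutomatically) {
        $findings.Add('Synchronization is scheduled automatically, not manual')
    }

    [pscustomobject]@{
        Upstream = $(if ($config.SyncFromMicrosoftUpdate) { 'Microsoft Update' }
                     else { "$($config.UpstreamWsusServerName):$($config.UpstreamWsusServerPortNumber)" })
        Findings = $findings
    }
}

Get-WsusWizardAudit | Format-List
```

An empty Findings list means the server matches the choices described in the procedure.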

Group the Appliance Servers in WSUS

After configuring WSUS for Analytics Platform System, the next step is to group the appliance servers. By adding all of the appliance servers to a group, WSUS will be able to apply software updates to all servers in the appliance.

The WSUS system is designed to run asynchronously. Initiating activity does not always result in an immediate update. Therefore, you might need to wait a while until computers are visible in the WSUS dialog boxes. Running the setup.exe /action=ReportMicrosoftUpdateClientStatus /DomainAdminPassword="<password>" command described at the end of the topic Download and Apply Microsoft Updates (Analytics Platform System) can help refresh the dialog boxes.

To group the appliance servers

Open the WSUS console, right-click All Computers and then click Add Computer Group.

Enter the name "APS" for the computer group, and then click Add.

Click All Computers again, change the status in the Status drop-down menu to Any, and then click Refresh. You may need to expand All Computers by clicking it on the tree control on the left in order to see the new group you just added.

Select all computers that are part of the appliance, right-click, and then click Change Membership.

Select the new computer group that you created by clicking the check box and then clicking OK.

Select the new computer group, change its Status to Any, and then click Refresh. All computers should now be assigned to this group and listed in the right pane. It is generally safe to continue when nodes show warnings such as This node has not reported status yet.
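
The same grouping can be done with the WSUS PowerShell cmdlets. This is an added example, not part of the original instructions: it creates the APS group if it does not exist, adds the matching computers, and lists the members with their last report time so that nodes that have not reported yet are visible. The function name and the NamePattern parameter are hypothetical; the pattern must match your appliance's host names.

```powershell
# Added example: group the appliance servers from PowerShell instead of the console.
# Run in an elevated PowerShell session on the WSUS server.
Import-Module UpdateServices

function Add-ApplianceComputersToGroup {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$NamePattern,              # assumption: wildcard matching appliance host names
        [string]$GroupName = 'APS',
        $Server = (Get-WsusServer)
    )

    # Create the computer group only if it is not there yet.
    $group = $Server.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) {
        $group = $Server.CreateComputerTargetGroup($GroupName)
    }

    # Computers appear in WSUS asynchronously, so this list can be incomplete at first.
    $computers = @($Server.GetComputerTargets() |
        Where-Object { $_.FullDomainName -like $NamePattern })
    if ($computers.Count -eq 0) {
        Write-Warning "No computers match '$NamePattern' yet; wait for them to register and run again."
        return
    }

    # Equivalent of Change Membership in the console.
    $computers | Add-WsusComputer -TargetGroupName $GroupName

    # Members with their last report time; a node that has not reported status yet
    # shows the minimum date value here.
    $group.GetComputerTargets() |
        Sort-Object FullDomainName |
        Select-Object FullDomainName, LastReportedStatusTime
}
```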
