70-411 Exam Cram - Deploy, manage and maintain servers
Implement patch management
Install and configure the Windows Server Update Services (WSUS) role
- If you install the UpdateServices role without specifying a database type, Windows Internal Database (WID) will be used. You must specify the UpdateServices-Db feature at installation to use SQL Server
- wsusutil.exe is used to complete Windows Server Update Services (WSUS) post installation steps
- When using the Windows Internal Database (WID), you do not need to specify the SQL_INSTANCE_NAME parameter
- You can use localhost or the local default SQL Server instance, otherwise you will need to use the SERVER\INSTANCE notation
- Wsusutil can be used to move the WSUS content folder to a different location, the syntax is:
- Wsusutil.exe movecontent "destination e.g. C:\WSUS\" "log file name e.g. C:\Temp\Move.log"
- The steps required to change a WSUS Server from HTTP to HTTPS are as follows:
- Install a server certificate
- Edit bindings to add a port for SSL, the SSL port determines the HTTP port, if 443 is used for SSL, 80 will be used for HTTP, if 8351 is used for SSL, 8350 will be used for HTTP
- Enforce SSL on the following virtual root sites:
- ApiRemoting30
- ClientWebService
- DSSAuthWebService
- ServerSyncWebService
- SimpleAuthWebService
- From cd “c:\Program Files\Update Services\Tools”, run: WSUSUtil.exe configuressl myserver.mydomain.local
- Configuration changes cannot be made on replica WSUS servers
- Wsusutil can be used with the export and import commands to transfer updates to a WSUS server that does not have an internet connection
Configure group policies for updates
- Windows 8 and Windows 8.1 computers hide Windows Update notification for non-Admin users by default. Set the 'Allow non-administrators to receive update notifications' to Enabled to restore this notification on Windows 8 computers
- Automatic Wakeup is controlled in the Maintenance Scheduler settings
- To configure clients to use a local WSUS Server, configure the following Group Policy setting:
- Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Specify intranet Microsoft update service location
- The Configure Automatic Updates setting is used to configure settings such as installation configuration
- The default port for SSL on Windows Server Update Services (WSUS) is 8531, you also are required to use the https:// prefix
Configure client-side targeting
- Enable client-side targeting must be enabled on the Windows Server Update Services (WSUS) Server and configured in the 'Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Enable client-side targeting' Group Policy setting
- When configuring multiple client side targeting, target groups can be separated using a semicolon
Configure WSUS synchronisation
- When configuring WSUS synchronisation, you will require some, if not all of the following information:
- The upstream server
- Product languages
- Update Products
- Update classifications
- The synchronisation schedule, manual or automatic
- Replica WSUS servers can be used to minimise administrative overhead by approving updates centrally and also reduce the bandwidth requirements at remote offices
- Storing updates locally reduces bandwidth requirements, not storing updates locally reduces disk requirements on the WSUS server, when choosing to store updates locally, you can choose either:
- Download updates only when approved (Deferred) - This reduces network and disk requirements
- Download express installation files (Express) - Reduces local network bandwidth at the expense of Internet bandwidth by downloading larger files to the WSUS server and smaller files to the clients
- When a new product is added to Microsoft Update, you need to synchronise the WSUS server with Microsoft Update before you can add the new product using the Products and Classifications settings
Configure WSUS groups
- You must create computer groups in the WSUS console before they can be assigned using Group Policy. You also need to change the WSUS server options to use Group Policy or Registry settings on computers for group assignment
Manage patch management in mixed environments
- To deploy patches in a mixed environment, use Microsoft System Center 2012 SP1 Configuration Manager or later
- You can import drivers directly into WSUS without synchronising the “drivers” category