back search

hantsweb

Hampshire IT

Centrally Managed Windows Server Update Service (WSUS)



Introduction

Following the success of our centrally automated Virus Protection Service We successfully piloted a centrally managed automated Microsoft update service based on Windows Server Update Service (WSUS).

WSUS is a Microsoft product that allows network administrators to set up their own Windows Update server and control all Microsoft updates that are applied to machines under their control.

Tthis service is now available to other schools running EdICTNet.

To participate schools must subscribe to the Hampshire IT SLA, be connected to HPSN2 and have an EdICTNet network for us to automatically deploy the following Microsoft updates:

  • Windows XP Service Pack 3 (SP3)
  • Windows Server 2003 SP2
  • Internet Explorer 8
  • Silverlight 3
  • .Net Framework 3.5 SP1
  • All available critical and security Hotfixes

Benefits

  • Schools' Microsoft systems are automatically maintained; they receive all security and technical updates in line with key supplier support.
  • Fully automated service.
  • Significantly reduced risk of security vulnerabilities in schools.
  • Completely secure within the HPSN SWAN environment.
  • No training required.
  • Provides Hampshire IT with real time technical information about the school IT infrastructure (e.g. OS and service pack version, free hard disk space, memory size, etc) necessary for support and major project rollout purposes. - Please note: Hampshire IT will have no access to any school data.

How does it work?

  • Hampshire IT maintains a secure central server located in Winchester running WSUS which is necessary to deliver the automated service.
  • School servers, desktops and laptops need to be configured to point to the central server in order to receive updates (automatic for EdICTNet schools).
  • All automated Microsoft updates will be 'throttled down' to ensure minimal impact on school Internet performance.
 

Initial setup

The initial set-up process for schools with EdICTNet networks is fully automated, this isn’t currently possible for schools running third party networks. However, when the service is available to schools with a third party network, we will provide your third party supplier with details of how to configure machines in order to receive updates from the central WSUS Server. Your network supplier may charge for this work.

Ongoing Microsoft Updates

Once network client machines are pointing to the central WSUS server, we will automatically deploy Microsoft Windows Service Packs, critical updates and security updates as soon as possible following their release, providing they are approved by key suppliers (such as Capita, Studywiz and other Hampshire County Council teams).

Adding new network clients

We have configured EdICTNet to automatically point all client machines to the central WSUS server. Schools with third party networks may need to arrange their local supplier to undertake this work, for which there may be a small charge.

Replacement network

Please contact the IT Help Desk if you are having a replacement local area network installed by a third party supplier, but still require Hampshire IT to provide automatic Microsoft updates.

Regardless of whether you currently subscribe to this centrally managed service we will still need to configure a site on the WSUS server and advise your supplier where to point the school server and client machines.

If you are having an EdICTNet installed, this will all be taken care of as part of our standard installation service.

School responsibilities

Once you have joined WSUS you will continue to receive critical Microsoft patches and Hotfixes on a weekly basis. The biggest 'hit' is when you are first connected and this is the time when you are most likely to see some disruption.

The update process is designed to be as transparent as possible - updates will download in the background and install at 4:00pm everyday. If no one is logged on, PCs and laptops will auto reboot to apply updates

There are some things that we need you to be aware of and act upon in order to ensure that the transition period is as painless and trouble free as possible:

  • Laptops - SP3 will only rollout when laptops are plugged into mains power. For the first week, where possible logon first thing in the morning, with a hard wired internet connection to get all updates as quickly as possible. You can continue to work on laptops during the day and the updates will be downloaded in the background. All machines should be logged off prior to 4:00 pm for updates to apply.
  • PCs - For the first week, where possible log on first thing in the morning to get all updates as quickly as possible. You can continue to work on the PC during the day and the updates will be downloaded in the background. All machines should be logged off prior to 4:00 pm for updates to apply.
  • Domain Controller - we will be releasing updates for Windows Server 2003. Administrators will see the yellow updates shield in the taskbar, please ensure you allow the system to install updates and reboot at your convenience. Each reboot should take no more that 10 minutes and we will be happy to talk you through how to do this.
  • Terminal Server - we suggest your IT technician sets time aside to reboot where necessary to get all patches up to date.
  • There are many updates to apply, this may take some time but please be patient, we will be monitoring this on the central server.
  • Finally and most importantly, due to the large number of updates that need to be applied and the extended period over which the application may occur, you may notice slow internet browsing and some incidences of computers becoming unresponsive. This was rarely seen during the pilots but is an unavoidable side effect, these issues should not prove severe.

Service Charges

This new centrally managed service is available to schools connected to HPSN SWAN and who have an Hampshire IT SLA. There are no additional charges for the service, which includes:

  • Initial connection to the automated service (third party network schools may need assistance from their local supplier).
  • Auto deployment of Hampshire IT and key supplier approved Microsoft updates.

Hampshire IT reserves the right to charge for any additional requirements including:

  • Configuration of a downstream local WSUS Server
  • Running/setting up reports for individual schools.

Please note - additional requirements are unlikely to exceed one hour.

 

Next steps

To receive this new service, schools need to subscribe to the Hampshire IT SLA, be connected to HPSN SWAN and currently be using the EdICTNet network.

To go ahead with WSUS please complete and submit this form so that we can make the necessary arrangements:

FAQs

Q: We are now using the WSUS Service but we do not have IE8 on all machines or Service Pack 3 (SP3) on some laptops.

A: We are unable to release IE8 until all machines have XP SP3 installed. During the pilots for WSUS we found that releasing both at the same time caused approximately 50% of machines to fail to install either update and we had to manually resolve these problems. Therefore, when we add a school to WSUS, we release SP3 initially, and when all machines have this update we release IE8. However, it is a requirement of the SP3 upgrade that the machines MUST have mains power in order to install such a large update. Many schools have found installing SP3 manually is the fastest way to get around this issue.

   

WSUS 1

Q: I now have Internet Explorer 8 (IE8) on my machine. When I log into Outlook Web Access (OWA) and create a new email, if I click on a toolbar icon such as ‘Left Align’, if I then click on another toolbar icon, the whole toolbar greys out.

: This behaviour is not seen in IE6 and IE7 but does occur in IE8. The workaround is to click back into the body of the email and the toolbar will become live again. If you type in some text, highlight it and then use the toolbar it will work as expected. OWA is currently version 2003 which is in extended support from Microsoft, and there will therefore not be a permanent fix for this bug. However, we are planning to upgrade to OWA 2010 by the end of 2010 which will resolve this issue.

   

WSUS

Q: I now have IE8 on my machine. When I log into OWA try and view my Inbox in the top right hand corner of the screen is a "flag icon." If I try to set a flag on an item, nothing happens

A: In IE6 and IE7 if a user wishes to flag an item all they have to do is left click on the flag which would mark the item as ‘Important’. However, this does not work correctly in IE8, and if a user wishes to flag an item, they will need to right click the item and select the relevant flag from the drop-down menu.

 



 

In this section…