Step 2: Configure WSUS

Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

After installing the WSUS server role on your server, you need to configure it properly. The following checklist summarizes the steps involved in performing the initial configuration of your WSUS server.

Task - Description
2.1. Configure network connections - Configure the cluster network by using the Network Configuration Wizard.
2.2. Configure WSUS by using the WSUS Configuration Wizard - Use the WSUS Configuration Wizard to perform the base WSUS configuration.
2.3. Configure WSUS computer groups - Create computer groups in the WSUS Administration Console to manage updates in your organization.
2.4. Configure client updates - Specify how and when Automatic Updates are applied to client computers.
2.5. Secure WSUS with the Secure Sockets Layer Protocol - Configure the Secure Sockets Layer (SSL) protocol to help protect Windows Server Update Services (WSUS).

2.1. Configure network connections

Before you start the configuration process, be sure that you know the answers to the following questions:

  1. Is the server's firewall configured to allow clients to access the server?

  2. Can this computer connect to the upstream server (such as the server that is designated to download updates from Microsoft Update)?

  3. Do you have the name of the proxy server and the user credentials for the proxy server, if you need them?

By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates. If you have a proxy server on the network, you can configure WSUS to use the proxy server. If there is a corporate firewall between WSUS and the Internet, you might have to configure the firewall to ensure that WSUS can obtain updates.

Tip

Although Internet connectivity is required to download updates from Microsoft Update, WSUS offers you the ability to import updates onto networks that are not connected to the Internet.

When you have the answers to these questions, you can start configuring the following WSUS network settings:

  • Updates: Specify the way this server will obtain updates (from Microsoft Update or from another WSUS server).

  • Proxy: If you identified that WSUS needs to use a proxy server to have Internet access, you need to configure proxy settings on the WSUS server.

  • Firewall: If you identified that WSUS is behind a corporate firewall, there are some additional steps that must be done at the edge device to properly allow WSUS traffic.

2.1.1. Connection from the WSUS server to the Internet

If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 443 for the HTTPS protocol. Although most corporate firewalls allow this type of traffic, some companies restrict Internet access from servers because of their security policies. If your company restricts access, you need to obtain authorization to allow Internet access from WSUS to the following list of URLs:

  • http://windowsupdate.microsoft.com

  • http://*.windowsupdate.microsoft.com

  • https://*.windowsupdate.microsoft.com

  • http://*.update.microsoft.com

  • https://*.update.microsoft.com

  • http://*.windowsupdate.com

  • http://download.windowsupdate.com

  • https://download.microsoft.com

  • http://*.download.windowsupdate.com

  • http://wustat.windows.com

  • http://ntservicepack.microsoft.com

  • http://go.microsoft.com

  • http://dl.delivery.mp.microsoft.com

  • https://dl.delivery.mp.microsoft.com

Important

For a scenario in which WSUS is failing to obtain updates due to firewall configurations, see article 885819 in the Microsoft Knowledge Base.

The following section describes how to configure a corporate firewall that is positioned between WSUS and the Internet. Because WSUS initiates all the network traffic, it is not necessary to configure Windows Firewall on the WSUS server. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize on a custom port.

2.1.2. Connection between WSUS servers

WSUS upstream and downstream servers synchronize on the port configured by the WSUS administrator. By default, these ports are configured as follows:

  • On WSUS 3.2 and earlier, port 80 for HTTP and port 443 for HTTPS.

  • On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and port 8531 for HTTPS.

The firewall on the WSUS server must be configured to allow inbound traffic on these ports.

2.1.3. Connection between clients (Windows Update Agent) and WSUS servers

The listening interfaces and ports are configured in the IIS site(s) for WSUS and in any Group Policy settings used to configure client PCs. The default ports are the same as those specified in the preceding section, Connection between WSUS servers, and the firewall on the WSUS server must also be configured to allow inbound traffic on these ports.
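The following PowerShell is an added example, not part of the original page or of WSUS itself. It opens the default WSUS inbound ports (WSUS 6.2 and later) in Windows Firewall on the WSUS server and checks reachability of the ports and of the non-wildcard Microsoft Update hosts listed above; the rule names and the server name are hypothetical, and the upstream check is a direct TCP test that does not go through a proxy.

```powershell
# Added example, not from the original page: Windows Firewall rules for the WSUS
# listening ports plus TCP reachability checks. Assumes WSUS 6.2+ (8530/8531);
# rule names and 'wsus01.corp.example' are hypothetical.

# Run on the WSUS server, elevated. Inbound rules are needed for downstream servers
# and clients; WSUS's own outbound traffic needs no Windows Firewall change.
function Enable-WsusInboundRules {
    param(
        [int[]]$Ports = @(8530, 8531),     # 8530 = HTTP, 8531 = HTTPS
        [string[]]$Profile = @('Domain')   # widen only if clients sit on other profiles
    )
    foreach ($port in $Ports) {
        $name = "WSUS inbound TCP $port"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists"
            continue
        }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Allow -Profile $Profile | Out-Null
    }
}

# Run on a client or downstream server: TCP check of the WSUS listening ports.
function Test-WsusServerPorts {
    param(
        [string]$Server = 'wsus01.corp.example',   # hypothetical WSUS FQDN
        [int[]]$Ports = @(8530, 8531)
    )
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = "${Server}:$port"; Open = $r.TcpTestSucceeded }
    }
}

# Run on the WSUS server: TCP check of the non-wildcard Microsoft Update hosts
# from the URL list above, on the port each URL's scheme implies (80 or 443).
function Test-WsusUpstreamEndpoints {
    $urls = @(
        'http://windowsupdate.microsoft.com',
        'http://download.windowsupdate.com',
        'https://download.microsoft.com',
        'http://wustat.windows.com',
        'http://ntservicepack.microsoft.com',
        'http://go.microsoft.com',
        'http://dl.delivery.mp.microsoft.com',
        'https://dl.delivery.mp.microsoft.com'
    )
    foreach ($u in $urls) {
        $uri = [Uri]$u
        $r = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = "$($uri.Host):$($uri.Port)"; Open = $r.TcpTestSucceeded }
    }
}

# Example calls (server side); run Test-WsusServerPorts from a client instead.
Enable-WsusInboundRules -Verbose
Test-WsusUpstreamEndpoints | Format-Table -AutoSize
```

If WSUS reaches the Internet only through a proxy, a closed result from Test-WsusUpstreamEndpoints is expected; verify the proxy path with the synchronization test in the WSUS Configuration Wizard instead.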

Configure the proxy server

If the corporate network uses proxy servers, the proxy servers must support the HTTP and SSL protocols and use basic authentication or Windows authentication. These requirements can be met by using one of the following configurations:

  1. A single proxy server that supports two protocol channels. In this case, set one channel to use HTTP and the other channel to use HTTPS.

    Note

    You can set up one proxy server that handles both protocols for WSUS during the WSUS server software installation.

  2. Two proxy servers, each of which supports a single protocol. In this case, one proxy server is configured to use HTTP, and the other proxy server is configured to use HTTPS.

To set up two proxy servers, each of which will handle one protocol for WSUS, use the following procedure:

To set up WSUS to use two proxy servers

  1. Log on to the computer that is to be the WSUS server by using an account that is a member of the local Administrators group.

  2. Install the WSUS server role. During the WSUS Configuration Wizard (discussed in the next section), do not specify a proxy server.

  3. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, go to Start. In Start Search, type Command prompt. At the top of the Start menu, right-click Command prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.

  4. In the Command Prompt window, go to the C:\Program Files\Update Services\Tools folder. Type the following command:

    wsusutil ConfigureSSLproxy <proxy_server> <proxy_port> -enable

    where:

    1. proxy_server is the name of the proxy server that supports HTTPS.

    2. proxy_port is the proxy server port number.

  5. Close the Command Prompt window.

To add the proxy server that uses the HTTP protocol to the WSUS configuration, use the following procedure:

To add a proxy server that uses the HTTP protocol

  1. Open the WSUS Administration Console.

  2. In the left pane, expand the server name, and then click Options.

  3. In the Options pane, click Update Source and Update Server, and then click the Proxy Server tab.

  4. Use the following options to modify the existing proxy server configuration:

    To change or add a proxy server to the WSUS configuration
    1. Select the Use a proxy server when synchronizing check box.

    2. In the Proxy server name text box, type the name of the proxy server.

    3. In the Proxy port number text box, type the port number of the proxy server. The default port number is 80.

    4. If the proxy server requires that you use a specific user account, select the Use user credentials to connect to the proxy server check box. Type the required user name, domain, and password into the corresponding text boxes.

    5. If the proxy server supports basic authentication, select the Allow basic authentication (password is sent in cleartext) check box.

    6. Click OK.

    To remove a proxy server from the WSUS configuration
    1. To remove a proxy server from the WSUS configuration, clear the Use a proxy server when synchronizing check box.

    2. Click OK.

2.2. Configure WSUS by using the WSUS Configuration Wizard

This procedure assumes that you are using the WSUS Configuration Wizard, which appears the first time you launch the WSUS Management Console. Later in this topic, you will learn how to perform these configurations by using the Options page.

To configure WSUS

  1. In the Server Manager navigation pane, click Dashboard, click Tools, and then click Windows Server Update Services.

    Note

    If the Complete WSUS Installation dialog box appears, click Run. In the Complete WSUS Installation dialog box, click Close when the installation finishes successfully.

  2. The Windows Server Update Services Wizard opens. On the Before You Begin page, review the information, and then click Next.

  3. Read the instructions on the Join the Microsoft Update Improvement Program page and evaluate whether you want to participate. If you want to participate in the program, retain the default selection; otherwise, clear the check box. Then click Next.

  4. On the Choose Upstream Server page, there are two options:

    1. Synchronize the updates with Microsoft Update

    2. Synchronize from another Windows Server Update Services server

      • If you choose to synchronize from another WSUS server, specify the server name and the port on which this server will communicate with the upstream server.

      • To use SSL, select the Use SSL when synchronizing update information check box. The servers will use port 443 for synchronization. (Make sure that this server and the upstream server support SSL.)

      • If this is a replica server, select the This is a replica of the upstream server check box.

  5. After selecting the proper options for your deployment, click Next to proceed.

  6. On the Specify Proxy Server page, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes.

    Important

    You must complete this step if you identified that WSUS needs a proxy server to have Internet access.

  7. If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box.

  8. Click Next. On the Connect to Upstream Server page, click Start Connecting.

  9. When it connects, click Next to proceed.

  10. On the Choose Languages page, you have the option to select the languages for which WSUS will receive updates: all languages or a subset of languages. Selecting a subset of languages saves disk space, but it is important to choose all of the languages that are needed by all the clients of this WSUS server. If you choose to get updates only for specific languages, select Download updates only in these languages, and then select the languages for which you want updates; otherwise, leave the default selection.

    Warning

    If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages.

  11. After selecting the appropriate language options for your deployment, click Next to continue.

  12. The Choose Products page allows you to specify the products for which you want updates. Select product categories, such as Windows, or specific products, such as Windows Server 2012. Selecting a product category selects all the products in that category.

  13. Select the appropriate product options for your deployment, and then click Next.

  14. On the Choose Classifications page, select the update classifications that you want to obtain. Choose all the classifications or a subset of them, and then click Next.

  15. The Set Sync Schedule page enables you to select whether to perform synchronization manually or automatically.

    • If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console.

    • If you choose Synchronize automatically, the WSUS server will synchronize at set intervals.

    Set the time for the First synchronization, and then specify the number of Synchronizations per day that you want this server to perform. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M.

  16. After selecting the appropriate synchronization options for your deployment, click Next to continue.

  17. On the Finished page, you have the option to start the synchronization now by selecting the Begin initial synchronization check box. If you do not select this option, you need to use the WSUS Management Console to perform the initial synchronization. Click Next if you want to read more about additional settings, or click Finish to conclude this wizard and finish the initial WSUS setup.

  18. After you click Finish, the WSUS Management Console appears.

Now that you have performed the basic WSUS configuration, read the next sections for more details about changing the settings by using the WSUS Management Console.

2.3. Configure WSUS computer groups

Computer groups are an important part of Windows Server Update Services (WSUS) deployments. Computer groups permit you to test and target updates to specific computers. There are two default computer groups: All Computers and Unassigned Computers. By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of these groups.

You can create as many custom computer groups as you need to manage updates in your organization. As a best practice, create at least one computer group to test updates before you deploy them to other computers in your organization.

Use the following procedure to create a new group and assign a computer to this group:

To create a computer group

  1. In the WSUS Administration Console, under Update Services, expand the WSUS server, expand Computers, right-click All Computers, and then click Add Computer Group.

  2. In the Add Computer Group dialog box, in Name, specify the name of the new group, and then click Add.

  3. Click Computers, and then select the computers that you want to assign to this new group.

  4. Right-click the computer names that you selected in the previous step, and then click Change Membership.

  5. In the Set Computer Group Membership dialog box, select the test group that you created, and then click OK.

2.4. Configure client updates

WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server. The best way to configure Automatic Updates depends on the network environment.

  • In an environment that uses the Active Directory directory service, you can use an existing domain-based Group Policy Object (GPO) or create a new GPO.

  • In an environment without Active Directory, use the Local Group Policy Editor to configure Automatic Updates, and then point the client computers to the WSUS server.

Important

The following procedures assume that your network runs Active Directory. These procedures also assume that you are familiar with Group Policy and use it to manage the network.

Use the following procedures to configure Automatic Updates for client computers:

Configure Automatic Updates in Group Policy

If you have set up Active Directory in your network, you can configure one or multiple computers simultaneously by including them in a Group Policy Object (GPO) and then configuring that GPO with WSUS settings. We recommend that you create a new GPO that contains only WSUS settings.

Link this WSUS GPO to an Active Directory container that is appropriate for your environment. In a simple environment, you might link a single WSUS GPO to the domain. In a more complex environment, you might link multiple WSUS GPOs to several organizational units (OUs), which enables you to apply different WSUS policy settings to different types of computers.

To enable WSUS through a domain GPO
  1. In the Group Policy Management Console (GPMC), browse to the GPO on which you want to configure WSUS, and then click Edit.

  2. In the GPMC, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  3. In the details pane, double-click Configure Automatic Updates. The Configure Automatic Updates policy opens.

  4. Click Enabled, and then select one of the following options under the Configure automatic updating setting:

    • Notify for download and notify for install. This option notifies a logged-on administrative user before the updates are downloaded and installed.

    • Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates. By default, this option is selected.

    • Auto download and schedule the install. This option automatically begins downloading updates and then installs the updates on the day and at the time that you specify.

    • Allow local admin to choose setting. This option lets local administrators use Automatic Updates in Control Panel to select a configuration option. For example, they can choose a scheduled installation time. Local administrators cannot disable Automatic Updates.

  5. Select Enable client-side targeting, select Enabled, and then type the name of the WSUS computer group to which you want to add this computer in the Target group name for this computer box.

    Note

    Enable client-side targeting enables client computers to add themselves to target computer groups on the WSUS server when Automatic Updates is redirected to a WSUS server. If the status is set to Enabled, this computer will identify itself as a member of a particular computer group when it sends information to the WSUS server, which uses that information to determine which updates are deployed to this computer. This setting indicates to the WSUS server which group the client computer will use. You must create the group on the WSUS server and add domain-member computers to that group.

  6. Click OK to close the Enable client-side targeting policy and return to the Windows Update details pane.

  7. Click OK to close the Configure Automatic Updates policy and return to the Windows Update details pane.

  8. In the Windows Update details pane, double-click Specify intranet Microsoft update service location.

  9. Click Enabled, and then, in the Set the intranet update service for detecting updates and Set the intranet statistics server text boxes, type the same URL of the WSUS server. For example, type http://servername in both boxes (where servername is the name of the WSUS server).

    Warning

    When you type the intranet address of your WSUS server, make sure to specify which port is going to be used. By default, WSUS uses port 8530 for HTTP and port 8531 for HTTPS. For example, if you are using HTTP, you should type http://servername:8530.

  10. Click OK.

After you set up a client computer, it takes several minutes before the computer appears on the Computers page in the WSUS Administration Console. For client computers that are configured with a domain-based Group Policy Object, it can take about 20 minutes for Group Policy to apply the new policy settings to the client computer. By default, Group Policy updates in the background every 90 minutes, with a random offset of 0 to 30 minutes. If you want to update Group Policy sooner, you can open a Command Prompt window on the client computer and type gpupdate /force.

For client computers that are configured by using the Local Group Policy Editor, the GPO is applied immediately, and the update takes about 20 minutes. If you begin detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS.

Because waiting for detection to start can be time-consuming, you can use the following procedure to initiate detection immediately.

To initiate WSUS detection
  1. On the client computer, open a Command Prompt window with elevated privileges.

  2. Type wuauclt.exe /detectnow, and then press ENTER.
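The following PowerShell is an added example, not part of the original page, for checking on a client that the policy settings from the procedure above actually arrived and are consistent before forcing detection. It assumes the standard Windows Update policy registry path, which the page itself does not name, and it applies the page's port warning (an explicit port such as :8530) and the FQDN requirement for HTTPS from section 2.5.

```powershell
# Added example, not from the original page: read the WSUS client policy values
# that the GPO in section 2.4 writes, sanity-check them, then trigger detection.
# Assumes the standard Windows Update policy registry path (not named on the page).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Returns $null when no WSUS policy has been applied to this computer yet
    if (-not (Test-Path $PolicyKey)) { return $null }
    $wu = Get-ItemProperty -Path $PolicyKey
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $wu.WUServer                 # "Set the intranet update service for detecting updates"
        WUStatusServer     = $wu.WUStatusServer           # "Set the intranet statistics server"
        TargetGroupEnabled = [bool]$wu.TargetGroupEnabled # "Enable client-side targeting"
        TargetGroup        = $wu.TargetGroup              # "Target group name for this computer"
        UseWUServer        = [bool]$au.UseWUServer        # set when the intranet location policy is Enabled
        AUOptions          = $au.AUOptions                # 2 notify/notify, 3 auto/notify, 4 auto/schedule, 5 local admin chooses
    }
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)]$Policy)
    $problems = @()
    if (-not $Policy.UseWUServer) { $problems += 'Client is not directed to an intranet WSUS server.' }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $Policy.$name
        if (-not $url) { $problems += "$name is empty."; continue }
        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $problems += "$name is not a valid URL: $url"; continue
        }
        # Warning in step 9: the port must be explicit (8530 HTTP / 8531 HTTPS by default)
        if ($uri.IsDefaultPort) { $problems += "$name has no explicit port: $url" }
        # Section 2.5: clients using HTTPS must address the WSUS server by FQDN
        if ($uri.Scheme -eq 'https' -and $uri.Host -notmatch '\.') { $problems += "$name uses HTTPS without an FQDN: $url" }
    }
    if ($Policy.WUServer -and $Policy.WUStatusServer -and $Policy.WUServer -ne $Policy.WUStatusServer) {
        $problems += 'Update service and statistics server URLs differ; step 9 uses the same URL for both.'
    }
    if ($Policy.TargetGroupEnabled -and -not $Policy.TargetGroup) {
        $problems += 'Client-side targeting is enabled but no target group name is set.'
    }
    return $problems
}

function Invoke-WsusDetection {
    # Refresh Group Policy now, then ask the Windows Update Agent to contact WSUS
    gpupdate.exe /force | Out-Null
    wuauclt.exe /detectnow
}

$policy = Get-WsusClientPolicy
if ($null -eq $policy) {
    Write-Warning 'No WSUS policy applied yet; run gpupdate /force or wait for the refresh interval.'
} else {
    $issues = @(Test-WsusClientPolicy -Policy $policy)
    if ($issues.Count -eq 0) {
        Write-Host "WSUS client policy OK: $($policy.WUServer)"
        Invoke-WsusDetection
    } else {
        $issues | ForEach-Object { Write-Warning $_ }
    }
}
```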

2.5. Secure WSUS with the Secure Sockets Layer Protocol

You can use the Secure Sockets Layer (SSL) protocol to help secure the WSUS deployment. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. WSUS also uses SSL to encrypt update metadata.

Important

Clients and downstream servers that are configured to use Transport Layer Security (TLS) or HTTPS must also be configured to use a fully qualified domain name (FQDN) for their upstream WSUS server.

WSUS uses SSL for metadata only, not for update files. This is the same way that Microsoft Update distributes updates. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. In addition, a hash is computed and sent together with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been changed, it is not installed.

Limitations of WSUS SSL deployments

You must consider the following limitations when you use SSL to secure a WSUS deployment:

  1. Using SSL increases the server workload. You should expect a 10 percent loss of performance because of the cost of encrypting all the metadata that is sent over the network.

  2. If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the database server is not secured by SSL. If the database connection must be secured, consider the following recommendations:

    • Move the WSUS database to the WSUS server.

    • Move the remote database server and the WSUS server to a private network.

    • Deploy Internet Protocol security (IPsec) to help secure network traffic. For more information about IPsec, see Creating and Using IPsec Policies.

Configure SSL on the WSUS server

WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send updates. When you configure WSUS to use SSL, consider the following:

  • You cannot configure the whole WSUS website to require SSL, because all traffic to the WSUS site would then have to be encrypted. WSUS encrypts update metadata only. If a computer attempts to retrieve update files on the HTTPS port, the transfer will fail.

    You should require SSL for the following virtual roots only:

    • SimpleAuthWebService

    • DSSAuthWebService

    • ServerSyncWebService

    • APIremoting30

    • ClientWebService

    You should not require SSL for the following virtual roots:

    • Content

    • Inventory

    • ReportingWebService

    • SelfUpdate

  • The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or into the Windows Server Update Service Trusted Root CA store on downstream WSUS servers. If the certificate is imported only into the Local User Trusted Root CA store, the downstream WSUS server will not be authenticated on the upstream server.

    For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7).

  • You must import the certificate to all computers that will communicate with the WSUS server. This includes all client computers, downstream servers, and computers that run the WSUS Administration Console. The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store.

  • You can use any port for SSL. However, the port that you set up for SSL also determines the port that WSUS uses to send clear HTTP traffic. Consider the following examples:

    • If you use the industry standard port of 443 for HTTPS traffic, WSUS uses the industry standard port 80 for clear HTTP traffic.

    • If you use any port other than 443 for HTTPS traffic, WSUS will send clear HTTP traffic over the port that numerically comes before the port for HTTPS. For example, if you use port 8531 for HTTPS, WSUS will use port 8530 for HTTP.

  • You must re-initialize ClientServicingProxy if the server name, SSL configuration, or port number has changed.

To configure SSL on the WSUS root server
  1. Log on to the WSUS server by using an account that is a member of the WSUS Administrators group or the local Administrators group.

  2. Go to Start, type CMD, right-click Command Prompt, and then click Run as administrator.

  3. Navigate to the %ProgramFiles%\Update Services\Tools\ folder.

  4. In the Command Prompt window, type the following command:

    Wsusutil configuressl certificateName

    where:

    certificateName is the DNS name of the WSUS server.
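The server-side procedure above, scripted as an added example that is not part of this guide: it applies the "require SSL" setting to exactly the five virtual roots listed earlier, leaves the four file-serving roots on plain HTTP, runs wsusutil configuressl, and reads the result back. It assumes the default WSUS site name "WSUS Administration", the default 8531/8530 port pair, a certificate already bound to the HTTPS port in IIS, and a placeholder server name (wsus01.corp.example) that you must replace.

```powershell
# Added example, not from the WSUS documentation.
# Assumptions: default site name "WSUS Administration", HTTPS on 8531 (HTTP on 8530),
# a certificate already bound to 8531 in IIS, placeholder DNS name below.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'WSUS Administration'      # default WSUS site name (assumption)
$WsusFqdn = 'wsus01.corp.example'      # placeholder: DNS name of this WSUS server
$HttpsPort = 8531                      # assumption: non-443 port, so HTTP is 8530

# Metadata and authentication roots: these carry the data WSUS encrypts.
$RequireSsl = 'SimpleAuthWebService', 'DSSAuthWebService', 'ServerSyncWebService',
              'APIremoting30', 'ClientWebService'
# Update-file, inventory, reporting and self-update roots: must stay on clear HTTP,
# otherwise client file transfers on the HTTPS port fail.
$NoSsl = 'Content', 'Inventory', 'ReportingWebService', 'SelfUpdate'

function Set-VrootSsl {
    param([string]$Vroot, [bool]$Require)
    # Writes the <access sslFlags="..."/> setting for the virtual root into applicationHost.config.
    $value = if ($Require) { 'Ssl' } else { 'None' }
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$Vroot" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value $value
}

foreach ($v in $RequireSsl) { Set-VrootSsl -Vroot $v -Require $true }
foreach ($v in $NoSsl)      { Set-VrootSsl -Vroot $v -Require $false }

# Register the certificate name with WSUS. Re-run this whenever the server name,
# SSL configuration or port changes (that is the ClientServicingProxy re-initialization).
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $WsusFqdn

# Read back the effective setting for every root so the split is visible.
foreach ($v in $RequireSsl + $NoSsl) {
    $flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$v" `
                -Filter 'system.webServer/security/access' -Name sslFlags).Value
    '{0,-22} sslFlags={1}' -f $v, $flags
}

# Smoke test: the metadata endpoint must answer over HTTPS, and the same path
# requested over clear HTTP on the HTTPS port should be rejected by IIS.
try {
    (Invoke-WebRequest -Uri "https://${WsusFqdn}:$HttpsPort/ClientWebService/client.asmx" -UseBasicParsing).StatusCode
} catch { "HTTPS probe failed: $($_.Exception.Message)" }
```

After running it, a client that points at https://wsus01.corp.example:8531 fetches metadata encrypted and downloads files from http://wsus01.corp.example:8530/Content, which is the split the considerations above describe.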

Configure SSL on client computers

When you configure SSL on client computers, you should consider the following issues:

  • You must include a URL for a secure port on the WSUS server. Because you cannot require SSL for the whole server, the only way to make sure that client computers use a secure channel is to use a URL that specifies HTTPS. If you use any port other than 443 for SSL, you must also include that port in the URL.

  • The certificate on a client computer must be imported into the Local Computer Trusted Root CA store or the Automatic Update Service Trusted Root CA store. If the certificate is imported only into the Local User's Trusted Root CA store, Automatic Updates will fail server authentication.

  • The client computers must trust the certificate that you bind to the WSUS server. Depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server.
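The three client-side requirements above, as an added example that is not part of this guide: it imports the CA certificate into the local computer Root store (not the current user's store), points Automatic Updates at an HTTPS URL that carries the non-443 port, and then opens a TLS connection the same way the client would to confirm the chain validates against the machine store. The server name, port and certificate file path are placeholders; the registry locations are the standard Windows Update policy keys.

```powershell
# Added example, not from the WSUS documentation.
# Placeholders: $WsusFqdn, $HttpsPort, $CaCerPath. Run on the client as an administrator.
#Requires -RunAsAdministrator
$WsusFqdn  = 'wsus01.corp.example'          # placeholder DNS name of the WSUS server
$HttpsPort = 8531                            # non-443, so it must appear in the URL
$CaCerPath = 'C:\certs\wsus-root-ca.cer'     # placeholder: exported CA (public key only)

# The HTTPS scheme is what forces the secure channel; port included because it is not 443.
$WsusUrl = "https://${WsusFqdn}:$HttpsPort"

# 1. Trust the CA in the LOCAL MACHINE Root store. CurrentUser\Root is not consulted by
#    the Automatic Updates service and would fail server authentication.
Import-Certificate -FilePath $CaCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Point Automatic Updates at the HTTPS URL (same values Group Policy would write).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path "$pol\AU" -Force | Out-Null
Set-ItemProperty -Path $pol      -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $pol      -Name WUStatusServer -Value $WsusUrl -Type String
Set-ItemProperty -Path "$pol\AU" -Name UseWUServer    -Value 1        -Type DWord

# 3. Verify trust the way the client will: a TLS handshake that checks the name and chain.
$tcp = New-Object System.Net.Sockets.TcpClient($WsusFqdn, $HttpsPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($WsusFqdn)   # throws on name mismatch or untrusted issuer
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    'Trusted. Subject={0} Issuer={1} NotAfter={2:u}' -f $cert.Subject, $cert.Issuer, $cert.NotAfter
} catch {
    "Server authentication FAILED: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 4. Trigger a detection cycle so the client contacts the new URL immediately.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

If step 3 fails with a chain error while the same certificate is present under Cert:\CurrentUser\Root, that is the Local User versus Local Computer store mismatch described in the second bullet.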

Configure SSL for downstream WSUS servers

The following instructions configure a downstream server to synchronize with an upstream server that uses SSL.

To synchronize a downstream server with an upstream server that uses SSL
  1. Log on to the computer by using a user account that is a member of the local Administrators group or the WSUS Administrators group.

  2. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Update Service.

  3. In the right pane, expand the server name.

  4. Click Options, and then click Update Source and Proxy Server.

  5. On the Update Source page, select Synchronize from another Windows Server Update Services server.

  6. Type the name of the upstream server into the Server name text box. Type the port number that the server uses for SSL connections into the Port number text box.

  7. Select the Use SSL when synchronizing update information check box, and then click OK.

Additional SSL resources

The steps that are required to set up a certification authority, bind the certificate to the WSUS website, and establish trust between the client computers and the certificate are beyond the scope of this guide. For more information and for instructions about how to install certificates and set up this environment, see the following topics:

2.6. Complete IIS Configuration

By default, anonymous read access is enabled for the default website and for all new IIS websites. Some applications, notably Windows SharePoint Services, may remove anonymous access. If this has occurred, you must re-enable anonymous read access before you can successfully install and operate WSUS.

To enable anonymous read access, follow the steps for the applicable version of IIS:

  1. Enable Anonymous Authentication (IIS 7), as documented in the IIS 7 Operations Guide.

  2. Enabling Anonymous Authentication (IIS 6.0), as documented in the IIS 6.0 Operations Guide.
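A check-then-fix for the IIS 7 and later case, as an added example that is not part of this guide: it reads the anonymousAuthentication setting for the WSUS site and re-enables it only if something has turned it off. It assumes the default site name "WSUS Administration"; the appcmd line in the comment is the command-line equivalent.

```powershell
# Added example, not from the WSUS documentation. Assumes the default site name.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'WSUS Administration'   # default WSUS site name (assumption)
$Filter   = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-AnonymousAuthEnabled {
    # Reads the effective setting from applicationHost.config for the site location.
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter $Filter -Name enabled).Value
}

if (Get-AnonymousAuthEnabled) {
    "Anonymous read access is already enabled on '$SiteName'."
} else {
    # The anonymousAuthentication section is locked at server level by default, so the
    # change is committed to applicationHost.config (APPHOST) rather than the site's web.config.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter $Filter -Name enabled -Value $true
    # appcmd equivalent:
    #   %windir%\system32\inetsrv\appcmd set config "WSUS Administration" /section:anonymousAuthentication /enabled:true /commitPath:APPHOST
    "Re-enabled anonymous read access on '$SiteName': $(Get-AnonymousAuthEnabled)"
}
```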

2.7. Configure a Signing Certificate

WSUS has the ability to publish custom update packages to update Microsoft and non-Microsoft products. WSUS can automatically sign these custom update packages for you with an Authenticode certificate. To enable custom update signing, you must install a package signing certificate on your WSUS server. There are several considerations associated with custom update signing.

  1. Certificate Distribution. The private key must be installed on the WSUS server, and the public key must be explicitly installed in the trusted certificate store on all client PCs and servers that are to receive custom-signed updates.

  2. Expiration. When the self-signed certificate expires or nears expiration, WSUS will log events in the event log.

  3. Certificate Updates/Revocation. If you wanted to update or revoke a certificate (for example, after discovering that it had expired), WSUS offered no functionality to enable this. Accomplishing this turned into a manual task that was very hard to do by hand or to automate successfully.
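Because the guide says expiration is only surfaced through event log entries, a periodic check is worth scripting. The following is an added example, not from the WSUS documentation: it reads the signing certificate through the WSUS administration API (Get-WsusServer from the UpdateServices module and the SigningCertificate property of the server configuration object), warns ahead of expiry, and exports the public key only, which is the part that must be distributed to clients. The warning threshold and export path are constructed placeholders.

```powershell
# Added example, not from the WSUS documentation. Run on the WSUS server.
# Assumptions: UpdateServices module present (Windows Server 2012 and later);
# $WarnDays and $ExportPath are placeholders.
Import-Module UpdateServices

$WarnDays   = 30                                   # placeholder: how early to warn
$ExportPath = 'C:\certs\wsus-signing-public.cer'   # placeholder: public key for clients

function Get-WsusSigningCertStatus {
    # Returns subject, thumbprint, expiry and days remaining for the package-signing certificate.
    $wsus   = Get-WsusServer                       # local server, default port
    $cert   = $wsus.GetConfiguration().SigningCertificate
    if (-not $cert) { return $null }               # no certificate: custom signing is disabled
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Cert       = $cert
    }
}

$status = Get-WsusSigningCertStatus
if (-not $status) {
    'No signing certificate installed; custom update signing is not enabled.'
    return
}

'Signing cert: {0}  thumbprint {1}  expires {2:u} ({3} days left)' -f `
    $status.Subject, $status.Thumbprint, $status.NotAfter, $status.DaysLeft

if ($status.DaysLeft -le 0) {
    Write-Warning 'Signing certificate has expired; clients will reject newly signed custom updates.'
} elseif ($status.DaysLeft -le $WarnDays) {
    Write-Warning "Signing certificate expires in $($status.DaysLeft) days; plan renewal and client redistribution."
}

# Export the PUBLIC key only (no private key leaves the server) for import into clients'
# trusted stores, as consideration 1 above requires.
$bytes = $status.Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $bytes)
"Exported public certificate to $ExportPath"
```

Scheduling this daily gives a warning window before the event log entries the guide mentions appear, which matters given consideration 3: replacing the certificate and redistributing the public key to every client is manual work that needs lead time.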