Microsoft regularly provides fixes and updates for its products. These can improve functionality, fix bugs, or close security-critical gaps. To ensure the most secure computer infrastructure possible, BITS strives to quickly distribute these updates to computers within the university network.
Microsoft uses the "Windows Server Update Services" service, WSUS for short, to distribute the improvements. Every Windows computer (from Windows 7) can use this service to request specific patches for the operating system and Microsoft software installed on it. To better control the distribution of these patches, BITS operates its own WSUS server, which forwards the patches published by Microsoft.
Regular security-related updates are distributed daily. For other updates, Microsoft has used the second Tuesday of each month, "Patch Tuesday," since November 2003. Extremely critical security updates can also be distributed outside this fixed date, but this is very rare.
The patches are distributed from the WSUS server to the end devices using the "Background Intelligent Transfer Service" protocol. This ensures that the transfer of the patches does not interfere with normal work on the computer. In many cases, however, it is necessary to restart the computer after the patches have been installed.
The WSUS server at Bielefeld University does not distribute all updates provided by Microsoft, but only a defined part of them. Only patches classified by Microsoft as "updates", "important updates", "security updates" and "definition updates" are distributed. Service packs or update rollups, for example, are not distributed, as these usually make major changes to the operating system or applications. The distribution of such updates is the responsibility of the respective supervisors of the computers. Furthermore, only updates in the languages "German" and "English" are distributed.
When using the WSUS server of Bielefeld University, two cases have to be distinguished:
WSUS and computers that are members of the domain "AD".
Computers that are members of the Active Directory domain "AD" are automatically configured via a group policy to query the university's WSUS server for updates. If updates are available, they will be downloaded and installed. If a reboot is required, it will be performed at 3am.
WSUS and computers that are not members of the "AD" domain
Computers that are not members of the Active Directory "AD" domain can also use the university's WSUS server, e.g. if they cannot establish direct contact with Microsoft's update server. For this purpose, the address "windowsupdate.uni-bielefeld.de:8530" must be configured as WSUS server via a local security policy or a suitable group policy. The choice of update intervals and any rules for automatic restarting are to be determined by the respective supervisor. It is strongly recommended to install security-relevant updates as soon as possible.