Deploy and Configure WSUS on Server 2012 R2

Windows Server Update Service [WSUS] is a server role that serves as a repository for Microsoft product updates on your network. Instead of every computer on your network downloading updates directly from Microsoft you can deploy a WSUS server so the updates are downloaded once and distributed to your environment from the WSUS server.

In this post I will be deploying WSUS Server 2012 R2 in a domain environment, using the Windows Internal Database (WID), and using Group Policy to have my computers connect to WSUS instead of Microsoft Updates.

Single WSUS Server

Deploying the WSUS Server Role:

My WSUS Server has 1 vCPU, 4 GB Memory, a 30 GB C:\ drive and a 100 GB D:\ drive. For a full list of hardware and software requirements click here.

Ensure the account you will install the WSUS role with is at least a local administrator on the server. Open Server Manager then go to Manage then Add Roles and Features:

WSUS Install 1 - Add Roles and Features

Click Next:

WSUS Install 2 - Before you Begin

Ensure Role-based or feature-based installation is selected, then click Next:

WSUS Install 3 - Installation Type

Select your WSUS server and click Next:

WSUS Install 4 - Server Selection

Scroll to the bottom and select Windows Server Update Services:

WSUS Install 5 - Server Roles

A box will appear requesting that additional roles and features be included. Click Add Features:

WSUS Install 5-1 - Add Features

You will see multiple roles are now selected including Windows Server Update Services. Click Next:

WSUS Install 5-2 - WSUS Role Selection

Some features will already be selected due to the previous step. Click Next:

WSUS Install 6 - Features

Click Next:

WSUS Install 7 - WSUS

WSUS needs a database to store the WSUS configuration and update metadata. The WSUS database can be local or a remote SQL 2008/2012 server. For a local database it uses Windows Internal Database (WID), a limited version of SQL Express that doesn’t have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\. Microsoft recommends using the WID database. If you want to use a SQL Server then check here.

Leave WID Database & WSUS Services selected and click Next:

WSUS Install 8 - Role Services

Click the box to have updates stored locally on your server. If you do not select a location, approved updates in WSUS will be downloaded by the client computers from Microsoft Update instead.

Add the path location of where to store them and click Next:

WSUS Install 9 - Content

Click Next:

WSUS Install 10 - Web Server Role

Leave as is and click Next:

WSUS Install 11 - Role Services

WSUS does not require a reboot to finish installation, so you can leave that box unchecked. If everything looks correct, click Install:

WSUS Install 12 - Confirmation

Installation took about 10 minutes to complete for me.

Post-Deployment Configuration:

Once WSUS is installed there is additional configuration that needs to be performed. In Server Manager click the notification drop down, then Launch Post-Installation tasks:

WSUS Install 13 - Feature Installation Finished

It took roughly 10 minutes for mine to complete.

WSUS Install 13-1 - Post Deployment Configuration

Once it completes, it will report that the configuration completed.

WSUS Install 13-2 - Configuration Complete

Now that the post-deployment configuration is complete, we are ready to launch the WSUS console. Still in Server Manager, go to Tools then Windows Server Update Services:

WSUS Config 1 - Windows Server Update Services

At first launch the WSUS Configuration Wizard will open. Click Next:

WSUS Config 2 - Before you Begin

Check or uncheck the box to participate in the Microsoft Update Improvement Program. Click Next:

WSUS Config 3 - Microsoft Update Improvement Program

If this is your first WSUS server then select Synchronize from Microsoft Update. If this is a second WSUS server (such as at a remote location) and you want to talk to another WSUS server you would use the second option. Click Next:

WSUS Config 4 - Choose Upstream Server

If you use a proxy server to access the web then enter it here. Click Next:

WSUS Config 5 - Specify Proxy Server

Click Start Connecting:

WSUS Config 5-1 - Start Connecting

Once it completes click Next:

WSUS Config 5-2 - Information from Microsoft

Select your language(s) then click Next:

WSUS Config 6 - Choose Languages

Select what products you want to download updates for. In my environment I selected Windows 10, Office 2016, Server 2012 R2, Server 2016, Server Drivers and Server Manager. You can add/remove products later if you miss some. Once you are finished click Next:

WSUS Config 7 - Choose Products

Select what types of updates you want to download. Click Next:

WSUS Config 8 - Choose Classifications

Synchronize means WSUS will contact the upstream server (either Microsoft Update or another WSUS server) and download metadata about new updates that are available. You can leave this set to manual or change it to automatic. I opted to leave it manual so I can see what updates are available for each manual sync I do. Click Next:

WSUS Config 9 - Configure Sync Schedule

Go ahead and select the box named Begin initial synchronization as this will be the first one. Click Next:

WSUS Config 10 - Finished

There are some links you can click on to read more. Click Finish:

WSUS Config 11 - What's Next

Welcome to the WSUS Console! You should see the status of the Synchronization that we selected a few steps ago.

WSUS Config 12 - Synchronization Status

While it does the first synchronization, let’s set up Group Policy.

Configure WSUS Settings via Group Policy:

At a minimum there are two policies that need to be set so the computers on your domain point to your WSUS server instead of Microsoft Updates. Open Group Policy Management for your domain then right click the OU you want to create these policies for. Now click Create a GPO in this domain, and Link it here…

WSUS Group Policy 1 - Create a GPO in this domain

Type a name you want to call this policy and click Ok:

WSUS Group Policy 2 - New GPO Name

Now right click the policy and click Edit:

WSUS Group Policy 3 - Edit GPO

Expand down to Computer Configuration -> Policies -> Administrative Templates -> Windows Components and click Windows Update.

In the right pane find the setting named Configure Automatic Updates, right click it and select Edit:

WSUS Group Policy 4 - Group Policy Management Editor

Click Enabled, then on the drop down menu select the setting you want in your environment. I advise setting it first to option 3 – Auto download and notify for install, and changing it later if you decide to.

WSUS Group Policy 5 - Configure Automatic Updates

If you want to completely automate the installation of updates, select option 4 – Auto download and schedule the install, select the box Install during automatic maintenance, and select a time to perform the installation. Now any approved updates will be installed during your scheduled time. If you didn’t approve any updates, nothing will be installed that week. You can stagger your installs by adding this policy to different OUs and picking different install times.

Click Apply then Ok:

WSUS Automate 1 - Group Policy

Now right click on Specify intranet Microsoft update service location then Edit:

WSUS Group Policy 6 - Edit Intranet Update Service

Click Enabled, then enter the FQDN of your WSUS server. It needs to be in the following format:

http://FQDN of WSUS server:8530

Click Apply then Ok:

WSUS Group Policy 7 - Configure GP Update Service Location

Close out of the Group Policy Management Editor, then right click the policy and click Enforced to enable it:

WSUS Group Policy 8 - Enforce Policy

Configure WSUS Computer Groups:

Back on the WSUS Console, let’s look at how you can organize your computers. You can create Computer Groups to control which computers get your approved updates. This is helpful if, for example, you want your VMware View servers to receive an update that you don’t want your Citrix servers to get.

WSUS Computer Group 1 - Add Computer Group

Here is how I have my Computer Groups. Another example is that you could have Production Servers and Test Servers, then have Test Servers get the latest and greatest while Production is a month behind to ensure patch compatibility with your applications.

WSUS Computer Group 2 - Computer Group List

You can automate adding the computers into Computer Groups by using Group Policy. By default all computers are added into the Unassigned Computers group. To change this click Options then Computers:

WSUS Computer Group 4 - Computer Group Options

If you change the setting to Use Group Policy or registry settings on computers, Group Policy will place them into groups.

WSUS Computer Group 4-1 - Edit Computer Group Options

To create this policy, open Group Policy and drill down to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. There is a setting called Enable Client-Side Targeting; when it is enabled, you type the name of the Computer Group that computers receiving this policy will join.

WSUS Computer Group 4-2 - Group Policy for Computer Groups

You can recreate this policy on each OU in Active Directory to have them automatically placed in a specific Computer Group!
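A quick way to confirm that the two Windows Update policies above and the client-side targeting policy actually reached a domain computer is to read the policy keys they write. This is an added example, not from the original post; the WSUS URL it compares against is an assumption for your own FQDN.

```powershell
# Added example (not from the original post): verify on a domain-joined client that
# "Specify intranet Microsoft update service location", "Configure Automatic Updates"
# and "Enable Client-Side Targeting" have applied. Run elevated after 'gpupdate /force'.
$ExpectedServer = 'http://wsus01.corp.example:8530'   # assumed WSUS FQDN and port

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

if (-not (Test-Path $PolicyKey)) {
    Write-Warning "No WindowsUpdate policy key found: the GPO has not applied to this computer."
    return
}

$wu = Get-ItemProperty -Path $PolicyKey
$au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue

# Specify intranet Microsoft update service location -> WUServer / WUStatusServer
"WUServer       : $($wu.WUServer)"
"WUStatusServer : $($wu.WUStatusServer)"
if ($wu.WUServer -ne $ExpectedServer) {
    Write-Warning "WUServer does not match the expected WSUS URL ($ExpectedServer)."
}
if ($wu.WUServer -like 'http://*') {
    Write-Warning "Client talks to WSUS over plain HTTP (8530); consider enabling SSL on WSUS and using https://...:8531."
}

# Configure Automatic Updates -> UseWUServer=1 means updates come from WSUS, not Microsoft Update;
# AUOptions 3 = auto download and notify, 4 = auto download and schedule the install.
$options = @{ 2 = 'Notify before download'; 3 = 'Auto download, notify for install';
              4 = 'Auto download and schedule install'; 5 = 'Local admin chooses' }
"UseWUServer    : $($au.UseWUServer)"
"AUOptions      : $($au.AUOptions) ($($options[[int]$au.AUOptions]))"
if ($au.AUOptions -eq 4) {
    "Scheduled day/time : $($au.ScheduledInstallDay) / $($au.ScheduledInstallTime):00 (0 = every day)"
}

# Enable Client-Side Targeting -> which WSUS Computer Group this machine joins
if ($wu.TargetGroupEnabled -eq 1) {
    "TargetGroup    : $($wu.TargetGroup)"
} else {
    "TargetGroup    : (client-side targeting not enabled; computer lands in Unassigned Computers)"
}
```

If the key is missing or the values are wrong, check the GPO link and Enforced setting on the OU before troubleshooting the WSUS server itself.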

Approve Updates: 

Before your computers will see any updates you must approve them for installation. Click All Updates and ensure the filter says Unapproved to see the full list. You can select specific updates or press CTRL + A to select them all. Make your selection, then click Approve in the right pane:

WSUS Updates 1 - Approve Updates

You will get a pop up window asking which Computer Groups you want to approve the updates for. Using the drop down I selected to approve them for all Computer Groups. Click Ok:

WSUS Updates 2 - Approve Updates Popup

Once it completes click Close:

WSUS Updates 3 - Updates Approved

Now when your computers perform their updates they will pull all the approved updates.
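The same approval can be scripted from the WSUS server with the UpdateServices module that ships with the role, which makes the staged rollout described earlier (Test Servers first, Production a month later) repeatable. This is an added example, not from the original post; the server name, port and group name are assumptions.

```powershell
# Added example (not from the original post): approve unapproved Security and Critical
# updates that some client still needs (or failed on) for the "Test Servers" group only.
# Assumes the WSUS role on this server, the built-in UpdateServices module and port 8530.
Import-Module UpdateServices

$wsus  = Get-WsusServer -Name 'localhost' -PortNumber 8530   # assumed server/port
$Group = 'Test Servers'                                       # assumed Computer Group name

# Don't approve against stale metadata: confirm the last synchronization succeeded first
$sync = $wsus.GetSubscription().GetLastSynchronizationInfo()
if ($sync.Result -ne 'Succeeded') {
    Write-Warning "Last synchronization result: $($sync.Result). Fix sync before approving."
    return
}

foreach ($class in 'Security', 'Critical') {
    # Unapproved updates of this classification that at least one client needs or has failed on
    $pending = @(Get-WsusUpdate -UpdateServer $wsus -Classification $class `
                                -Approval Unapproved -Status FailedOrNeeded)

    "$class updates pending approval: $($pending.Count)"
    if ($pending.Count -gt 0) {
        $pending | Approve-WsusUpdate -Action Install -TargetGroupName $Group
    }
}

# Show what the group will now receive, newest first, so the change can be reviewed
Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status FailedOrNeeded |
    Select-Object -ExpandProperty Update |
    Select-Object Title, @{ n = 'Released'; e = { $_.CreationDate } } |
    Sort-Object Released -Descending |
    Format-Table -AutoSize
```

Run it again with `$Group = 'Production Servers'` once the test group has reported clean installs for the period you decided on.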

Conclusion:

After Group Policy takes effect you should start seeing your computers appear in the All Computers section. This has made managing security patches so much easier! In my screenshot below I have 23 recent updates to apply, with LABSCCM01 having a failed update I need to look into. Note: Should have a SCCM post coming soon 🙂

WSUS Computer Status

Additional Resources:
