Windows Server Update Service [WSUS] is a server role that serves as a repository for Microsoft product updates on your network. Instead of every computer on your network downloading updates directly from Microsoft you can deploy a WSUS server so the updates are downloaded once and distributed to your environment from the WSUS server.
In this post I will be deploying WSUS Server 2012 R2 in a domain environment, using the Windows Internal Database (WID), and using Group Policy to have my computers connect to WSUS instead of Microsoft Updates.
Deploying the WSUS Server Role:
My WSUS Server has 1 vCPU, 4 GB Memory, a 30 GB C:\ drive and a 100 GB D:\ drive. For a full list of hardware and software requirements click here.
Ensure the account you will install the WSUS role with is at least a local administrator on the server. Open Server Manager then go to Manage then Add Roles and Features:
Ensure Role-base or feature-based installation is selected then click Next:
Select your WSUS server and click Next:
Scroll to the bottom and select Windows Server Update Services:
A box will appear requesting additional roles and features are included. Click Add Features:
You will see multiple roles are now selected including Windows Server Update Services. Click Next:
Some features will already be selected due to the previous step. Click Next:
WSUS needs a database to store WSUS Configuration and update metadata. The WSUS database can be local or a remote SQL 2008/2012 server. For a local database it will use Windows Internal Database (WID) which is a limited version of SQL Express that doesn’t have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\. Microsoft recommends using the WID database. If you want to use a SQL Server then check here.
Leave WID Database & WSUS Services selected and click Next:
Click the box to have updates stored locally on your server. If you do not select a location then approved update in WSUS will be downloaded by the client computers from Microsoft Updates.
Add the path location of where to store them and click Next:
Leave as is and click Next:
WSUS does not require a reboot to finish installation so you can leave that box unchecked. If everything looks correct click Install:
Installation took about 10 minutes to complete for me.
Once WSUS is install there is additional configuration that needs to be performed. In Server Manager click the notification drop down then Launch Post-Installation tasks:
It took about roughly 10 minutes for mine to complete.
Once it completes it will say the Configuration completed.
Now the Post-deployment configuration is complete we are ready to launch WSUS console. Still in Server Manager go to Tools then Windows Update Services:
At first launch it will come up to a WSUS Configuration Wizard. Click Next:
Check or uncheck the box to participate in the Microsoft Update Improvement Program. Click Next:
If this is your first WSUS server then select Synchronize from Microsoft Update. If this is a second WSUS server (such as at a remote location) and you want to talk to another WSUS server you would use the second option. Click Next:
If you use a proxy server to access the web then enter it here. Click Next:
Click Start Connecting:
Once it completes click Next:
Select your language(s) then click Next:
Select what products you want to download updates for. In my environment I selected Windows 10, Office 2016, Server 2012 R2, Server 2016, Server Drivers and Server Manager. You can add/remove products later if you miss some. Once you are finished click Next:
Select what types of updates you want to download. Click Next:
Synchronize means WSUS will contact the upstream server (either Microsoft Updates or another WSUS server) and downloads metadata information of new updates that are available. You can leave this set to manual or change to automatic. I opted to leave it manual so I can see what updates are available for each manual sync I do. Click Next:
Go ahead and select the box named Begin initial synchronization as this will be the first one. Click Next:
There are some links you can click on to read more about. Click Finish:
Welcome to the WSUS Console! You should see the status of the Synchronization that we selected a few steps ago.
While it does the first synchronization let’s setup Group Policy.
Configure WSUS Settings via Group Policy:
At a minimum there are two policies that need to be set so the computers on your domain point to your WSUS server instead of Microsoft Updates. Open Group Policy Management for your domain then right click the OU you want to create these policies for. Now click Create a GPO in this domain, and Link it here…
Type a name you want to call this policy and click Ok:
Now right click the policy and click Edit:
Expand down to Computer Configuration -> Policies -> Administrative Templates -> Windows Components and click Windows Update.
In the right pane find the settings named Configure Automatic Updates, right click and Edit:
Click Enable then on the drop down menu select a setting that you want in your environment. I advise to first set it to option 3 – Auto download and notify for install and change it later if you decide.
If you want to complete automate the installation of Updates then select option 4 – Auto download and schedule the install, select the box Install during automatic maintenance and select a time to perform the installation. Now any approved updates will be installed during your scheduled time. If you didn’t approve any updates then nothing will be installed that week. You can stagger your installs by adding this policy to different OUs then picking different install times.
Click Apply then Ok:
Now right click on Specify intranet Microsoft update service location then Edit:
Click Enable then enter the FQDN of your WSUS server. Needs to be in the following format:
http://FQDN of WSUS server:8530
Click Apply then Ok:
Close out of the Group Policy Management Editor then right click the policy then Enforced to enable it:
Configure WSUS Computer Groups:
Back on the WSUS Console let’s look at how you can organize your computers. You can create Computer Groups to organize what computers get your approved updates. This is helpful if for example you want your VMware View servers to receive a update that you don’t want your Citrix servers to get.
Here is how I have my Computer Groups. Another example is you could have Production Servers and Test Servers then have Test Servers get the latest and greatest where Production is a month behind to ensure patch compatibility with your applications.
You can automate adding the computers into Computer Groups by using Group Policy. By default all computers are added into the Unassigned Computers group. To change this click Options then Computers:
If you change the settings to Use Group Policy or registry settings on computers then Group Policy will place them.
To create this policy open Group Policy then drill down to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. There is a settings called Enable Client-Side Targeting where if enabled then you can type the name of the Computer Group so computers that have this policy enabled will join.
You can recreate this policy on each OU in Active Directory to have them automatically placed in a specific Computer Group!
Before your computers will see any updates you must Approve them for installation. Click All Updates and ensure the filter says Unapproved to see the full list. You can select specific updates or do CTRL + A to select them all. Make your select then click Approve in the right pane:
You will get a pop up window asking what Computer Groups do you want to Approve the updates for. Using the drop down I selected to Approve them for all Computer Groups. Click Ok:
Once it competes click Close:
Now when your computers perform their updates they will pull all the approved updates.
After Group Policy takes effect you should start seeing your computers appear in the All Computers section. This has made managing security patches so much easier! In my screenshot below I have 23 recent updates to apply with LABSCCM01 having a failed update I need to look into. Note: Should have a SCCM post coming soon 🙂