WSUS – A how to guide for a basic configuration of WSUS Server 2012
What is WSUS?
WSUS stands for Windows Server Update Services. It is a server role that enables you, as the administrator, to handle updates and patches/hotfixes on your domain for Windows Server operating systems as well as related applications by Microsoft.
Note – If you host a WSUS server onsite, be aware that each user accessing that WSUS server through Active Directory needs to have a Client Access License.
So how does it work?
You can configure updates to download directly from the Microsoft servers over your internet connection.
You can also download from other WSUS servers on your network; these are called upstream servers.
You can also manually download updates and import them to your server.
Note – Never install the WSUS role on a domain controller; this will cause access issues with the database.
The diagram below gives a basic idea of how it works. There are a lot of variations of design and implementation, but this will give you a brief overview.
Your WSUS server will download the updates from the Microsoft server and store them locally. Instead of accessing Microsoft updates on the internet, the clients will first look on the internal network. This is configured via Group Policy, as shown later in the guide.
What are the benefits of Using a WSUS Server?
- First of all a central repository to download all the updates.
- Frees up valuable resources, your client computers will now access the internal network instead of accessing the internet to download the latest patches. Just think how much bandwidth that will save.
- Tighter control on what updates and patches/hotfixes you download.
- Reporting to show who has updates installed, who does not etc.

Step 1:
- The first step is to get your role installed. Remember not to install WSUS on a DC. I like to keep the WSUS server as a separate member server. Why? If anything breaks, you are not stopping other roles from doing their jobs and you can isolate issues a lot quicker. You might not have this option because of resource constraints, however I think this is the most effective way of doing it.
Note - Remember to give your WSUS server a static IP and make sure it's joined to the domain.

Step 2:
- Click Next

Step 3:
- Select Role Based. Click Next

Step 4:
- Select your WSUS server. Click Next

Step 5:
- Check Windows Server Update Services. Click Next

Step 6:
- Click Add Features required for WSUS server role to install

Step 7:
- Leave Default features checked. Click Next

Step 8:
- Read the brief and take note of the suggestions. Click Next

Step 9:
- Leave the defaults checked. You can configure a SQL database instead of the Windows Internal Database, however for this guide we will leave it as default. Click Next

Step 10:
- Type the path where you wish to store updates. I have used the local drive and named the folder WSUS. Note - Make sure that your drive has sufficient free space, as the updates can take up a lot of capacity. Click Next

Step 11:
- It will now go ahead and install all the other features that are needed for WSUS. Click Next

Step 12:
- Leave Default role services. Click Next

Step 13:
- Click Install


Step 14:
- Wait for install process to complete

Step 15:
- Click on Launch Post-Installation Tasks

Step 16:
- Select Tools in Server Manager and navigate down to Windows Server Update Services

Step 17:
- Once you have selected Windows Server Update Services you will be prompted by the following window. Leave the defaults and select Run

Step 18:
- Once the installation is complete click Close
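
Steps 1 to 18 can also be scripted. The following is an added example, not part of the original guide: it checks the guide's notes (not a domain controller, domain joined, static IP, free disk space) before installing the role and running the post-installation task. The content path C:\WSUS and the 40 GB threshold are assumptions to adjust for your environment.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# session on the member server that will host WSUS.
$ContentDir = 'C:\WSUS'   # assumption: the folder chosen in Step 10
$MinFreeGB  = 40          # assumption: placeholder threshold, size it for your products

$problems = @()

# Step 1 notes: not a domain controller, and joined to the domain.
# Win32_ComputerSystem.DomainRole: 3 = member server, 4 and 5 = domain controller.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.DomainRole -ge 4)  { $problems += 'This machine is a domain controller.' }
if (-not $cs.PartOfDomain) { $problems += 'This machine is not joined to a domain.' }

# Step 1 note: static IP. Flag any connected IPv4 interface that still uses DHCP.
$dhcp = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.Dhcp -eq 'Enabled' }
if ($dhcp) { $problems += "DHCP is enabled on: $($dhcp.InterfaceAlias -join ', ')" }

# Step 10 note: enough free space on the drive that will hold the updates.
$drive  = (Split-Path -Path $ContentDir -Qualifier).TrimEnd(':')
$freeGB = [math]::Round((Get-PSDrive -Name $drive).Free / 1GB, 1)
if ($freeGB -lt $MinFreeGB) { $problems += "Only $freeGB GB free on drive $drive." }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Preflight failed; fix the items above before installing WSUS.'
}

# Steps 2-14: install the role with its default services (Windows Internal Database).
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Steps 15-18: post-installation tasks, pointing WSUS at the content folder.
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"
```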

Step 19:
- Go back to Tools in Server Manager and select Windows Server Update Services again. A new window will appear to run you through the install guide. Read through it. Click Next

- Note - If you are not prompted with this window, it will open to the Update Services window. All you need to do is scroll down to Options in the left pane, then in the right pane scroll down to WSUS Server Configuration Wizard. This will open the wizard as in the first picture.

Step 20:
- Next you will be prompted if you want to Join the Microsoft improvement program. Check or Leave it unchecked. Click Next

Step 21:
- As this is the only WSUS server, we will be synchronizing with Microsoft Update. If you already have one set up, you would select to synchronize with another server. Click Next

Step 22:
- We will leave this unchecked as we do not have a proxy server. Click Next

Step 23:
- Click Start Connecting. This will go out on the internet and search for the Microsoft update server to download from.

Step 24:
- Once it has completed you will have the option to click Next.

Step 25:
- To keep the installation footprint to a minimum, I will be selecting updates in English only. Click Next

Step 26:
- Select the products you wish to download updates for. Make sure beforehand what is required; you do not need any unnecessary products checked. For my demonstration I will only be checking the Windows 10 box so that I can get a test user to download updates from the WSUS server. Click Next


Step 27:
- You can choose the classifications of updates you want to install. I will just be installing the critical updates for this scenario. Pick the ones that work for you. Click Next

Step 28:
- You can select whether you wish to sync updates automatically or manually. Select what works for you and click Next

Step 29:
- Check Begin Initial Sync with Microsoft Server or Upstream Server. Click Finish. You can select Next as well, which will list some other topics that you can make use of with the WSUS server; in this example, however, we are trying to keep the installation as simple as possible.

Step 30:
- Now that we have completed the configuration wizard, let's open up Windows Server Update Services again.
- On the left side of the pane we can see our WSUS server name listed. Highlight it, and on the right side the status of synchronization between our WSUS server and the Microsoft server will appear. You can force synchronization by clicking the Synchronization now link. As we can see, it will download all the updates and inform you at the top, with an exclamation mark, that updates still need to be approved. It also displays the time and date when the last synchronization occurred between our server and the Microsoft server. Also note at the top that no new computers have been registered to receive updates; we will configure this later.

Step 31:
- In the left pane, if we highlight All Updates we can see all the updates available. Note - If you don't see anything in the pane on the right, check that the drop-down menu filters are set correctly.

Step 33:
- For test purposes we can now right-click on one of the updates and choose whether we want to approve or decline it; in this scenario, approve it.

Step 34:
- As we can see in the diagram below, we can assign the update to all computers or to just a group. Because we have not set up a group of computers yet, it is listed as Unassigned Computers. Note - Even though we approve the update, it will not apply, as we have not configured it in Group Policy yet; we will complete that step later.

Step 35:
- Right Click on All Computers and select Approve for install

Step 36:
- As we can see, it will approve the install. Click OK, wait for the approval progress bar to complete, then click Close.


Step 37:
- Now that we have approved our updates, let's hop onto our domain controller and configure a Group Policy to apply these updates. Click Tools, then Group Policy Management

Step 38:
- Let's create a new Group Policy. Right-click Group Policy Objects and select New. Name your GPO; make sure the name is descriptive enough to understand what its purpose is. Click OK


Step 39:
- Now in the right pane, right-click the GPO we have just created and select Edit

Step 40:
- The Group Policy Management Editor will now open. As this is a computer configuration, navigate under Computer Configuration to Policies > Administrative Templates > Windows Components > Windows Update.


Step 41:
- We will first right-click and edit Configure Automatic Updates

Step 42:
- Select Enabled. There are a few options that we can select; configure them as required. Click Apply

Step 43:
- Next we want to specify the location where our WSUS server is installed. Select the setting shown below and edit it.

Step 44:
- Select Enabled. Under Options we need to specify where on our network the WSUS server can be found. Type http://WSUS:8530 in both boxes. The first text box is for updates and the second one is for reporting; we will have both on the same server. WSUS is the name of the server and the number is the port. Click Apply

Step 45:
- Remember the Unassigned Computers group that fell under All Computers? I want to create a WSUS test group so that we can target a specific group for updates. We do this by enabling client-side targeting as below. Select Edit, then Enabled, and type the group name.


Step 46:
- It's also a good idea to set the update check frequency. Select as below, enable it and set your hour interval. Click Apply.



Step 47:
- Now open up Group Policy Management and link your GPO to your OU. Run the gpupdate /force command in Command Prompt (Admin)
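
To confirm that the settings from Steps 42 to 46 actually reached a client, you can read back the registry values that these Windows Update policies write. The following is an added example, not part of the original guide; it assumes the group name WSUS TEST used later in this guide and a client that has Test-NetConnection (Windows 8.1 or later). It also reports when the client is pointed at WSUS over plain HTTP, as it is with the URL from Step 44.

```powershell
# Added example, not from the original guide. Run on a client after gpupdate /force.
$ExpectedGroup = 'WSUS TEST'   # the computer group named in Step 50
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy did not apply.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$policy = [ordered]@{
    WUServer           = Get-PolicyValue $wu 'WUServer'            # Step 44, first box
    WUStatusServer     = Get-PolicyValue $wu 'WUStatusServer'      # Step 44, second box
    UseWUServer        = Get-PolicyValue $au 'UseWUServer'         # Step 44, Enabled
    AUOptions          = Get-PolicyValue $au 'AUOptions'           # Step 42
    TargetGroupEnabled = Get-PolicyValue $wu 'TargetGroupEnabled'  # Step 45
    TargetGroup        = Get-PolicyValue $wu 'TargetGroup'         # Step 45
    DetectionFrequency = Get-PolicyValue $au 'DetectionFrequency'  # Step 46, hours
}
[pscustomobject]$policy | Format-List

$findings = @()
if (-not $policy.WUServer) {
    $findings += 'WUServer is not set: the GPO has not reached this computer.'
} else {
    $uri = [uri]$policy.WUServer
    if ($policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client will ignore WUServer.'
    }
    if ($policy.WUServer -ne $policy.WUStatusServer) {
        $findings += 'Update and reporting servers differ; the guide uses one server for both.'
    }
    if ($uri.Scheme -eq 'http') {
        $findings += "Client talks to $($uri.Host) over plain HTTP; WSUS uses port 8531 once SSL is configured."
    }
    if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
        $findings += "Cannot reach $($uri.Host) on TCP port $($uri.Port)."
    }
}
if ($policy.TargetGroupEnabled -ne 1 -or $policy.TargetGroup -ne $ExpectedGroup) {
    $findings += "Client-side targeting is not set to '$ExpectedGroup'."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'All WSUS policy values match the guide.' }
```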

Step 48:
- Reboot the user's computer; for this example I am using a Windows 10 machine. Go to the Windows Update settings. You will note it states in the second diagram that Windows updates are managed by the organisation. Click Check for updates. Once this is done we can go back to the WSUS server and see what updates have applied.


Step 49:
- On the WSUS server we can see that the updates have successfully applied to the user's computer.

Step 50:
- The last topic I want to discuss is what we referred to in Step 45, where we created a computer group; we named that group WSUS TEST. We can now right-click on All Computers and add that computer group name. Now highlight All Computers again, right-click on the computers in the right pane and select Change Membership. This will open a popup where you can check which group you want to add your computers to. This is useful when you only want to apply updates to certain computers or not allow updates to certain computers. It is also useful in troubleshooting, as it isolates individuals as well.
Congratulations, you have now configured a WSUS server.



