WSUS downloads updates from Microsoft and stores them locally on the WSUS server. This reduces the amount of data transferred over the WAN link for the many other servers that need them and helps avoid installing unnecessary Windows updates.
It can be used to approve or decline updates (i.e., control how updates are installed).
Note: We do not have a domain controller and these servers are not joined to a domain.
For more articles I have written, see the links below:
– Configuring WSUS Email Notification to Work With Office365
– Important Areas to Master on WSUS (Installed and not applicable, Install 1/4, and Installed / Not applicable 100)
– Targeting WSUS Client with the Registry keys: How to configure WSUS Clients to get Updates from the WSUS server using Registry settings
– How to apply Windows Updates from WSUS to the server using AWS RunCommand
– How to Configure SSL between WSUS servers (Upstream and Downstream Servers)
– Handy WSUS Commands – Windows Server Update Services Commands, WAUACLT, PowerShell and USOClient
– How to Start, Stop and Restart Windows Server Update Services (WSUS) via PowerShell and CMD
– Windows Server Update Services: Windows 2016 Servers does not show up on WSUS console
– WSUS clients appear and disappear from the WSUS Update Services console
Here are the prerequisites:
- .NET Framework 4.5
- Windows Server 2012 R2 (using Windows Internal Database [WID])
- IIS 6.0 or greater (with components such as ASP.NET, Windows Authentication, dynamic content compression, etc.)
- System partition and WSUS partition must be NTFS
- Cannot be installed on a compressed drive
- Requires 1 GB free on the system partition
- 2 GB free for WID (WSUS database)
- At least 20 GB free for updates (30 GB recommended by Microsoft)
Setting up WSUS: Below are the steps to install WSUS and configure it for Windows Update via GPO
- Click on Server Manager
- Click on Add roles and features (the Add Roles and Features Wizard opens)
Click Next and select the Installation Type
– Click Next, select Web Server (IIS) and Windows Server Update Services, then click Add Features
Click Next until you get to the Role Services option as shown below
The first two are selected by default. Since I will be using the Windows Internal Database for WSUS, I am fine with this.
On the Content role service option, enter the path you want WSUS to download updates to (if you have an external drive, you can use that)
– On the Confirmation page, click Install as shown below
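The prerequisite list and the wizard steps above can also be checked and run from PowerShell. The script below is an added example, not part of the original article; the content path D:\WSUS and WID staying in its default location on the system drive are assumptions.

```powershell
# Added example, not from the original article.
# Assumptions: content folder D:\WSUS; WID in its default place on the system drive.
param(
    [string]$ContentDir = 'D:\WSUS',
    [switch]$Install
)

$sysDrive     = $env:SystemDrive                                   # e.g. "C:"
$contentDrive = [IO.Path]::GetPathRoot($ContentDir).TrimEnd('\')   # e.g. "D:"

# Free space needed per drive: 1 GB (system) + 2 GB (WID), 20 GB minimum for updates.
$required = @{ $sysDrive = [int64]3GB }
$required[$contentDrive] = [int64]$required[$contentDrive] + 20GB

$problems = @()
foreach ($drive in @($required.Keys)) {
    $vol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$drive'"
    if (-not $vol) { $problems += "$drive was not found"; continue }
    if ($vol.FileSystem -ne 'NTFS') {
        $problems += "$drive is formatted as $($vol.FileSystem); NTFS is required"
    }
    # NTFS compression on a drive shows up as the Compressed attribute on its root folder.
    if ((Get-Item -Path "$drive\").Attributes -band [IO.FileAttributes]::Compressed) {
        $problems += "$drive is compressed"
    }
    if ($vol.FreeSpace -lt $required[$drive]) {
        $problems += '{0} has {1:N1} GB free, {2:N0} GB needed' -f $drive, ($vol.FreeSpace / 1GB), ($required[$drive] / 1GB)
    }
}

# Release 378389 is the lowest value that identifies .NET Framework 4.5.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
if ($release -lt 378389) { $problems += '.NET Framework 4.5 or later was not detected' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}
Write-Output 'All prerequisite checks passed.'

if ($Install) {
    # Same result as the wizard: WSUS role with WID, IIS and the management console.
    Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
    & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall "CONTENT_DIR=$ContentDir"
}
```

Run it without -Install first to see only the check results; a drive that holds both the system and the content folder must satisfy the combined space requirement.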
When this completes, you can open Windows Server Update Services in several ways:
- Navigate to Tools and select Windows Server Update Services
- Click on Windows, then Administrative Tools, and then Windows Server Update Services
- Lastly, click on WSUS in Server Manager as shown below, right-click the server name and select Windows Server Update Services
The Update Services page will open as shown below.
– Configure the Options settings according to your needs (work through each option, read and configure). I will share any important information as the task progresses.
Also, on the synchronisation service option window, ensure you synchronise your WSUS server to get updates from Microsoft by selecting Synchronise Now.
After this has completed, it should look like this below.
The Updates section of Update Services will be populated as well (note: this takes a long time when run for the first time).
Note: To be able to view the reports, you will need to install the Microsoft Report Viewer: https://www.microsoft.com/en-us/download/details.aspx?id=3841
Note: If the WSUS console is not closed, you will not be able to view any generated report even though the installation succeeded. Therefore, close the WSUS window, then uninstall and reinstall.
Step 2: You can either use the local group policy or set the registry key to point clients to the WSUS server for Windows updates
Using the local group policy: Set up the group policy object to allow clients to contact the WSUS server for updates
– From the MMC, open the Local Computer Policy
– Run gpedit.msc
Open Computer Configuration, then Windows Components, and click on Windows Update
We have to configure these options:
1. Specify intranet Microsoft update service location (double-click to open it) by entering the IP address followed by the port, or by specifying the FQDN.
2. Enable Configure Automatic Updates and select the third option, Auto download and notify for install
After completing this, run gpupdate /force to apply the group policy immediately
Configuring Update Service
Note: Create a group for administrative purposes so that updates can be tested on some groups before rolling them out to production servers
Now on the Local Group Policy
Enable it and enter the name created above for the xxxx-Group
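To confirm that the local policy settings above reached the client, the values they write under the Windows Update policy registry key can be read back after gpupdate /force. This is an added example, not part of the original article; it assumes the group setting in the last step is client-side targeting, which is stored as the TargetGroup value.

```powershell
# Added example, not from the original article: read back the policy values on a client.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$server  = Get-PolicyValue $wu 'WUServer'          # update service location
$status  = Get-PolicyValue $wu 'WUStatusServer'    # statistics server
$group   = Get-PolicyValue $wu 'TargetGroup'       # assumed: the group name entered in the last step
$useWsus = Get-PolicyValue "$wu\AU" 'UseWUServer'
$auOpt   = Get-PolicyValue "$wu\AU" 'AUOptions'

$findings = @()
if ($useWsus -ne 1)      { $findings += 'UseWUServer is not 1, so WUServer is ignored' }
if ($status -ne $server) { $findings += 'WUStatusServer does not match WUServer' }
if ($auOpt -ne 3)        { $findings += "AUOptions is '$auOpt'; 3 = auto download and notify for install" }
if (-not $group)         { $findings += 'TargetGroup is empty; no client-side group is set' }

if ($server -notmatch '^https?://') {
    $findings += "WUServer '$server' is missing or is not an http(s) URL"
} else {
    if ($server -like 'http://*') {
        $findings += 'WUServer uses plain HTTP; the update traffic to WSUS is not protected by TLS'
    }
    # Check that the host and port entered in the policy are reachable from this client.
    $uri = [uri]$server
    if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
        $findings += "Cannot reach $($uri.Host) on TCP port $($uri.Port)"
    }
}

[pscustomobject]@{
    WUServer    = $server
    TargetGroup = $group
    AUOptions   = $auOpt
    Findings    = $findings
}
```

An empty Findings list means the client is pointed at the WSUS server over HTTPS with the settings described above; the plain-HTTP finding is the one addressed by configuring SSL on the WSUS server.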
Configuring Options: I went for this option because my server will be getting Windows updates via GPO
As I said, just go through the options and personalize them (they are straightforward)