Windows Server Update Services (WSUS) - Using Local GPO

Windows Server Update Services (WSUS) on non-domain joined Computers

WSUS downloads updates from Microsoft and stores them locally on the WSUS server. This reduces the amount of data transferred over the WAN link for a lot of other servers and avoids installing unnecessary Windows updates.

 

It can be used to approve or decline updates (i.e., control how updates are installed).

Note: We do not have a domain controller, and these servers are not joined to a domain.

Here are the prerequisites:

  • .NET Framework 4.5
  • Windows Server 2012 R2 (using Windows Internal Database [WID])
  • IIS 6.0 or greater (with components such as ASP.NET, Windows Authentication, dynamic content compression, etc.)

Hardware requirements:

  • System partition and WSUS partition must be NTFS
  • Cannot be installed on a compressed drive
  • Requires 1 GB free on the system partition
  • 2 GB free for WID (WSUS database)
  • At least 20 GB free for updates (30 GB recommended by Microsoft)

Setting up WSUS

Step 1:

  • Click on Server Manager
  • Click on Add roles and features (the Add Roles and Features Wizard opens)

Click Next and select the Installation Type

– Click Next, select Web Server (IIS) and Windows Server Update Services, then click Add Features

Click Next until you get to the role services option as shown below
The first two are selected by default. Since I will be using Windows Internal Database for WSUS, I am fine with this.

On the content role service option, enter the path you wish WSUS to download updates to (if you have an external drive, you can use that).

– On the confirmation role page, click Install as shown below

When this completes, you can open Windows Server Update Services in several ways:

  • Navigate to Tools and select Windows Server Update Services
  • Click on Windows, then Administrative Tools, and then on Windows Server Update Services
  • Lastly, click on WSUS server in Server Manager as shown below, right-click on the server name and select Windows Server Update Services

The Update Services page will open up as shown below.
– Kindly configure the Options settings according to your needs (work through each option, read and configure). I will drop any important information as the task progresses.

Also, on the synchronisation service option window, ensure you synchronise your WSUS server to get updates from Microsoft by selecting Synchronise Now.

After this has been completed, it should look like this below.

The Updates section of Update Services will be populated as well (note: this takes a long time when run the first time).

Note: To be able to view the reports, you will need to install the Microsoft Report Viewer: https://www.microsoft.com/en-us/download/details.aspx?id=3841
Note: If the WSUS console is not closed, you will not be able to view any generated report, even though the installation succeeded. Therefore, close the WSUS window, then uninstall and reinstall.

https://community.spiceworks.com/topic/365279-wsus-in-non-domain-enviroment
https://mizitechinfo.wordpress.com/2013/08/19/step-by-step-installing-configuring-wsus-in-server-2012-r2/

Step 2: You can either use the local group policy or set the registry key to point clients to the WSUS server for Windows updates.

Using the local group policy

Set up the group policy object to allow clients to contact the WSUS server for updates
– From the MMC, open the Local Computer Policy
– Run gpedit.msc
– Open Computer Configuration, then Administrative Templates, then Windows Components, and click on Windows Update

We have to configure these options:
1. Specify intranet Microsoft update service location (double-click to open it): enter the IP address followed by the port, or specify the FQDN.

2. Enable Configure Automatic Updates and select the third option, Auto download and notify for install.

After completing this, run gpupdate /force to apply the group policy immediately.

Configuring Update Service
Note: Create a group for administrative purposes so that updates can be tested on some groups before deploying (rolling out) them to production servers.

Now on the Local Group Policy
Enable it and enter the name created above for the xxxx-Group
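
Step 2 names the registry as the alternative to local group policy but does not show it. The PowerShell below is an added example, not part of the original post: it writes the Windows Update policy values that correspond to the settings above and reads them back. The server URL is a placeholder, the group name reuses the page's xxxx-Group placeholder, and it assumes the policy enabled in the last step is Enable client-side targeting.

```powershell
# Added example: registry equivalent of the local GPO settings (run elevated on the client).
# Placeholders (assumptions, not values from this page):
$WsusUrl     = 'http://wsus01.example.local:8530'  # 8530 is the WSUS default HTTP port
$TargetGroup = 'xxxx-Group'                        # the group name created on the WSUS server

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

# One row per registry value; the comments give the matching policy setting.
$settings = @(
    # Specify intranet Microsoft update service location
    @{ Path = $WU; Name = 'WUServer';           Type = 'String'; Value = $WsusUrl },
    @{ Path = $WU; Name = 'WUStatusServer';     Type = 'String'; Value = $WsusUrl },
    @{ Path = $AU; Name = 'UseWUServer';        Type = 'DWord';  Value = 1 },
    # Configure Automatic Updates: enabled, option 3 = auto download and notify for install
    @{ Path = $AU; Name = 'NoAutoUpdate';       Type = 'DWord';  Value = 0 },
    @{ Path = $AU; Name = 'AUOptions';          Type = 'DWord';  Value = 3 },
    # Enable client-side targeting
    @{ Path = $WU; Name = 'TargetGroupEnabled'; Type = 'DWord';  Value = 1 },
    @{ Path = $WU; Name = 'TargetGroup';        Type = 'String'; Value = $TargetGroup }
)

foreach ($s in $settings) {
    # Create the policy key on first use, then write (or overwrite) the value.
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
        -PropertyType $s.Type -Force | Out-Null
}

# Restart the Windows Update service so it re-reads the policy values.
Restart-Service -Name wuauserv

# Read every value back and report anything that does not match.
$bad = foreach ($s in $settings) {
    $have = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($have -ne $s.Value) { "$($s.Name): expected '$($s.Value)', found '$have'" }
}
if ($bad) { $bad | Write-Warning } else { 'All WSUS client policy values are set.' }

# Plain HTTP leaves update metadata unprotected in transit;
# prefer the HTTPS URL when the WSUS server has SSL configured.
if ($WsusUrl -like 'http://*') { Write-Warning "WUServer uses HTTP: $WsusUrl" }
```
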

Configuring Options: I went for this option because my server will be getting Windows updates via GPO.

Like I said, just go through it and personalize it (they are straightforward).