It been quite a retentive time that I have actually configured anything in WSUS. That ’ south because the consequence you start using SCCM to deploy updates, you forget about the WSUS cabinet. I have chosen Windows Server 2019 to install and configure WSUS. After server 2012 R2 I believe waiter 2019 is a static release. I hate Windows server 2016 because I have spent draw of fourth dimension in troubleshooting windows update issues. For me the most crucial complain is that updates just don ’ metric ton install properly on Server 2016 .
- What are Windows Updates
- Introduction to Windows Server Update Services
- WSUS Lab Setup
- WSUS System Requirements
- WSUS Firewall Ports / Exceptions
- Install WSUS Role on Windows Server 2019
- Configure Windows Server Update Services (WSUS)
- Configure Group Policy Settings for WSUS
- Configure WSUS computer groups
- Approve and Deploy Updates in WSUS
- WSUS Reports
What are Windows Updates
Let ’ s beginning with some basics. When you install an operating system or picture a machine, you always ensure it is patched with latest updates. not equitable operating system but about every software that we use needs to be constantly updated. Windows updates are released to fix bugs, fix security issues in OS and to add new features to operating system. The Windows Updates trust on Windows Update service which is set to start mechanically by default. Windows Update service downloads and installs recommended and authoritative updates mechanically. Microsoft updates can be classified into following categories : –
- Critical Updates
- Security Updates
- Definition Updates
- Update Rollups
- Service Packs
- Feature Packs
If you have migrated from Windows 7 to Windows 10, you will notice distribute of newly options under Windows Update. You get some cool options such as pause the updates for 7 days, change active hours for installing updates. In addition to that there are many useful options under Advanced Options. When you get meter, go ahead and explore all of them .
Introduction to Windows Server Update Services
Windows Server Update Services ( WSUS ) enables the administrators to deploy the latest Microsoft merchandise updates. WSUS is a Windows Server server character and when you install it, you can efficiently manage and deploy the updates. One of the most important task of system administrators is to keep client and waiter computers updated with the latest software patches and security updates. Without WSUS it would be truly hard to manage the update deployment. When you have a single WSUS waiter in your apparatus, the updates are downloaded directly from Microsoft Update. however if you install multiple WSUS server, you can configure WSUS server to act as an update source which is besides known as an upriver server. rather than letting multiple computers download updates directly from internet, you can setup WSUS server and point the clients to download all the updates from a WSUS server. With this you save your Internet bandwidth and besides speed up the Windows update process. I can talk a set about WSUS but let ’ s get started with installing WSUS .
WSUS Lab Setup
First of all let me cover about WSUS lab frame-up. I believe the best way to master WSUS is to install and configure it in your quiz or lab setup first. You can then start working on it and try several things. I have created some virtual machines in my lab. Let me give you a list of machines and the OS information .
|Server Name||Operating System||Roles|
|CORPAD.PRAJWAL.LOCAL||Windows Server 2019 Datacenter||Active Directory, DNS, DHCP|
|CORPWSUS.PRAJWAL.LOCAL||Windows Server 2019 Datacenter||WSUS|
|CORPWIN10ENT.PRAJWAL.LOCAL||Windows 10 Enterprise||None|
|CORPWIN10PRO.PRAJWAL.LOCAL||Windows 10 Pro||None|
And if I had to show my frame-up in the kind of a network diagram, this is how it ’ randomness going to look.
WSUS System Requirements
When you have decided to implement WSUS in your apparatus, you must first look into WSUS requirements. To plan your WSUS deployment I recommend reading this article from Microsoft. It covers all the data required to WSUS requirements, deployment scenarios, performance considerations etc. This post covers the routine to install Windows Server Update Services using Windows Internal Database ( WID ) .
WSUS Firewall Ports / Exceptions
When you set up WSUS server, it is significant that the server connects to Microsoft update to download updates. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 443 for HTTPS protocol. You must allow Internet entree from WSUS to the follow list of URLs : –
Install WSUS Role on Windows Server 2019
The steps to install Windows Server Update Services ( WSUS ) Role on Windows Server 2019 include : –
- Log on to the Windows 2019 server on which you plan to install the WSUS server role using an account that is a member of the Local Administrators group.
- In Server Manager, click Manage and click add Roles and Features.
- On the Before you begin page, click Next.
- In the select installation type page, select Role-based or feature-based installation option. Click Next.
On the Server Selection page, verify the server name and snap Next .
Server Roles – Windows Server Update Services
On the Server roles page, select the function “ Windows Server Update Services “. You should see Add features that are required for Windows Server Update Services box. Click Add Features, and then click Next. On the Select features page, leave the options to default and click Next. On the Windows Server Update Services page, click Next.
WSUS Database Type – Role Services
You must select function services / Database type to install for Windows Server Update services. Select WID Connectivity and WSUS Services. Click Next .
WSUS Content Location
Specify a content localization to store the updates. I would recommend storing the updates on another drive and not on your degree centigrade : drive. The size of this folder can grow finally and you don ’ deoxythymidine monophosphate want this folder to reside on C : drive. Hence choose either a separate force or store the updates on distant server. Click Next. On the Web Server Role (IIS) page, cluck Next. The function services to install vane server ( IIS ) are blue-ribbon mechanically. Do not change anything here and click Next. A final confirmation before you install WSUS. Review the settings and suction stop Install. once WSUS initiation is complete, click Launch Post-Installation tasks. Wait for the message Configuration successfully completed. Click Close .
Configure Windows Server Update Services (WSUS)
After you install WSUS, you can configure the WSUS server using WSUS Server configuration sorcerer. This is a one time configuration where you will configure some important WSUS options. If you don ’ thymine see a WSUS Server configuration charming or if you have skipped it by mistake, don ’ metric ton worry. You can launch it by opening the WSUS Console > Options > WSUS Server Configuration wizard. Note – Before you start to configure WSUS, some authoritative points .
- Ensure the server firewall allows the clients to access the WSUS server. If the clients have issues connecting to WSUS server, updates won’t be downloaded from server.
- The WSUS downloads the updates from upstream server which is Microsoft update in our case. So ensure the firewall allows the WSUS server to connect to Microsoft Update.
- In case there is a proxy server in your setup, you must enter the credentials for proxy server while configuring WSUS. Have them handy as they are required.
On the Before you begin page, click Next. Click Next.
Choose WSUS Upstream Server
This is an authoritative section where you select the upstream waiter. You get two options .
- Synchronize from Microsoft Update – Selecting this option will download the updates from Microsoft update.
- Synchronize from another Windows Server Update Services server – Select this option if you want this WSUS server to download updates from already existing WSUS server. You must specify the server name and port number (8530) by default. If you are selecting the option to use SSL during updates synchronization, ensure that upstream WSUS server is also configured to support SSL.
Since this will be my entirely WSUS server, I will select Synchronize from Microsoft Update. Click Next .
Specify Proxy server information if you have got one. If this option is selected, ensure you specify proxy server identify and port number. In accession to that specify the credentials to connect to the proxy server. If you want to enable basic authentication for the user connecting to the proxy server, click Allow basic authentication (password in clear text). Click Next. On the Connect to Upstream Server page, chink Start Connecting button.
Read more: How to register as a VIP in GTA Online
Once it is complete, snap Next.
Choose Languages for Updates
On the Choose Languages page, you have the option to select the languages from updates. If you choose to download updates in all languages, you would find update with all languages in the WSUS cabinet. however if you choose to get updates only for specific languages, choice Download updates only in these languages. Select the languages for which you want updates. Click Next .
This is the page where you select the products for which you want the updates. A merchandise is a specific edition of an operate on system or application. From the number of products you can select individual products or product families for which you want your server to synchronize updates. In this casing I am going to select Windows Server 2019 and Windows 10 1903 as products. Click Next .
Choose Update Classifications
In the begin of the post I have listed the types of updates. On the Choose Classifications page, select the ask classifications. I have selected Critical Updates, Security Updates and Update Rollups. Click Next .
Configure WSUS Synchronization Schedule
You must decide on how do you want to perform WSUS synchronize. The Set Sync Schedule page lets you select whether to perform synchronism manually or automatically. If you choose Synchronize manually, you must manually start the synchronism action from the WSUS Administration Console. With this choice selected, you have to manually perform the synchronize every time. therefore do not select this option if you are setting up the WSUS in production. If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. You can set the time of First synchronization. then set the number of synchronizations per day. From the drop-down you can choose the prize between 1-24. Click Next. Click Begin initial synchronizatio n. Click Next. finally on the last page, pawl Finish. This completes the steps to configure WSUS.
Configure Group Policy Settings for WSUS
After you install and configure WSUS, the adjacent important undertaking is to configure group policy settings for automatic rifle updates. The new clients still don ’ thymine know about the new WSUS waiter that you barely setup. Using group policy you can point your node machines to new WSUS server. In an active directory environment, you can use Group Policy specify the WSUS waiter. The group policy settings will be used to obtain automatic updates from Windows Server Update Services ( WSUS ). You can create the group policy and apply it at domain level. Or you can create and apply the GPO to a specific OU ( containing your computers ). While there are many Windows Update policy settings, I am going to configure few of them. For a number of all windows update policy settings, read this article from Microsoft .
Configure Automatic Updates WSUS
To configure Automatic Updates group policy settings for WSUS
- Open the Group Policy Management console, and open an existing GPO or create a new one.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
- Double-click Configure Automatic Updates and set it to Enabled.
Under Configure automatic update, select the hope choice. Under Schedule install day, select the sidereal day when you want the updates to be installed. Set the scheduled install time. In case you select Auto download and schedule the updates install, you get some options to limit update frequency. If you have configured the settings, pawl Apply and OK .
Specify Intranet Microsoft Update Service Location
The future sic that you should configure is specify an intranet Microsoft update service location. The theme behind this is to ensure the node computers contact the stipulate intranet server rather of downloading updates from internet. Unless you configure this policy fructify, the node computers wouldn ’ thyroxine know about the intranet server. To enable the policy, click Enabled. Specify the intranet update service and intranet statistics server. Click Apply and OK. On the node computer, check the attendant set of policy to confirm if the WSUS GPO is applied. You can besides verify the intranet update service location on node computers using register. On the client computer, afford Registry Editor and go to HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. Check the values of WUServer and WUStatusServer and confirm if the values match the one that you supplied in WSUS GPO .
Configure WSUS computer groups
By creating calculator groups you can first test and target updates to specific computers. When you open WSUS comfort, you will find two default calculator groups – All computers and Unassigned computers. You can create custom calculator groups to manage updates in your administration. As per Microsoft you must create at least one calculator group in the WSUS console table. Test updates before you deploy them to early computers in your constitution. To create a new computer group in WSUS console In the WSUS Administration Console, under Update Services, expand the WSUS server. Expand computers, right-click All computers, and then click Add computer Group. In the attention deficit disorder calculator Group dialogue box, specify the name of the new group, and then click Add. Click All Computers and you should see tilt of computers. Select the computers, right suction stop and click Change Membership. On the Set Computer Group Membership box, select the raw group that you barely created. Click OK. Click the new group and you should find those computers.
Approve and Deploy Updates in WSUS
once you have a quiz computer group created, your next job to deploy the updates to the test group. To do sol you must first approve and deploy WSUS updates. To approve the updates in WSUS
- Launch the WSUS Administration Console, click Updates > All Updates.
- In the All Updates section, select the updates that you want to approve for installation in your test computer group.
- Right-click the updates and click Approve.
Most of all in the Approve Updates dialogue box, select your test group, and then click down arrow. Click Approved for Install. You an besides set a deadline to install the updates. Click OK. The Approval Progress window appears, which shows the progress of the tasks that affect update approval. When the approval process is complete, snap Close.
Configure Auto Approval Rules in WSUS
If you don ’ t want to manually approve the updates you can configure car approval predominate in Windows Server Update Services. To configure automatic Approvals in WSUS
- Launch WSUS Administration Console, expand the WSUS server, and then click Options.
- In Options, click Automatic Approvals.
- You should find the default automatic approval rule and if you wish you can edit it and use it.
- To create a new approval rule, click New Rule.
Check the box When an update is in a specific classification. Select the classifications. You can besides approve the update for computers groups. I am going to select Windows 10 as that is my test calculator group. finally you can set a deadline for the update approval and stipulate car approval rule name. After you configure the principle, chink OK. On the Automatic Approvals window, you can find the rule that you merely created. If you wish to run this rule, cluck Run Rule.
The end section that I want to cover is the WSUS reports. Clicking Reports in the WSUS comfort shows the number of reports. WSUS comes with several reports to help you find the update deployment status, sync reports and computers reports .
- Update Reports – Includes Updates status summary, detailed and tabular status, tabular status for Approved Updates.
- Computer Reports – Computer Status Summary, Detailed Status, Tabular Status and Computer tabular Status for approved updates.
- Synchronization Reports – Shows the results of last synchronization.
This completes the steps to install and configure WSUS. I am surely this guide will help you to setup WSUS in your lab setup. If you have any questions related to WSUS, do let me know in comments section .