How to install WSUS on Windows Server 2012 R2 Essentials


This document describes the steps needed to install WSUS on Windows Server 2012 R2 Essentials. WSUS acts as a local repository for the files your clients need from Windows Update and therefore prevents excessive use of bandwidth. WSUS downloads the updates from the Microsoft Windows Update server; in some cases it can also be configured to use an upstream WSUS server or to act as a replica, but that is outside the scope of this article.

In this article we will create the environment so that all clients automatically get their updates from the WSUS server. We do this by pushing policies to those clients with explicit instructions to use WSUS as the only source for updates and service packs. If you want to read more about WSUS and its history, have a look at Windows Server Update Services - Wikipedia.

  1. Start the Server Manager and click Add roles and features.
    Install WSUS on your server from the Server Manager or with Powershell
  2. Click Next.
  3. Click Next.
  4. Click Next.
  5. Check ‘Windows Server Update Services’.
  6. Click ‘Add features’.
  7. Click Next.
  8. Click Next.
  9. Click Next.
  10. If you want to install the WSUS database in an existing SQL database you can do that by unchecking ‘WID Database’ and checking ‘Database’, but for now we accept the defaults and install the WSUS database in a WID (Windows Internal Database). Click Next.
  11. You will need to set a location for the updates to be stored. Do not set this on your system drive but on some other drive where you have plenty of room. Over time WSUS will download a lot of updates and therefore needs a lot of space.
  12. Click Install.
  13. Setup is installing the role ‘Windows Server Update Services’.
  14. Click ‘Launch Post-Installation tasks’.
  15. This will take a while.
  16. When everything is done it will tell you ‘Configuration successfully completed’. Click Close.
  17. If you want to do the above from within PowerShell you need to start PowerShell with admin rights. Right-click the PowerShell icon on your taskbar.
  18. In the PowerShell window type
    Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
    and hit Enter.
  19. You need an active internet connection for this because updates may have to be downloaded.
  20. This all went just fine. WSUS is now installed with a WID. In previous versions you needed to specify in PowerShell that you want a WID; with 2012 R2 that is no longer needed. It assumes that the default is WID; if you want something else you will have to specify that in PowerShell.
  21. After this we still need to do the post-installation work by setting the storage folder for the WSUS downloads. For this you need to change directory to “C:\Program Files\Update Services\Tools\” and run:
    .\WsusUtil.exe PostInstall CONTENT_DIR=D:\WSUS

Now that we have successfully installed WSUS on our server it is time to do something with it. We need to configure WSUS.

  1. Start WSUS from the Tools menu in Server Manager.
    Apply a basic configuration to WSUS
  2. Click Next.
  3. Click Next.
  4. Accept the default setting. WSUS will synchronize from the Microsoft Update servers. Click Next.
  5. We do not need to connect to a proxy. Click Next.
  6. Click ‘Start Connecting’.
  7. This can take a while to complete.
  8. Click Next.
  9. Add the languages you need to be available. In our case it is Dutch.
  10. Carefully check and uncheck what you need or do not need. It is tempting to select everything but I would not do that. WSUS will download a huge amount of data if you do, and most likely you will not need a big part of it. Click Next.
  11. In addition to the default options I always choose ‘Service Packs’ to be available as well.
  12. Later we will change this to Synchronize automatically but for now we choose Manually. Click Next.
  13. I would not start the initial synchronization immediately. We will do that later, after we have configured everything else, such as the GPOs. Synchronization can take place in the middle of the night when nobody is working on the server.
  14. Click Finish.

Without ‘Computer groups’ a WSUS deployment is not finished. If you need granular control over the deployment of updates you really need to set up ‘Computer Groups’. In our little network we need to create two groups, one for the Clients and the other one for the server(s).

  1. From the Server Manager start WSUS.
    Configure computers groups and use group policies to assign computers to those groups
  2. Right-click the All Computers group and click Add Computer Group.
  3. My first Computer Group will be for all the Clients on my network. Click Add.
  4. Do the same for Servers.
  5. In addition to the two groups I specified above I will also create a group called ‘Test’. In that group I will put one or more computers that I use to test certain updates or service packs. It is up to you to decide if you want to do the same. Next we need to tell WSUS how it will assign computers to the groups we have just created. The best way to do this is with GPOs. From the Options hive click Computers, then in the window that pops up choose ‘Use Group Policy or registry settings on computers’ and click Apply.
  1. From Options choose ‘Automatic approvals’. You see that there is one Default Rule that is not checked. I would check it so that it is turned on. This way you make sure that an important update such as a Critical Update or a Security Update is immediately made available to the Computer Group ‘All Computers’. What happens to the updates after that is controlled by the GPOs that we will create in the next chapter.
    Configure automatic approvals
  2. Remember we created a Computer Group called Test? We will create a new Rule for this so that we test Service Packs first on the computers in the Test group. Click ‘Any Specification’.
  3. Uncheck ‘All Classifications’, check only ‘Service Packs’ and click OK.
  4. Click ‘All Computers’.
  5. Uncheck ‘All Computers’ and check ‘Test’. Click OK.
  6. Click OK to finish the configuration of ‘Automatic Approvals’.
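
The computer groups, the targeting mode and the two approval rules from the steps above can also be set from an elevated PowerShell session on the WSUS server. This is an added example and not part of the original tutorial; it assumes an English installation (built-in rule name ‘Default Automatic Approval Rule’), that the server has already connected to Microsoft Update so the classification list exists, and a hypothetical rule name ‘Service Packs to Test’.

```powershell
# Added example: WSUS computer groups, client-side targeting and approval rules.
# Run elevated on the WSUS server; Get-WsusServer connects to the local instance.
$wsus = Get-WsusServer

# 1. Create the computer groups used in this tutorial if they do not exist yet
$existing = $wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name }
foreach ($name in 'Clients', 'Servers', 'Test') {
    if ($existing -notcontains $name) {
        $wsus.CreateComputerTargetGroup($name) | Out-Null
    }
}

# 2. Same as 'Use Group Policy or registry settings on computers'
$config = $wsus.GetConfiguration()
$config.TargetingMode = 'Client'
$config.Save()

# 3. Turn on the built-in rule (name assumed, English installation)
$default = $wsus.GetInstallApprovalRules() |
    Where-Object { $_.Name -eq 'Default Automatic Approval Rule' }
if ($default) {
    $default.Enabled = $true
    $default.Save()
}

# 4. Approve Service Packs for the Test group only
$ruleName = 'Service Packs to Test'   # hypothetical name, pick your own
$present  = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $present) {
    $classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    $wsus.GetUpdateClassifications() |
        Where-Object { $_.Title -eq 'Service Packs' } |
        ForEach-Object { [void]$classes.Add($_) }

    $groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    $wsus.GetComputerTargetGroups() |
        Where-Object { $_.Name -eq 'Test' } |
        ForEach-Object { [void]$groups.Add($_) }

    $rule = $wsus.CreateInstallApprovalRule($ruleName)
    $rule.SetUpdateClassifications($classes)
    $rule.SetComputerTargetGroups($groups)
    $rule.Enabled = $true
    $rule.Save()
}
```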

It is ‘best practice’ to create the WSUS policies in their own Group Policy Object (GPO) and not in an existing one such as the Default Domain Policy.

General WSUS settings

  1. From Server Manager choose Tools and then
    Configure Automatic Updates in Group Policy Objects (GPO)
  2. Right-click ‘Yourdomain.local’ and choose ‘Create a GPO in this domain, and Link it here’.
  3. This is the first of the 3 GPOs we will create. This one defines the basic settings for WSUS that will apply domain-wide to all computers and servers. Name it ‘WSUS General Settings’ and click OK.
  4. Right-click the GPO you just made and choose ‘Edit’.
  5. Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update and double-click on that hive.
  6. Next we will specify where our clients and servers can find the WSUS server. Double-click ‘Specify intranet Microsoft update service location’.
  7. Set this policy to ‘enabled’ and set both the intranet update service and the statistics server to http://yourserver:8530. Click OK.

Though you can debate whether you need to set other options like ‘Turn on recommended updates via Automatic Updates’ or ‘Automatic Updates detection frequency’, I ignore those two. Why? The first offers recommended updates, and if you have ever looked into what that really means you will understand that it does not fix anything, nor does it repair security-related issues. Because updates are installed on a daily basis, setting the detection frequency to anything faster than the default 22 hours does not add any benefit at all to your WSUS setup. It only increases traffic on your network because clients keep knocking on the WSUS door asking ‘do you have anything for me’.

Client specific settings

  1. We need to create two more GPOs. One is for the Clients and the other one is for our server(s). From the Server Manager start the Group Policy Manager if it is not already started, right-click your domain and choose ‘Create a GPO in this domain, and Link it here’.
  2. The first one is called WSUS Client Settings. Click OK.
  3. Then we need to create the last GPO for our server(s), and we name it WSUS Server(s) Settings. Click OK.
  4. Choose the WSUS Client Settings GPO and choose Edit.
  5. Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update and double-click on that hive.
  6. Double-click ‘Enable client-side targeting’.
  7. In our WSUS settings we defined three computer groups: Clients, Servers and Test. This GPO is for our Clients, so we fill in Clients here and click OK.
  8. Next we need to configure Automatic Updates. Double-click ‘Configure Automatic Updates’.
  9. Set according to the screenshot. New in 2012 R2 is the setting ‘Install during automatic maintenance’. Click OK and close the Group Policy Management Editor, but keep the Group Policy Manager open.
  10. To make sure this GPO is really only applied to Client computers we make use of a WMI filter that was created as soon as you chose ‘Implement Group Policy’ from the Dashboard. Click the dropdown menu to choose the WSE Group Policy WMI Filter.
  11. Click Yes to change the WMI filter.

Server specific settings

  1. Repeat the above for the Server GPO but change ‘Configure Automatic Updates’ as shown in the screenshot below. I choose manual installation for Servers.
  2. In order to make sure these settings apply only to our server we need to create another WMI filter. If you want to read more about WMI filters please go here https://technet.microsoft.com/en-us/library/JJ899801.aspx. As you can see in that link [select * from Win32_OperatingSystem where (Version >= "6.1%") and ProductType = "3" or ProductType = "2"] will do the trick for us. In this example we use ProductType 2 and 3. For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". On our domain we also have some servers that are not domain controllers, therefore I have included those in this WMI filter.
  3. You also need to set delegation for SYSTEM to Full Control for Allowed Permissions.
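
A check to run on a domain member once the GPOs are linked, added here as an example and not part of the original tutorial: it reads the values the Windows Update policies write to the registry and compares them with what the steps above configure. The URL and group names are the tutorial's placeholders; the function name Test-WsusClientPolicy is hypothetical.

```powershell
# Added example: confirm on a domain member that the WSUS policy values
# from the three GPOs have arrived in the registry.
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedUrl   = 'http://yourserver:8530',  # placeholder used in the tutorial
        [string]$ExpectedGroup = 'Clients'                  # use 'Servers' on a server
    )
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    # A missing key yields $null, which shows up as a failed row below
    $wu = Get-ItemProperty -Path $wuPath      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPath\AU" -ErrorAction SilentlyContinue

    # Setting name -> (actual value, expected value)
    $checks = [ordered]@{
        WUServer           = @($wu.WUServer,           $ExpectedUrl)
        WUStatusServer     = @($wu.WUStatusServer,     $ExpectedUrl)
        UseWUServer        = @($au.UseWUServer,        1)
        TargetGroupEnabled = @($wu.TargetGroupEnabled, 1)
        TargetGroup        = @($wu.TargetGroup,        $ExpectedGroup)
    }
    foreach ($name in $checks.Keys) {
        $actual, $expected = $checks[$name]
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $expected
            Ok       = ($actual -eq $expected)
        }
    }

    # WSUS can also be published over SSL (default port 8531). Report the
    # scheme so that update traffic over plain HTTP is visible in the result.
    $scheme = if ($wu.WUServer) { ([uri]$wu.WUServer).Scheme } else { $null }
    [pscustomobject]@{
        Setting  = 'Transport scheme'
        Actual   = $scheme
        Expected = 'https'
        Ok       = ($scheme -eq 'https')
    }
}

gpupdate /target:computer /force | Out-Null   # pull the current GPOs first
Test-WsusClientPolicy | Format-Table -AutoSize
```

With the URL from this tutorial the ‘Transport scheme’ row reports http; the other rows should all show Ok once the GPOs and their WMI filters apply to the machine.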

The above can also be accomplished with PowerShell. From an elevated PowerShell prompt run:

New-GPO -Name "Contoso WSUS General Settings"
New-GPO -Name "Contoso WSUS Client Settings"
New-GPO -Name "Contoso WSUS Server Settings"

That will create the three GPOs we talked about, but it does not configure them.
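
One way to fill in those three GPOs from the same elevated session, as an added example that is not part of the original tutorial. It assumes the GroupPolicy module, the GPO names from the New-GPO commands above, the placeholder URL http://yourserver:8530 and a placeholder domain DC=yourdomain,DC=local; the AUOptions values (4 = download and schedule the install, 3 = download and notify for install) are assumptions standing in for the screenshots.

```powershell
# Added example: write the WSUS policy values into the three GPOs.
# URL, domain DN and AUOptions values are placeholders/assumptions.
Import-Module GroupPolicy

$WsusUrl  = 'http://yourserver:8530'     # value used in the GPO steps above
$DomainDn = 'DC=yourdomain,DC=local'     # placeholder, adjust to your domain
$WuKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey    = "$WuKey\AU"

function Set-WsusPolicyValue {
    param([string]$Gpo, [string]$Key, [string]$Name, $Value)
    # Strings are written as REG_SZ, integers as REG_DWORD
    $type = if ($Value -is [string]) { 'String' } else { 'DWord' }
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Name `
        -Type $type -Value $Value | Out-Null
}

# General settings: where clients and servers find the WSUS server
$general = 'Contoso WSUS General Settings'
Set-WsusPolicyValue $general $WuKey 'WUServer'       $WsusUrl
Set-WsusPolicyValue $general $WuKey 'WUStatusServer' $WsusUrl
Set-WsusPolicyValue $general $AuKey 'UseWUServer'    1

# Client and server GPOs: client-side targeting plus the install behaviour
$perRole = @{
    'Contoso WSUS Client Settings' = @{ Group = 'Clients'; AUOptions = 4 }
    'Contoso WSUS Server Settings' = @{ Group = 'Servers'; AUOptions = 3 }
}
foreach ($gpo in @($perRole.Keys)) {
    $s = $perRole[$gpo]
    Set-WsusPolicyValue $gpo $WuKey 'TargetGroupEnabled' 1
    Set-WsusPolicyValue $gpo $WuKey 'TargetGroup'        $s.Group
    Set-WsusPolicyValue $gpo $AuKey 'NoAutoUpdate'       0
    Set-WsusPolicyValue $gpo $AuKey 'AUOptions'          $s.AUOptions
}

# Link each GPO to the domain and switch off the unused user half
foreach ($gpo in @($general) + @($perRole.Keys)) {
    (Get-GPO -Name $gpo).GpoStatus = 'UserSettingsDisabled'
    New-GPLink -Name $gpo -Target $DomainDn -ErrorAction SilentlyContinue | Out-Null
}
```

The WMI filters and the SYSTEM delegation from the steps above are not covered by this script and still have to be set in Group Policy Management.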

Now that we have configured WSUS on our server there is one thing we have forgotten, and that is to optimize the GPOs we have created. It is best practice to enable only the part of a GPO that is really used. All 3 GPOs contain only Computer Settings and the User Settings don’t do anything, so we need to turn off the processing of User Settings in those 3 GPOs. Here is how we do that.

  1. Open Group Policy Manager from the Tools menu in the Server Manager, click on one of the WSUS GPOs and choose the tab ‘Details’. In the dropdown menu choose ‘User configuration settings disabled’. If you want to learn more about Group Policy processing please read this https://technet.microsoft.com/en-us/library/Cc779168%28v=WS.10%29.aspx.
    Wrap up, optimize performance and test
  2. At the start of this tutorial we decided not to run synchronization immediately but to postpone it. Now the time has come to start synchronization. There are two ways of doing that. You can run the ‘WSUS Configuration Wizard’ or just manually turn on automatic synchronization from the ‘Synchronization Schedule’ option. I opt for the ‘WSUS Configuration Wizard’. As we ran that wizard at the beginning of this document I am not going to make more screenshots of it; just set Synchronize automatically in #12 and check the option ‘Begin initial synchronization’ in #13.


About www.server-essentials.com 

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more.  Our documentation is top notch and written by and for the community.
