We will also have a look at the GPO’s that are needed to have WSUS work with GPO’s and Computer Groups and last but not least we hope to see that WSUS reports Windows 10 as a Windows 10 client and not as a Vista. It seems that Windows 10 is reported as Windows 10 in the WSUS version included in Windows Server 2016 Essentials. 1. Install WSUS with the Add Roles and Features wizard Installing WSUS on Windows Server 2016 is done from the Server Manager. We start the 'Add Roles and Features wizard' and make our choices. From the Server Manager start ‘Add roles and features’ Click Next Choose Role-based or feature-based installation and click Next. Choose your server and click Next. Check ‘Windows Server Update Services’ Click ‘Add features’. Choose Next Choose Next. Choose Next Choose Next Choose a drive with lots of space (not your system drive) and choose Next. Choose install. Choose ‘Launch post-installation tasks’. If the post-installation tasks are ready click Close 2. Install WSUS with Powershell You can also install WSUS with some Powershell commands and for those who need to do this more often my advice is to use Powershell. It is much faster if you have some Powershell snippets ready for your daily tasks. If you want to the above from within Powershell you need to start a Powershell with admin rights. Right click the Powershell icon on your taskbar. In the Powershell Windows type Install-WindowsFeature –Name UpdateServices –IncludeManagementTools and hit Enter. You need an active internet connection for this because it could be needed to download updates. This went all just fine. WSUS is now installed with a WID. In previous versions you needed to define in Powershell that want a WID, with 2012 R2 that is no longer needed. It assumes that the default is with WID, if you want something else you will have to define that in Powershell. After this we still need to do PostInstallation work by setting the storage folder for the WSUS downloads. For this you need to change directory to “C:\Program Files\Update Services\Tools\” and run: .\WsusUtil.exe PostInstall CONTENT_DIR=D:\WSUS 3. Configure WSUS Before WSUS can 'serve' updates to clients and server it needs to have a 'baseline' for all security updates and patches available. At first download WSUS will also get a new list with updated Operating Systems and Software versions. From the Server Manager choose Tools and then Windows Server Update Services. Click Next Click Next Choose Next Click Next Click ‘Start Connecting”. This can take awhile to complete. Click Next Click Next. Click Next Choose Next At this point I do not choose to Synchronize automatically. After we have done all configuration we will rerun this wizard and change that. Checking ‘Begin initial synchronization’ will be done later when we rerun this wizard. Click Finish Right click the ‘All Computers’ hive and add the computer group ‘Clients’. We will use this later in our GPO. Click Add. Click Options –> Computers and select ‘Use Group Policy or registry settings on computers’. Click OK. For now we are done with WSUS and we need to configure the GPO’s that will force the clients to use our ‘local’ Windows Update Server to get updates. Close the WSUS console. 4. Configure Group Policies With Group Policies we push settings out to our clients like laptops or desktops but you can also use policies to push settings to other (member) servers in your network. From the start menu type ‘Group’ and you will see that is automatically completes it as Group Policy Management and in the Menu Group Policy Management appears. Choose that. This is how a basic GPO setup looks like when nothing is configured. In the Dashboard there is a option called ‘Implement Group Policy’ Open the Windows Server Essentials Dashboard and click ‘Implement Group Policy’. Click Next Click Next Click Finish Click Close and go back to Group Policy Management Click Refresh There we have 2 new GPO’s and one new WMI Filter. I have checked if you can change the WSE Group Policy Security Template and add “Client Side Targeting” and “Specify intranet Microsoft update service location” to this GPO. Rerunning the wizard from Dashboard does not override the custom settings so it seems a good idea to do so. We add both settings as shown in the screenshot. After that close the Group Policy Management Tool. Now it is time to rerun the wizard and set automatic synchronization. After you have done that start a manual synchronization to get things going. After doing that boot your Windows 10 client, run gpudate /force and then gpresult /r and check if the GPO’s are in place. Then run wuauclt /reportnow and wuauclt /updatenow to kick start Windows Update on your client and check the WSUS console if the Windows 10 client show up…and it does and it says it is a Windows 10 client. Now we have to wait and see if it starts updating.