How to install and configure WSUS


In this article I will show you how to install and configure the Windows Server Update Services (WSUS) role on a Windows Server 2012 machine. Within a Windows infrastructure, WSUS offers a centralized way to monitor and install critical updates for your machines. Note that other Microsoft products can achieve the same results, but some may require additional licenses. One well-known product of this type is SCCM (System Center Configuration Manager), but remember that it is not shipped with the standard Windows Server license, so you will need to pay additional fees to get it.
If you are using older versions of Windows Server you can install WSUS from an executable downloaded from Microsoft’s website. I think the latest version of WSUS is 3.0 SP2 and you can download it from here.
On your Windows Server 2012 machine, open the Server Manager console and click the Add roles and features button on the main Dashboard. Press Next until you reach the Server Roles section and select Windows Server Update Services at the bottom of the list:

Note that .NET Framework 4.5, RSAT, Windows Internal Database and Windows Process Activation Service features will be installed with this package:

From the next section you’ll need to check WID Database and WSUS Services:
Now you’ll need to create a local folder on one of the server’s partitions and type its path into the WSUS wizard. The folder will be used to store updates downloaded from Microsoft’s website. Remember that the server needs outbound network access to Microsoft’s update repository to obtain the latest definitions:

Once the installation has finished, open the Server Manager console, navigate to the Tools section and select the Windows Server Update Services console. You will be prompted to choose the path for the Windows updates:
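The wizard steps above can also be scripted, which makes the build repeatable and easy to review. The following PowerShell is an added example, not part of the original article; the content path `D:\WSUS` is a placeholder you should replace with your own folder.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Assumption: D:\WSUS is a placeholder for the update content folder.
$contentDir = 'D:\WSUS'

# Install the WSUS role with the two role services ticked in the wizard
# (WID Database and WSUS Services) plus the management console.
$result = Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools
if (-not $result.Success) {
    throw 'WSUS role installation failed.'
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required before running the post-install step.'
}

# Create the local folder that will hold the downloaded updates.
if (-not (Test-Path -LiteralPath $contentDir)) {
    New-Item -ItemType Directory -Path $contentDir | Out-Null
}

# Post-installation task: the same step the WSUS console prompts for
# when it asks for the update storage path on first launch.
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall "CONTENT_DIR=$contentDir"
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall exited with code $LASTEXITCODE."
}

# Verify what was installed and that the services are running.
Get-WindowsFeature -Name UpdateServices* |
    Where-Object Installed |
    Select-Object Name, InstallState
Get-Service -Name WsusService, W3SVC | Select-Object Name, Status
```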
After the updates repository is configured, the WSUS configuration wizard will start. In the Choose Upstream Server section, choose the server from which you’ll synchronize Windows updates. By default, the WSUS server will download updates from Microsoft’s website, but you can choose a different server if desired:
If the local WSUS machine requires a proxy to connect to the upstream server, you can specify it in the following section. Next you’ll need to configure the Languages, Products, Classifications and Sync Schedule sections. These settings can be configured later from the WSUS console and I will show you right now how to configure each option. In the WSUS console navigate to the Options section and you’ll see all available settings:
There is a short description under each setting so there is no need to list each one and explain them to you. I think the WSUS console is pretty intuitive and easy to use. From the bottom section of this menu you can also start the WSUS Server Configuration Wizard and configure all these options much faster.
When deploying updates, you would configure groups of computers so that updates target only the machines that need those components updated. By grouping machines in different directories you create a tree structure similar to Active Directory, giving you a centralized and organized architecture for administering your network devices.
In the WSUS console navigate to Computers/All Computers and click on Add Computer Group from the Actions menu:
Now you can add machines under each directory and target Windows updates at each group. I’ve created several groups as follows:
If you want to remove a group from the WSUS console, right click it and select Delete.
Clients can also be assigned to WSUS groups using Group Policy Objects. Open the WSUS console, navigate to the Options section and click on Computers. Now change the assignment method to use Group Policy or registry settings on computers:
Open the Group Policy Management Console and create a new GPO. Edit the policy and navigate to Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update, then double-click Enable client-side targeting and set it to Enabled. Type in the group’s name and then link the GPO to the desired OU. You’ll need to restart the WSUS service before the clients appear in their corresponding groups:
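The group and targeting steps above can be applied and then verified from PowerShell. This is an added example, not part of the original article: the group names are placeholders, and `Get-WsusClientPolicy` is a hypothetical helper defined here to read the values the GPO writes on a client.

```powershell
# Added example. Server part: run on the WSUS server.
# Assumption: 'Workstations' and 'Servers' are placeholder group names.
$groups = 'Workstations', 'Servers'

$wsus = Get-WsusServer   # local WSUS server (UpdateServices module)

# Options > Computers: "Use Group Policy or registry settings on computers".
$config = $wsus.GetConfiguration()
if ($config.TargetingMode -ne 'Client') {
    $config.TargetingMode = 'Client'
    $config.Save()
}

# Client-side targeting only places a machine in a group that already
# exists on the server, so create any missing groups first.
$existing = $wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name }
foreach ($name in $groups) {
    if ($existing -notcontains $name) {
        $wsus.CreateComputerTargetGroup($name) | Out-Null
    }
}

Restart-Service -Name WsusService

# Client part: hypothetical helper that reports the Windows Update policy
# values a client received, so a wrong group name is caught early.
function Get-WsusClientPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $key)) { return $null }   # policy not applied yet
    $wu = Get-ItemProperty -Path $key
    $au = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $wu.WUServer
        UseWUServer        = ($au.UseWUServer -eq 1)
        TargetGroupEnabled = ($wu.TargetGroupEnabled -eq 1)
        TargetGroup        = $wu.TargetGroup
        # WSUS uses plain HTTP unless HTTPS is configured separately.
        UsesHttps          = ($wu.WUServer -like 'https://*')
    }
}
# On a client, after the GPO has applied:  Get-WsusClientPolicy
```

A `$null` result or `TargetGroupEnabled = False` on a client means the GPO has not reached that machine, which is the first thing to rule out when a computer stays in Unassigned Computers.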
Once the computers have been added to the WSUS console and the updates have been downloaded from Microsoft’s website, you can proceed with updating your devices. We didn’t cover all aspects of this update service, but I think we will cover them in a future article. Please share your thoughts about this topic and post any questions you have regarding this article. Wish you all the best and hope you’ve enjoyed this post.