In this article I will show you how to install and configure the Windows Server Update Services (WSUS) role on a Windows Server 2012 machine. Within a Windows infrastructure, WSUS offers a centralized way to monitor and install critical updates for your machines. Note that there are other Microsoft products that can be used to achieve the same results, but some may require additional licenses. One of the well-known products of this type is SCCM (System Center Configuration Manager), but remember that it is not shipped with the standard Windows Server license, so you will need to pay additional fees to get it.
If you are using older versions of Windows Server you can install WSUS from an executable downloaded from Microsoft’s website. I think the latest version of WSUS is 3.0 SP2 and you can download it from here.
On your Windows Server 2012 machine, open the Server Manager console and click the Add roles and features button on the main Dashboard. Press Next until you reach the Server Roles section and select Windows Server Update Services from the bottom section:
Note that .NET Framework 4.5, RSAT, Windows Internal Database and Windows Process Activation Service features will be installed with this package:
From the next section you’ll need to check WID Database and WSUS Services:
Now you’ll need to create a local folder on one of the server’s partitions and type its path into the WSUS wizard. The folder will be used to store updates downloaded from Microsoft’s website. Remember that you will need to allow network access from this server to Microsoft’s update repository to obtain the latest definitions:
Once the installation has finished, open the Server Manager console, navigate to the Tools section and select the Windows Server Update Services console. You will be prompted to choose the path for the Windows updates:
After the updates repository is configured, the WSUS configuration wizard will start. In the Choose Upstream Server section, choose the server from which you’ll synchronize Windows updates. By default, the WSUS server will download updates from Microsoft’s website, but you can choose a different server if desired:
If the local WSUS machine requires a proxy to connect to the upstream server, you can specify it in the following section. Next you’ll need to configure the Languages, Products, Classification and Sync Schedule sections. These settings can be configured later from the WSUS console and I will show you right now how to configure each option. In the WSUS console navigate to the Options section and you’ll see all available settings:
There is a short description under each setting so there is no need to list each one and explain them to you. I think the WSUS console is pretty intuitive and easy to use. From the bottom section of this menu you can also start the WSUS Server Configuration Wizard and configure all these options much faster.
When deploying updates, you configure groups of computers so that each update targets only the machines that need it. By grouping machines into different directories you create a tree structure similar to Active Directory, which gives you a centralized and organized way to administer your network devices.
In the WSUS console navigate to Computers/All Computers and click on Add Computer Group from the Actions menu:
Now you can add machines under each directory and target Windows updates at each group. I’ve created several groups as follows:
If you want to remove a group from the WSUS console, right-click it and select Delete.
Clients can also be assigned to WSUS groups using Group Policy Objects. Open the WSUS console, navigate to the Options section and click on Computers. Now change the assignment method to use Group Policy or registry settings on computers:
Open the Group Policy Management Console and create a new GPO. Edit the policy and navigate to Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update. Double-click Enable client-side targeting and set it to Enabled. Type in the group’s name and then link the GPO to the desired OU. You’ll need to restart the WSUS service before the clients will appear in their corresponding groups.
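The group and targeting steps above can also be scripted and checked on the WSUS server. The following is an added example, not part of the original article; the group names are constructed samples, and it assumes an elevated PowerShell session on the Windows Server 2012 machine where the WSUS role is installed.

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
# The group names below are constructed samples; replace them with your own.
$groupNames = @('Servers-Test', 'Servers-Production', 'Workstations')

Import-Module UpdateServices
$wsus = Get-WsusServer   # connects to the local WSUS instance

# Create every group that does not exist yet. With client-side targeting the
# name typed into the GPO must match an existing WSUS group exactly, otherwise
# the client stays in Unassigned Computers.
$existing = @($wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name })
foreach ($name in $groupNames) {
    if ($existing -notcontains $name) {
        $null = $wsus.CreateComputerTargetGroup($name)
        Write-Output "Created group: $name"
    }
}

# Equivalent of Options > Computers >
# "Use Group Policy or registry settings on computers".
$config = $wsus.GetConfiguration()
if ($config.TargetingMode -ne 'Client') {
    $config.TargetingMode = 'Client'
    $config.Save()
    Write-Output 'Targeting mode switched to client-side (Group Policy / registry).'
}

# Restart the WSUS service, as the article requires, then reconnect.
Restart-Service -Name WsusService
$wsus = Get-WsusServer

# Report which clients landed in which group. Clients listed under
# "Unassigned Computers" have not picked up the GPO or name an unknown group.
foreach ($group in $wsus.GetComputerTargetGroups()) {
    $members = @($group.GetComputerTargets())
    Write-Output ("{0}: {1} computer(s)" -f $group.Name, $members.Count)
    foreach ($computer in $members) {
        Write-Output ("    {0}  last report: {1}" -f `
            $computer.FullDomainName, $computer.LastReportedStatusTime)
    }
}
```

Clients only show up after they have applied the GPO and contacted the server, so rerun the report section after the next policy refresh if a group is still empty.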
Once the computers have been added to the WSUS console and the updates have been downloaded from Microsoft’s website, you can proceed with updating your devices. We didn’t cover all aspects of this update service, but I think we will cover them in a future article. Please share your thoughts about this topic and post any questions you have regarding this article. Wish you all the best and hope you’ve enjoyed this post.