How to install & configure WSUS in Windows Server 2016

Intune is a great tool to deploy Windows Updates in all endpoints.

Probably when you have mobile devices that are out of the Company.

If you want to read more for Intune you can find interesting articles by Damien Van Robaeys in http://www.systanddeploy.com/

But there are lot companies that it  hasn't the budget to use Intune or for any other reason that maybe has.

In this case we can use WSUS (Windows Server Update Services) which can deploy the Windows Updates from one location in all endpoints.

So let' start to explain

 

Before install WSUS

Before start the installation of WSUS you must decide how you will Plan the WSUS Deployment.

It's recommended to read the article from Microsoft Docs Plan your WSUS Deployment

WSUS use the port 443 and https protocol. 

If you don't want to allow Internet Access in the WSUS Server you must allow the following URL in your firewall

 

How to install WSUS

The installation of WSUS Role it's easy without complexity

So let's start

  • Open Server Manager
  • Click Manage -- Add Roles & Features
  • Click Next

 

  • Keep the default settings and click Next.

 

  • If you don't have add other Server in Server Manager just leave the default and click Next. Unless select the local Server and click Next.

 

  • Check the Windows Server Update Services and at the same time click Add Features.

 

  • Click Next

 

  • Once again Next without Add any Feature

 

  • Click once again Next. It's just steps that proceed to finish the installation of WSUS.

 

  • Don't change anything for the Role Services of the Web Server and click Next.

 

  • Windows Server Update Services Wizard. Just click Next

 

  • We don't need the option Sql Server Connectivity.

 

  • You must select if you want to store the Windows Updates local in your Server or not

 

  • Let's explain the difference here.
    • If you store the Windows Updates local the endpoints will download quicker the Windows Updates from the WSUS
    • If you will not store the Windows Updates in your Server you save disk space but need more time the endpoints to download the Windows Updates from the WSUS.
  • If you decide to store the Windows Updates it's recommended to create a separate partition.
  • Take your decision and click Next. In my Scenario i choose to store the Windows Updates and gave the path.

 

  • Click Install and wait until finish. 

 

How to configure WSUS

After finish the installation of the WSUS then you must configure the WSUS Server using Configuration Wizard.

This is one time configuration wizard that you must do before start using WSUS. 

  • Open the Server Manager 
  • Click in the Flag
  • Click Launch-Post Installation Task

 

If you skip it by mistake then you can launch it from WSUS Server Console

  • From the Server Manager click Tools -- Windows Server Update Services

 

  • Expand the Server Name. In my scenario is WSUS
  • Select Options.
  • From the right side click WSUS Server Configuration Wizard

 

  • In the first step click Next.

 

  • Click Next again

 

  • Keep the default option Synchronize from Microsoft Updates.

 

  • Specify proxy information if you have got one. Unless click Next without change anything.

 

  • Click Start Connecting  to Connect in Upstream Server.

 

  • Specify the Language for your Windows Updates.

 

  • Specify the products that you want to update. I select Windows Server 2012 , Windows Server 20016 and 2019.

 

  • Specify the type of the Windows updates to download. 

 

  • Configure when you want to synchronize the WSUS with the Windows Updates.

 

  • Check the Begin initial synchronization.Click Next

 

  • Click Finish.

 

  • You can see the Synchronization Status from the Console

Until finish the synchronization let's go to create the Group Policies to deploy the Windows updates in the Endpoints that you would like.

 

How to configure Group Policy for WSUS

The last step after finish the Installation and Configuration of WSUS is to create a Group Policy for the WSUS.

In the Group Policy configure from which Server will request the Windows Updates the Endpoiint.

  • Create a new Group Policy
  • Go in  Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
  • Edit the Configure Automatic Updates with any of the options that match in your environment. In this scenario i select 3 - Automatic download and notify for install and 0-Every Day

 

  • Edit the Specify intranet Microsoft update service location. You must enter the URL of the intranet server which is in type of http:<fqdn>:8350

 

  • Now Apply the GPO in every Organization Unit which include the Endpoints that will be receive Windows Updates from WSUS
  • Once apply the GPO in the Endpoints you will be ask how can identify that the GPO apply and it's sure that the Endpoint will retrieve Windows Updates from WSUS?
  • One way is to open Server Manager - - Local Server
  • Verify that in the Windows Updates says Download Windows updates only using managed updating service

 

  • The other way is to open the registry
  • Go in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

 

 

How to configure WSUS Computer Groups

Probably you will have Server , Workstations and different OS in your environment.

To target the Updates for the different OS and type of Endpoints you can create the Computer Groups.

The hierarchy depends from your infrastructure.

I will show you only how can create the Computer Group and add the Endpoints in the Group

  • Right click in All Computers and select Add Computer Group

 

  • Type the name of the Computer Group. Click Add

 

  • Now right click on Updates and select New update View

 

  • Tick the Updates are for a specific product
  • Click in any produc.

 

  • Select only the product that you prefer. For this scenario i select Windows 10 

 

  • Type the name of the View and click OK
  • Now click on the new Update View
  • Change the Filter to Unapproved

 

  • Select the Windows Updates that you want to deploy in your Windows 10 Endpoints (in my example)
  • As you can see i use the search to find the Update for the specific version of Windows 10
  • Right click select Approve

 

  • Select the Computer Group and select Approve for Install.

 

That's it! Now base on which Computer has in Group and the Group Policy Settings will be install the Windows Updates.

As you can see it's very easy when you separate with the Groups the types of your Endpoints because you can target the specific Windows Updates for the specific group of Endpoints very quickly.

 

To be honest it's not very easy process because must be dedicate specific time to find and approve the Windows Updates for every Category.

From the other hand you can Centralize your Windows Updates and know exactly which Endpoints are out of Date and must be Updated.

Have a nice weekend !!

Be Safe

 

 

Disqus Comments