Intune is a great tool to deploy Windows Updates in all endpoints.
Probably when you have mobile devices that are out of the Company.
If you want to read more for Intune you can find interesting articles by Damien Van Robaeys in http://www.systanddeploy.com/
But there are lot companies that it hasn't the budget to use Intune or for any other reason that maybe has.
In this case we can use WSUS (Windows Server Update Services) which can deploy the Windows Updates from one location in all endpoints.
So let' start to explain
Before install WSUS
Before start the installation of WSUS you must decide how you will Plan the WSUS Deployment.
It's recommended to read the article from Microsoft Docs Plan your WSUS Deployment
WSUS use the port 443 and https protocol.
If you don't want to allow Internet Access in the WSUS Server you must allow the following URL in your firewall
- http://windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
- http://download.windowsupdate.com
- https://download.microsoft.com
- http://*.download.windowsupdate.com
- http://wustat.windows.com
- http://ntservicepack.microsoft.com
- http://go.microsoft.com
- http://dl.delivery.mp.microsoft.com
- https://dl.delivery.mp.microsoft.com
How to install WSUS
The installation of WSUS Role it's easy without complexity
So let's start
- Open Server Manager
- Click Manage -- Add Roles & Features
- Click Next
- Keep the default settings and click Next.
- If you don't have add other Server in Server Manager just leave the default and click Next. Unless select the local Server and click Next.
- Check the Windows Server Update Services and at the same time click Add Features.
- Click Next
- Once again Next without Add any Feature
- Click once again Next. It's just steps that proceed to finish the installation of WSUS.
- Don't change anything for the Role Services of the Web Server and click Next.
- Windows Server Update Services Wizard. Just click Next
- We don't need the option Sql Server Connectivity.
- You must select if you want to store the Windows Updates local in your Server or not
- Let's explain the difference here.
- If you store the Windows Updates local the endpoints will download quicker the Windows Updates from the WSUS
- If you will not store the Windows Updates in your Server you save disk space but need more time the endpoints to download the Windows Updates from the WSUS.
- If you decide to store the Windows Updates it's recommended to create a separate partition.
- Take your decision and click Next. In my Scenario i choose to store the Windows Updates and gave the path.
- Click Install and wait until finish.
How to configure WSUS
After finish the installation of the WSUS then you must configure the WSUS Server using Configuration Wizard.
This is one time configuration wizard that you must do before start using WSUS.
- Open the Server Manager
- Click in the Flag
- Click Launch-Post Installation Task
If you skip it by mistake then you can launch it from WSUS Server Console
- From the Server Manager click Tools -- Windows Server Update Services
- Expand the Server Name. In my scenario is WSUS
- Select Options.
- From the right side click WSUS Server Configuration Wizard
- In the first step click Next.
- Click Next again
- Keep the default option Synchronize from Microsoft Updates.
- Specify proxy information if you have got one. Unless click Next without change anything.
- Click Start Connecting to Connect in Upstream Server.
- Specify the Language for your Windows Updates.
- Specify the products that you want to update. I select Windows Server 2012 , Windows Server 20016 and 2019.
- Specify the type of the Windows updates to download.
- Configure when you want to synchronize the WSUS with the Windows Updates.
- Check the Begin initial synchronization.Click Next
- Click Finish.
- You can see the Synchronization Status from the Console
Until finish the synchronization let's go to create the Group Policies to deploy the Windows updates in the Endpoints that you would like.
How to configure Group Policy for WSUS
The last step after finish the Installation and Configuration of WSUS is to create a Group Policy for the WSUS.
In the Group Policy configure from which Server will request the Windows Updates the Endpoint.
- Create a new Group Policy
- Go in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
- Edit the Configure Automatic Updates with any of the options that match in your environment. In this scenario i select 3 - Automatic download and notify for install and 0-Every Day
- Edit the Specify intranet Microsoft update service location. You must enter the URL of the intranet server which is in type of http:<fqdn>:8350
- Now Apply the GPO in every Organization Unit which include the Endpoints that will be receive Windows Updates from WSUS
- Once apply the GPO in the Endpoints you will be ask how can identify that the GPO apply and it's sure that the Endpoint will retrieve Windows Updates from WSUS?
- One way is to open Server Manager - - Local Server
- Verify that in the Windows Updates says Download Windows updates only using managed updating service
- The other way is to open the registry
- Go in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
How to configure WSUS Computer Groups
Probably you will have Server , Workstations and different OS in your environment.
To target the Updates for the different OS and type of Endpoints you can create the Computer Groups.
The hierarchy depends from your infrastructure.
I will show you only how can create the Computer Group and add the Endpoints in the Group
- Right click in All Computers and select Add Computer Group
- Type the name of the Computer Group. Click Add
- Now right click on Updates and select New update View
- Tick the Updates are for a specific product
- Click in any produc.
- Select only the product that you prefer. For this scenario i select Windows 10
- Type the name of the View and click OK
- Now click on the new Update View
- Change the Filter to Unapproved
- Select the Windows Updates that you want to deploy in your Windows 10 Endpoints (in my example)
- As you can see i use the search to find the Update for the specific version of Windows 10
- Right click select Approve
- Select the Computer Group and select Approve for Install.
That's it! Now base on which Computer has in Group and the Group Policy Settings will be install the Windows Updates.
As you can see it's very easy when you separate with the Groups the types of your Endpoints because you can target the specific Windows Updates for the specific group of Endpoints very quickly.
How to Automatic Approval Updates
It's not the recommended option for all the Windows Updates but only for the Security Updates.
We must keep every time all our Servers with the latest Security Updates to avoid any security hole in our systems.
It's not easy to keep the process manual when you have hundred of Servers to maintain.
For this reason i will show you how can approve automatic all the Security Updates for your Windows OS
- Open the WSUS
- Click in the Options
- From the right side Select Automatic Approvals
- Click in the New Rule
- Tick the first 2 Options
- Now click in Any Classification
- Select only the Security Updates. Click OK
- Select any Product
- Select only the product that you want to automatic approve the Security Updates. For the scenario i select Windows Server 2016.Click OK
- Click in all computers
- Select the Computer Group which include the specific Servers or Workstations with the appropriate Windows OS. Click OK
- If you have already download the Windows Updates then you must click in Run Rule to approve all the Security Updates.
- You don't need to click in Run Rule for the next updates that will download or if you don't have start to download any Windows update yet.
- Now you can easily create a new Update View which will include only the Security Updates to verify that all has been approved
Remember that until now we have only Automatic Approve all the Security updates.
If you want to proceed with automatic installation of the Security Updates you must change your Group Policy settings.
Read the paragraph How to configure Group Policy for WSUS to understand which settings must be change in Group Policy
To be honest it's not very easy process because must be dedicate specific time to find and approve the Windows Updates for every Category.
But remember that this will happened only once and create an automate procedure while you have centralize your Windows Updates and know exactly which Endpoints are out of Date and must be Updated.
Have a nice weekend !!
Be Safe