Setting up Windows Server Update Services (WSUS)

Part 1: INSTALLATION

Assumptions

  1. This is a Server 2012 environment
  2. This is the first and only WSUS server being configured for the environment
  3. AD is already configured and the target server is already installed with Server 2012 R2 Standard, patched and joined to AD
  4. Server is running on Hyper-V, is in the same subnet as the AD server, is configured with a static IP, and has at least 160 GB of free space. If you choose to download all updates through WSUS and keep all service packs, you will need at least 500 GB of available space
  5. All WSUS databases and update stores will be installed to C:\

WSUS Installation

  1. Open Server Manager and select Add Roles and Features from the Dashboard. Click Next through the next 3 screens until you reach the screen that says Select one or more roles to install on the selected server. Select Windows Server Update Services, click Add Features at the prompt and then click Next.
  2. On the Select Features screen click Next; on the WSUS screen click Next; on the Role Services screen verify that both WID Database and WSUS Services are selected and click Next.
  3. On the Content screen specify the location where the updates will be stored. You will need AT LEAST 160 GB of free space for this, more if you plan to store non-critical updates and Service Packs. Click Next.
  4. On the Web Server Role (IIS) screen click Next; on the Select Role Services screen click Next; on the Confirm installation selections screen click Install. When the install completes, click Close.
  5. Open WSUS from Server Manager. In the Complete WSUS Installation window click Run, wait for the task to complete and click Close. This step verifies that the update location you selected earlier is still the same.
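The same role installation, scripted from an elevated PowerShell session on the target Server 2012 R2 host. This is an added example and not part of the original guide; it assumes C:\WSUS as the content directory (the guide only says everything lives on C:\), so change that path if you chose a different folder in step 3.

```powershell
# Added example, not from the original guide. Assumption: C:\WSUS is the
# content directory chosen in step 3 of the wizard; adjust if yours differs.
$ContentDir = 'C:\WSUS'

# Steps 1-4: install the WSUS role with the Windows Internal Database (WID)
# option, the WSUS services and the management console. The UpdateServices
# feature pulls in the IIS components it needs.
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools

# Check the free space the guide requires (160 GB minimum) before committing
# the content directory; a full update volume is a common cause of a WSUS
# server that silently stops approving and serving updates.
$driveLetter = $ContentDir.Substring(0, 1)
$freeGB = [math]::Round((Get-Volume -DriveLetter $driveLetter).SizeRemaining / 1GB)
if ($freeGB -lt 160) {
    throw "Only $freeGB GB free on drive $driveLetter; WSUS content needs at least 160 GB."
}

if (-not (Test-Path $ContentDir)) {
    New-Item -Path $ContentDir -ItemType Directory | Out-Null
}

# Step 5: the command-line equivalent of the "Complete WSUS Installation"
# post-deployment task in Server Manager. It creates the WID database and
# binds the content directory.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir
```

Run it once; `Install-WindowsFeature` reports the features as already installed on a second run, and `wsusutil postinstall` can be rerun safely if the first attempt was interrupted.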

Part 2: Configuration

Initial Configuration

  1. When you open WSUS from Server Manager for the first time, you will get a Configuration Wizard. On the “Before You Begin” screen click Next; on the “MS Update Improvement” screen click Next; on the “Choose Upstream Server” screen, select Synchronize from Microsoft Update and click Next.
  2. On the “Specify Proxy Server” screen click Next; on the “Connect to Upstream Server” screen, click Start Connecting. Wait for the connection to Windows Update to complete and then click Next.
  3. On the “Choose Languages” screen, make sure English is the ONLY selected language and click Next. On “Products”, select only the products that are used in the organization. DO NOT SELECT THEM ALL! Only current OS releases, SQL, .NET/ASP, and Office products should be selected.
  4. On the “Choose Qualifications” screen select Critical Updates, Security Updates and Service Packs, then click Next. On the “Set Sync Schedule” screen, select Synchronize Automatically and choose a time of day to perform the update sync; this should happen once a day. On the Finished screen, select Begin Initial Synchronization and click Finish.
  5. Open the WSUS console and navigate to the WSUS server in the left pane. The initial updates should begin syncing.
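The wizard choices above, scripted with the WSUS PowerShell module and the WSUS administration API on the server itself. This is an added example and not part of the original guide. The product list and the 03:00 sync time are constructed values: the guide only says "current OS, SQL, .NET/ASP and Office" and "once a day", so replace them with the titles and hour that fit your environment.

```powershell
# Added example, not from the original guide. Run on the WSUS server after the
# role is installed. Product titles and the sync hour below are constructed
# values; adjust them to your environment.
$wsus = Get-WsusServer

# "Choose Upstream Server": synchronize directly from Microsoft Update (no proxy).
Set-WsusServerSynchronization -SyncFromMU

# "Choose Languages": English only. Disabling "all languages" first matters,
# otherwise the explicit list below is ignored.
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages([string[]]@('en'))
$config.Save()

# "Start Connecting": pull the product and classification catalog from the
# upstream server so the titles used below exist locally. Wait for it to finish.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 10
}

# "Products": enable only what the organization runs and explicitly disable
# the rest, so the default selection cannot leave extra products enabled.
$wantedProducts = @('Windows Server 2012 R2', 'SQL Server 2014', 'Office 2013')   # constructed list
Get-WsusProduct | Where-Object { $_.Product.Title -in $wantedProducts } | Set-WsusProduct
Get-WsusProduct | Where-Object { $_.Product.Title -notin $wantedProducts } | Set-WsusProduct -Disable

# Classifications: Critical Updates, Security Updates and Service Packs only.
$wantedClasses = @('Critical Updates', 'Security Updates', 'Service Packs')
Get-WsusClassification | Where-Object { $_.Classification.Title -in $wantedClasses } | Set-WsusClassification
Get-WsusClassification | Where-Object { $_.Classification.Title -notin $wantedClasses } | Set-WsusClassification -Disable

# "Set Sync Schedule": automatic, once a day. 03:00 is a constructed value.
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$subscription.NumberOfSynchronizationsPerDay = 1
$subscription.Save()

# "Begin Initial Synchronization".
$subscription.StartSynchronization()
```

The explicit `-Disable` passes are what make this safe to rerun: the wizard's product and classification pages are a snapshot of whatever is currently enabled, and without the disable step an earlier run or the defaults would keep extra products syncing.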

Adding Computer Groups

  1. Navigate to the WSUS console and select Options from the left-hand side. Double click Computers on the right.
  2. In the Computers screen, select Use Group Policy or registry settings on computers and click OK.
  3. Right click All Computers in the left pane, select Add Computer Group…
  4. In the Name box, type in names based on how the PCs will receive updates. You will be approving updates based on the groups you specify. For example, all computers and servers will receive Critical updates, but maybe only some workstations will receive all possible updates. Logical classifications may include but are not limited to: Servers, Accounting PCs, Service PCs, NOUPDATE PCs. The GPOs will also be applied based on these groups, which can control how often machines look for updates, whether they reboot after, or if the user should be allowed to control those policies.
  5. Repeat step 4 until all groups have been added. You will then need to create containers in AD that will be used to apply GPOs to place those machines in the correct WSUS groups.
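Steps 1 to 5 of this section, scripted against the WSUS administration API on the server, plus a read-only check of the client-side policy that the later GPOs will set. This is an added example and not part of the original guide. The group names are the examples the guide lists; the check at the end reads the local machine's Windows Update policy keys and works unchanged on any domain-joined client.

```powershell
# Added example, not from the original guide. Run on the WSUS server.
$wsus = Get-WsusServer

# Step 2: "Use Group Policy or registry settings on computers" is client-side
# targeting; the alternative (Server) assigns machines to groups in the console.
$config = $wsus.GetConfiguration()
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()

# Steps 3-5: create the groups under "All Computers". Group names taken from
# the guide's examples; existing groups are skipped so the script can be rerun
# after a new name is added to the list.
$groupNames = @('Servers', 'Accounting PCs', 'Service PCs', 'NOUPDATE PCs')
$existing = $wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name }
foreach ($name in $groupNames) {
    if ($existing -contains $name) {
        Write-Host "Group '$name' already exists, skipping"
    } else {
        $wsus.CreateComputerTargetGroup($name) | Out-Null
        Write-Host "Created WSUS computer group '$name'"
    }
}

# With client-side targeting a machine joins a group only if the TargetGroup
# value its GPO sets matches a WSUS group name exactly (case and spaces
# included); a typo lands it in "Unassigned Computers" where nothing you
# approve per group reaches it. This read-only check shows what the local
# machine's policy currently says; run the same lines on any domain-joined
# client to verify the GPO applied.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey |
        Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
} else {
    Write-Host "No Windows Update policy applied to this machine yet."
}
```

After the GPOs are in place, the console's Unassigned Computers group is the place to look for clients whose TargetGroup value does not match any of the names created here.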