|

FEATURED POSTS

How to Change Outlook Password in 3 Different Ways

How to Change Outlook Password in 2 Easy Steps

Introduction Before you change your Outlook Password you have to first change it with your email provider. The reason...
spotify web player not working

Spotify Web Player Not Working [Fixed]

Introduction Spotify Web Player may stop working for you with the following error messages: "Spotify Web Player an Error...
DISM.exe /Online /Cleanup-Image /Restorehealth

DISM.exe /Online /Cleanup-Image /Restorehealth Explained

What is DISM.EXE /Online /Cleanup-image /RestoreHealth? "DISM.exe /Online /Cleanup-Image /Restorehealth" is a DISM command that repairs issue with the...
DHCP Relay agent

DHCP Relay Agent: Configuration in Windows Server 2016

What is a DHCP Relay Agent? A DHCP Relay Agent allows DHCP clients in a different network subnet to...
ForEach-Powershell

PowerShell ForEach: Syntax, Parameters, Examples

What is PowerShell ForEach? PowerShell ForEach (ForEach PowerShell) is a PowerShell construct used in iterating through values in a...

TRENDING POSTS

Remote Desktop Connection

Remote Desktop Connection an Internal Error Has Occurred [Fixed]

Introduction I recently received the error message "Remote Desktop Connection an Internal Error Has Occurred". It was strange because...

Find My Samsung: Register and Use Samsung Find my Mobile

Introduction Ever wondered how you could find your Samsung phone if you lost it? Find my Samsung or Samsung...
PowerShell vs CMD

Powershell vs CMD: Differences and Similarities Compared

Introduction This short guide compares PowerShell vs CMD (Windows command prompt). I will cover the history and nature of...
Spotify No Longer Supports this Version of Microsoft Edge

Spotify No Longer Supports this Version of Microsoft Edge [Fixed]

Introduction When you open Spotify web player on Microsoft Edge, you may receive the error message "Spotify No Longer...
Windows 10 Won't Boot

Windows 10 Won’t Boot With Black Screen? 3 Ways to Fix It

Why Won't Windows 10 Boot Up? If your Windows 10 stops with a black screen, the first question in...

BEST OF ITECHGUIDES

SysWOW64 and File System Redirector Explained

SysWOW64 and File System Redirector Explained

Introduction A Windows 64-bits OS has a SysWOW64 folder. It also has a System32 folder. These folders contain OS...
Amazon Hub

Amazon Hub: Your Definitive Guide to Hub by Amazon

What is Amazon Hub? Amazon Hub provides shoppers with a self-service delivery location to pick up their Amazon packages....
PortalOffice365

Portal Office 365: Your Ultimate Guide to Office 365 Admin Portal

What is PortalOffice365? PortalOffice365 (portal.office.com) is a Microsoft cloud-based portal that allows administrators to create and manage users and...
RAID 5 vs RAID 6

RAID 5 vs RAID 6: Differences, Benefits and Disadvantages

What is RAID 5 vs RAID 6? RAID 5 and RAID 6 uses striping with distributed parity technique. However,...
what is active directory

What is Active Directory (Top 50 AD Questions Answered)

Introduction This article answers the question - What is Active Directory and 49 other most widely asked AD questions....

RECENT POSTS

how to merge cells in excel

How to Merge Cells in Excel in 2 Easy Ways

Introduction You can merge two Cells in Excel using CONCATENATE function or the “&” (ampersand) operator. Though Excel has...
How to Make a Pivot Table in Google Sheets

How to Make a Pivot Table in Google Sheets

Introduction You can make a Pivot Table in Google Sheets to simplify analysis of complex data. A Pivot Table...
how to make Pivot Table

How to Make a Pivot Table in Excel

Introduction A Pivot Table allows you to analyze, summarize and calculate large data to help find relationships. With a...
RAID 3 (Redundant Array of Independent Disks) Explained

RAID 3 (Redundant Array of Independent Disks) Explained

What is RAID 3? RAID 3 is a RAID implementation that uses striping with a dedicated parity disk....
RAID 5 vs RAID 6

RAID 5 vs RAID 6: Differences, Benefits and Disadvantages

What is RAID 5 vs RAID 6? RAID 5 and RAID 6 uses striping with distributed parity technique. However,...
concatenate excel

Concatenate in Excel: How to Concatenate Columns and Strings

What is Concatenate in Excel? Concatenate in Excel is joining two strings into one continuous string. You can join...

How to Add in Excel (Excel Sum) with Examples

Introduction There are different ways to add numbers in Excel. You could simply select the cells containing the data....
Excel Count

Excel Count: How to Count in Excel With Examples

Introduction Excel COUNT Function is used for counting items in a worksheet. Excel COUNT also has the conditional function,...
powershell.exe -command

Powershell.exe Command: Syntax, Parameters and Examples

Introduction You may be wondering why write on Powershell.exe Command. Are there special commands for Powershell.exe? Yes! When you...
how to move columns in excel

How to Move Columns to Rows and Rows to Columns in Excel

Introduction If you receive some Excel data in columns, you can easily move the columns to rows in Excel...

MUST READ

FTP and SFTP ports

FTP and FTP Port, SFTP and SFTP Port: Quick Reference

Introduction FTP and SFTP are two protocols for transferring files between a server and a client computer. FTP port...
How to Make a Pivot Table in Google Sheets

How to Make a Pivot Table in Google Sheets

Introduction You can make a Pivot Table in Google Sheets to simplify analysis of complex data. A Pivot Table...

DHCP vs Static IP: How to Set a Static IP or Enable DHCP in...

What is DHCP vs Static IP Address? This tutorial will compare the difference between DHCP vs Static IP addressing....
what is active directory

What is Active Directory (Top 50 AD Questions Answered)

Introduction This article answers the question - What is Active Directory and 49 other most widely asked AD questions....
RAID 5 vs RAID 6

RAID 5 vs RAID 6: Differences, Benefits and Disadvantages

What is RAID 5 vs RAID 6? RAID 5 and RAID 6 uses striping with distributed parity technique. However,...

WSUS (Windows Server Update Service): Installation and Configuration

-

What is WSUS Server?

WSUS (Windows Server Update Service) is a Microsoft Server role that allows download and installation of Operating System updates to computers in a local network. System Administrators use WSUS (Windows Server Update Service) to create computer groups to ease patch management. Besides, Windows Server Update Service server can also generate compliance reports to determine computers that need specific updates.

In this tutorial you will learn how to:

  • Install and configure the WSUS Server role
  • Configure group policies for WSUS (Windows Server Update Service) updates
  • Set up Client-side targeting

If you follow the setup in this tutorial you should be able to setup a working WSUS server infrastructure.

To walk through the installations and configurations discussed in this tutorial, you need a Domain Controller, 2 WSUS servers (one as upstream, another as downstream server) and a Windows 10 Client computer. All computers must be members of the AD Domain.

Sponsored Content


Install and Configure the WSUS (Windows Server Update Service) Server role

Before you install WSUS role, you need to confirm that your server meets the requirements. Below are the requirements.

System Requirements for Installing WSUS (Windows Server Update Service) Role

  • Processor: 1.4 gigahertz (GHz) x64 processor (2Ghz or faster is recommended)
  • Memory: WSUS server requires an additional 1.5GB of RAM – above and beyond what is required by Windows Server 2016.
  • Available disk space: 10 GB (recommended: 40GB or more)
  • Network adapter: 100 megabits per second (Mbps) or greater

Other WSUS (Windows Server Update Service) Role Installation Requirements

  • If there is a pending restart requirement, restart the server before you enable the Windows Server Update Service server role.
  • Additionally, Microsoft .NET Framework 4.5 must be installed on the server.
  • The NT Authority\Network Service account must have Full Control permissions for the following folders:

%windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files and %windir%\Temp folders. This path might not exist prior to installing Internet Information Services (IIS).

  • Finally, the installation account must be a member of the Local Administrators group

WSUS Database Requirements

At least one of these databases is required:

  • Windows Internal Database (WID)
  • Microsoft SQL Server 2017
  • MS SQL Server 2016
  • Microsoft SQL Server 2014
  • MS SQL Server 2012
  • Microsoft SQL Server 2008 R2

Additional Installation Requirements

Apart from the requirements listed above, below are further considerations and requirements:

  • You can install WSUS server role and the database server on separate computers. However,
  • The Database server cannot be a Domain Controller.
  • Also, the WSUS server cannot run Remote Desktop Services
  • The Database server and the WSUS server must be in the same AD Domain. If in different domains, the domains must have a trust relationship.
  • Finally, the two servers must be in the same time zone or be synchronized to the same GMT time source.

Sponsored Content


WSUS (Windows Server Update Service) Pre-installation Tasks

Before you install Windows Server Update Service role, perform the following tasks:

  • Add the Domain Admin account as member of the Local Administrators group on the server you wish to install WSUS role: Open Server Manager, then click Tools and select Computer Management. On Computer Management, click Local Users and Groups. Double-click Groups then double-click Administrators group. Finally confirm that the installation account is a member of the local administrators group.
WSUS (Windows Server Update Service) - Add the Domain Admin account as member of the Local Administrators group on the server you wish to install WSUS role
  • Confirm that Microsoft .NET Framework 4.5 (4.6 on Windows Server 2016) is installed. If not, install it: Open Server Manager. Then click Add Roles or Features. On the first page click Next. Then select Role-based or Feature-based installation. Click Next until you get to Features.
WSUS pre-installation tasks - Confirm that Microsoft .NET Framework 4.5 is installed
  • Next, confirm that the Network Service account have Full Control permissions to: %windir%\Microsoft.NET\Framework64. Right-click Framework64 and select Properties, then click the Security tab.
Important Tip
To be able to modify the permission of Framework64 you may need to take ownership of the folder. You may also need to add your account to the local administrators group.
  • Confirm that the server you wish to install WSUS role meet the following requirements: Memory is 1.5 GB of RAM – above and beyond what is required by Windows Server 2016. Available disk space: 10 GB (40 GB or greater is recommended). Finally, confirm that your network adapter is 100 megabits per second (Mbps) or greater.
Note
For Windows Server 2016 hardware requirements read Windows Server 2016: A cheat sheet

Install WSUS (Windows Server Update Service) Server Role

Now you are ready to install WSUS. Follow the steps below:

  • Log on to the server and open Server Manager (should normally open by default).
  • From Server Manager (top right corner), click Manage then select Add Roles and Features.
Install WSUS (Windows Server Update Service) - add roles and features
  • On the “Before you begin” page, click Next.
  • On the “Select Installation type” select “Role-based or feature-based installation” and click Next.
Windows Server Update Service
  • Next, on the “Select Destination server page”, select the server you wish to install WSUS (Windows Server Update Service) role and click Next.
  • Next page presents option to select the roles you wish to install. Check the boxes beside Windows Server Update Service. A page will load asking you to confirm additional features to install. Click Add Features. Then click Next.

Sponsored Content


  • The “Select features” page loads. To proceed click Next.
  • Note the information in the Windows Server Update Services page. Then click Next to proceed.
  • Review the features checked below. Then click Next.
  • Enter a local or remote path to store updates.
  • On the Web Server (IIS) Role information page, read the information then click Next to proceed.
  • Then review the server roles and features you selected. Click Next.
  • Finally, on the confirmation page, review your selections. Check the box Restart the destination server automatically if required and click Install.
WSUS (Windows Server Update Service) - roles installation confirmation page

WSUS role may also be installed by running the PowerShell command below:

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

Sponsored Content


Configure Windows Server Update Service Using the WSUS Configuration Wizard

After installing WSUS (Windows Server Update Service), the next step is configuration. To configure the role:

  • Open Server Manager and click the yellow amber triangle. Then select Launch Post-installation tasks. Wait for the post-installation task to complete. Then proceed to the next step.
  • Still on Server Manager, click Tools then select Windows Server Update Services.
  • Read the information on the “Before you begin” page, then click Next to proceed.
WSUS (Windows Server Update Service) - configuration
  • Next, decide whether you wish to join the Microsoft Update Improvement Program or not. Click Next.
  • The next stage is very critical as this is where you decide the WSUS Server that connects to Microsoft Updates Server. Select Synchronize from Microsoft Update. Then to proceed click Next.
  • If you require a proxy server to connect to the internet, configure it here.
  • Read the relevant information on the Connect to Upstream Server page then click Start Connecting.
WSUS (Windows Server Update Service) - connect to Microsoft Update server
Important Tip
The previous step may take sometime to complete depending on your internet connection.
  • Once the connection task is completed, click Next.
  • Select the languages to download then click Next. I am downloading just English.

Sponsored Content


  • Choose the products you wish to download updates for. If you are in a production environment, download updates for all products in your environment.
  • Decide updates classification to download. In most cases the defaults are okay.
WSUS (Windows Server Update Service) - Decide updates clarification to download
  • Decide how you wish to synchronize your WSUS server with Microsoft Updates server. In a production environment, this has a lot of implications. Consider the number of updates to download, and your internet bandwidth.
  • On the Finish page, check Begin initial synchronization and click Next. Then click Finish.
WSUS (Windows Server Update Service) - Begin initial synchronization

Configure Downstream Servers

In a production environment with computers in different locations, a downstream server may be required. The downstream server will download updates from your upstream server and distribute the updates to computers in its local network. This way, you avoid updates installing over WAN links.

The steps below will walk you through how to configure a downstream WSUS (Windows Server Update Service) server.

Important Tip
To perform this task you would have installed Windows Server Update Service role on the downstream server. Moreover, you should also perform post-installation task.
  • Log on to the second WSUS server. From Server Manager click Tools then Select Windows Server Update Services.
  • On the Before you begin page, click Next.
  • Decide whether to join the Microsoft Update improvement program or not. Click Next to proceed.

Sponsored Content


  • On the Choose Upstream Server page, enter the name of your upstream WSUS server. Then check the boxes Use SSL when synchronizing update information and This is a replica of the upstream server. To proceed click Next.
WSUS (Windows Server Update Service)
Important Tip
Depending on your environment, you may decide not to configure the downstream server as a replica of the upstream. However, it is strongly recommended to use SSL.
  • On the Specify Proxy Server page, click Next.
  • Finally, to synchronize with the upstream WSUS server, click Start Connecting.
WSUS (Windows Server Update Service)
Important Tip
If you receive HTTP error, check that your upstream server is configured to accept SSL connection. Alternatively, you could go back and uncheck Use SSL when synchronizing update information.

Continue with Downstream Server Configuration

In the last task when you click Start Connecting, it may take sometime for the wizard to process your request.

  • When the Next button becomes available, click it to proceed.
WSUS (Windows Server Update Service)
  • Compared to the same screen when we configured the upstream server, the only available language is English. Click Next to proceed.
WSUS (Windows Server Update Service) -
  • Earlier in the tutorial we configured sync schedule for the upstream server. Do the same below. If you are working in a production environment, be sure to set the time below to happen after the upstream server has synced.

Sponsored Content


  • Finally, check Begin initial synchronization box then click Finish.

Configure Group Policies for WSUS Updates

The next step is to use group policy settings to automatically configure WSUS.

Important Tip
In a complex production environment, you can create different Group Policy Objects (GPOs) and link them to different Organizational Units (OUs). For this tutorial, I will link a single GPO to the top of the domain.
  • To begin, login to the Domain Controller. Open Server Manager, click Tools then select Group Policy Management.
Important Tip
To get to the Domain, you may need to expand the Forest container then expand the Domain container.
  • Next, make a copy of the Default Domain Policy GPO. To do this expand the Group Policy Objects container. Then Drag the Default Domain Policy GPO into the Group Policy Objects container.
  • Then, on the Copy GPO dialogue box, accept the default permission and click Ok. The GPO will be copied. Click Ok on the copy dialogue box.
  • A new GPO, Copy of Default Domain Policy is created.
  • It is a good idea to rename the copied GPO to a more memorable name. I called mine “WSUS GPO”. To rename the GPO right-click it then select Rename. In the next step, you will edit the GPO and configure WSUS settings

Sponsored Content


WSUS (Windows Server Update Service) - navigate to Windows Update GPO

Configure WSUS (Windows Server Update Service) GPO

Now that you have created a GPO for WSUS, next step is to configure the GPO settings.

  • To begin, right-click the new GPO and select Edit. The Group Policy Management Editor opens.
WSUS (Windows Server Update Service)
  • Beneath the Computer Configuration container, expand Policies. Then navigate to \Administrative Templates\Windows Components. Click Windows Update. Finally, beneath the window select the Standard tab.
  • In the details pane, double-click Configure Automatic Updates. On the GPO settings, select Enabled, then configure automatic updates settings. Read the help page (right) to help you make a choice to meet your requirement. When you finish click Ok to save your changes.
WSUS (Windows Server Update Service)
  • Back to the Group Policy Management Editor double-click the Specify intranet Microsoft update service location policy.
  • Click the Enable option. Then on the Set the intranet update service for detecting updates and Set the intranet statistics server boxes, enter the WSUS server name you wish to use. Enter in the format shown. Finally, click Ok to apply your changes.
Important Tip
If you used a different port number, remember to include it here. Also as important is the SSL option. If your server is configured for SSL, use https, otherwise use http.
  • Before you close Group Policy Management Editor confirm that the two policy settings (highlighted in red below) are Enabled. Then close the editor and proceed to the next step.

Link the WSUS (Windows Server Update Service) GPO to a Container

As I said earlier, you can link your WSUS GPO to OUs or directly on the domain. Best practice is to link the GPO to OUs containing your Computers. For this tutorial though, I will be linking the GPO to the domain.

  • To link the WSUS GPO to a container, drag it to the container. Mine is linked to the domain. You will be prompted to confirm the link. Click Yes.
  • The GPO is now linked to the domain!

Final Notes Regarding WSUS (Windows Server Update Service) GPO

Computers in the container are expected to accept the configuration in the GPO. When a computer updates the GPO it should appear in the WSUS (Windows Server Update Services) console.

Computers may take up to 30 minutes to show up in WSUS console. To force GPO update on a computer, run the command below from the computer:

gpupdate /force

To force a computer to be detected immediately by the WSUS server, execute the command below:

wuauclt.exe /detectnow

Sponsored Content


Configure Client-Side Targeting

Client-side targeting, configured via Group Policy is used to add computers to WSUS groups. The WSUS group a computer belongs determines the updates that will be applied to it.

When client-side targeting is enabled, client computers identifies WSUS computer groups they should be added to. The information is sent to the server when the client communicates with the server. The WSUS server then uses the information received from the client to determine which updates are deployed to the client computer.

The steps below will walk you through enabling client-side targeting via group policy.

  • Log on to the Domain Controller and open Group Policy Management (via Server Manager).
  • Next, right-click the GPO you created earlier and select Edit. Group Policy Management Editor opens. Navigate to \Administrative Templates\Windows Components. Click Windows Update
  • In the details pane, double-click Enable Client-side targeting Policy.
WSUS (Windows Server Update Service)
  • Enable the policy. Then on the Target group name for this computer, enter the name of the WSUS group. Click Ok to save your changes.
Important Tip
The name of the group entered above must be created under the All Computers container in WSUS.

There you have it – WSUS installation and configuration! If you have any questions or comments, use the “Leave a Reply” form below.

Other Helpful Guides

Additional Resources and References

YOU MAY ALSO LIKE:

LEAVE A REPLY

Please enter your comment!
Please enter your name here

By using this website you agree to accept our Privacy Policy and Terms & Conditions