What is WSUS Server?
WSUS (Windows Server Update Service) is a Microsoft Server role that allows download and installation of Operating System updates to computers in a local network. System Administrators use WSUS (Windows Server Update Service) to create computer groups to ease patch management. Besides, Windows Server Update Service server can also generate compliance reports to determine computers that need specific updates.
In this tutorial you will learn how to:
- Install and configure the WSUS Server role
- Configure group policies for WSUS (Windows Server Update Service) updates
- Set up Client-side targeting
If you follow the setup in this tutorial you should be able to setup a working WSUS server infrastructure.
To walk through the installations and configurations discussed in this tutorial, you need a Domain Controller, 2 WSUS servers (one as upstream, another as downstream server) and a Windows 10 Client computer. All computers must be members of the AD Domain.
Install and Configure the WSUS (Windows Server Update Service) Server role
Before you install WSUS role, you need to confirm that your server meets the requirements. Below are the requirements.
System Requirements for Installing WSUS (Windows Server Update Service) Role
- Processor: 1.4 gigahertz (GHz) x64 processor (2Ghz or faster is recommended)
- Memory: WSUS server requires an additional 1.5GB of RAM – above and beyond what is required by Windows Server 2016.
- Available disk space: 10 GB (recommended: 40GB or more)
- Network adapter: 100 megabits per second (Mbps) or greater.
Other WSUS (Windows Server Update Service) Role Installation Requirements
- If there is a pending restart requirement, restart the server before you enable the Windows Server Update Service server role.
- Additionally, Microsoft .NET Framework 4.5 must be installed on the server.
- The NT Authority\Network Service account must have Full Control permissions for the following folders:
%windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files and %windir%\Temp folders. This path might not exist prior to installing Internet Information Services (IIS).
- Finally, the installation account must be a member of the Local Administrators group
WSUS Database Requirements
At least one of these databases is required:
- Windows Internal Database (WID)
- Microsoft SQL Server 2017
- MS SQL Server 2016
- Microsoft SQL Server 2014
- MS SQL Server 2012
- Microsoft SQL Server 2008 R2
Additional Installation Requirements
Apart from the requirements listed above, below are further considerations and requirements:
- You can install WSUS server role and the database server on separate computers. However,
- The Database server cannot be a Domain Controller.
- Also, the WSUS server cannot run Remote Desktop Services
- The Database server and the WSUS server must be in the same AD Domain. If in different domains, the domains must have a trust relationship.
- Finally, the two servers must be in the same time zone or be synchronized to the same GMT time source.
WSUS (Windows Server Update Service) Pre-installation Tasks
Before you install Windows Server Update Service role, perform the following tasks:
- Add the Domain Admin account as member of the Local Administrators group on the server you wish to install WSUS role: Open Server Manager, then click Tools and select Computer Management. On Computer Management, click Local Users and Groups. Double-click Groups then double-click Administrators group. Finally confirm that the installation account is a member of the local administrators group.
- Confirm that Microsoft .NET Framework 4.5 (4.6 on Windows Server 2016) is installed. If not, install it: Open Server Manager. Then click Add Roles or Features. On the first page click Next. Then select Role-based or Feature-based installation. Click Next until you get to Features.
- Next, confirm that the Network Service account have Full Control permissions to: %windir%\Microsoft.NET\Framework64. Right-click Framework64 and select Properties, then click the Security tab.
Important TipTo be able to modify the permission of Framework64 you may need to take ownership of the folder. You may also need to add your account to the local administrators group.
- Confirm that the server you wish to install WSUS role meet the following requirements: Memory is 1.5 GB of RAM – above and beyond what is required by Windows Server 2016. Available disk space: 10 GB (40 GB or greater is recommended). Finally, confirm that your network adapter is 100 megabits per second (Mbps) or greater.
NoteFor Windows Server 2016 hardware requirements read Windows Server 2016: A cheat sheet
Install WSUS (Windows Server Update Service) Server Role
Now you are ready to install WSUS. Follow the steps below:
- Log on to the server and open Server Manager (should normally open by default).
- From Server Manager (top right corner), click Manage then select Add Roles and Features.
- On the “Before you begin” page, click Next.
- On the “Select Installation type” select “Role-based or feature-based installation” and click Next.
- Next, on the “Select Destination server page”, select the server you wish to install WSUS (Windows Server Update Service) role and click Next.
- Next page presents option to select the roles you wish to install. Check the boxes beside Windows Server Update Service. A page will load asking you to confirm additional features to install. Click Add Features. Then click Next.
- The “Select features” page loads. To proceed click Next.
- Note the information in the Windows Server Update Services page. Then click Next to proceed.
- Review the features checked below. Then click Next.
- Enter a local or remote path to store updates.
- On the Web Server (IIS) Role information page, read the information then click Next to proceed.
- Then review the server roles and features you selected. Click Next.
- Finally, on the confirmation page, review your selections. Check the box Restart the destination server automatically if required and click Install.
WSUS role may also be installed by running the PowerShell command below:
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
Configure Windows Server Update Service Using the WSUS Configuration Wizard
After installing WSUS (Windows Server Update Service), the next step is configuration. To configure the role:
- Open Server Manager and click the yellow amber triangle. Then select Launch Post-installation tasks. Wait for the post-installation task to complete. Then proceed to the next step.
- Still on Server Manager, click Tools then select Windows Server Update Services.
- Read the information on the “Before you begin” page, then click Next to proceed.
- Next, decide whether you wish to join the Microsoft Update Improvement Program or not. Click Next.
- The next stage is very critical as this is where you decide the WSUS Server that connects to Microsoft Updates Server. Select Synchronize from Microsoft Update. Then to proceed click Next.
- If you require a proxy server to connect to the internet, configure it here.
- Read the relevant information on the Connect to Upstream Server page then click Start Connecting.
Important TipThe previous step may take sometime to complete depending on your internet connection.
- Once the connection task is completed, click Next.
- Select the languages to download then click Next. I am downloading just English.
- Choose the products you wish to download updates for. If you are in a production environment, download updates for all products in your environment.
- Decide updates classification to download. In most cases the defaults are okay.
- Decide how you wish to synchronize your WSUS server with Microsoft Updates server. In a production environment, this has a lot of implications. Consider the number of updates to download, and your internet bandwidth.
- On the Finish page, check Begin initial synchronization and click Next. Then click Finish.
Configure Downstream Servers
In a production environment with computers in different locations, a downstream server may be required. The downstream server will download updates from your upstream server and distribute the updates to computers in its local network. This way, you avoid updates installing over WAN links.
The steps below will walk you through how to configure a downstream WSUS (Windows Server Update Service) server.
Important TipTo perform this task you would have installed Windows Server Update Service role on the downstream server. Moreover, you should also perform post-installation task.
- Log on to the second WSUS server. From Server Manager click Tools then Select Windows Server Update Services.
- On the Before you begin page, click Next.
- Decide whether to join the Microsoft Update improvement program or not. Click Next to proceed.
- On the Choose Upstream Server page, enter the name of your upstream WSUS server. Then check the boxes Use SSL when synchronizing update information and This is a replica of the upstream server. To proceed click Next.
Important TipDepending on your environment, you may decide not to configure the downstream server as a replica of the upstream. However, it is strongly recommended to use SSL.
- On the Specify Proxy Server page, click Next.
- Finally, to synchronize with the upstream WSUS server, click Start Connecting.
Important TipIf you receive HTTP error, check that your upstream server is configured to accept SSL connection. Alternatively, you could go back and uncheck Use SSL when synchronizing update information.
Continue with Downstream Server Configuration
In the last task when you click Start Connecting, it may take sometime for the wizard to process your request.
- When the Next button becomes available, click it to proceed.
- Compared to the same screen when we configured the upstream server, the only available language is English. Click Next to proceed.
- Earlier in the tutorial we configured sync schedule for the upstream server. Do the same below. If you are working in a production environment, be sure to set the time below to happen after the upstream server has synced.
- Finally, check Begin initial synchronization box then click Finish.
Configure Group Policies for WSUS Updates
The next step is to use group policy settings to automatically configure WSUS.
Important TipIn a complex production environment, you can create different Group Policy Objects (GPOs) and link them to different Organizational Units (OUs). For this tutorial, I will link a single GPO to the top of the domain.
- To begin, login to the Domain Controller. Open Server Manager, click Tools then select Group Policy Management.
Important TipTo get to the Domain, you may need to expand the Forest container then expand the Domain container.
- Next, make a copy of the Default Domain Policy GPO. To do this expand the Group Policy Objects container. Then Drag the Default Domain Policy GPO into the Group Policy Objects container.
- Then, on the Copy GPO dialogue box, accept the default permission and click Ok. The GPO will be copied. Click Ok on the copy dialogue box.
- A new GPO, Copy of Default Domain Policy is created.
- It is a good idea to rename the copied GPO to a more memorable name. I called mine “WSUS GPO”. To rename the GPO right-click it then select Rename. In the next step, you will edit the GPO and configure WSUS settings
Configure WSUS (Windows Server Update Service) GPO
Now that you have created a GPO for WSUS, next step is to configure the GPO settings.
- To begin, right-click the new GPO and select Edit. The Group Policy Management Editor opens.
- Beneath the Computer Configuration container, expand Policies. Then navigate to \Administrative Templates\Windows Components. Click Windows Update. Finally, beneath the window select the Standard tab.
- In the details pane, double-click Configure Automatic Updates. On the GPO settings, select Enabled, then configure automatic updates settings. Read the help page (right) to help you make a choice to meet your requirement. When you finish click Ok to save your changes.
- Back to the Group Policy Management Editor double-click the Specify intranet Microsoft update service location policy.
- Click the Enable option. Then on the Set the intranet update service for detecting updates and Set the intranet statistics server boxes, enter the WSUS server name you wish to use. Enter in the format shown. Finally, click Ok to apply your changes.
Important TipIf you used a different port number, remember to include it here. Also as important is the SSL option. If your server is configured for SSL, use https, otherwise use http.
- Before you close Group Policy Management Editor confirm that the two policy settings (highlighted in red below) are Enabled. Then close the editor and proceed to the next step.
Link the WSUS (Windows Server Update Service) GPO to a Container
As I said earlier, you can link your WSUS GPO to OUs or directly on the domain. Best practice is to link the GPO to OUs containing your Computers. For this tutorial though, I will be linking the GPO to the domain.
- To link the WSUS GPO to a container, drag it to the container. Mine is linked to the domain. You will be prompted to confirm the link. Click Yes.
- The GPO is now linked to the domain!
Final Notes Regarding WSUS (Windows Server Update Service) GPO
Computers in the container are expected to accept the configuration in the GPO. When a computer updates the GPO it should appear in the WSUS (Windows Server Update Services) console.
Computers may take up to 30 minutes to show up in WSUS console. To force GPO update on a computer, run the command below from the computer:
To force a computer to be detected immediately by the WSUS server, execute the command below:
Configure Client-Side Targeting
Client-side targeting, configured via Group Policy is used to add computers to WSUS groups. The WSUS group a computer belongs determines the updates that will be applied to it.
When client-side targeting is enabled, client computers identifies WSUS computer groups they should be added to. The information is sent to the server when the client communicates with the server. The WSUS server then uses the information received from the client to determine which updates are deployed to the client computer.
The steps below will walk you through enabling client-side targeting via group policy.
- Log on to the Domain Controller and open Group Policy Management (via Server Manager).
- Next, right-click the GPO you created earlier and select Edit. Group Policy Management Editor opens. Navigate to \Administrative Templates\Windows Components. Click Windows Update
- In the details pane, double-click Enable Client-side targeting Policy.
- Enable the policy. Then on the Target group name for this computer, enter the name of the WSUS group. Click Ok to save your changes.
Important TipThe name of the group entered above must be created under the All Computers container in WSUS.
There you have it – WSUS installation and configuration! If you have any questions or comments, use the “Leave a Reply” form below.
Other Helpful Tutorials
- Active Directory Concepts & Administration
- Active Directory Domain Services: Installation & Configuration
- What is Active Directory (Top 50 AD Questions Answered)