"Take Aim, Even Badly" 🙂

How to install and configure WSUS (Windows Server Update Service)

image 713247
Open Server Manager
image 714194
Click Add roles and features
image 714862
Click Next, choose Role-base or feature-based installation
image 715441
Click Next. Choose your server. I will be installing this on the local server.
image 716156
Click Next. Scroll down and choose Windows Server Update Services.
image 716712
I believe .NET Framework 3.5 is required. I don’t remember because this is a reinstall and I already have it and .NET Framework 4.5 installed as well.
image 717339
Click Next.
image 718044
Click Next. Here you have the option of installing it with the Windows Internal Database (which is more than capable for smaller environments) or installing to a SQL server database that you might have in your environment. You can either choose WID Database and WSUS Services or Database and WSUS Services.
image 718604
Click Next. Now choose how you want to store your updates. You can choose to store them on a file share of some sort or you can have each client download directly from Microsoft update. In my environment, we have one location where the servers reside and then some remote locations. I’d still like to manage the updates for them but in my opinion, it would be better for those clients to download straight from Microsoft Update instead of over our VPN so I will uncheck the box.
image 719194
Click Next. I also have a database server so I will elect to use that so I will enter the name of that here. If you elected to use the Windows Internal Database (WID), you will not see this.
image 719754
Click Next. Make sure everything is the way you like it and click Install.
image 720526
image 721222
And now we wait.
After it is finished installing and you elected to use your own database server, you will be met with this dialog box when you open WSUS. Put in the name of your database server and click Run.
image 721901
Next will be the Configuration Wizard. Click Next.
image 722546
It’s obviously up to you whether you would like to share your data with Microsoft. Click Next.
image 723068
This is my only server running WSUS so I will click Next.
image 723753
I don’t need to use a Proxy Server so I will click Next.
image 724525
This part is self explanatory. Click Start Connecting. This may take awhile.
image 725378
Click Next. Now choose the products that you would like to manage updates for.
image 726186
Click Next. Now choose your classifications.
image 726988
Click Next. Choose how you would like to handle synchronizations. I like mine to be as automatic as I can.
image 727737
Click Next. Choose whether you would like to Begin Initial Synchronization or not.
image 728392
Once it opens, I’m going to turn on Automatic Approvals so I will go to Options.
image 728967
Click Automatic Approvals.
image 729588
You should see Default Automatic Approval Rule. (If not create it.) Check the box next to it and click Edit.
image 730174
Select which updates to approve. This is up to you.
image 730992
Well looks like I’ll have to wait to change that.
image 731782
Eventually you’ll have to configure your clients and servers to receive updates from your WSUS server through Group Policy. When you do that, you can specify how they are grouped in WSUS. Now I don’t remember if this is done automatically after you set it and push the Group Policy or if you have to do this first manually but I’d rather be safe than sorry so I will create the two groups here. This is not necessary to do and they can be left unassigned.

Rick click All Computers and click Add Computer Group…, name each group (remember these for the group policy creation later) and click Add.

image 732308
image 732899
I chose Workstations and Servers so I will eventually have to create two separate group policies, one for my workstations and one for my servers. Another option I thought of would be to do this by site or location.
image 733490
There are a ton more settings that you can change that I won’t go into now but maybe I’ll cover in future posts. This should get you pointed in the right direction. Your clients will not pull updates from this server unless configured to do so and that should be done through group policy. I cover that here.

UPDATE 9/12/17

I forgot a step. In order for the computers to go into their groups (after being assigned via Group Policy) a setting needs to be changed here. Click Options –> Computers –> Use Group Policy or registry settings on computers –> OK.


Sign Me Up For The Free Assessment!

Sign up here and I will reach out to you to schedule your free assessment.

Thank you for requesting your Free Assessment!