"Take Aim, Even Badly" 🙂

How to install and configure WSUS (Windows Server Update Services)

Open Server Manager
 
Click Add roles and features
 
Click Next, then choose Role-based or feature-based installation.
 
Click Next. Choose your server. I will be installing this on the local server.
 
Click Next. Scroll down and choose Windows Server Update Services.
 
I believe .NET Framework 3.5 is required. I don’t remember because this is a reinstall and I already have it and .NET Framework 4.5 installed as well.
 
Click Next.
 
Click Next. Here you have the option of installing it with the Windows Internal Database (which is more than capable for smaller environments) or installing to a SQL server database that you might have in your environment. You can either choose WID Database and WSUS Services or Database and WSUS Services.
 
Click Next. Now choose how you want to store your updates. You can choose to store them on a file share of some sort or you can have each client download directly from Microsoft Update. In my environment, we have one location where the servers reside and then some remote locations. I’d still like to manage the updates for them but, in my opinion, it would be better for those clients to download straight from Microsoft Update instead of over our VPN, so I will uncheck the box.
 
Click Next. I also have a database server so I will elect to use that so I will enter the name of that here. If you elected to use the Windows Internal Database (WID), you will not see this.
 
Click Next. Make sure everything is the way you like it and click Install.
 
And now we wait.
 
After it finishes installing, if you elected to use your own database server, you will be met with this dialog box when you open WSUS. Put in the name of your database server and click Run.
 
Next will be the Configuration Wizard. Click Next.
 
It’s obviously up to you whether you would like to share your data with Microsoft. Click Next.
 
This is my only server running WSUS so I will click Next.
 
I don’t need to use a Proxy Server so I will click Next.
 
This part is self-explanatory. Click Start Connecting. This may take a while.
 
Click Next. Now choose the products that you would like to manage updates for.
 
Click Next. Now choose your classifications.
 
Click Next. Choose how you would like to handle synchronizations. I like mine to be as automatic as I can.
 
Click Next. Choose whether you would like to Begin Initial Synchronization or not.
 
Once it opens, I’m going to turn on Automatic Approvals so I will go to Options.
 
Click Automatic Approvals.
 
You should see Default Automatic Approval Rule. (If not, create it.) Check the box next to it and click Edit.
 
Select which updates to approve. This is up to you.
 
Well looks like I’ll have to wait to change that.
 
Eventually you’ll have to configure your clients and servers to receive updates from your WSUS server through Group Policy. When you do that, you can specify how they are grouped in WSUS. Now I don’t remember if this is done automatically after you set it and push the Group Policy or if you have to do this first manually but I’d rather be safe than sorry so I will create the two groups here. This is not necessary to do and they can be left unassigned.

Right-click All Computers and click Add Computer Group…, name each group (remember these for the group policy creation later) and click Add.

 
I chose Workstations and Servers so I will eventually have to create two separate group policies, one for my workstations and one for my servers. Another option I thought of would be to do this by site or location.
 
There are a ton more settings that you can change that I won’t go into now but maybe I’ll cover in future posts. This should get you pointed in the right direction. Your clients will not pull updates from this server unless configured to do so and that should be done through group policy. I cover that here.

UPDATE 9/12/17

I forgot a step. In order for the computers to go into their groups (after being assigned via Group Policy) a setting needs to be changed here. Click Options –> Computers –> Use Group Policy or registry settings on computers –> OK.
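
The group creation and the targeting option from the update above can also be applied from PowerShell on the WSUS server, which makes the result easy to re-check later. This is an added example, not part of the original post; it assumes the UpdateServices module that is installed with the WSUS management tools, an elevated session on the WSUS server itself, and the Workstations and Servers group names chosen above.

```powershell
# Added example (not from the original post).
# Run in an elevated PowerShell session on the WSUS server.
Import-Module UpdateServices

# Group names used in this post; change them to match your Group Policy.
$groupNames = @('Workstations', 'Servers')

# Connect to the local WSUS server.
$wsus = Get-WsusServer

# Create each computer group only if it does not exist yet,
# so the script is safe to run more than once.
$existing = $wsus.GetComputerTargetGroups() | Select-Object -ExpandProperty Name
foreach ($name in $groupNames) {
    if ($existing -contains $name) {
        Write-Host "Group '$name' already exists"
    }
    else {
        $null = $wsus.CreateComputerTargetGroup($name)
        Write-Host "Created group '$name'"
    }
}

# Equivalent of Options -> Computers ->
# "Use Group Policy or registry settings on computers".
# 'Client' means the computer reports its own group (client-side targeting);
# 'Server' means groups are assigned by hand in the console.
$config = $wsus.GetConfiguration()
if ($config.TargetingMode -ne 'Client') {
    $config.TargetingMode = 'Client'
    $config.Save()
    Write-Host 'Targeting mode set to Client'
}

# Report how many computers have landed in each group. Machines that stay
# in "Unassigned Computers" are not receiving the group name from policy.
$wsus.GetComputerTargetGroups() | ForEach-Object {
    [pscustomobject]@{
        Group     = $_.Name
        Computers = $_.GetComputerTargets().Count
    }
} | Sort-Object Group | Format-Table -AutoSize
```

Group names must match the names set in Group Policy exactly; a client that reports a group name WSUS does not know stays in Unassigned Computers.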

 
 
 
