How to install and configure WSUS (Windows Server Update Services)

Open Server Manager

Click Add roles and features

Click Next, then choose Role-based or feature-based installation.

Click Next. Choose your server. I will be installing this on the local server.

Click Next. Scroll down and choose Windows Server Update Services.

I believe .NET Framework 3.5 is required. I don’t remember because this is a reinstall and I already have it and .NET Framework 4.5 installed as well.

Click Next.

Click Next. Here you have the option of installing it with the Windows Internal Database (which is more than capable for smaller environments) or installing to a SQL server database that you might have in your environment. You can either choose WID Database and WSUS Services or Database and WSUS Services.

Click Next. Now choose how you want to store your updates. You can choose to store them on a file share of some sort or you can have each client download directly from Microsoft Update. In my environment, we have one location where the servers reside and then some remote locations. I’d still like to manage the updates for them but in my opinion, it would be better for those clients to download straight from Microsoft Update instead of over our VPN so I will uncheck the box.

Click Next. I also have a database server so I will elect to use that so I will enter the name of that here. If you elected to use the Windows Internal Database (WID), you will not see this.

Click Next. Make sure everything is the way you like it and click Install.

And now we wait.

After it is finished installing and you elected to use your own database server, you will be met with this dialog box when you open WSUS. Put in the name of your database server and click Run.

Next will be the Configuration Wizard. Click Next.

It’s obviously up to you whether you would like to share your data with Microsoft. Click Next.

This is my only server running WSUS so I will click Next.

I don’t need to use a Proxy Server so I will click Next.

This part is self-explanatory. Click Start Connecting. This may take a while.

Click Next. Now choose the products that you would like to manage updates for.

Click Next. Now choose your classifications.

Click Next. Choose how you would like to handle synchronizations. I like mine to be as automatic as I can.

Click Next. Choose whether you would like to Begin Initial Synchronization or not.

Once it opens, I’m going to turn on Automatic Approvals so I will go to Options.

Click Automatic Approvals.

You should see Default Automatic Approval Rule. (If not, create it.) Check the box next to it and click Edit.

Select which updates to approve. This is up to you.

Well looks like I’ll have to wait to change that.

Eventually you’ll have to configure your clients and servers to receive updates from your WSUS server through Group Policy. When you do that, you can specify how they are grouped in WSUS. Now I don’t remember if this is done automatically after you set it and push the Group Policy or if you have to do this first manually but I’d rather be safe than sorry so I will create the two groups here. This is not necessary to do and they can be left unassigned.

Right-click All Computers and click Add Computer Group…, name each group (remember these for the group policy creation later) and click Add.

I chose Workstations and Servers so I will eventually have to create two separate group policies, one for my workstations and one for my servers. Another option I thought of would be to do this by site or location.

There are a ton more settings that you can change that I won’t go into now but maybe I’ll cover in future posts. This should get you pointed in the right direction. Your clients will not pull updates from this server unless configured to do so and that should be done through group policy. I cover that here.

UPDATE 9/12/17

I forgot a step. In order for the computers to go into their groups (after being assigned via Group Policy) a setting needs to be changed here. Click Options –> Computers –> Use Group Policy or registry settings on computers –> OK.
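
The computer groups and the targeting option above can also be set from PowerShell on the WSUS server. This is an added example, not part of the original post; it assumes the UpdateServices module that ships with the WSUS management tools, an elevated session on the WSUS server itself, and an English-language install where the built-in group is named "Unassigned Computers".

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
Import-Module UpdateServices

# Group names used in this post; they must match the names set in Group Policy.
$groupNames = 'Workstations', 'Servers'

# Connect to the local WSUS instance.
$wsus = Get-WsusServer

# Create each computer group only if it is missing, so the script is safe to re-run.
$existing = $wsus.GetComputerTargetGroups() | Select-Object -ExpandProperty Name
foreach ($name in $groupNames) {
    if ($existing -contains $name) {
        Write-Host "Group '$name' already exists"
    } else {
        $null = $wsus.CreateComputerTargetGroup($name)
        Write-Host "Created group '$name'"
    }
}

# Options > Computers > "Use Group Policy or registry settings on computers"
# is client-side targeting in the WSUS API.
$clientMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config = $wsus.GetConfiguration()
if ($config.TargetingMode -ne $clientMode) {
    $config.TargetingMode = $clientMode
    $config.Save()
}
Write-Host "Targeting mode: $($config.TargetingMode)"

# List machines that are still unassigned, with the group each one asked for.
# A requested group name that does not match a group created above points to a
# typo in the Group Policy setting.
$unassigned = $wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq 'Unassigned Computers' }
$unassigned.GetComputerTargets() |
    Select-Object FullDomainName, RequestedTargetGroupName, LastSyncTime |
    Format-Table -AutoSize
```

Clients only move into their groups after they have picked up the Group Policy and checked in with the WSUS server, so an empty or stale list right after setup is expected.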
