Configuring WSUS on Windows Server 2012 R2
Windows Server Update Services (WSUS) is a server role that acts as a local repository for
Microsoft product updates on your network. Instead of every computer on your network
downloading updates directly from Microsoft, you deploy a WSUS server so the updates are
downloaded once and distributed to your environment from the WSUS server, and so that you,
not each client, decide which updates get installed and when.
In this post I will deploy WSUS on Windows Server 2012 R2 in a domain environment, using
the Windows Internal Database (WID), and use Group Policy to make my domain computers connect
to WSUS instead of Microsoft Update.
In Server Manager open Manage -> Add Roles and Features. On the Before You Begin page click Next:
Ensure Role-based or feature-based installation is selected, then click Next:
Select the server, click Next, and on the Server Roles page tick Windows Server Update Services.
A dialog appears asking to add the features WSUS requires. Click Add Features:
You will see multiple roles are now selected including Windows Server Update Services.
Click Next:
Some features will already be selected because of the previous step. Click Next:
On the WSUS introduction page click Next:
WSUS needs a database to store the WSUS configuration and update metadata. The WSUS
database can be local or on a remote SQL Server 2008/2012 instance. For a local database it uses
the Windows Internal Database (WID), a limited edition of SQL Server Express that has no
GUI or management interface of its own (if you ever need to query it, SQL Server Management
Studio can connect over the named pipe \\.\pipe\MICROSOFT##WID\tsql\query). The WID database
is a file (SUSDB.mdf) stored in C:\Windows\WID\Data\. Microsoft recommends WID for most
deployments. If you want to use a full SQL Server instead, see Microsoft's guidance on
that option.
Leave WID Database & WSUS Services selected and click Next:
Tick the box to have update files stored locally on your server. If you do not select a location,
client computers still take their approvals from WSUS but download the approved update files
themselves from Microsoft Update. Enter the path where the files will be stored (pick a volume
with plenty of free space; the content store grows with every product and classification you
synchronize) and click Next:
Click Next through the remaining pages, then click Install on the confirmation page:
Post-Deployment Configuration:
Once WSUS is installed there is additional configuration that needs to be performed. In Server
Manager click the notification flag, then Launch Post-Installation tasks. This runs the WSUS
post-install step that creates the SUSDB database in WID and the WSUS Administration site in
IIS (port 8530 for HTTP, 8531 for HTTPS):
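The same role installation and post-installation task, run from an elevated PowerShell prompt on the server. This is an added example, not code from the original post; it assumes the update files should live on D:\WSUS, which you should change to a volume of your own.

```powershell
# Added example: unattended equivalent of the Add Roles and Features wizard
# plus "Launch Post-Installation tasks", for Windows Server 2012 R2.
# Assumption: the local content store goes on D:\WSUS (change to suit).

$ContentDir = 'D:\WSUS'   # assumed path for locally stored update files

# The role plus the two role services the wizard selects by default
# (WID database and the WSUS services). -IncludeManagementTools adds the
# WSUS console and the UpdateServices PowerShell module.
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services `
    -IncludeManagementTools

if (-not (Test-Path $ContentDir)) {
    New-Item -Path $ContentDir -ItemType Directory | Out-Null
}

# Equivalent of Server Manager's "Launch Post-Installation tasks": creates
# SUSDB in WID and the WSUS Administration site in IIS (port 8530 by default).
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall "CONTENT_DIR=$ContentDir"

# Sanity check: the WID database file described above should now exist.
Get-Item "$env:SystemRoot\WID\Data\SUSDB.mdf" | Select-Object FullName, Length
```

If you chose a remote SQL Server instead of WID, the post-install step takes a SQL_INSTANCE_NAME= argument in addition to CONTENT_DIR=; with WID the single argument above is all it needs.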
Configure Group Policy:
Open Group Policy Management, create a new GPO linked to the OU that contains your computers
(or edit an existing one), and expand Computer Configuration -> Policies -> Administrative
Templates -> Windows Components, then click Windows Update.
In the right pane find the settings named Configure Automatic Updates, right click and Edit:
Click Enabled, then on the drop-down menu select the setting you want in your environment. I
advise setting it to option 3 – Auto download and notify for install first and changing it
later if you decide to.
If you want to completely automate the installation of updates, select option 4 – Auto
download and schedule the install, tick Install during automatic maintenance, and select
a day and time to perform the installation. Any approved updates will then be installed during
your scheduled window; if you did not approve any updates, nothing will be installed that week.
You can stagger your installs by linking copies of this policy to different OUs and picking
different install times for each.
Click Apply then Ok:
Now right click Specify intranet Microsoft update service location, then Edit:
Click Enabled, then enter the URL of your WSUS server (FQDN plus port) in both the detection
server and statistics server boxes. It needs to be in the following format:
Use https:// with port 8531 if you have bound a certificate to the WSUS site in IIS; over plain
http:// on port 8530 anyone who can intercept client traffic can impersonate your WSUS server.
Close the Group Policy Management Editor. The policy takes effect once it is linked to the OU
that holds your computers (the link is enabled by default). Right click the link and choose
Enforced only if you want it to override GPOs linked lower in the tree:
Configure WSUS Computer Groups:
Back on the WSUS console, let's look at how you can organize your computers. You can
create Computer Groups to control which computers get your approved updates. This is
helpful if, for example, you want your VMware View servers to receive an update that you don't
want your Citrix servers to get.
Here is how I have my Computer Groups. Another example is you could have Production
Servers and Test Servers then have Test Servers get the latest and greatest where Production
is a month behind to ensure patch compatibility with your applications.
You can automate adding computers to Computer Groups by using Group Policy. By
default WSUS uses server-side targeting: every new computer lands in the Unassigned Computers
group and you move it by hand in the console. To change this, click Options, then Computers:
If you change the setting to Use Group Policy or registry settings on computers (client-side
targeting), each computer tells WSUS which group it belongs to and Group Policy places it.
To create this policy, open Group Policy and drill down to Computer
Configuration > Policies > Administrative Templates > Windows Components > Windows
Update. There is a setting called Enable client-side targeting; enable it and type the name of
the Computer Group. The name must exactly match a group that already exists on the WSUS server,
otherwise the computer stays in Unassigned Computers. Computers that receive this policy will
join that group. You can create this policy for each OU in Active Directory to have its
computers automatically placed in a specific Computer Group. Bear in mind that the group name
is just a registry value on the client, so client-side targeting is a convenience for sorting
machines, not a security boundary between them.
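The two Group Policy settings above (Configure Automatic Updates with the intranet update location, and Enable client-side targeting) all land as values under the WindowsUpdate policy key on the client. The following script, an added example rather than anything from the original post, reads those values back on a domain-joined client so you can confirm the GPO applied and catch the weak cases: no WSUS server set, a server other than the one you expected, or a plain-HTTP URL. The expected server URL https://wsus01.lab.local:8531 is an assumed value; replace it with your own.

```powershell
# Added example: audit the Windows Update policy a client received.
# Run on a client after "gpupdate /force".
# Assumption: the WSUS server should be https://wsus01.lab.local:8531.

$ExpectedServer = 'https://wsus01.lab.local:8531'   # assumed value, change to yours

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue($Path, $Name) {
    # Returns $null instead of throwing when the value has not been delivered.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$state = [ordered]@{
    WUServer                    = Get-PolicyValue $wu 'WUServer'        # intranet update service location
    WUStatusServer              = Get-PolicyValue $wu 'WUStatusServer'  # intranet statistics server
    UseWUServer                 = Get-PolicyValue $au 'UseWUServer'     # 1 = use WSUS, not Microsoft Update
    AUOptions                   = Get-PolicyValue $au 'AUOptions'       # 2/3/4/5 as in Configure Automatic Updates
    ScheduledInstallDay         = Get-PolicyValue $au 'ScheduledInstallDay'   # 0 = every day, 1 = Sunday .. 7 = Saturday
    ScheduledInstallTime        = Get-PolicyValue $au 'ScheduledInstallTime'  # hour of day, 0-23
    AutomaticMaintenanceEnabled = Get-PolicyValue $au 'AutomaticMaintenanceEnabled' # "Install during automatic maintenance"
    TargetGroupEnabled          = Get-PolicyValue $wu 'TargetGroupEnabled'    # Enable client-side targeting
    TargetGroup                 = Get-PolicyValue $wu 'TargetGroup'           # the Computer Group name
}
[pscustomobject]$state | Format-List

$findings = @()
if ($state.UseWUServer -ne 1 -or -not $state.WUServer) {
    $findings += 'Client is not pointed at a WSUS server; it will use Microsoft Update directly.'
}
elseif ($state.WUServer -ne $ExpectedServer) {
    $findings += "WUServer is '$($state.WUServer)', expected '$ExpectedServer'."
}
if ($state.WUServer -like 'http://*') {
    $findings += 'WSUS URL is plain HTTP; an attacker on the network path can pose as the update server. Use HTTPS on 8531.'
}
if ($state.TargetGroupEnabled -eq 1 -and -not $state.TargetGroup) {
    $findings += 'Client-side targeting is enabled but no group name was delivered; the computer lands in Unassigned Computers.'
}
$findings | ForEach-Object { Write-Warning $_ }

# Ask the Windows Update Agent to check in with WSUS now instead of waiting
# for the next detection cycle, so the computer shows up in the console sooner.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

The script only reads policy values, so it is safe to run on any client. An empty WUServer with UseWUServer set to 1 is the classic symptom of the GPO being linked to the wrong OU.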
Approve Updates:
Before your computers will see any updates you must approve them for installation. Click All
Updates and ensure the filter says Unapproved to see the full list. You can select specific
updates or press CTRL + A to select them all. Make your selection, then click Approve in the right
pane:
You will get a pop-up window asking which Computer Groups you want to approve the
updates for. Using the drop down I selected to Approve them for all Computer Groups. Click Ok:
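The console approval above can be scripted with the UpdateServices module that the role installs, which is also the natural place to put the Test Servers before Production Servers staging described earlier. The following is an added example, not code from the original post; it assumes you run it on the WSUS server itself, that the groups are named Test Servers and Production Servers (assumed names), and that you only want Critical and Security updates approved automatically, and only to the test group.

```powershell
# Added example: staged approvals from the UpdateServices PowerShell module.
# Assumptions: run on the WSUS server; computer groups are named
# "Test Servers" and "Production Servers" (assumed names).

Import-Module UpdateServices
$wsus = Get-WsusServer          # local server, default port

# Switch to client-side targeting so the "Enable client-side targeting" GPO
# decides group membership (same as Options > Computers in the console).
$config = $wsus.GetConfiguration()
if ($config.TargetingMode -ne 'Client') {
    $config.TargetingMode = 'Client'
    $config.Save()
}

# Make sure the groups the GPO names exist; a name that does not match an
# existing group exactly leaves the computer in Unassigned Computers.
$existing = $wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name }
foreach ($name in 'Test Servers', 'Production Servers') {
    if ($existing -notcontains $name) {
        $wsus.CreateComputerTargetGroup($name) | Out-Null
    }
}

# Stage 1: approve unapproved Critical and Security updates for Test Servers only.
# Production gets them when you re-run the approval with the production group
# name, after the test machines have reported success.
$pending = @(Get-WsusUpdate -UpdateServer $wsus -Classification Critical -Approval Unapproved) +
           @(Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved)

$pending | Approve-WsusUpdate -Action Install -TargetGroupName 'Test Servers'
"Approved $($pending.Count) update(s) for Test Servers"

# Which machines are reporting failed installs (the LABSCCM01 situation in the
# conclusion below)? Check these before promoting anything to Production.
Get-WsusComputer -UpdateServer $wsus -ComputerUpdateStatus Failed |
    Select-Object FullDomainName, LastReportedStatusTime, LastSyncTime
```

Approving everything for all groups with CTRL + A, as the console allows, is fine in a lab; in production the two-stage pattern above is what keeps a bad update off the servers that matter.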
Conclusion:
After Group Policy takes effect you should start seeing your computers appear in the All
Computers section. This has made managing security patches so much easier! In
my screenshot below I have 23 recent updates to apply, with LABSCCM01 having a failed
update I need to look into. Note: I should have an SCCM post coming soon.