How to install and manage your WSUS Server and WSUS Clients

Feb 25, 2021 12:14:54 PM / by Vu Long Tran

What is WSUS?

WSUS stands for "Windows Server Update Services", software provided by Microsoft to help systems administrators manage updates for Windows and other Microsoft products in a corporate environment.

Think of the updates on your Windows 10 computer, but for Windows servers, with a centralised system in which you manage the approval of updates, the timing of updating, etc.


Installing WSUS Server and managing your WSUS Clients with it

This is a guide on how to install WSUS Server on your Windows 2019 virtual machine, with the goal of connecting it to other servers so that you can manage the Windows updates for them.

The goal is for you to be able to confirm that your WSUS Server is connected to your WSUS Clients.

In my example, I have connected my WSUS Clients ("Windows Server 2012R2" and "Windows Server 2016 Standard") to my WSUS Server ("Windows Server 2019 Standard").

Great, so how do I get started?

How to install and manage your WSUS Server and WSUS Clients

0. Ensuring your WSUS Server meets the minimum requirements

1. Installing WSUS Server

2. Configuring your WSUS Server

3. Assigning WSUS Clients to your WSUS Server

4. Start using WSUS Server to Approve and Deploy Updates

Appendix - Best practices/ troubleshooting

0. Ensuring your WSUS Server meets the minimum requirements

Decide on the Windows server you would like to install your WSUS Server on. I am using Windows 2019 in this example, but you can use any Windows Server you prefer.

Ideally, you will want enough compute power and hard drive storage to handle the requirements, as there will be cases where you may want to download a lot of updates to your WSUS Server. (I maxed out my 80 GB storage at one point, so I would recommend at least 150-200 GB.)

Microsoft has listed a good summary of minimum requirements and things to consider when Plan[ning] your WSUS deployment.

Here is what they list, though this is the bare minimum so I would suggest loading up a lot more.

  • Processor: 1.4 gigahertz (GHz) x64 processor (2 GHz or faster is recommended)
  • Memory: WSUS requires an additional 2 GB of RAM more than what is required by the server and all other services or software.
  • Available disk space: 40 GB or greater is recommended
  • Network adapter: 100 megabits per second (Mbps) or greater (1GB is recommended)

1. Install WSUS Server on your Windows Server

Open "Server Manager" on your Windows Server.

Click "Add Roles and Features".

Click "Next".

Confirm that the "Role-based or feature-based installation" option is selected.

Click "Next".

Select your destination server. This will be your current machine or somewhere else. Essentially, you need to find and select where your server is located (from a server pool or from a virtual hard disk).

Click "Next".

You will be presented with a list of options and checkboxes; find and select "Windows Server Update Services".

You will be presented with an "Add Roles and Features Wizard" pop-up box.

Click "Add Features". You can safely accept the default values here.

Click "Next".

On the "Select Features" page, select features and click "Next".

On the Role Services page, leave the default selections.

Click "Next".

On the Content location selection page, type a valid location to store the updates. E.g. C:\WSUS.

Click "Next".

The Web Server Role (IIS) page opens. Review the information, and then click "Next". On the page for selecting the role services to install for Web Server (IIS), retain the defaults, and then click "Next".

On the Confirm installation selections page, review the selected options, and when you are ready, click "Install".

Optionally, you can choose to "Close".

If you wait, the wizard shows the installation progress.

Once WSUS installation is complete, click "Launch Post-Installation tasks".

Restart the server if needed. You may receive a notification in Server Manager to inform you that a restart is required. This can vary according to the installed server. If it requires a restart, make sure to restart the server to complete the installation.

 

2. Configuring your WSUS Server

Now that you have WSUS Server installed, you will be asked to configure WSUS and select where you want to store WSUS updates. That is:

"Configuration required for Windows Server Updates Services at <yourservername>"

In my example, my Windows Server machine is called "WINDOWS", so the message I received was "Configuration required for Windows Server Updates Services at WINDOWS".

I created a folder on my C: Drive called "WSUS", but you can choose a location you prefer.

Once you have selected this, you can proceed and wait for it to get set up.

It will load the "Before you begin" screen when it is ready.

Click "Next".

On the "Microsoft Update Improvement Program" page, select what you are comfortable with and click "Next".

On the "Choose Upstream Server" page, review where you want to synchronise updates from and click "Next".

The next tabs are pretty straightforward, so you need to decide what works best for you and what you really need. I would recommend choosing only what you need, as WSUS will need to download everything you select to your server. You can always change or add more later.

On the "Choose Languages" tab, select your languages.

On the "Choose Products" tab, select your products.

On the "Choose Classifications" tab, select the types of updates you want.

Configure your "Sync Schedule".

 

3. Assigning WSUS Clients to your WSUS Server

This is where you check, in the menu on the left, whether your Windows servers (WSUS Clients) are listed in your WSUS Server.

You will need to configure your other Windows servers (WSUS Clients) to point to your WSUS Server for them to appear on the "All Computers" page.

 

4. Start using WSUS Server to Approve and Deploy Updates

Expand the menu on the left and click "Updates".

Make sure you change the filters to "Approval" = Unapproved and "Status" = Any so that you start seeing updates there.

You may need to wait for some time for WSUS to download the update details from the Microsoft servers or the server you set.

Appendix - Best practices/ troubleshooting:

If you run out of space, consider using this option in the WSUS Update Services settings:

WSUS Update Services > Options > Update Files and Languages > Do not store update files locally; computers install from Microsoft Update.

If you are using a configuration manager like Puppet, this means setting the option that hosts binaries on Microsoft Update to true. That is:

host_binaries_on_microsoft_update => true

To check which WSUS Server (server_url) your WSUS Client is pointing to, run this command in cmd or PowerShell on the client:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Make sure it has port 8530 open and listed right after your hostname. That is, for example:

http://windows.vulongtran.net:8530

You can also ping your server from the client to make sure there is connectivity. For example:

ping windows.vulongtran.net
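The checks above (reading the policy key, confirming the port in the server URL, testing connectivity) combined into one PowerShell function, as an added example that is not part of the original post. The function name Test-WsusClientConfig is hypothetical; WUStatusServer, TargetGroup and AU\UseWUServer are standard Windows Update policy values that the page does not show, and 8531 is the WSUS default HTTPS port.

```powershell
# Added example: which WSUS server is this client assigned to, and can it reach it?
function Test-WsusClientConfig {
    param(
        # Same policy key the article inspects with "reg query"
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    $issues = @()
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue

    if (-not $wu -or -not $wu.WUServer) {
        return [pscustomobject]@{ WUServer = $null; Reachable = $false
            Issues = @('No WUServer policy value: client is not assigned to a WSUS server') }
    }

    # Expect a full URL such as http://windows.vulongtran.net:8530
    $uri = $null
    $parsed = [uri]::TryCreate([string]$wu.WUServer, [System.UriKind]::Absolute, [ref]$uri)
    if (-not $parsed -or $uri.Scheme -notin 'http', 'https') {
        return [pscustomobject]@{ WUServer = $wu.WUServer; Reachable = $false
            Issues = @('WUServer is not an http/https URL of the form http://host:8530') }
    }
    if ($uri.Port -notin 8530, 8531) {
        $issues += "Port $($uri.Port) is not a WSUS default (8530 HTTP, 8531 HTTPS); confirm the server's binding"
    }
    if ($uri.Scheme -eq 'http') {
        $issues += 'Plain HTTP: update metadata is not protected in transit; consider HTTPS on the WSUS server'
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $issues += 'AU\UseWUServer is not 1, so the client ignores the WUServer value'
    }
    if ($wu.WUStatusServer -ne $wu.WUServer) {
        $issues += 'WUStatusServer should be set to the same URL as WUServer'
    }

    # TCP check to the WSUS port; ping alone does not prove the port is open
    $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) { $issues += "TCP connection to $($uri.Host):$($uri.Port) failed" }

    [pscustomobject]@{
        WUServer    = $wu.WUServer
        TargetGroup = $wu.TargetGroup
        UseWUServer = $au.UseWUServer
        Reachable   = $reachable
        Issues      = $issues
    }
}

Test-WsusClientConfig | Format-List
```

An empty Issues list with Reachable set to True means the client policy and the path to the server both look healthy.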

If you are using Puppet, you can configure your WSUS Client module with a server URL that includes port 8530 (e.g. windows.vulongtran.net:8530), as in the configuration management example further down, then test and adjust to what you need (you can also consider using the WSUS Server module for managing the configuration of your WSUS Server).

You can run the following in cmd or PowerShell on the WSUS Client to check that the module is active on the WSUS Client server. The first command prints the location of the classes file and the second displays its contents.

puppet config print classfile

cat C:/ProgramData/PuppetLabs/puppet/cache/state/classes.txt

If you are using images and the Windows servers were cloned, you may need to remove them from the WSUS console and then reset the ID on each server. That is:

net stop wuauserv

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f

net start wuauserv

wuauclt /resetauthorization

wuauclt /detectnow

Then, after waiting up to 15-20 minutes, run the following on the clients and then refresh the console in the WSUS server.

wuauclt /reportnow

Configuration management example:

If you are using a configuration management tool like Puppet, you can use the WSUS_client module and add code to a manifest file, which you can call "wsus_client.pp", to manage your WSUS clients.

class profile::wsus_client {
  class { 'wsus_client':
    # WSUS server URL, including the port
    server_url                 => 'http://windows.yourdomain.com:8530',
    # Computer group this client reports into on the WSUS server
    target_group               => 'production',
    auto_update_option         => 'NotifyOnly',
    auto_install_minor_updates => false,
    no_auto_update             => true,
    purge_values               => true,
    detection_frequency_hours  => 2,
    # before => Class['pe_patch'],
  }
}

You can use the WSUS_server module and add code to a manifest file, which you can call "wsusserver.pp", to manage your WSUS server machines.

class profile::wsusserver {

  class { 'wsusserver':
    products                           => [
      'Windows Server 2012',
      'Windows Server 2012 R2',
      'Windows Server 2016',
      'Windows Server 2019',
    ],
    update_classifications             => [
      'Update Rollups',
      'Security Updates',
      'Critical Updates',
      'Updates',
    ],
    host_binaries_on_microsoft_update  => true, # download binaries on demand
    synchronize_automatically          => true,
    synchronize_time_of_day            => '02:00:00',
    number_of_synchronizations_per_day => 8,
    package_ensure                     => 'present',
    update_languages                   => ['en'],
  }

  wsusserver_computer_target_group { ['production']:
    ensure => 'present',
  }

  wsusserver::approvalrule { 'Automatic Approval for Security and Critical Updates Rule':
    ensure          => 'present',
    enabled         => true,
    classifications => [
      'Update Rollups',
      'Security Updates',
      'Critical Updates',
      'Updates',
    ],
    products        => [
      'Windows Server 2012',
      'Windows Server 2012 R2',
      'Windows Server 2016',
      'Windows Server 2019',
    ],
    computer_groups => ['production'],
  }
}
# More details here - https://puppet.com/blog/how-automate-windows-patching-puppet/

 
