
Installing Windows Server Update Services-Step-By-Step (2016)

Uploaded by

Koi Kichi Ponds

Installing Windows Server Update Services

(Server 2016)

Installing WSUS is very straightforward. WSUS is built in on Server 2016 and can be installed
from the Server Manager.

WSUS will allow you to manage patching for workstations and servers. You can pre-approve
patches, set up test groups to verify patches prior to install and generally make patching systems
more manageable.

This document will help you to install, configure and deploy your own patch management
solution. We will use Group Policy to deploy the settings to all workstations and servers in the
domain.

WSUS Home Page:
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus

Windows Server Update Services (WSUS): Install WSUS Server Role
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/1-install-the-wsus-server-role

Must have at least 10 GB (40 GB recommended) of hard disk drive space available for updates
and database!

*** NOTE: in my setup I only chose to download Windows 10 Updates for:


Critical Updates
Definition Updates
Security Updates
Update Rollups
Updates
Upgrades

This used ~90 GB; removing Upgrades decreased storage by ~25 GB.

Missouri Research and Education Network University of Missouri System

221 N. Stadium Blvd., Ste. 201 Columbia, MO 65203 P: (573) 884-7200 F: (573) 884-6673 www.MORE.net
Installation:

1. Open Server Manager


2. Click Add roles and Features
3. Click Next.
4. Click Next
5. Click Next
6. Click Windows Server Update Services
7. Add Roles and Features Wizard

8. Click Add Features


a. All necessary features will be installed

9. Click Next
10. Select Features
11. Click Next
12. Windows Server Update Services – Read Info
13. Click Next
14. Select Role Services

15. Click Next


16. Content Location
a. This location is where WSUS will store its database and the updates that are
downloaded
*** Best Practice: Store the database and updates on a separate HDD from the Operating System
17. Enter Location
18. Click Next
19. Web Server Role (IIS) – Read Information
20. Click Next
21. Role Services (Web Server Role)
22. Click Next
23. Confirmation Screen
24. Click Install
25. Role Is installing

At this point you can close the Add Roles and Features Window.
You can check the Progress of the Role in Server Manager by clicking the Notification ‘Flag’

When the Feature is complete (you may want to refresh Server Manager)
The Icon for the Notification will change
Click the Notification Icon

Configuring WSUS:

26. Click Launch Post-Installation Tasks


27. Wait until task completes

28. You are now ready to configure the Update Services.

*** Please See Appendix A for troubleshooting the website. ***


Windows Server Update Services Configuration Wizard

This section will help you configure the Windows Update Services. We will explore all the
options and focus on default values, to optimize the installation.

Open Server Manager


Click Tools
Click Windows Server Update Services

Before you begin: READ Screen

Click Next
Microsoft Update Improvement Program
Make your choice and click next
Choose upstream server:

If this is your first server, you will want to synchronize from Microsoft. If this is a secondary
(site) server, you can synchronize from an upstream server.

*NOTE – If you select Synchronize from Upstream server, the Information for Products and
Classifications and Update Files and Languages will be grayed out, as this server will get the
files that you specified on your upstream server.
Click Next
Specify Proxy Settings
Enter your proxy settings if you have a proxy

Click Next

Connect to Upstream Server


Download update information from Microsoft Update
Click Start Connecting
This will take several minutes to complete…
Click Next when this completes

Choose Language(s)

Click Next
Choose Products
Choose the products that you want to update; Office, Windows OS, etc.

Click Next

Choose Classification
Choose the update classification you would like to download
Click Next

Configure when the server synchronizes with Microsoft Update

Click Next

Begin Initial synchronization


Click the check box to begin the initial synchronization
Click Next
What’s Next: Read the information and click the links to learn what to do next…

Click Finish

We have now finished the initial configuration. When you click Finish, the WSUS Console will
open and additional settings can be configured.
Now we are ready for our next step: setting up automatic approval rules. The automatic approval
rules allow specific update classifications to be automatically approved so they can be
applied at the next update schedule without interaction.

Click Options on the left menu

Click Automatic Approvals

There is already a default rule created, but it is not enabled. We can check the box to enable this
rule.
Below we see ‘When an update is in …’; this is a link. Click the link.

Select the classification that you want to Automatically Approve

Click Ok

Click Ok

You have now completed the Configuration for WSUS!


Adding Clients:

There are several ways to add a client. The best way, if you are in an Active Directory domain, is
via Group Policy. We will look at this option as well as creating a local security policy on a single
system.

Group Policy:

We will step through this to make sure we get all the settings. On a side note, the WSUS server
DOES NOT have to be in the same Active Directory domain or in any domain.
Let’s take a look at the settings for active directory; I am going to lay this part out in steps.

We will start by opening Active Directory Users and Computers

1. Open Server Manager > Click Tools > Group Policy Management
2. Expand the Domain
3. Right Click Group Policy Objects (Folder)
4. Click New
5. Name Your Policy

6. Click Ok
7. Right Click the new WSUS Policy
8. Click Edit
9. Expand:
a. Computer Configuration > Policies > Administrative Templates > Windows
Components > Windows Update
There are a lot of new settings. We will not go through all the settings here but will highlight the
most common and mention a few that may be useful.
Configure Manually:
You can manually configure the settings in the registry:
Create a script that will set the settings and apply to all systems:
@ECHO OFF &SETLOCAL disableDelayedExpansion

REM Target WSUS url
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /D "http://10.10.10.5:8530/" /f

REM Target WSUS Reporting server
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /D "http://10.10.10.5:8530/" /f

REM Download Updates and Notify User
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /D 3 /t reg_dword /f

REM Logged on user has option to reboot or not computer
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /D 1 /t reg_dword /f

REM Enable Automatic Windows Updates
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /D 0 /t reg_dword /f

REM The WSUS Server is not used unless this key is set
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /D 1 /t reg_dword /f

REM /f overwrites existing values without prompting, so the script can run unattended
wuauclt.exe /resetauthorization /detectnow

wuauclt.exe /reportnow /detectnow

Link to more information about the registry values used in the script:

https://technet.microsoft.com/en-us/library/dd939844(v=ws.10).aspx
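
To confirm that a client actually picked up these values, the following added example (not part of the original document) reads the same registry values back and reports anything that would keep the client from using the WSUS server. `$ExpectedServer` and the helper `Get-PolicyValue` are assumptions for illustration; the script also notes a plain-HTTP server URL, because Microsoft recommends SSL for WSUS (default HTTPS port 8531).

```powershell
# Added example: audit the WSUS client policy values written by the script above.
# $ExpectedServer is an assumption; pass your own WSUS URL.
param(
    [string]$ExpectedServer = 'http://10.10.10.5:8530'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Hypothetical helper: returns $null instead of throwing when a value is missing.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$findings = @()
$expected = $ExpectedServer.TrimEnd('/')

# Both URLs must point at the WSUS server, otherwise detection or reporting breaks.
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = Get-PolicyValue -Path $wuKey -Name $name
    if ([string]::IsNullOrWhiteSpace($value)) {
        $findings += "FAIL  $name is not set."
    } elseif ($value.TrimEnd('/') -ne $expected) {
        $findings += "FAIL  $name is '$value', expected '$expected'."
    } elseif ($value -like 'http://*') {
        $findings += "WARN  $name uses plain HTTP; consider enabling SSL on the WSUS site."
    }
}

# The WSUS server is ignored unless UseWUServer is 1.
if ((Get-PolicyValue -Path $auKey -Name 'UseWUServer') -ne 1) {
    $findings += 'FAIL  UseWUServer is not 1, so WUServer is ignored.'
}

# NoAutoUpdate = 1 switches Automatic Updates off entirely.
if ((Get-PolicyValue -Path $auKey -Name 'NoAutoUpdate') -eq 1) {
    $findings += 'FAIL  NoAutoUpdate is 1; Automatic Updates are disabled.'
}

# AUOptions 2-5 are the selections listed under "Configure Automatic Updates".
$auOptions = Get-PolicyValue -Path $auKey -Name 'AUOptions'
if ($auOptions -notin 2..5) {
    $findings += "WARN  AUOptions is '$auOptions'; expected a value from 2 to 5."
}

if ($findings.Count -eq 0) {
    "OK    Client policy points at $expected."
} else {
    $findings
}

# Non-zero exit code when any FAIL line is present, for use from a management tool.
if ($findings -match '^FAIL') { exit 1 }
```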
Installing Microsoft Report Viewer to run reports
After installing WSUS you will need to run the Microsoft Report Viewer in order to create
reports. You will also need to download the Microsoft System CLR Types for SQL Server 2012.
You will get this error when running reports:

Click the link in the error message to be taken to the download page

Click Download
Click Save
If you Click RUN now you will get this error:

Go here to download the CLR Types:


https://www.microsoft.com/en-us/download/details.aspx?id=29065
Click Download
Expand Install Instructions
Scroll down to the CLR Types and choose the appropriate package to download
Microsoft® System CLR Types for Microsoft® SQL Server® 2012
The SQL Server System CLR Types package contains the components implementing the
geometry, geography, and hierarchy id types in SQL Server 2012. This component can be
installed separately from the server to allow client applications to use these types outside of
the server.

Note: This component also requires Windows Installer 4.5


X86 Package(SQLSysClrTypes.msi)
X64 Package (SQLSysClrTypes.msi)

SQL Server System CLR Types Books on-line page


Save the File Download

Once you have it saved to the Downloads folder, navigate to that folder and install
the following:
SQLSysClrTypes.msi
Run:
Click Next
Accept the terms, Click Next
Click Install
Click Finish

ReportViewer.msi
Run
Next
Accept Terms, Click Next
Click Install
Click Finish

Now re-launch the WSUS Console and run a report


Success!!!!

You are now all set and ready to update!


Required Settings:

Configure Automatic Updates: Define the automatic update settings:


Select the appropriate Automatic updating selection for your needs:
2 – Notify for download and notify for install
3 – Auto Download and notify for install
4 – Auto Download and schedule install
5 – Allow local admin to choose setting

Install during automatic maintenance: The maintenance window can be set within another policy
Schedule install time: Default 03:00am
Install updates for other Microsoft products
Specify the intranet Microsoft update service location:

Set the server and port information for the intranet update server:
http://servername:port (default port: 8530)

The above 2 settings are required and all that is needed to get clients to start updating from the
WSUS server.

We will look at a few more settings. For the rest, read the policy descriptions to determine
whether they are right for your environment.
Honorable Mentions:

Turn off Auto-restart for updates during active hours:


This setting sets the computers to run the updates in the defined ‘Inactive Hours’
Click Enable: Set the time frame for updates to run and reboot the system.
The max length of time is 12 hours
Do Not Connect to any Windows Update Internet locations:
This setting will make it so machines NEVER go out to the Internet for updates.
If the WSUS server stops working then clients will NOT go out to Microsoft to get updates
Systems will still occasionally contact the Internet servers to retrieve information that includes
update information and MS store information
This setting can help decrease network usage if there are issues

To block systems from contacting Microsoft Internet servers set this policy to ‘Enable’
Allow Automatic Updates immediate installation

This setting allows for the immediate installation of updates that DO NOT require a reboot. This
setting can help spread out the updates so that ALL updates are not waiting to be installed during
the scheduled installation time.
Enable this policy to allow for immediate installation

Once you have completed all your policy settings, we are ready to link this policy to the
proper OUs for it to take effect.
Defer Windows Updates:
These settings allow you to defer Feature Updates and Quality Updates for Windows 10.
Select when Feature Updates are received:
Feature updates are the current branch release of Windows, you can block Feature updates for up
to 180 days. You can also PAUSE the updates for 60 days by checking the ‘Pause feature
updates’ checkbox.
(Prior to 1703 feature updates could only be paused for 60 days)
You can check the date that the feature updates were paused by checking the PausedFeatureDate
registry key: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
Select when Quality Updates are received:
Quality updates are released in the normal patch cycle at the first Tuesday of the month
(although they can be released any time). These updates will be paused for 30 days, if you check
the box to Pause quality updates then they will be paused for 35 days.
Link the Policy to the OU:

I am going to link my Policy to the OU: IT Staff > Computers


Right Click the OU and Click Link an Existing Policy:

Click on the Policy to link: WSUS Policy

Click Ok and the Policy is now linked and Active


You can link this policy to as many OUs as needed to apply to all computers in the domain

Note – If you create and link the policy at the top level with the Default Domain Policy then it
will affect ALL computers in the domain including the servers. You can choose to link this on
your specific computer OU or set it here and then create computer groups and restrict them from
the policy!

Commands to get the computer to check in with the WSUS server:


This command works every single time…. In testing… Mixed results in real life. :)
Command prompt:
Wuauclt /detectnow
Wuauclt /reportnow

Keeping WSUS Clean and Happy:


Make sure to run the cleanup Wizard for WSUS regularly to remove old updates and old
computer accounts. I would recommend running this at least once every 3 months.
Open WSUS Console > Click Options > Click Server Cleanup Wizard
APPENDIX A
Installing WSUS role with PowerShell:
Save the following as wsus-install.ps1
The script checks to see if WSUS is already installed and installs if it is not. Make sure to
change the $CDIR variable to the location that you want to install the update files.
######################################################################
# This script installs WSUS on Server 2012 and later. It uses the
# Windows Internal Database (WID) instead of SQL Server, and places
# the WSUS database files into a new folder named C:\WSUS. Note that
# IIS is also installed at the same time as a required service.
######################################################################

###############################################################################
#
# Created By: Jim Long
# Last Updated: 07-22-2017
#
###############################################################################

######################################################################
#
#
" Checking to see if WSUS is installed..."
#
#
######################################################################

$IsWSUS = $false

if ( $(Get-WindowsFeature -Name UpdateServices).Installed -eq $true ) { $IsWSUS = $true }

######################################################################
#
" Installing WSUS if necessary..."
# Use -SkipWSUSCheck to bypass this section.
# Install WSUS Services
#
######################################################################

if ( $IsWSUS )
{
" Is WSUS Server = " + $IsWSUS
}
elseif ( $(Get-WindowsFeature -Name UpdateServices).Installed -eq $false )
{

"`n Installing WSUS now...`n"


if (-not $Verbose) { $WarningPreference = "SilentlyContinue" } #This is not $VerbosePreference dude.
Install-WindowsFeature UpdateServices -IncludeManagementTools | Out-Null
$WarningPreference = "Continue"

# Create the folder where the WSUS content will be stored:


# Define Content Directory:
# You can change the directory to desired path
$CDIR = "C:\wsus"
" Checking for content directory"
if (-not (test-path $CDIR))
{
"`n Creating WSUS Directory...`n"
mkdir $CDIR
}

"`n Set WSUS to use new directory now...`n"


# Tell WSUS to use that new folder for its content:
& 'c:\Program Files\Update Services\Tools\wsusutil.exe' postinstall CONTENT_DIR=$CDIR

"`n WSUS is installed..."

"`n Configure WSUS using Server Manager`n"

# Close the elseif block opened above
}

# Bertlham
APPENDIX B
Create WSUS GPO:
Save the following as wsus-GPO.ps1
Script checks to see if a policy already exists called WSUS and if the policy exists it will not
create a new one.
Run the following script on a domain controller to create a basic WSUS policy. This policy is
created in the Group Policy Objects folder and is not linked to any OU. Verify and change any
settings and then link to the appropriate OU(s).

######################################################################
#
" Create GPO for WSUS if necessary...`n "
#
######################################################################

Import-Module -Name ActiveDirectory -ErrorAction SilentlyContinue | Out-Null


Start-Sleep -Seconds 2 #Shouldn't be necessary, but seems to help avoid errors.

$GPOExist = $false
$gpocheck = (Get-GPO -all); if ($gpocheck.displayname -eq "WSUS") {$GPOExist = $true}

If ($gpoexist -eq $false)
{
New-GPO -Name WSUS -comment "Deploy WSUS settings." | out-null
######################################################################
#
# Make sure to change the entries in the next two lines to have
# the WSUS Server name for your domain!
#
######################################################################
Set-GPRegistryValue -Name "WSUS" -key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" -valuename "WUServer" -type String -value "http://WSUSServer:8530" | out-null
Set-GPRegistryValue -Name "WSUS" -key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" -valuename "WUStatusServer" -type String -value "http://WSUSServer:8530" | out-null
Set-GPRegistryValue -Name "WSUS" -key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -valuename "AUOptions" -type DWORD -Value 3 | out-null
Set-GPRegistryValue -Name "WSUS" -key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -valuename "AutoInstallMinorUpdates" -type DWORD -Value 1 | out-null
Set-GPRegistryValue -Name "WSUS" -key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -valuename "UseWUServer" -type DWORD -Value 1 | out-null
Set-GPRegistryValue -Name "WSUS" -key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -valuename "NoAutoUpdate" -type DWORD -Value 0 | out-null

" WSUS GPO Created but is not linked. Link GPO after configuring WSUS server in Server Manager "

}
elseif ($gpoexist -eq $True)
{
" WSUS GPO already exists"
}

# Bertlham
APPENDIX C
WSUS Cleanup Script:
Script to run WSUS server cleanup
Save as WSUS-cleanup.ps1 and schedule it via Windows Task Scheduler.
###############################################################################
#
# This script will be used to run the WSUS Server Cleanup Wizard
#
# This script MUST be run on the WSUS server
#
# Do not run the script by double-clicking it or right-clicking it, the
# script must be run from the command line in PowerShell.
#
###############################################################################

###############################################################################
#
# Created By: Jim Long
# Last Updated: 07-22-2017
#
###############################################################################

Get-WsusServer | Invoke-WsusServerCleanup -DeclineSupersededUpdates -DeclineExpiredUpdates -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates

# If time outs occur
# Run:
# Get-WsusServer | Invoke-WsusServerCleanup -CleanupUnneededContentFiles -CompressUpdates
# Then Run:
# Get-WsusServer | Invoke-WsusServerCleanup -DeclineSupersededUpdates -DeclineExpiredUpdates -CleanupObsoleteComputers -CleanupObsoleteUpdates

# Bertlham
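
One way to carry out the "schedule it via Windows Task Scheduler" step, as an added example that is not part of the original document. The script path, the task name, the 12-week interval and running the task as SYSTEM are assumptions; use a dedicated account instead if SYSTEM is not permitted to administer WSUS in your setup.

```powershell
# Added example: run the Appendix C cleanup script on a schedule.
# $scriptPath and $taskName are assumptions; adjust to your server.
$scriptPath = 'C:\Scripts\WSUS-cleanup.ps1'
$taskName   = 'WSUS Server Cleanup'

if (-not (Test-Path -Path $scriptPath -PathType Leaf)) {
    throw "Cleanup script not found at $scriptPath"
}

# The task runs as SYSTEM, so the script must not be writable by ordinary users.
# Identity names below assume an English-language Windows installation.
$trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
$loose = (Get-Acl -Path $scriptPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $writeData) -and
    ($trusted -notcontains $_.IdentityReference.Value)
}
if ($loose) {
    $names = ($loose.IdentityReference.Value | Sort-Object -Unique) -join ', '
    throw "Refusing to schedule: $scriptPath is writable by $names"
}

# Run the script non-interactively; the machine's execution policy still applies.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""

# Every 12 weeks meets the "at least once every 3 months" recommendation.
$trigger = New-ScheduledTaskTrigger -Weekly -WeeksInterval 12 -DaysOfWeek Sunday -At '02:00'

# Assumption: SYSTEM may administer WSUS on this server.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Cleanup can run for hours on a neglected server; catch up if the server was off.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 8)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Show the registered task so the result can be checked at a glance.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```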
APPENDIX D
LINKS:

WSUS Home Page:
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus

Install WSUS Server Role
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/1-install-the-wsus-server-role

Microsoft WSUS Step-by-Step guide (Windows 2012 R2)
https://gallery.technet.microsoft.com/Windows-Server-Update-Step-cf811a18

WSUS TechNet articles
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

WSUS Tools and Utilities
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/wsus-tools

WSUS Troubleshooting
https://support.microsoft.com/en-us/help/4025764/how-to-troubleshoot-wsus
