Install and Configure WSUS on Windows Server 2016
1. Introduction to WSUS Server:
Windows Server Update Services (WSUS) lets administrators deploy the latest Microsoft product updates. WSUS is a server role for Windows Server. Once you install it, you can easily manage and distribute updates.
One of the most important tasks for system administrators is making sure that all client and server computers have the most recent security and software patches. Without WSUS, it would be really hard to control which updates are deployed where.
When you have only one WSUS server in your setup, the updates come straight from Microsoft Update. If you install more than one, a WSUS server can be set up to act as the update source for the others, which is also called an upstream server.
Instead of letting multiple computers download updates from the internet, you can set up a WSUS server and tell the clients to get all of their updates from that server. This saves Internet bandwidth and speeds up the Windows update process at the same time.
2. WSUS Lab Setup:
Let me give you a list of machines and the OS info.
| Server Name | OS | Roles & Features | IP Configuration |
|---|---|---|---|
| DC.abc.local | Server 2016 | Active Directory | 10.1.1.1/24 |
| WSUS.abc.local | Server 2016 | WSUS | 10.1.1.4/24 |
| WIN-10.abc.local | Windows 10 | None | 10.1.1.5/24 |
3. Install WSUS Role on WSUS server:
3.1. On the Server Selection page, verify the server name and click Next.
3.2. On the Select features page, leave the options at their defaults and click Next.
3.3. On the Windows Server Update Services page, click Next.
3.4. Select the role services / database type to install for Windows Server Update Services. Select WID Connectivity and WSUS Services. Click Next.
3.5. WSUS Content Location:
3.6. On the Web Server Role (IIS) page, click Next.
3.7. The role services to install for the web server (IIS) are selected automatically. Do not change anything here and click Next.
3.8. A final confirmation appears before you install WSUS. Review the settings and click Install.
3.9. Once WSUS installation is complete, click Launch Post-Installation tasks.
4. Configure Windows Server Update Services (WSUS)
4.1. You can launch it by opening Tools > WSUS Server Configuration wizard.
4.2. Click Next.
4.3. Choose WSUS Upstream Server.
4.4. Click Next.
4.5. On the Connect to Upstream Server page, click the Start Connecting button.
4.6. Once it is complete, click Next.
4.7. Choose Languages for Updates.
4.8. Choose Products.
4.9. Choose Update Classifications.
4.10. Configure WSUS Synchronization Schedule.
4.11. Click Begin initial synchronization. Click Next.
4.12. Finally, on the last page, click Finish. This completes the steps to configure WSUS.
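The wizard steps in sections 3 and 4 can also be scripted, which makes the server build repeatable and reviewable. This is an added example, not part of the original walkthrough; the content path, language, product, classifications and schedule are assumptions, because the article does not state which values were chosen.

```powershell
# Added example: run in an elevated PowerShell session on WSUS.abc.local.
# ASSUMPTIONS (not from the article): content path, language, product, classifications, sync time.
$ContentDir = 'D:\WSUS'   # placeholder for the WSUS content location (step 3.5)

# Step 3.4: WSUS Services with the WID database, plus the management tools.
Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-WidDB -IncludeManagementTools

# Step 3.9: post-installation tasks (creates the database and the content directory).
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }

# Step 4.3: with a single WSUS server, synchronize from Microsoft Update.
$wsus = Get-WsusServer
Set-WsusServerSynchronization -SyncFromMU | Out-Null

# Step 4.7: restrict update languages (assumed: English only).
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# Steps 4.5 - 4.6: fetch the product and classification catalogue from the upstream source.
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 15 }

# Steps 4.8 - 4.9: enable products and classifications (assumed selections).
Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Windows 10' } | Set-WsusProduct
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Security Updates' } |
    Set-WsusClassification

# Step 4.10: one automatic synchronization per day (time of day is interpreted as UTC).
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2
$sub.NumberOfSynchronizationsPerDay = 1
$sub.Save()

# Step 4.11: begin the initial synchronization.
$sub.StartSynchronization()
```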
5. Configure Group Policy Settings for WSUS in DC:
You can create the group policy and apply it at the domain level, or you can create and apply the GPO to a specific OU (containing your computers).
5.1. Create an OU named WSUS:
5.2. Create another OU named WIN-10 inside WSUS.
5.3. Move the WIN-10 computer to the OU WIN-10.
5.4. Create a group policy named Windows Update on that OU.
6. Configure Group Policy Settings for WSUS
6.1. Configure Automatic Updates WSUS in GPO:
- Open the Group Policy Management console, and open the existing GPO “Windows Update”.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
- Double-click Configure Automatic Updates and set it to Enabled.
- Under Schedule install day, select the day when you want the updates to be installed. Set the scheduled install time.
6.2. Specify Intranet Microsoft Update Service Location:
To enable the policy, click Enabled. Specify the intranet update service and intranet statistics server. Click Apply and OK.
6.3. Set Automatic Updates detection frequency:
6.4. Set Enable Client-side Targeting:
6.5. Gpupdate on DC:
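The OU, GPO and policy settings from sections 5 and 6 can be created from PowerShell on the domain controller, which also documents exactly which registry-backed values the GPO carries. This is an added example, not part of the original walkthrough; the WSUS URL (lab host name plus the default WSUS HTTP port 8530), the schedule and frequency values, and linking the GPO to the WIN-10 OU are assumptions.

```powershell
# Added example: run on DC.abc.local with the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=abc,DC=local'
$ouDn     = "OU=WIN-10,OU=WSUS,$domainDn"
$gpoName  = 'Windows Update'
$wsusUrl  = 'http://WSUS.abc.local:8530'   # ASSUMED; 8531 is the default port when WSUS uses SSL

# Steps 5.1 - 5.3: OU WSUS, child OU WIN-10, then move the client computer object.
New-ADOrganizationalUnit -Name 'WSUS'   -Path $domainDn
New-ADOrganizationalUnit -Name 'WIN-10' -Path "OU=WSUS,$domainDn"
Get-ADComputer -Identity 'WIN-10' | Move-ADObject -TargetPath $ouDn

# Step 5.4: create the GPO and link it (assumed: linked to the WIN-10 OU).
New-GPO -Name $gpoName | New-GPLink -Target $ouDn | Out-Null

# Section 6: the policy settings as the registry values the client will receive.
$wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$settings = @(
    # 6.1 Configure Automatic Updates: enabled, auto download and scheduled install
    @{ Key = "$wu\AU"; Name = 'NoAutoUpdate';              Type = 'DWord';  Value = 0 }
    @{ Key = "$wu\AU"; Name = 'AUOptions';                 Type = 'DWord';  Value = 4 }
    @{ Key = "$wu\AU"; Name = 'ScheduledInstallDay';       Type = 'DWord';  Value = 0 }   # 0 = every day (assumed)
    @{ Key = "$wu\AU"; Name = 'ScheduledInstallTime';      Type = 'DWord';  Value = 3 }   # 03:00 (assumed)
    # 6.2 Specify intranet Microsoft update service location
    @{ Key = $wu;      Name = 'WUServer';                  Type = 'String'; Value = $wsusUrl }
    @{ Key = $wu;      Name = 'WUStatusServer';            Type = 'String'; Value = $wsusUrl }
    @{ Key = "$wu\AU"; Name = 'UseWUServer';               Type = 'DWord';  Value = 1 }
    # 6.3 Automatic Updates detection frequency, in hours (assumed value)
    @{ Key = "$wu\AU"; Name = 'DetectionFrequencyEnabled'; Type = 'DWord';  Value = 1 }
    @{ Key = "$wu\AU"; Name = 'DetectionFrequency';        Type = 'DWord';  Value = 22 }
    # 6.4 Enable client-side targeting (assumed target group: WIN-10)
    @{ Key = $wu;      Name = 'TargetGroupEnabled';        Type = 'DWord';  Value = 1 }
    @{ Key = $wu;      Name = 'TargetGroup';               Type = 'String'; Value = 'WIN-10' }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name `
        -Type $s.Type -Value $s.Value | Out-Null
}

# Review what the GPO now contains before refreshing policy (step 6.5).
Get-GPRegistryValue -Name $gpoName -Key $wu
Get-GPRegistryValue -Name $gpoName -Key "$wu\AU"
```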
7. Testing whether this update has been applied successfully on the client PC.
7.1. First, check that the client machine can detect the WSUS server by running these commands:
wuauclt.exe /detectnow
gpupdate /force
7.2. On the client computer, run the command gpresult.exe /r to confirm that the WSUS GPO is applied.
7.3. You can also use Resultant Set of Policy (RSoP) to simulate and test policy settings that are applied to computers or users using Group Policy.
7.4. You can also verify the intranet update service location on client computers using the registry.
- On the client computer, open Registry Editor and go to COMPUTER\HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
- Check the values of WUServer and WUStatusServer and confirm that they match the ones you supplied in the WSUS GPO.
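The registry check in step 7.4 can be scripted so that it runs identically on every client and fails loudly when a value drifts from the GPO. This is an added example, not part of the original walkthrough; the expected URL and target group are assumptions, and the script only reads the registry and tests TCP reachability.

```powershell
# Added example: run on the client (WIN-10). Read-only check of the applied WSUS policy.
# ASSUMED expected values; replace with what was entered in the "Windows Update" GPO.
$expectedUrl   = 'http://WSUS.abc.local:8530'
$expectedGroup = 'WIN-10'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the GPO has not been applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$checks = @(
    @{ Path = $wu;      Name = 'WUServer';           Expected = $expectedUrl }
    @{ Path = $wu;      Name = 'WUStatusServer';     Expected = $expectedUrl }
    @{ Path = "$wu\AU"; Name = 'UseWUServer';        Expected = 1 }
    @{ Path = $wu;      Name = 'TargetGroupEnabled'; Expected = 1 }
    @{ Path = $wu;      Name = 'TargetGroup';        Expected = $expectedGroup }
)

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Match    = ("$actual" -eq "$($c.Expected)")
    }
}
$report | Format-Table -AutoSize

# Confirm the client can actually reach the configured server and port.
$configured = Get-PolicyValue $wu 'WUServer'
if ($configured) {
    $uri = [uri]$configured
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port
    "Reachable {0}:{1} = {2}" -f $uri.Host, $uri.Port, $tcp.TcpTestSucceeded
    if ($uri.Scheme -ne 'https') {
        Write-Warning 'WUServer uses plain HTTP: client-to-WSUS traffic is not protected by TLS.'
    }
}

if ($report.Match -contains $false) { Write-Error 'WSUS policy values do not match the GPO.' }
```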
8. Configure WSUS computer groups on WSUS Server:
8.1. To create a new computer group in the WSUS console:
- In the WSUS Administration Console, under Update Services, expand the WSUS server. Expand Computers, right-click All Computers, and then click Add Computer Group.
- In the Add Computer Group dialog box, specify the name of the new group, and then click Add.
8.2. Click All Computers and you should see the list of computers. Select the computer WIN-10, right-click and click Change Membership.
8.3. On the Set Computer Group Membership box, select the new group that you just created. Click OK.
8.4. Click the new group WIN-10 and you should find the computer.
9. Approve and Deploy Updates in WSUS
Once you have a test computer group created, your next task is to deploy the updates to the test group. To do so, you must first approve and deploy WSUS updates.
9.1. To approve the updates in WSUS:
- Launch the WSUS Administration Console, click Updates > All Updates.
- In the All Updates section, select the updates that you want to approve for installation in your test computer group.
- Right-click the updates and click Approve.
9.2. In the Approve Updates dialog box, select your test group WIN-10, and then click the down arrow. Click Approved for Install.
9.3. The Approval Progress window appears, which shows the progress of the tasks that affect update approval. When the approval process is complete, click Close.
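The console steps in sections 8 and 9 map onto the UpdateServices PowerShell module, which leaves a reviewable record of what was approved and for which group. This is an added example, not part of the original walkthrough; the selection of unapproved, needed security updates is an assumption standing in for "the updates that you want to approve".

```powershell
# Added example: run on WSUS.abc.local (UpdateServices module, installed with the role).
$groupName    = 'WIN-10'
$computerName = 'WIN-10'    # matched as a substring of the computer name
$wsus = Get-WsusServer

# Step 8.1: create the computer group only if it does not exist yet.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# Steps 8.2 - 8.3: change membership of the client.
# Get-WsusComputer emits a plain string when nothing matches, so filter strings out.
$computers = @(Get-WsusComputer -NameIncludes $computerName |
               Where-Object { $_ -isnot [string] })
if ($computers.Count -eq 0) {
    throw "No computer matching '$computerName' has reported to this WSUS server yet."
}
$computers | Add-WsusComputer -TargetGroupName $groupName

# Step 8.4: confirm the computer now appears in the group.
Get-WsusComputer -ComputerTargetGroups $groupName

# Step 9.1: select updates (ASSUMED criteria: unapproved security updates that are needed).
$updates = @(Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded)
"{0} update(s) selected for group {1}:" -f $updates.Count, $groupName
$updates | ForEach-Object { '  ' + $_.Update.Title }

# Step 9.2: approve for install, scoped to the test group only.
if ($updates.Count -gt 0) {
    $updates | Approve-WsusUpdate -Action Install -TargetGroupName $groupName
}
```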