If you have a proxy server on the network, you can configure WSUS to use the proxy server. A summary of the WSUS role is displayed; click Next. proxy_port is the proxy server port number. Type the following command: wsusutil ConfigureSSLproxy [< proxy_server proxy_port>] -enable, where: proxy_server is the name of the proxy server that supports HTTPS. If the database connection must be secured, consider the following recommendations: Move the WSUS database to the WSUS server. On the Update Source page, select Synchronize from another Windows Server Update Services server. Select the server and click Next. Choose all the classifications or a subset of them, and then click Next. Enabling Anonymous Authentication (IIS 6.0), as documented in the IIS 6.0 Operations Guide. In my experience I suggest dedicating a secondary disk drive for the updates; this way you will not risk filling up the primary operating system drive. The following procedures assume that your network runs Active Directory. If the update has been changed, it is not installed. This option automatically begins downloading updates and then installs the updates on the day and time that you specify. If you want to participate in the program. Next specify if your WSUS server needs to connect through a proxy server in order to connect to the Internet. On the Select installation type screen, leave Role-based or feature-based installation selected and click Next. Click Install. Step 16: Sit back and grab a coffee. Next you will choose your upstream server. Allow local admin to choose setting. In this case we are using the Windows Internal Database (WID); if you’re going to be using an SQL database instead, include the UpdateServices-DB option rather than UpdateServices-WidDB. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M.
After selecting the appropriate synchronization options for your deployment, click Next to continue. Finally on the Confirm installation selections, review your choices and click the Install button to begin the installation process. First, let me cover the WSUS lab setup. In my test environment the WSUS server connects directly out to the Internet so I’ll just select next; however, if you’re using a proxy server, specify its details here. In a simple environment, you might link a single WSUS GPO to the domain. Firewall If you identified that WSUS is behind a corporate firewall, there are some additional steps that must be done at the edge device to properly allow WSUS traffic. You can use any port for SSL. By default, Group Policy updates in the background every 90 minutes, with a random offset of 0-30 minutes. Uncheck the WID connectivity box and check SQL Server Connectivity, then click Next. If you choose to get updates only for specific languages, select Download updates only in these languages, and then select the languages for which you want updates; otherwise, leave the default selection. – Remote SUP site system role might or can be installed with WID connectivity. The Add Roles and Features Wizard window will appear, click the Next button. Select product categories, such as Windows, or specific products, such as Windows Server 2012. Certificate Updates/Revocation. Although most corporate firewalls allow this type of traffic, there are some companies that restrict Internet access from the servers due to the company's security policies. Please follow the steps to do the initial configurations. In the left pane, expand the server name, and then click Options. To install WSUS, open Server Manager and go to Management - Add Roles and Features. If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box.
From Server Manager (top right corner), click Manage then select Add Roles and Features. Configure WSUS by using the WSUS Configuration Wizard. In Start Search, type Command prompt. Set the time for the First synchronization, and then specify the number of Synchronizations per day that you want this server to perform. Configure the cluster network by using the Network Configuration Wizard. These procedures also assume that you are familiar with Group Policy and you use it to manage the network. This took quite a long time (over 30 minutes) to complete for me even with a decent connection. There are several considerations associated with custom update signing. In a more complex environment, you might link multiple WSUS GPOs to several organizational units (OUs), which will enable you to apply different WSUS policy settings to different types of computers. By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of these groups. Basically you should confirm that other Windows machines can connect to the WSUS server, and that the WSUS server can connect to the Internet to download updates. The WSUS database can be local or a remote SQL 2008/2012 server. If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console. The Configure Automatic Updates policy opens. Click Next. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue. Auto download and notify for install. Select the Default service account and click Next. Opinions will differ here on how people will advise you to set this up. After selecting the appropriate language options for your deployment, click Next to continue. Right-click the computer names that you selected in the previous step, and then click Change Membership.
From the server manager, click Add Roles and Features. If you use any port other than 443 for SSL, you must include that port in the URL also. You must import the certificate to all computers that will communicate with the WSUS server. For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7). E-Mail Notifications WSUS can send an e-mail when new updates are synchronized, informing administrators that they should be evaluated, tested, and approved. WSUS Configuration. Select the appropriate product options for your deployment, and then click Next. Retain the default selection, or clear the check box, and then click Next. Validate dependencies by clicking Add features. Type the name of the upstream server into the Server name text box. If you begin detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS. Selecting a product category selects all the products in that category. From the Complete WSUS Installation window, we will select that we wish to store our updates locally in the folder specified. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. Download WSUS WORKGROUP and execute the. Consider the following examples: If you use the industry standard port of 443 for HTTPS traffic, WSUS uses the industry standard port 80 for clear HTTP traffic. Once you have installed WSUS server, the next step is to configure it. In this post we will cover how to install and configure Windows Server Update Services (WSUS) in Microsoft’s Windows Server 2016. Step 17: Once it’s installed, hit Close. Step 18: Search for WSUS or Windows Server Update Services and launch it. Step 19: Since it’s the first time you’re opening it, it’ll take a while to set up. On the role services screen select next as we’ll just use the Windows Internal Database (WID). WSUS also uses SSL to encrypt update metadata.
Do you have the name of the proxy server and the user credentials for the proxy server, if you need them? You must create the group on the WSUS server, and add domain-member computers to that group. In the Before you begin window, click Next to continue. The listening interfaces and ports are configured in the IIS site(s) for WSUS and in any Group Policy settings used to configure client PCs. WSUS has the ability to publish custom update packages to update Microsoft and non-Microsoft products. Install Windows Server Update Services (WSUS) If you've just logged on to the server, type PowerShell into the command line window before running any of the commands below. This will provide us with useful information such as reports advising which servers have or have not been patched with a specific update. Fatal Error: Failed to start and configure the WSUS service. Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. If you do not select this option, you need to use WSUS Management Console to perform the initial synchronization. By default, this option is selected. To set up two proxy servers, each of which will handle one protocol for WSUS, use the following procedure: Log on to the computer that is to be the WSUS server by using an account that is a member of the local Administrators group. Alternatively if you already have another WSUS server that stores the update files, you can specify it here to synchronize with it as a downstream server. Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the Local Administrators group. For client computers that are configured with a domain-based Group Policy Object, it can take about 20 minutes for Group Policy to apply the new policy settings to the client computer. This is not recommended unless you are really pressed for disk space as the update process will take a lot longer.
After selecting the proper options for your deployment, click Next to proceed. Specify how and when automatic updates are applied to client computers. We can now choose the types of updates to download, for example we can specify that we only want to download critical and security updates. When MPIO is installed you can load the MPIO utility using mpiocpl. For the iSCSI utility you can use iscsicpl. In the complete WSUS Installation dialog box, click Close when the installation successfully finishes. WSUS encrypts update metadata only. On the client computer, open a Command prompt window with elevated privileges. The approval mechanism is really the main one, but WSUS also lets us perform a certain amount of bandwidth management so that our networks aren’t inundated with update traffic when a large new update becomes available. After I successfully added WSUS as a service role to the server, I need to run the Post-installation process to complete the whole installation. Configuring WSUS Server: Once the installation is over, we need to do some initial configuration for the WSUS to make it work. That’s it; on the finished screen you can optionally check to begin the initial synchronization which will start downloading updates from the Internet after you click finish. You must complete this step if you identified that WSUS needs a proxy server to have Internet access. If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. As a best practice, create at least one computer group to test updates before you deploy them to other computers in your organization. Windows Server Update Services: The software update point site system role must be created on a server that has WSUS installed. You can use the Secure Sockets Layer (SSL) protocol to help secure the WSUS deployment. By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates. Manual configuration.
Type the required user name, domain, and password into the corresponding text boxes. In the case of WSUS, we are looking only at the update services feature. Deploy Internet Protocol security (IPsec) to help secure network traffic. In the GPMC, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update. WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. Complete the Patch Manager Configuration Wizard and click Next. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates. after discovering that it expired), WSUS offered no functionality to enable this. If this has occurred, you must re-enable the anonymous read access before you can successfully install and operate WSUS. If there is a corporate firewall between WSUS and the Internet, you might have to configure the firewall to ensure that WSUS can obtain updates. If the status is set to Enabled, this computer will identify itself as a member of a particular computer group when it sends information to the WSUS server, which uses it to determine which updates are deployed to this computer. Click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install. By installing and configuring WSUS in your corporate network, you will no longer need to manually install updates and hotfixes that are periodically released by Microsoft. Install from PowerShell and voilà, you’re done! Once installation has successfully completed, we can open the WSUS console and complete our configuration. Once you have installed WSUS through either PowerShell or the GUI we can proceed to configure WSUS.
By default manual synchronization is set; however, we will change this to happen a few times per day. WSUS needs a database to store WSUS Configuration and update metadata. This will take about 5-10 minutes. In addition to configuring those e-mail notifications, you can use this option to send daily or weekly status reports. In the Command prompt window, type the following command: certificateName is the DNS name of the WSUS server. Check the box for Windows Server Update Services (WSUS). We can manually or automatically approve individual updates, as we’ll see later. Step 2: Configure the Automation Server Routing Rule. I would recommend reading the “Plan for Software Updates” article by Microsoft. In the wizard that opens, add the Windows Server Update Services role. To open a command prompt as an administrator, go to Start. This video is a step-by-step guide on how to deploy, install and configure WSUS (Windows Server Update Services) in Windows Server 2016. Log on to the server and open Server Manager (should normally open by default). Windows Server Update Services (WSUS) is a “must have” feature in business environments. WSUS dramatically improves network bandwidth efficiency and allows granular control of the updates. On the Web Server Role (IIS) screen, you are advised that IIS 10.0 will be used for WSUS, simply click next to continue. Use the following procedure to create a new group and assign a computer to this group: In the WSUS Administration Console, under Update Services, expand the WSUS server, expand Computers, right-click All Computers, and then click Add Computer Group. When launching the wizard, click Next. Once the installation is complete, it is time to configure the updates. You must consider the following limitations when you use SSL to secure a WSUS deployment: Using SSL increases the server workload. For more related posts and information check out our full 70-744 study guide.
This option lets local administrators use Automatic Updates in Control Panel to select a configuration option. Select Install SQL Server Express, and click Next. The best way to configure Automatic Updates depends on the network environment. If your company restricts access, you need to obtain authorization to allow Internet access from WSUS to the following list of URLs: For a scenario in which WSUS is failing to obtain updates due to firewall configurations, see article 885819 in the Microsoft Knowledge Base. Open the WSUS Administration Console. In the Options pane, click Update Source and Update Server, and then click the Proxy Server tab. In the Windows Update details pane, double-click Specify intranet Microsoft update service location. The following checklist summarizes the steps involved in performing the initial configuration for your WSUS server. Later in this topic, you will learn how to perform these configurations by using the Options page: In the Server Manager navigation pane, click Dashboard, click Tools, and then click Windows Server Update Services. On the Select destination server window leave everything as is as we’re installing to this server itself, so click Next to continue. Windows Server Update Services Wizard Select Role Services to Install WSUS. Because waiting for detection to start can be a time-consuming process, you can use the following procedure to initiate detection immediately. In this case, one proxy server is configured to use HTTP, and the other proxy server is configured to use HTTPS. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port. We can do the installation by using the Install-WindowsFeature cmdlet and specifying the proper feature names that you would like to have installed.
If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages. The certificate on a client computer must be imported into the Local Computer Trusted Root CA store or Automatic Update Service Trusted Root CA store. However, the port that you set up for SSL also determines the port that WSUS uses to send clear HTTP traffic. Note that you should only select the languages that you actually support; if you select additional languages, additional update files will be downloaded for each update to include your language selection, which can quickly increase your disk space requirements. Read the instructions on the Join the Microsoft Update Improvement Program page and evaluate if you want to participate.