How to Setup, Manage, and Maintain WSUS
In this 8-part series, we’ll go over a good strategy for setting up Windows Server Update Services (WSUS) and managing it through the use of test groups, approval processing, and more. WSUS is sometimes also referred to as Windows Update Server (WUS), and in System Center Configuration Manager the site system role that hosts it is the Software Update Point (SUP). We’ll touch on group policy, using inheritance and scoping permissions to create a highly flexible, yet simple design for any AD architecture. We’ll also go over which modifications to make to the default WSUS Console views so that they mean more and give you more visibility into your environment. Finally we’ll wrap up with the required maintenance for WSUS and how you can use WSUS Automated Maintenance to help automate what you need to do. Let’s start!
Choosing your Server OS
Server 2008 & Server 2008 R2
- Server 2008 & Server 2008 R2 are no longer in support by Microsoft as of 2020.01.14 and should NOT be a consideration for deployment.
- Server 2008 and Server 2008 R2 CANNOT handle upgrades to Windows 10 from Windows 7 or 8, and cannot handle upgrades from one Windows 10 release to another (e.g. 1511 to 1607, 1703 or 1709), which is also known as Windows as a Service (WaaS).
- Server 2008+ can supply updates (not upgrades) to Windows 10 devices to keep them updated with the current cumulative updates.
Server 2012 & Server 2012R2
- Server 2012 or higher is required to perform upgrades to Windows 10 Devices
- Server 2012 does not have the ‘out of the box’ servicing options for Windows 10; they were added afterwards. The latest CU DOES have the ‘out of the box’ servicing options.
- If Server 2012 contains KB3159706 which was installed BEFORE the latest CU, you will need to perform manual steps to allow Windows 10 servicing and upgrades.
- Server 2012 & Server 2012R2 will be supported until 2023.10.10.
Server 2016
- Out of the box support for Windows 10 Servicing
- Server 2016 should be considered your SECOND option for your WSUS server deployment.
Server 2019
- Out of the box support for Windows 10 Servicing
- If at all possible, Server 2019 should be considered your FIRST option for your WSUS server deployment.
Deploy Updates (Push System) vs Handle Updates (Pull System)
WSUS is a repository for updates and associated files. It is not a true deployment tool. The Windows Update Agent on each client system does all of the work: it checks in with the WSUS server and asks whether any updates are applicable to it, and if there are, downloads them, installs them, initiates the restart, and reports back to WSUS that the update(s) have been installed. The Windows Update Agent is controlled by policies set through GPO (most common), Local Group Policy, or direct registry edits. Whichever way you set it, point the agent at WSUS over HTTPS (port 8531 by default) rather than plain HTTP: an agent that reaches WSUS over HTTP accepts update metadata from anyone who can sit on the network path, which is what the 2015 WSUSpect research exploited.
Microsoft Endpoint Manager Configuration Manager (MEMCM/SCCM/ConfigMgr) is a true deployment tool with an agent on each system. MEMCM uses WSUS in the background to populate updates available for MEMCM to push to clients and install. Because MEMCM uses WSUS in the background, you must also make sure you’re performing the required maintenance for WSUS, not just doing the maintenance for MEMCM.
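The client side of the pull model described above, as an added example that is not from the original article: a PowerShell script that reads, checks and sets the Windows Update Agent policy values that the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" GPO settings write. The server URL https://wsus.corp.example:8531 and the target group name Pilot are placeholders. If a GPO also sets these values, the next policy refresh overwrites whatever the script writes, so use it for lab machines and for auditing, not as a substitute for the GPO.

```powershell
# Added example, not code from the original article.
# Reads, checks and sets the WSUS-related Windows Update Agent policy values.
# Placeholders: https://wsus.corp.example:8531 and the target group 'Pilot'.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Get-WsusClientPolicy {
    # Returns the policy values the agent reads when deciding where to check in.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $wu.WUServer            # where updates come from
        WUStatusServer     = $wu.WUStatusServer      # where install results are reported
        TargetGroup        = $wu.TargetGroup         # client-side targeting group name
        TargetGroupEnabled = $wu.TargetGroupEnabled
        UseWUServer        = $au.UseWUServer         # 1 = honour WUServer, 0 = go to Microsoft Update
        AUOptions          = $au.AUOptions           # 2 notify, 3 auto download, 4 auto download + scheduled install
        NoAutoUpdate       = $au.NoAutoUpdate        # 1 disables Automatic Updates entirely
    }
}

function Test-WsusClientPolicy {
    # Returns a list of findings; an empty list means the client is pointed at WSUS sanely.
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if (-not $Policy.WUServer) {
        $findings += 'No WUServer set: the client will talk to Microsoft Update directly.'
    } elseif ($Policy.WUServer -notmatch '^https://') {
        # Plain HTTP lets an on-path attacker rewrite update metadata (the 2015 WSUSpect research).
        $findings += "WUServer '$($Policy.WUServer)' is not HTTPS."
    }
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: WUServer is ignored.'
    }
    if ($Policy.WUServer -and $Policy.WUStatusServer -ne $Policy.WUServer) {
        $findings += 'WUStatusServer differs from WUServer: reporting goes to a different server.'
    }
    if ($Policy.TargetGroupEnabled -eq 1 -and -not $Policy.TargetGroup) {
        $findings += 'Client-side targeting is enabled but no TargetGroup is named.'
    }
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1: the agent will never install anything on its own.'
    }
    $findings
}

function Set-WsusClientPolicy {
    # Writes the same values a GPO would; HTTPS is enforced by the parameter validation.
    param(
        [Parameter(Mandatory)][ValidatePattern('^https://')][string]$Server,
        [string]$TargetGroup,
        [ValidateSet(2, 3, 4)][int]$AUOptions = 4
    )
    New-Item -Path $AuKey -Force | Out-Null          # creates the parent key as well
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $Server -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $Server -Type String
    if ($TargetGroup) {
        Set-ItemProperty -Path $PolicyKey -Name TargetGroupEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name TargetGroup        -Value $TargetGroup -Type String
    }
    Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1          -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0          -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions    -Value $AUOptions -Type DWord
    # Ask the agent to re-read policy and check in now instead of waiting for its next cycle.
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
}

# Usage (placeholders): point this client at the pilot group on the WSUS server, then audit it.
Set-WsusClientPolicy -Server 'https://wsus.corp.example:8531' -TargetGroup 'Pilot'
$policy = Get-WsusClientPolicy
$policy
Test-WsusClientPolicy -Policy $policy   # no output means nothing to complain about
```

Run Get-WsusClientPolicy and Test-WsusClientPolicy on their own against a domain-joined machine to see what the GPO actually delivered; the set function is only for machines you manage by hand. On Windows 10 you can also trigger the check-in with UsoClient.exe StartScan; the COM call above works on every supported client version.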
Take note of all your client systems but plan for Windows 10.
Whatever client systems you have, make a mental note of them, but plan your WSUS around Windows 10. Although according to Microsoft it is the last version of Windows they will build, this is simply marketing: they have changed the name of “Windows” to “Windows 10”. One very good thing that comes out of this is the switch to WaaS, where you get free upgrades to the latest revision of Windows 10 for the life of your device. What does ‘life of your device’ mean? As it always has, it really means your motherboard, so if you have a catastrophic failure and need to replace your motherboard, you’ll have to buy a new Windows 10 license. Another way to read ‘life of your device’ is in terms of its hardware capabilities: if you’re running Windows 10 on a 32-bit first-generation netbook with 1 GB of RAM, you may have found that there is an end of life because the minimum requirement went up to 2 GB.
WSUS Setup on Server 2012 & Higher
The setup for WSUS on Server 2012 or higher is essentially the same across versions. First add the role to the server through Server Manager. You can use the Windows Internal Database (good for small to large deployments) or a remote SQL Server instance (Express, Standard or Enterprise) if you’re going to run a load-balanced or highly available service. Most large organizations should use a distributed model for WSUS with a single master upstream server and multiple replica downstream servers, split by location, bandwidth, or operational boundaries.
Windows Internal Database vs SQL Express Edition
The Windows Internal Database (WID) is SQL Server Express, built into the operating system as a feature rather than installed separately. There is no benefit to installing a SQL Express instance locally instead of using the WID; there is actually a detriment: SQL Express has a hard limit on database size (10 GB in current editions), while the WID does not. The trade-off with the WID is that it can only be accessed from the server itself, over named pipes (the instance is MICROSOFT##WID on Server 2012 and later), and not from a remote host via TCP/IP.
Let’s run through the WSUS Configuration Wizard to get started.
- Microsoft update improvement program – It is up to you if you want to be part of it or not.
- Choose Upstream Server – Synchronize from Microsoft Update (if this is a downstream server, you can point it at your upstream server here, but more often than not you will want to synchronize from Microsoft Update)
- Specify Proxy Server – If you need it, set it up. More often than not, this will stay not configured.
- Click Start Connecting
- Choose Languages – Select ONLY THE LANGUAGES of the operating systems you use.
- Choose Products – ONLY SELECT the products you currently have and want to update through WSUS. At the very least, I recommend everything under “Developer Tools, Runtimes, and Redistributables” (this covers updates to items like the Visual C++ Runtime libraries), “Windows Dictionary Updates” under the “Windows” category, and “Windows Server Manager – Windows Server Update Services (WSUS) Dynamic Installer”.
- Choose Classifications – I would suggest choosing all of them, INCLUDING Drivers. (Most places on the internet tell you to exclude Drivers; the reason is that they don’t have the power of WSUS Automated Maintenance (WAM).) At the moment the Drivers classification opens your server up to over 40,000 updates, but as this is a new installation, once you WAM your server ™ this list will be cut down immensely and become manageable.
- Configure Sync Schedule – I would recommend Synchronize Automatically, 4 times per day, at whatever start time you want. When you click Finish, WSUS automatically applies a random offset around the time you selected.
Now that the WSUS server has been configured and is starting the first sync, check for updates from Microsoft using Microsoft Update on the server and install all updates that it finds, rebooting when necessary and re-checking for updates to make sure you’re fully updated.
Note: If you are using Server 2012 or Server 2012 R2, somewhere along your update path you may or may not have heard about the dreaded KB3159706 (https://support.microsoft.com/en-us/kb/3159706). While Microsoft has not officially superseded this update, from the feedback I’ve seen in the communities the patches and fixes that this KB comes with have been included in the latest cumulative update for Server 2012 and Server 2012 R2. According to the KB article, you now only need to run a single command (“C:\Program Files\Update Services\Tools\wsusutil.exe” postinstall /servicing). If KB3159706 still applies to you and is installed, you will have to perform the manual steps explained later in this series.
Open the WSUS Console and go to Options. Click E-Mail Notifications, set up your recipients with daily status reports, and fill in the E-Mail Server tab with your mail server info. Click OK.
For the average install, click Update Files and Languages and make sure that “Download express installation files” is NOT checked. This option will eat up space, and its description is misleading. It is not a ‘stub vs. full’ download of the update, where a stub installer would need an internet connection to fetch what it needs. It is a delta-delivery mechanism: for each file an update touches, the express package carries every variant needed to patch any earlier version of that file. A better description of what it does comes from Microsoft’s WSUS documentation:
“When you distribute updates by using this method, it requires an initial investment in bandwidth. Express installation files are larger than the updates they are meant to distribute. This is because the express installation file must contain all the possible variations of each file it is meant to update.”
Express installation files have their place: when you have hundreds of servers to deliver updates to, install and reboot in a short amount of time, they work well because only the deltas are sent to each requesting client. They will, however, require 3-5 times the space on your server.
Click OK to close this window.
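The wizard steps, the e-mail notification settings and the express installation files option above, scripted as one added example (not the article’s own code) using the UpdateServices PowerShell module and the Microsoft.UpdateServices.Administration objects that Get-WsusServer returns. The content path D:\WSUS, the product list, the SMTP host and the e-mail addresses are placeholders; the script assumes it is run elevated on the WSUS server itself with the Windows Internal Database, and that the server has internet access for the initial catalog sync.

```powershell
# Added example, not code from the original article. Placeholders: D:\WSUS, the product
# titles in $wanted, smtp.corp.example and the e-mail addresses. Run elevated on the WSUS host.

# 1. Role install with the Windows Internal Database, then the mandatory postinstall step.
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS
# For a remote SQL instance instead, install UpdateServices-DB (not -WidDB) and run:
#   wsusutil.exe postinstall SQL_INSTANCE_NAME=sqlhost\instance CONTENT_DIR=D:\WSUS

Import-Module UpdateServices
$wsus   = Get-WsusServer              # local server, default port 8530
$config = $wsus.GetConfiguration()
$sub    = $wsus.GetSubscription()

# 2. Upstream server: synchronize from Microsoft Update, no proxy.
Set-WsusServerSynchronization -SyncFromMU
$config.UseProxy = $false

# 3. "Start Connecting": pull the product/classification catalog before choosing from it.
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 10 }

# 4. Languages: only what your clients run (English-only here).
$config.AllUpdateLanguagesEnabled = $false
$langs = New-Object System.Collections.Specialized.StringCollection
[void]$langs.Add('en')
$config.SetEnabledUpdateLanguages($langs)

# 5. "Download express installation files" off; keep full update files stored locally.
$config.DownloadExpressPackages        = $false
$config.DownloadUpdateBinariesAsNeeded = $false
$config.OobeInitialized                = $true   # marks the initial configuration wizard as done
$config.Save()

# 6. Products: clear the defaults, then enable ONLY what you have. The whole
#    "Developer Tools, Runtimes, and Redistributables" family is expanded via its subcategories.
Get-WsusProduct | Set-WsusProduct -Disable
$family = Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Developer Tools, Runtimes, and Redistributables' }
$familyTitles = $family.Product.GetSubcategories() | ForEach-Object { $_.Title }
$wanted = @('Windows 10', 'Windows Server 2019', 'Windows Dictionary Updates') + $familyTitles
Get-WsusProduct | Where-Object {
    $_.Product.Title -in $wanted -or
    $_.Product.Title -like 'Windows Server Manager*Dynamic Installer'
} | Set-WsusProduct

# 7. Classifications: all of them, Drivers included, as the text recommends.
Get-WsusClassification | Set-WsusClassification

# 8. Schedule: automatic, four times a day; WSUS adds its own random offset to the start time.
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::FromHours(1)   # 01:00 local time
$sub.NumberOfSynchronizationsPerDay    = 4
$sub.Save()

# 9. Daily status e-mail (the Options > E-Mail Notifications pane).
$mail = $wsus.GetEmailNotificationConfiguration()
$mail.SendStatusNotification      = $true
$mail.StatusNotificationFrequency = 'Daily'
$mail.SmtpHostName                = 'smtp.corp.example'
$mail.SmtpPort                    = 25
$mail.SenderEmailAddress          = 'wsus@corp.example'
$mail.SenderDisplayName           = 'WSUS'
[void]$mail.StatusNotificationRecipients.Add('patching@corp.example')
$mail.Save()

# 10. Kick off the first full synchronization and report where it stands.
$sub.StartSynchronization()
$sub.GetSynchronizationStatus()
$config.GetEnabledUpdateLanguages()
```

After the postinstall step, bind a server certificate to port 8531 in IIS and run wsusutil.exe configuressl with the server’s FQDN so clients can use the HTTPS URL; from a remote console, Get-WsusServer then needs -Name, -UseSsl and -PortNumber 8531. Once the first sync finishes, continue with the server’s own Windows Update run described above.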