Windows Server Update Services (WSUS) is a free component for Windows Server that allows you to create your own mirror for Windows Update and control every aspect of how updates are distributed on your network.
Prerequisites:
- Windows Server 2003 or later (or SBS)
- IIS 6.0 or later
- .NET Framework 2.0 or later
- Microsoft Report Viewer Redist. 2008
- Plenty of free space to store approved updates
- Reliable DNS and Group Policy
- A well-organized Active Directory
Installation:
- Make sure that all prerequisites are met.
- Download and start the installation of WSUS.
- Proceed through the installation wizard and accept the license agreement, but pay attention to where it wants to store the updates – feel free to change it.
- Let it install the Windows Internal Database and make sure the path matches the store folder that you previously selected.
- At this point you will see one of two things. If you have a clean IIS installation with no sites, you will be told that WSUS will be set up on the default website and the default HTTP ports (80, 443). If you have SharePoint, an SBS, or any other sites in IIS, your WSUS site will be set up on an alternate port (usually 8530, 8531).
- After clicking Next, your installation should start.
- When installation is complete, you will be dumped into the Configuration Wizard.
Server Configuration:
- Most of this should be self-explanatory, but here is what to expect:
- You will be asked if you want to send usage data to Microsoft.
- You can choose whether to download updates directly from Microsoft, or from another WSUS server.
- You will be asked to specify a proxy if necessary.
- You will be asked to perform an initial quick sync with your selected upstream server. Click the “Start Connecting” button.
- You will be asked which languages you would like your updates in.
- You will be asked to choose which products you want to download updates for. Take your time making these selections.
- You will be asked to choose which types of updates you would like. Notice that “Service Packs” are not selected by default.
- Next you must schedule when to sync your updates database with Microsoft’s servers.
- All done. You may perform your initial sync now, or postpone that while you set up your clients.
Client Configuration:
- I would suggest using Group Policy to configure clients as this will automatically enroll new workstations.
- Go to “Options” then “Computers” in the Update Services console.
- Select “Use Group Policy or registry settings on computers” and click “OK”.
- Now it would be a good idea to create groups for your clients. For example, I usually just use two groups: Servers and Workstations. You can organize them in whatever way suits your network. To add a group, expand the “Computers” menu on the left side, right-click on “All Computers” and select “Add Computer Group…”
- Time to create some GPOs…
- Create a GPO for each computer group that you created in the previous step. Link these GPOs to the appropriate OUs in Active Directory. For example, I normally would create GPOs called “WSUS-CLIENTS” and “WSUS-SERVERS” and link them to the appropriate OU containers.
- All the settings that must be configured are in “Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update”
- At the very least, you will want to configure the following policies:
- “Configure Automatic Updates”
- “Specify intranet Microsoft update service location” (set both values to “http://yourservername:yourport”, using the server name and port that setup provided to you way back in step 5 of the installation)
- “Enable client-side targeting” (Set this to the computer group that you want these clients assigned.)
- Using PowerShell or by actually sitting at a client computer, run
gpupdate /force
- Once the computer has applied the policy, you can run
wuauclt.exe /detectnow
to force a sync with the WSUS server. Expect this first sync to take a few minutes. Depending on a number of factors, it may take anywhere from 5 minutes to several hours for all of the computers on the network to show up in the WSUS management console.
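To confirm on a client that the three policies above actually applied, you can read back the registry values that the Windows Update policies write. This is an added example, not part of the original post; the expected URL and group name are placeholders to replace with your own values.

```powershell
# Added example: confirm the WSUS policies from the GPO reached this client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Assumed values (placeholders): use your own server URL and computer group.
$expectedUrl   = 'http://yourservername:yourport'
$expectedGroup = 'Workstations'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'
$groupEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled'
$targetGroup  = Get-PolicyValue $wuKey 'TargetGroup'
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'
$auOptions    = Get-PolicyValue $auKey 'AUOptions'

$findings = @()
if (-not $wuServer) {
    $findings += 'WUServer is missing: the GPO has not applied to this computer.'
} else {
    if ($wuServer -ne $expectedUrl) {
        $findings += "WUServer is '$wuServer', expected '$expectedUrl'."
    }
    if ($statusServer -ne $wuServer) {
        $findings += "WUStatusServer ('$statusServer') does not match WUServer."
    }
    if ($wuServer -like 'http://*') {
        Write-Warning 'This client talks to WSUS over unencrypted HTTP.'
    }
}
if ($useWuServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client will ignore the intranet server.'
}
if ($groupEnabled -ne 1 -or $targetGroup -ne $expectedGroup) {
    $findings += "Client-side targeting is '$targetGroup', expected '$expectedGroup'."
}
if ($null -eq $auOptions) {
    $findings += '"Configure Automatic Updates" is not enabled (no AUOptions value).'
}

if ($findings.Count -eq 0) {
    'WSUS client policy looks correct.'
} else {
    $findings
}
```

Run it after gpupdate /force has completed; an empty WUServer value usually means the GPO is not linked to the OU that contains the computer.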
There are many ways to set up a WSUS infrastructure. The steps above represent a very basic, no-frills approach. If you have a large network or a network with special needs, it will be worthwhile to spend some time going through the options both in the WSUS MMC snap-in and in the group policy settings specified in step 7.
-Nick