MCSA 70-411 – Part 2 – WSUS

Continuing on from Part 1, today we will setup and configure Windows Server Update Services, or WSUS. For this we will need to use a mix of GUI and PowerShell, as there is not yet full support to do everything in PowerShell alone.

  1. As you might have guessed, we first need to install the role. We cannot user the “-IncludeAllSubfeature” flag, because this will configure WSUS to use both its own internal database (WID) as well as a SQL database to store update information, which is not allowed.
    10-4-2016 8-02-29 AM
  2. Once the role has been installed we need to do some configuration. First up we need to select where to store the updates. Preferably this should be on a separate drive with a lot of free space. In this lab example we will use the system drive. Note the path where wsusutil.exe is located, as we need to run it from this directory:
    10-4-2016 8-07-31 AM
  3. Now we need to decide where to get the updates from. In this example we setup a stand-alone server, so we will get our updates directly from Microsoft. In a larger setup we  might want to sync with an upstream WSUS server, in which case we would use the flags “-UssServerName” and “-Portnumber”.
    10-4-2016 8-10-10 AM
  4. The next step is to synchronize our WSUS server with our selected source, in this case from Microsoft. We do this through the GUI:
    10-4-2016 8-15-26 AM
  5. Once the sync is complete (this might take a while) we can view the available updates under the “Updates” tab. In order to configure client computers to get updates from our WSUS server we need to change some settings, as well as configure a Group Policy Object (GPO):
    10-4-2016 8-22-05 AM
    10-4-2016 8-24-18 AM
  6. We only need to enable to policies to get WSUS up and running, however for a more manageable setup we might also want to enable client-side targeting. That will automatically assign the computers to a group that we create under the “Computers” tab in WSUS. In this lab we will keep it simple though:
    10-4-2016 8-26-36 AM
    10-4-2016 8-29-17 AM
  7. This concludes the WSUS basic setup. Remember that we need to approve the available updates before our clients can install them. This can be done either though the GUI or with PowerShell using “Get/Approve-WsusUpdate”.
    10-4-2016 8-31-04 AM