WSUS ABC Core

System stability and security rely heavily on keeping systems up to date with patches. Patches fix errors that cause applications and services to run slowly or even crash in certain circumstances, and they plug security holes that could endanger the system or the network. While there are third-party patching solutions, if you run a Windows network, Microsoft includes Windows Server Update Services (WSUS) in every modern version of the Windows Server operating system.

While WSUS is “free”, it takes a few settings and modifications to get it to perform as it should. We will begin with a standardized setup that, with only minor changes, can work in most small to medium-sized businesses.

Prerequisites:

Windows Server 2016 or later with a static IP address.

If updates will be stored and served locally from the WSUS server, a data drive of 1 TB or more may be required. This is not recommended in most situations and is discussed below under “Content Location Selection”.

STEP 1: Install the WSUS server role

The WSUS server role can be added through Server Manager \ Local Server \ Roles and Features \ TASKS \ Add Roles and Features.

Select the server role “Windows Server Update Services”.

Additional features will be needed to support WSUS; select “Add Features”.

Select NEXT on the following screens until you reach the Select Role Services screen. The defaults on this screen will be fine for most installations. The choice here is between the Windows Internal Database (WID) and a separate SQL Server. Microsoft states that WID scales to around 10,000 managed computers and that anything larger should use SQL Server. Frankly, if you are managing updates on 10,000 or more computers, you should look at a more enterprise-level patching system. If you choose SQL Server, select “SQL Server Connectivity” here; otherwise select NEXT.

On the Content Location Selection screen we are going to uncheck “Store Updates…” and leave the path empty. Normally this is where you would designate a local path such as D:\UPDATES to store all of the downloaded updates. This used to be a good idea: it centralized downloads on the WSUS server and clients downloaded from there, saving Internet bandwidth and speeding up the update process. Modern versions of Windows allow clients and servers to download from each other, and patches actually propagate faster in such a mesh than they do from a centralized download location. A centralized download location can also easily accumulate a terabyte or more of storage.

Keep the defaults on the next few screens until you reach the Confirm Installation Selections screen. Make sure to check the “Restart…” box and then click Install.

After a few minutes, WSUS will be installed. Allow the server to reboot if necessary.

STEP 2: Post Installation Tasks

After installing the WSUS role you will notice, in Server Manager, the exclamation point signifying that configuration is necessary. Select the exclamation point and then select “Launch Post-Installation Tasks”. After a few minutes the task will complete.

STEP 3: Apply application pool memory fix for IIS

WSUS runs on Internet Information Services (IIS), and the default limits on the WSUS application pool are too low, causing stability issues inside WSUS. It is best to simply change the settings on the WSUS pool by running the following PowerShell commands from an elevated (Run as administrator) PowerShell prompt.

# Load the IIS administration provider so the IIS: drive is available
Import-Module WebAdministration

# Remove the private-memory limit that recycles the pool under load (0 = no limit)
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name recycling.periodicRestart.privateMemory -Value 0

# Raise the request queue so busy client scans are not rejected with HTTP 503 errors
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name queueLength -Value 2500

# Reset the CPU accounting window every 15 minutes (format is days.hours:minutes:seconds)
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name cpu.resetInterval -Value "00.00:15:00"

# On pool failure, refuse connections at the TCP level instead of returning HTTP 503
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name failure.loadBalancerCapabilities -Value "TcpLevel"
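Once the commands above have run, it is worth reading the values back rather than trusting that they stuck (a later IIS reconfiguration or a WSUS repair can reset them). The following script is an added example, not part of the original article; it assumes the same pool path IIS:\AppPools\WsusPool and that the WebAdministration provider exposes each attribute's setting through its .Value property, and it reports any setting that still differs from the recommended values.

```powershell
# Added example, not from the original article: read the WsusPool settings back
# after applying the fix and report any value that still differs from the target.
Import-Module WebAdministration

# Target values from the fix above, as strings so they compare cleanly with what the
# provider returns. loadBalancerCapabilities may come back as the enum name or its
# numeric value (TcpLevel = 1) depending on how the provider renders it, so both are accepted.
$ExpectedPoolSettings = @{
    'recycling.periodicRestart.privateMemory' = @('0')
    'queueLength'                             = @('2500')
    'cpu.resetInterval'                       = @('00:15:00')
    'failure.loadBalancerCapabilities'        = @('TcpLevel', '1')
}

function Get-WsusPoolDrift {
    param([string]$PoolPath = 'IIS:\AppPools\WsusPool')

    foreach ($name in $ExpectedPoolSettings.Keys) {
        # The provider returns a configuration attribute; .Value holds the setting itself
        # (assumption of this example). A TimeSpan stringifies as hh:mm:ss.
        $actual = (Get-ItemProperty -Path $PoolPath -Name $name).Value
        if ("$actual" -notin $ExpectedPoolSettings[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Expected = ($ExpectedPoolSettings[$name] -join ' or ')
                Actual   = "$actual"
            }
        }
    }
}

$drift = @(Get-WsusPoolDrift)
if ($drift.Count -eq 0) {
    Write-Host 'WsusPool matches the recommended settings.'
} else {
    Write-Warning 'WsusPool still differs from the recommended settings:'
    $drift | Format-Table -AutoSize
}
```

Running this from a scheduled task or a configuration-management check turns a one-time fix into something you will notice when it drifts, which is when the "503" and console time-out symptoms tend to return.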

STEP 4: Configure WSUS

From the Start menu, launch “Windows Server Update Services”. This will start the WSUS Configuration Wizard. Continue through the first few screens until you get to “Choose Upstream Server”. In this example we will leave this at the default and synchronize with Microsoft Update, but in a more complex environment with multiple WSUS servers we would configure this to synchronize with another WSUS server so that the servers do not each have to be managed separately.

If you are on a network that requires a proxy server, you will need to configure it on the “Specify Proxy Server” screen. After configuring the proxy (or not) you will be prompted to make a connection to Microsoft Update. Select “Start Connecting”. The server will connect to Microsoft Update and download some base information about products and languages that will be used in the next steps. This will take several minutes.

Once the initial download from Microsoft is complete, select NEXT to go to the Choose Products screen. Here you will be presented with a checkable tree of everything offered through WSUS; select the products that apply to your organization. This is a good time to scour the list and make sure the products in your organization are covered, as only selected products will be updated through WSUS. On the flip side, you don’t want to simply select everything: leaving retired products that aren’t in your organization, like “Windows 7” and “Windows 2000”, unchecked will save quite a bit of clutter in your database. Don’t worry if you miss one; these selections can be changed later, and reviewing product selection should be part of a regular checklist.

Once you have made your initial selections, click NEXT to progress to the Choose Classifications screen. Here you select the types of updates to download for the products selected above. At the very least, Critical Updates, Definition Updates and Security Updates should be selected to maintain a healthy environment. Upgrades, Updates and Update Rollups are also suggested.

After making your selections and clicking NEXT you will progress to the Set Sync Schedule screen. The default here is to synchronize manually, but unless you like clicking on things every day, you should set a schedule. Often the early hours of the morning are best, but select what works for your organization.

Clicking NEXT will take you to the Finished screen. Here you will want to check the Begin Initial Synchronization option (unless you opted for local storage in STEP 1, as downloading a terabyte or more of update packages could cause Internet bandwidth issues).
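The wizard choices in STEP 4 (products, classifications, sync schedule and the initial synchronization) can also be applied with the UpdateServices PowerShell module and the WSUS administration API, which makes them reviewable and repeatable on a second server. The script below is an added example and is not part of the original article; the product titles it enables are placeholders that must be replaced with the products actually present in your organization, and it should be run on the WSUS server after the “Start Connecting” step has populated the product and classification lists.

```powershell
# Added example, not from the original article: the STEP 4 wizard choices applied
# through the UpdateServices module and the WSUS administration API.
Import-Module UpdateServices

$wsus = Get-WsusServer            # connects to the local WSUS server
$sub  = $wsus.GetSubscription()   # products, classifications and the sync schedule live here

# Placeholder selections for this example: replace with your own product list.
$WantedProducts  = @('Windows Server 2016', 'Windows 10')
# Retired products named in the article; leaving them unchecked keeps the database lean.
$RetiredProducts = @('Windows 7', 'Windows 2000')
# The minimum set from the article plus the three suggested classifications.
$WantedClassifications = @('Critical Updates', 'Definition Updates', 'Security Updates',
                           'Upgrades', 'Updates', 'Update Rollups')

function Set-WsusProductSelection {
    param([string[]]$Enable, [string[]]$Disable)
    foreach ($p in Get-WsusProduct) {
        $title = $p.Product.Title
        if ($title -in $Enable)      { $p | Set-WsusProduct }
        elseif ($title -in $Disable) { $p | Set-WsusProduct -Disable }
        # Anything else is left exactly as the wizard set it.
    }
}

function Set-WsusClassificationSelection {
    param([string[]]$Enable)
    foreach ($c in Get-WsusClassification) {
        if ($c.Classification.Title -in $Enable) { $c | Set-WsusClassification }
        else                                     { $c | Set-WsusClassification -Disable }
    }
}

function Set-WsusSyncSchedule {
    param([int]$HourUtc = 3, [int]$TimesPerDay = 1)
    # The API stores the time of day in UTC; the console displays it in local time.
    $sub.SynchronizeAutomatically          = $true
    $sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::FromHours($HourUtc)
    $sub.NumberOfSynchronizationsPerDay    = $TimesPerDay
    $sub.Save()
}

Set-WsusProductSelection -Enable $WantedProducts -Disable $RetiredProducts
Set-WsusClassificationSelection -Enable $WantedClassifications
Set-WsusSyncSchedule -HourUtc 3 -TimesPerDay 1

# Equivalent of "Begin Initial Synchronization" on the Finished screen. Skip this if you
# chose local storage in STEP 1 and want to control when the bulk download starts.
$sub.StartSynchronization()
"Synchronization status: $($sub.GetSynchronizationStatus())"
```

Keeping this script alongside the server's documentation gives you a record of exactly which products and classifications are in scope, which is the question you will be asked the next time a product turns out not to be receiving patches.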


Click FINISH here to complete the setup wizard and automatically open the Update Services management console. This is the interface you will use on a regular basis to manage WSUS. Two things you should notice right away: first, the notifications at the top of the screen, which will be important later when you are administering the WSUS server; second, the Synchronization status. The first synchronization can take a while, but luckily we don’t have to wait for it to complete.

The next step is to create groups into which our Windows machines will be sorted. These groups are important for managing approvals and setting install schedules. Create a group in the left-hand pane by expanding Computers, right-clicking All Computers, and selecting Add Computer Group. Computer groups can also be nested under existing computer groups by right-clicking that group and selecting Add Computer Group.

Go ahead and add several groups to mimic the ones shown below.

OPTIONAL: You can configure rules to help with day-to-day management of update approval by setting up automatic approvals based on computer group and update product/classification, and you can even set a deadline for installation. Set up these rules through Options / Automatic Approvals.

OPTIONAL: The next thing you will want to automate is assigning computers from Active Directory to the appropriate groups inside WSUS. This is accomplished with WSUS Group Policy Objects. First configure WSUS to take group assignments from Group Policy Objects by selecting Options / Computers and clicking “Use Group Policy…”. When you have completed setting up WSUS, it is highly recommended that you set up Group Policy Objects in Active Directory to manage the rules for registering with WSUS and applying updates.
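Both the computer-group creation described above and the “Use Group Policy…” switch can be scripted against the same administration API, so the group layout can be recreated identically on another server. The script below is an added example and is not part of the original article; since the article's screenshot of the groups is not reproduced here, the group names are a constructed layout that you should adjust to your own structure. It assumes the built-in root group is named “All Computers” and that group names are unique on the server.

```powershell
# Added example, not from the original article: create a nested computer-group layout
# without duplicating groups on a re-run, then switch WSUS to client-side targeting
# (the "Use Group Policy…" option under Options / Computers).
Import-Module UpdateServices

$wsus = Get-WsusServer

# Constructed layout for this example: child group name => parent group name.
# "All Computers" is the built-in root group.
$GroupLayout = [ordered]@{
    'Servers'              = 'All Computers'
    'Servers - Pilot'      = 'Servers'
    'Servers - Production' = 'Servers'
    'Workstations'         = 'All Computers'
    'Workstations - Pilot' = 'Workstations'
    'Workstations - Production' = 'Workstations'
}

function Initialize-WsusComputerGroups {
    param([System.Collections.IDictionary]$Layout)
    foreach ($name in $Layout.Keys) {
        # Re-read the group list each time so parents created earlier in this run are found.
        $groups = $wsus.GetComputerTargetGroups()
        if ($groups | Where-Object Name -eq $name) {
            Write-Host "exists : $name"
            continue
        }
        $parentName = $Layout[$name]
        $parent = $groups | Where-Object Name -eq $parentName
        if (-not $parent) { throw "Parent group '$parentName' for '$name' not found" }

        $null = $wsus.CreateComputerTargetGroup($name, $parent)
        Write-Host "created: $name (under $parentName)"
    }
}

function Enable-WsusClientSideTargeting {
    # Client-side targeting: each machine reports the group name it received from
    # Group Policy, instead of an administrator moving it between groups in the console.
    $config = $wsus.GetConfiguration()
    $client = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
    if ($config.TargetingMode -ne $client) {
        $config.TargetingMode = $client
        $config.Save()
    }
    return $config.TargetingMode
}

Initialize-WsusComputerGroups -Layout $GroupLayout
"Targeting mode: $(Enable-WsusClientSideTargeting)"
```

Because the group names are what the Group Policy target-group setting must match exactly, keeping them in a script (rather than typing them into the console) removes the most common cause of machines landing in “Unassigned Computers”.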

OPTIONAL: To have your WSUS server report to you and reduce the number of times you log in to check status, it is advised to set up email notifications. You can set up email in WSUS by going to Options / E-Mail Notifications. It is also advised that you set up both synchronization reports and daily status reports. In most organizations these emails should be sent to a distribution list, not an individual. Do not forget to set up the options for your mail server on the E-Mail Server tab, and select TEST to make sure your configuration works.

At this point you have a fully functional WSUS server, but don’t forget: if you have set up WSUS to assign computers using Active Directory Group Policy Objects, you will need to continue HERE.

Continue the journey by automating many of the chores in WSUS by implementing WSUS AutoMan.

Get detailed information in one spot for all of your patches on the WSUS server by setting up WSUS Patch Report.

-fin