The client computers must trust the certificate that you bind to the WSUS server. If the certificate is imported into the current user's Trusted Root CA store only, Automatic Updates will fail server authentication: the Windows Update service runs as Local System and reads the local computer's store, not a user's store.

If the proxy server requires that you use a specific user account, select the Use user credentials to connect to the proxy server check box.

Select Enable client-side targeting, select Enabled, and then type the name of the WSUS computer group to which you want to add this computer in the Target group name for this computer box.

So let's start. Select the required installation type and click Next to move on. This will also add the IIS role, because IIS is what WSUS uses to serve update content to clients. On the Complete WSUS Installation screen, select the location of … Once the installation is complete, it is time to configure the updates. In the Server Manager navigation pane, click Dashboard, click Tools, and then click Windows Server Update Services. Later in this topic, you will learn how to perform these configurations by using the Options page.

We have covered how to install and configure the WSUS server role in Microsoft's Windows Server 2016 operating system.
This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012.

Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the local Administrators group. When launching the wizard, click Next. In this case we are using the Windows Internal Database (WID); if you are going to use a SQL Server database instead, include the UpdateServices-DB option rather than UpdateServices-WidDB.

If the database connection must be secured, consider the following recommendations: move the WSUS database to the WSUS server, or move the remote database server and the WSUS server to a private network.

On the Windows Server Update Services Configuration Wizard Before You Begin page, read the information and click Next. Retain the default selection, or clear the check box, and then click Next. The Set Sync Schedule page enables you to select whether to perform synchronization manually or automatically.

In the Proxy server name text box, type the name of the proxy server. Type the required user name, domain, and password into the corresponding text boxes. To let the server synchronize through a proxy that supports HTTPS, type the following command: wsusutil ConfigureSSLproxy [<proxy_server proxy_port>] -enable, where proxy_server is the name of the proxy server that supports HTTPS.

WSUS pairs its clear HTTP port with the HTTPS port you choose. For example, if you use port 8531 for HTTPS, WSUS will use port 8530 for HTTP. Update files are only ever served on the HTTP port; if a computer attempts to retrieve update files on the HTTPS port, the transfer will fail.

In the Configure Automatic Updates policy, click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install (this option notifies a logged-on administrative user before you download and install the updates) or Auto download and notify for install.
To install the WSUS server role: the installation of the WSUS role is straightforward. Install from PowerShell and you're done. Alternatively, to install WSUS from the GUI, open Server Manager and go to Manage - Add Roles and Features. In the wizard that opens, add the Windows Server Update Services role: check the box for Windows Server Update Services (WSUS). The WSUS database can be local (WID) or a remote SQL Server 2008/2012 server.

Configuration of the WSUS. We're going to go half way through the WSUS Setup Wizard and exit. Select product categories, such as Windows, or specific products, such as Windows Server 2012. … That's it; on the finished screen you can optionally check to begin the initial synchronization, which will start downloading updates from the Internet after you click Finish.

Firewall. If you identified that WSUS is behind a corporate firewall, there are some additional steps that must be done at the edge device to properly allow WSUS traffic.

You can use the Secure Sockets Layer (SSL) protocol to help secure the WSUS deployment, and deploy Internet Protocol security (IPsec) to help secure network traffic. To switch the server itself to SSL, in the Command Prompt window type the command wsusutil configuressl certificateName, where certificateName is the DNS name of the WSUS server; it must match the subject name (or a subject alternative name) of the certificate bound in IIS, or clients will fail server authentication.

On the client side, for example, type http://servername in both boxes (where servername is the name of the WSUS server); if you have configured SSL, use https://servername and include the SSL port when it is not 443. On the Main tab, configure the WSUS server URL and the behavior of Windows Update. If the client-side targeting status is set to Enabled, this computer will identify itself as a member of a particular computer group when it sends information to the WSUS server, which uses it to determine which updates are deployed to this computer. To force a check-in, type wuauclt.exe /detectnow, and then press ENTER.

Configuration Manager: the software update point site system role must be created on a server that has WSUS installed. A remote SUP site system role can be installed with WID connectivity.
If you do not select this option, you need to use the WSUS Management Console to perform the initial synchronization. For a stand-alone WSUS install, check the following post: WSUS installation on Windows Server 2019.

The Add Roles and Features Wizard window will appear; click the Next button. Config…

In the WSUS console, expand the server name in the right pane, click Options, and then click Update Source and Proxy Server. On the Update Source page, select Synchronize from another Windows Server Update Services server if this machine is to be a downstream server. proxy_port is the proxy server port number. If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box; because the credentials are then readable on the wire, do this only when the proxy connection itself is HTTPS.

Choose whether or not you want to join the Microsoft Update Improvement Program; as I am running a test instance I have selected not to join and provide any false test data.

WSUS uses SSL to authenticate the WSUS server to client computers and downstream WSUS servers (it does not authenticate clients). Because the server cannot force clients onto SSL, the only way to make sure that client computers use a secure channel is by pointing them at a URL that specifies HTTPS. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store. The firewall on the WSUS server must be configured to allow inbound traffic on these ports.

If anonymous read access has been disabled in IIS, you must re-enable it before you can successfully install and operate WSUS. In Start Search, type Command prompt.

In an environment without Active Directory, use the Local Group Policy editor to configure Automatic Updates, and then point the client computers to the WSUS server.

To move computers between groups, right-click the computer names that you selected in the previous step, and then click Change Membership.
Windows Server Update Services Lab Setup. With WSUS we can save Internet bandwidth and also speed up the Windows update process.

Once installation has successfully completed, we can open the WSUS console and complete our configuration. To start this process, simply open the WSUS console from within the Tools menu in Server Manager. You'll need to wait a while while WSUS attempts to connect to an upstream server, either from the Internet or within your own network, based on your selection in the last step. Alternatively, if you already have another WSUS server that stores the update files, you can specify it here to synchronize with it as a downstream server. Now that you have performed the basic WSUS configuration, read the next sections for more details about changing the settings by using the WSUS Management Console.

Use the following options to modify the existing proxy server configuration: select the check box for Use a proxy server when synchronizing.

You must import the certificate to all computers that will communicate with the WSUS server. We recommend that you create a new GPO that contains only WSUS settings.

To enable anonymous read access, follow the steps for the applicable version of IIS: Enable Anonymous Authentication (IIS 7), as documented in the IIS 7 Operations Guide, or Enabling Anonymous Authentication (IIS 6.0), as documented in the IIS 6.0 Operations Guide.

To enable custom update signing, you must install a package signing certificate on your WSUS server. The private key must be installed on the WSUS server, and the public key must be explicitly installed in the trusted certificate store on all client PCs and servers that are to receive custom-signed updates. after discovering that it expired), WSUS offered no functionality to enable this.

At the top of the Start menu, right-click Command Prompt, and then click Run as administrator.
WSUS Configuration. WSUS can be installed through Server Manager; simply follow the process below, but be warned that there is a lot more work involved here than simply running the PowerShell cmdlet above. On the Before you Begin page, review the information, and then click Next. A summary of the WSUS role is displayed; click Next.

You must complete this step if you identified that WSUS needs a proxy server to have Internet access. Although most corporate firewalls allow this type of traffic, some companies restrict Internet access from servers because of the company's security policies.

By default, the option to store updates locally is selected. Alternatively, you can untick the store updates check box and update files will not be stored locally; they will be downloaded from Microsoft as needed. Click Next if you want to read more about additional settings, or click Finish to conclude this wizard and finish the initial WSUS setup.

The following instructions configure a downstream server to synchronize to an upstream server that uses SSL. If you use any port other than 443 for SSL, you must include that port in the URL also. You must consider the following limitations when you use SSL to secure a WSUS deployment: using SSL increases the server workload. In addition to Microsoft's signature on each update file, a hash is computed and sent together with the metadata for each update, so the metadata channel is the one worth protecting.

Use the following procedures to configure Automatic Updates for client computers (Step 4: Configure Group Policy Settings for Automatic Updates, 2.3). In an environment that uses Active Directory Domain Services, you can use an existing domain-based Group Policy Object (GPO) or create a new GPO. On the client computer, open a Command Prompt window with elevated privileges.
To install WSUS in Windows Server 2016, follow the steps below: go to Server Manager, click Manage and click Add Roles and Features as shown in the window below. Click Next again. If the Complete WSUS Installation dialog box appears, click Run. In my experience I suggest dedicating a secondary disk drive for the updates; this way you will not risk filling up the primary operating system drive.

In my test environment the WSUS server connects directly out to the Internet so I'll just select Next; however, if you're using a proxy server, specify its details here. If this is a replica server, select the This is a replica of the upstream server check box. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M. After selecting the appropriate synchronization options for your deployment, click Next to continue.

WSUS also uses SSL to encrypt update metadata. However, the port that you set up for SSL also determines the port that WSUS uses to send clear HTTP traffic.

The Configure Automatic Updates policy opens. The Auto download and notify for install option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates. The client-side targeting setting indicates to the WSUS server which group the client computer will use. Create computer groups in the WSUS administration console to manage updates in your organization.
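The upstream, proxy and schedule pages above can be scripted instead of clicked through. The block below is an added example (not code from the original post or from Microsoft's documentation) that uses the UpdateServices module and the WSUS API to set the same things: the proxy (with the cleartext-credentials option left off), the upstream source, and the "four times a day from 03:00" schedule. The proxy name, port, account and upstream server name are hypothetical; run it on the WSUS server as a WSUS administrator.

```powershell
# Added example: script Options > Update Source and Proxy Server, and the sync schedule.
# Names, ports and the service account below are assumptions for illustration.
$wsus = Get-WsusServer
$cfg  = $wsus.GetConfiguration()

# Proxy used for synchronization (skip this part if the server reaches the Internet directly)
$cfg.UseProxy        = $true
$cfg.ProxyName       = 'proxy.corp.example'      # hypothetical
$cfg.ProxyServerPort = 8080
# Only when the proxy demands an account; the "password is sent in cleartext" box stays off
$cfg.AnonymousProxyAccess = $false
$cfg.ProxyUserDomain      = 'CORP'
$cfg.ProxyUserName        = 'svc-wsus-proxy'      # hypothetical
$pw = Read-Host -AsSecureString 'Proxy password'
$cfg.SetProxyPassword([System.Net.NetworkCredential]::new('', $pw).Password)
$cfg.AllowProxyCredentialsOverNonSsl = $false
$cfg.Save()

# Upstream: Microsoft Update for the top-level server ...
Set-WsusServerSynchronization -SyncFromMU
# ... or, for a downstream replica, an upstream WSUS server over its SSL port:
# Set-WsusServerSynchronization -UssServerName 'wsus01.corp.example' -PortNumber 8531 -UseSsl -Replica

# Schedule: four synchronizations a day starting at 03:00 (03:00, 09:00, 15:00, 21:00).
# The time of day is stored in UTC, so adjust for the server's zone if that matters to you.
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$sub.NumberOfSynchronizationsPerDay    = 4
$sub.Save()

# Run the initial synchronization now and show where it got to
$sub.StartSynchronization()
$sub.GetSynchronizationStatus()
```

Leaving AllowProxyCredentialsOverNonSsl at false is the scripted equivalent of not ticking Allow basic authentication (password is sent in cleartext); if the proxy only speaks HTTP and insists on basic auth, the account it sees should be one with no other rights.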
In the Windows Update details pane, double-click Specify intranet Microsoft update service location. Local administrators cannot disable Automatic Updates.

WID is Windows Internal Database. Enter a local admin account that is in the WSUS Administrators group and click Next. Choose the languages that you want to download updates for.

WSUS can be used to automatically download Windows update files and store them locally. With WSUS we can configure all of our servers to be automatically updated, ensuring that security updates are installed quickly from a central location. After installing and configuring the WSUS server role, the next step is to configure Group Policy settings to determine how WSUS clients will receive the updates. You must create the group on the WSUS server, and add domain-member computers to that group.

After looking at the log file indicated in the Notification window, here is what I found:

Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully.
How to install WSUS. Opinions will differ here on how people will advise you to set this up. This video is a step-by-step guide to deploying, installing and configuring WSUS (Windows Server Update Services) in Windows Server 2016.

Install Windows Server Update Services (WSUS). If you've just logged on to the server, type PowerShell into the command line window before running any of the commands below. Installing WSUS with PowerShell is the fastest and easiest way; simply run the command below in PowerShell. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.

If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console.

To add a proxy server that uses the HTTP protocol. For a downstream server that synchronizes over SSL, type the port number that the upstream server uses for SSL connections into the Port number text box.

Read the instructions on the Join the Microsoft Update Improvement Program page and evaluate whether you want to participate. Selecting a product category selects all the products in that category. Selecting a subset of languages will save disk space, but it is IMPORTANT to choose all of the languages that are needed by all the clients of this WSUS server.

If you have set up Active Directory in your network, you can configure one or multiple computers simultaneously by including them in a Group Policy Object (GPO), and then configuring that GPO with WSUS settings. In the GPMC, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.

Secure WSUS with the Secure Sockets Layer Protocol. See also Enabling Anonymous Authentication (IIS 6.0). There are several considerations associated with custom update signing.
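The PowerShell command referred to above is not on the page, so the following is an added example (not the post's own command) of the whole unattended path: install the role with the Windows Internal Database, run the post-install step that the Complete WSUS Installation screen performs, and check the listeners. The content path D:\WSUS is an assumption standing in for a secondary data disk; run it elevated on the server that will host WSUS.

```powershell
# Added example: install WSUS with WID, run postinstall, and verify. D:\WSUS is hypothetical.
$ContentDir = 'D:\WSUS'

# For a SQL Server database use UpdateServices-DB instead of UpdateServices-WidDB.
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services `
    -IncludeManagementTools

# Keep update content off the OS drive
if (-not (Test-Path $ContentDir)) { New-Item -Path $ContentDir -ItemType Directory | Out-Null }

# What the "Complete WSUS Installation" dialog runs for you
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall CONTENT_DIR=$ContentDir
# SQL Server variant (instance name is hypothetical):
# & $wsusutil postinstall SQL_INSTANCE_NAME="sql01\WSUS" CONTENT_DIR=$ContentDir

# Checks: the IIS site WSUS 6.2+ creates should listen on 8530 (HTTP) and 8531 (HTTPS, no
# certificate yet), and the management module should be able to talk to the local server.
Import-Module WebAdministration
Get-WebBinding -Name 'WSUS Administration' | Select-Object protocol, bindingInformation
Get-WsusServer | Select-Object Name, PortNumber, UseSecureConnection
```

Until SSL is configured, UseSecureConnection reports False and clients reach the server on 8530 only; the SSL binding gets its certificate in a later step.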
Open Server Manager; click Manage, then Add Roles and Features; click Next. Keep the default settings and click Next. Select the local server and click Next. After installing the WSUS server role on your server, you need to properly configure it. Next you will choose your upstream server. Can this computer connect to the upstream server (such as the server that is designated to download updates from Microsoft Update)? Because WSUS initiates all of the synchronization traffic to its upstream server, no inbound firewall rule is needed for that; the inbound rules for the client ports are still required.

By default manual synchronization is set; however, we will change this to happen a few times per day. Choose all the classifications or a subset of them, and then click Next. If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages. Microsoft Update Improvement Program: disabled by default, you can enable this option to send Microsoft some high … E-Mail Notifications: WSUS can send an e-mail when new updates are synchronized, informing administrators that they should be evaluated, tested, and approved. Also the ability to monitor the updates, see who's getting them and who isn't, and to spit out reports on that kind of information is pretty much a requirement in a world where non-updated systems are vul…

The following procedures assume that your network runs Active Directory. Allow local admin to choose setting.

Select the Use SSL when synchronizing update information check box, and then click OK. In the Command Prompt window, go to the C:\Program Files\Update Services\Tools folder. Consider the following examples: if you use the industry standard port of 443 for HTTPS traffic, WSUS uses the industry standard port 80 for clear HTTP traffic. The client checks each downloaded file against the hash it received with the metadata; if the update has been changed, it is not installed.
Select the server and click Next. Validate dependencies by clicking Add Features. Select the appropriate product options for your deployment, and then click Next.

Basically you should confirm that other Windows machines can connect to the WSUS server, and that the WSUS server can connect to the Internet to download updates. The listening interfaces and ports are configured in the IIS site(s) for WSUS and in any Group Policy settings used to configure client PCs. By default, these ports are configured as follows: on WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS; on WSUS 6.2 and later (Windows Server 2012 onward), port 8530 for HTTP and 8531 for HTTPS.

WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send updates. WSUS encrypts update metadata only; update files travel over HTTP and rely on Microsoft's signature and the hash carried in the metadata. This is the same way that Microsoft Update distributes updates. To use SSL when synchronizing with an upstream server, select the Use SSL when synchronizing update information check box. To remove a proxy server from the WSUS configuration, clear the check box for Use a proxy server when synchronizing.

If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. We can manually or automatically approve individual updates, as we'll see later. WSUS has the ability to publish custom update packages to update Microsoft and non-Microsoft products. With Allow local admin to choose setting, local administrators keep some choices; for example, they can choose a scheduled installation time.

Configure computer groups (see Computer groups in this topic). By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of the default groups, All Computers and Unassigned Computers.

This is the WSUS console, and this console will be factored towards whatever machine you happen to be plugging it into, which in my case is this machine, WSUS.

The software update point interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata.
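The two-port layout above (HTTPS for metadata, HTTP for content) is what the server-side SSL setup has to produce. The block below is an added example, not code from the page or from Microsoft, of doing that from PowerShell: bind a certificate to the 8531 listener, require SSL on the virtual directories that carry metadata and authentication, run wsusutil configuressl, open the client ports, and check the result. It assumes a certificate for the hypothetical name wsus.corp.example already sits in the machine's Personal store with its private key, and the WSUS 6.2+ default ports.

```powershell
# Added example: switch WSUS to SSL on 8531, keep content on 8530, open the firewall, verify.
# wsus.corp.example is a hypothetical name; the cert must be in LocalMachine\My, not CurrentUser.
$FQDN = 'wsus.corp.example'
Import-Module WebAdministration

# 1. Pick the newest server cert with a private key for that name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FQDN*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $FQDN in LocalMachine\My" }

# 2. Bind it to the HTTPS listener of the WSUS Administration site (create it if missing)
$binding = Get-WebBinding -Name 'WSUS Administration' -Protocol https -Port 8531
if (-not $binding) {
    New-WebBinding -Name 'WSUS Administration' -Protocol https -Port 8531 -IPAddress '*'
    $binding = Get-WebBinding -Name 'WSUS Administration' -Protocol https -Port 8531
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL only where metadata and authentication flow; Content stays HTTP because
#    update files are signed and hashed and clients fetch them on 8530 regardless.
foreach ($vdir in 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
                  'ServerSyncWebService', 'SimpleAuthWebService') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "WSUS Administration/$vdir" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# 4. Tell WSUS its SSL name (the certificateName argument must match the bound certificate)
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $FQDN

# 5. Clients connect inbound on both ports; synchronization is outbound and needs no rule
New-NetFirewallRule -DisplayName 'WSUS clients (TCP 8530/8531)' -Direction Inbound `
    -Protocol TCP -LocalPort 8530, 8531 -Action Allow | Out-Null

# 6. Verify: WSUS records that SSL is on, and the cert chains and matches the name
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' -Name UsingSSL
Test-Certificate -Cert $cert -Policy SSL -DNSName $FQDN
```

If Test-Certificate fails on the server it will fail on every client too, so fix the chain or the name before pointing clients at https://wsus.corp.example:8531.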
In this post we will cover how to install and configure Windows Server Update Services (WSUS) in Microsoft's Windows Server 2016. In the next article, we will configure the WSUS server role in Windows Server 2019.

Install the WSUS server role. Log on to the WSUS server by using an account that is a member of the WSUS Administrators group or the local Administrators group. In Server Manager, click Manage, and then click Add Roles and Features. On the Select installation type page, select Role-based or feature-based installation and click Next. On the Select server roles screen, scroll down and select Windows Server Update Services. If you plan on using a SQL Server database, tick the SQL Server Connectivity option first. Updates for the selected products will be stored on our WSUS server, so the more you pick the more disk space you will require. After you click Finish, the WSUS Management Console appears.

Go to Start, type CMD, right-click Command Prompt, and then click Run as administrator.

To obtain updates from Microsoft Update, the WSUS server uses port 443 for HTTPS. When you configure SSL on client computers, you should consider the following issues: you must include a URL for a secure port on the WSUS server. Where two proxy servers are in use, one proxy server is configured to use HTTP and the other proxy server is configured to use HTTPS; in this case, set one channel to use HTTP and the other channel to use HTTPS. Certificate Updates/Revocation.

Computer groups permit you to test and target updates to specific computers. There are two default computer groups: All Computers and Unassigned Computers. After you set up a client computer, it will take several minutes before the computer appears on the Computers page in the WSUS Administration Console. The Allow local admin to choose setting option lets local administrators use Automatic Updates in Control Panel to select a configuration option.
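The three policies this page walks through (Specify intranet Microsoft update service location, Configure Automatic Updates, Enable client-side targeting) reduce to a handful of registry values under the WindowsUpdate policy key. The block below is an added example, not from the original post, that writes them both ways: into a dedicated WSUS-only GPO for domain members, and directly into the local policy hive for a workgroup machine, then checks connectivity and forces detection. The server URL https://wsus.corp.example:8531, the GPO name and the target group Servers are assumptions.

```powershell
# Added example: the registry form of the WSUS client policies. URL, GPO and group names are
# hypothetical. Use the GPO part on a management host, the local part on a workgroup client.
$WsusUrl = 'https://wsus.corp.example:8531'   # HTTPS, and the port because it is not 443
$Group   = 'Servers'

# --- Domain members: a GPO that carries only WSUS settings (GroupPolicy module)
$gpo = 'WSUS Clients'
$wu  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) { New-GPO -Name $gpo | Out-Null }
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName WUServer           -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName WUStatusServer     -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName TargetGroupEnabled -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName TargetGroup        -Type String -Value $Group | Out-Null
# AUOptions: 2 = notify download/notify install, 3 = auto download/notify install,
#            4 = auto download/schedule install, 5 = allow local admin to choose
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName AUOptions    -Type DWord -Value 3 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName UseWUServer  -Type DWord -Value 1 | Out-Null
# Link it where the clients live, e.g.: New-GPLink -Name $gpo -Target 'OU=Servers,DC=corp,DC=example'

# --- Workgroup client: the same values, as the Local Group Policy editor would write them
$lwu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path "$lwu\AU" -Force | Out-Null
Set-ItemProperty $lwu -Name WUServer           -Value $WsusUrl
Set-ItemProperty $lwu -Name WUStatusServer     -Value $WsusUrl
Set-ItemProperty $lwu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty $lwu -Name TargetGroup        -Value $Group
Set-ItemProperty "$lwu\AU" -Name UseWUServer   -Value 1 -Type DWord
Set-ItemProperty "$lwu\AU" -Name AUOptions     -Value 3 -Type DWord

# --- On the client: reachable on the SSL port, and the issuing CA is in the MACHINE store
#     (Automatic Updates runs as SYSTEM; a CurrentUser-only import fails server authentication)
$uri = [uri]$WsusUrl
Test-NetConnection -ComputerName $uri.Host -Port $uri.Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*Corp Root CA*'   # hypothetical CA name
gpupdate /force
wuauclt.exe /detectnow     # on Windows 10 / Server 2016 and later: UsoClient.exe StartScan
```

Keeping the GPO limited to these values is what the "new GPO that contains only WSUS settings" recommendation means in practice: it can be linked, unlinked and audited without touching anything else.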
Once you have installed WSUS through either PowerShell or the GUI, we can proceed to configure WSUS. Now we are asked to connect to an upstream server; click the Start Connecting button to save the information entered so far. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates.

If you begin detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS.

Use the following procedure to create a new group and assign a computer to this group: in the WSUS Administration Console, under Update Services, expand the WSUS server, expand Computers, right-click All Computers, and then click Add Computer Group.
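The console procedure above, together with the approval step mentioned earlier, as an added example from the UpdateServices module (not the post's own code): create the group if it does not exist, move a client out of Unassigned Computers, approve only critical and security updates for that group, and list what is in it. The group name Servers and the client name app01.corp.example are assumptions; run it on the WSUS server as a WSUS administrator.

```powershell
# Added example: computer groups and targeted approvals. Group and computer names are hypothetical.
$wsus  = Get-WsusServer
$Group = 'Servers'

# Create the group under All Computers if it is not there yet
$tg = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $Group
if (-not $tg) { $tg = $wsus.CreateComputerTargetGroup($Group) }

# New clients land in Unassigned Computers on first contact (unless client-side targeting
# placed them); move the ones that belong here
Get-WsusComputer -NameIncludes 'app01.corp.example' |
    Add-WsusComputer -TargetGroupName $Group

# Approve critical and security updates that members still need, for this group only,
# so Unassigned Computers keeps nothing approved until someone looks at it
Get-WsusUpdate -Classification Critical, Security -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName $Group

# Who is in the group, and when did each machine last report?
$tg.GetComputerTargets() | Select-Object FullDomainName, IPAddress, LastReportedStatusTime
```

Approving per group rather than for All Computers is what makes the test-then-target workflow work: the same script run against a Pilot group first, then Servers, gives you the staged rollout the page describes without touching the console.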