Keeping clients and servers updated is one of the basic rules of Information Technology. There are many ways to update computers depending on the size of your company. In the end, there are three possibilities:
- Managed with default Windows Update
- Managed with WSUS
- Managed with SCCM
The last one is used by medium to large companies because System Center Configuration Manager is not only a patch manager but a full platform for administering the entire IT infrastructure. In this article we will see how to manage clients and servers with WSUS.
Windows Server Update Services has been a role in Windows Server since 2008, but it has existed since 2001 under the name Software Update Services. WSUS enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to the computers in a corporate environment.
Install and Configure WSUS
To enable WSUS, it is necessary to select the related role in Server Manager, as shown in figure 1.
Leave all the settings at their default values, but select which role services must be installed (figure 2). The classic configuration uses the Windows Internal Database, based on SQL Express, which is fully managed by Windows.
To increase performance, it's possible to use SQL Server. This reduces the load (CPU and RAM) on the WSUS machine and is also useful when there are many computers. Obviously, this has a cost, unless you already own a SQL Server license.
In the last tab of this wizard you have to select the path where WSUS will store the updates. The filesystem in this path must be NTFS and the size should be at least 150GB. If you use a virtual machine, add a dedicated disk used only for WSUS.
Confirm all the selections and close the wizard. At the end of this procedure, you will be able to open the WSUS console from the start menu.
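The same installation done from PowerShell, as an added example that is not part of the original article: it checks the content volume against the NTFS and 150GB requirements stated above, installs the role services the default wizard selects (WSUS, Windows Internal Database, web services) and runs the post-installation task. The content path D:\WSUS is an assumption.

```powershell
# Added example (not from the original article): install the WSUS role with the
# Windows Internal Database and point the content store at a dedicated NTFS volume.
# Assumed values: content path D:\WSUS; the 150 GB minimum comes from the article.
#Requires -RunAsAdministrator

$ContentDir   = 'D:\WSUS'        # assumed: dedicated disk for update content
$MinSizeBytes = 150GB            # minimum recommended by the article

# Pre-check: the content volume must be NTFS and large enough.
$drive  = Split-Path -Qualifier $ContentDir          # e.g. 'D:'
$volume = Get-Volume -DriveLetter $drive.TrimEnd(':')
if ($volume.FileSystem -ne 'NTFS') {
    throw "Content volume $drive is $($volume.FileSystem); WSUS requires NTFS."
}
if ($volume.Size -lt $MinSizeBytes) {
    throw "Content volume $drive is $([math]::Round($volume.Size / 1GB)) GB; at least 150 GB is recommended."
}
if (-not (Test-Path $ContentDir)) { New-Item -ItemType Directory -Path $ContentDir | Out-Null }

# Install the role services the wizard selects by default:
# WSUS itself, the Windows Internal Database, and the web services.
# For a full SQL Server back end, replace UpdateServices-WidDB with UpdateServices-DB.
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services `
    -IncludeManagementTools

# The post-installation task creates the database and the content folder.
# With SQL Server add: SQL_INSTANCE_NAME="sqlhost\instance" (assumed name).
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }

# Sanity check: the WSUS service should now be running.
Get-Service WsusService | Select-Object Name, Status
```

The pre-check is the part worth keeping even if you install through Server Manager: a content folder on a FAT volume or an undersized disk is the usual cause of a WSUS server that stops downloading after a few months.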
The WSUS configuration wizard allows you to configure:
- Upstream Server: whether this server is the master or synchronizes from another source
- Language of Updates
- Products to manage
- Schedule Time (I suggest at least 4 syncs per day)
I will not go over the details because they're very easy. The only point that I want to clarify is the Classifications step, because it's necessary to select all the checkboxes to provide updates for everything. On the Products step, I will select only Windows Server 2019, but you should choose the operating systems and software you have in your infrastructure.
Note: remember that Office 365 ProPlus cannot be managed via WSUS. The product is present in the catalog but unless you have SCCM, there’s no way to provide updates for it. More details are available in this article: https://blogs.technet.microsoft.com/wsus/2016/04/13/office-365-client-updates-via-wsus/
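The wizard choices above (products, classifications, schedule) made from PowerShell instead, as an added example that is not part of the original article. It uses the UpdateServices module on the WSUS server itself; Windows Server 2019 as the only product matches the article, while the 01:00 start time and the sync loop are assumptions.

```powershell
# Added example (not from the original article): the configuration wizard's
# choices made with the UpdateServices module on the WSUS server.
# Assumed: Windows Server 2019 as the only product, 4 syncs per day, first at 01:00 UTC.
Import-Module UpdateServices

$wsus         = Get-WsusServer          # local server, default port 8530
$subscription = $wsus.GetSubscription()

# Products: enable only what exists in the infrastructure.
Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Windows Server 2019' } |
    Set-WsusProduct

# Classifications: the article's advice is to select all of them so every
# update type (critical, security, definitions, ...) is offered.
Get-WsusClassification | Set-WsusClassification

# Schedule: automatic synchronization, 4 runs per day starting at 01:00.
$subscription.SynchronizeAutomatically          = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 1
$subscription.NumberOfSynchronizationsPerDay    = 4
$subscription.Save()

# Kick off the first synchronization and report progress until it finishes.
$subscription.StartSynchronization()
do {
    Start-Sleep -Seconds 30
    $progress = $subscription.GetSynchronizationProgress()
    Write-Host ("{0}/{1} items, phase {2}" -f $progress.ProcessedItems, $progress.TotalItems, $progress.Phase)
} while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# Confirm the result of the last run (Succeeded, Failed, ...).
$subscription.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result
```

Scripting this step also makes the product list reviewable: a product that is no longer in the estate (an old client OS, an unused Office version) keeps pulling catalog entries and content until someone unticks it, so keeping the list in a script beside the GPOs is an easy way to keep it honest.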
While WSUS is synchronizing the catalog, we have time to create the Group Policy that sets our computers to use the local server to fetch updates. This is an important aspect because there are many articles about the strategy to apply. It's a must to set the auto-install policy for clients, but for most servers you should set download-only mode and install the updates manually during non-business hours; you could also have a bunch of servers that can be installed automatically (it depends on whether there's a critical Line-of-Business application).
Create a new GPO called Manage WSUS – Server (for clients it can be Manage WSUS – Client) in the OU where the servers are located. Don't forget the Domain Controllers OU, to avoid each DC downloading the patches from outside.
The parameters to manage updates are available in the folder Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update.
The most important settings to change are:
- Configure Automatic Updates: Enabled – Auto download and notify for install – Every day
- Specify intranet Microsoft update service location – Enabled – set the WSUS path in FQDN format (ex. http://myserver.contoso.com:8530) in both rows
- Automatic Updates detection frequency – Enabled – set interval every 1 hour
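The three settings above written to the server GPO with the GroupPolicy module, as an added example that is not part of the original article. The registry values are the ones the Windows Update administrative template sets (WUServer, WUStatusServer, UseWUServer, AUOptions, DetectionFrequency); the WSUS URL is the article's, and the OU distinguished name is an assumption. For the client GPO change AUOptions from 3 to 4 so installs run on the schedule. A note from the defender's side: the http URL means clients cannot verify the server they download from, so once WSUS has a server certificate switch the URL to https on port 8531.

```powershell
# Added example (not from the original article): create the "Manage WSUS - Server"
# GPO with the three settings listed in the article, using the GroupPolicy module
# on a domain-joined admin host. Assumed: the WSUS URL from the article and the OU path.
Import-Module GroupPolicy

$GpoName  = 'Manage WSUS - Server'
$WsusUrl  = 'http://myserver.contoso.com:8530'   # from the article; prefer https://...:8531 once a certificate is in place
$TargetOu = 'OU=Servers,DC=contoso,DC=com'       # assumed OU distinguished name

$wuKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "Specify intranet Microsoft update service location": both rows get the same URL.
Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'UseWUServer'    -Type DWord  -Value 1        | Out-Null

# "Configure Automatic Updates": Enabled; AUOptions 3 = auto download and notify
# for install (servers). Use 4 = auto download and schedule the install for clients.
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 3 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null   # 0 = every day
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null   # 03:00

# "Automatic Updates detection frequency": every 1 hour.
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'DetectionFrequencyEnabled' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName 'DetectionFrequency'        -Type DWord -Value 1 | Out-Null

# Link to the OU that holds the servers (repeat for the Domain Controllers OU).
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null }

# Show what the GPO now carries.
Get-GPRegistryValue -Name $GpoName -Key $auKey | Select-Object ValueName, Value
```

Keeping the GPO in a script has a second benefit: the WUServer value is exactly what an attacker who controls the network path would want to change, so a periodic comparison of the live GPO against this script is a cheap detection for tampering with the update source.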
To better manage the computers, WSUS uses logical groups to deploy approved updates. A single computer can be a member of many groups; thus, you can deploy patches based on scope. To create a new group, right-click on Computers – All Computers and select Add Computer Group – figure 6.
Note: the group name cannot be changed after creation, so decide on the naming convention before starting.
To assign one or more computers to a group, select it and choose Change Membership, as shown in figure 7.
Once you have assigned clients and servers to the target groups, we can proceed to approve updates. From the area Updates – All Updates we can see all of the patches that should be deployed in our infrastructure. We suggest you change the table view – figure 8 – by adding the columns Supersedence and Needed Count. This helps you get rid of old updates and understand how many computers need a specific update.
Remember to decline all the updates that are already expired: you can find them by the icon shown in the Supersedence column – figure 9.
To approve the updates, right-click on them and then on Approve – figure 10.
Select the target group to apply the updates – figure 11 – and click OK.
WSUS will start to download the packages from the Microsoft Update Catalog – figure 12. The execution time depends on your Internet connection. After this, the endpoints will be able to detect the new updates from WSUS.
Install Updates on Clients
Open the Windows Update panel on your machine and check for new items. As you can see, there's a warning message informing us that the settings have been overridden by the administrator.
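The group, membership, decline and approval steps of figures 6 to 12 as one script, an added example that is not part of the original article. It runs on the WSUS server with the UpdateServices module; the group name "Servers - Manual" and the member srv01.contoso.com are assumptions. It goes a little beyond the figures in one respect: the decline step finds superseded and expired updates by property instead of by icon, which is the same check the Supersedence column visualizes.

```powershell
# Added example (not from the original article): computer groups and approvals
# with the UpdateServices module on the WSUS server.
# Assumed names: computer group "Servers - Manual", member srv01.contoso.com.
Import-Module UpdateServices

$wsus      = Get-WsusServer
$GroupName = 'Servers - Manual'         # assumed; a group cannot be renamed later
$Member    = 'srv01.contoso.com'        # assumed FQDN of a server already reporting to WSUS

# 1. Create the computer group if it does not exist (figure 6).
$group = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $GroupName
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($GroupName) }

# 2. Change membership (figure 7). Add-WsusComputer adds a membership without
#    removing the others, so one computer can sit in several groups.
Get-WsusComputer -NameIncludes $Member | Add-WsusComputer -TargetGroupName $GroupName

# 3. Decline updates that are superseded or expired (figure 9) so they stop
#    counting as "needed" and stop consuming disk space.
$stale = Get-WsusUpdate -Classification All -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.IsSuperseded -or $_.Update.PublicationState -eq 'Expired' }
$stale | Deny-WsusUpdate
"Declined {0} superseded/expired updates" -f @($stale).Count

# 4. Approve what the group's members still need (figures 10 and 11).
#    Review $needed before this step if you approve selectively per group.
$needed = Get-WsusUpdate -Classification All -Approval Unapproved -Status FailedOrNeeded
$needed | Approve-WsusUpdate -Action Install -TargetGroupName $GroupName
"Approved {0} updates for {1}" -f @($needed).Count, $GroupName

# 5. Watch the download (figure 12): bytes still missing from the content folder.
$wsus.GetContentDownloadProgress() | Select-Object TotalBytesToDownload, DownloadedBytes
```

The FailedOrNeeded filter is what the Needed Count column shows, so the approval set matches what the console would list; the point of step 3 is that a superseded update left approved is still offered to clients that have not installed its replacement yet, which is why the article asks you to decline them first.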
If you choose to download and install the updates, the task will run during the period selected in the GPO. Otherwise, the updates will be available for install.
In the Options area, there's a great tool to clean your server: the Server Cleanup Wizard. For example, it can delete expired updates or computers no longer present in your environment. It's important to run this wizard at least once a month to keep the database small and avoid wasting disk space.
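A client-side check, as an added example that is not part of the original article: run on a domain-joined machine, it confirms that the GPO reached it (the same state that produces the "overridden by the administrator" message), shows which update service the agent actually uses, and forces a detection instead of waiting for the hourly interval. The expected URL is the article's.

```powershell
# Added example (not from the original article): verify the WSUS policy on a
# client or server and trigger a scan. Assumed: the WSUS URL from the article.
$Expected = 'http://myserver.contoso.com:8530'
$wu = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue

if (-not $wu -or $wu.WUServer -ne $Expected -or $au.UseWUServer -ne 1) {
    Write-Warning "WSUS policy not applied (WUServer='$($wu.WUServer)'); run gpupdate /force and check the GPO link."
} else {
    "Client points at $($wu.WUServer); AUOptions=$($au.AUOptions), detection every $($au.DetectionFrequency) h"
}

# The Windows Update agent exposes which service it is actually registered with;
# with the policy applied, the managed WSUS entry is the default AU service.
$mgr = New-Object -ComObject Microsoft.Update.ServiceManager
$mgr.Services | Where-Object IsDefaultAUService | Select-Object Name, ServiceID, IsManaged

# Force a scan now instead of waiting for the detection interval.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

A machine that passes the registry check but still shows Microsoft Update as its default service has usually not restarted the Windows Update service since the policy arrived; restarting wuauserv makes the agent re-read the policy.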
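The same cleanup run non-interactively and scheduled, as an added example that is not part of the original article. Invoke-WsusServerCleanup exposes the wizard's options as switches; the schedule (every fourth Sunday at 02:00, running as SYSTEM) and the log path are assumptions.

```powershell
# Added example (not from the original article): the Server Cleanup Wizard's
# options run from PowerShell and registered as a scheduled task so the monthly
# housekeeping is not forgotten. Assumed: runs as SYSTEM every fourth Sunday at 02:00.
$script = @'
Import-Module UpdateServices
Get-WsusServer | Invoke-WsusServerCleanup `
    -CleanupObsoleteComputers `
    -CleanupObsoleteUpdates `
    -CleanupUnneededContentFiles `
    -CompressUpdates `
    -DeclineExpiredUpdates `
    -DeclineSupersededUpdates |
    Out-File -FilePath "$env:ProgramData\WsusCleanup.log" -Append
'@
$scriptPath = "$env:ProgramData\WsusCleanup.ps1"   # assumed location
Set-Content -Path $scriptPath -Value $script

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Sunday -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'WSUS Monthly Cleanup' -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Run it once by hand; the cmdlet writes a line per category ("Obsolete Updates Deleted: ...").
Start-ScheduledTask -TaskName 'WSUS Monthly Cleanup'
```

On a server that has never been cleaned the first run can take hours and hold locks on the database, which is why it belongs in the same off-hours window as the movecontent operation described below.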
Migrate Content Folder
If you want to migrate the repository folder, you can follow these steps:
- Open a command prompt in the WSUS Tools directory (ex. C:\Program Files\Update Services\Tools)
- Run the command: wsusutil.exe movecontent "new path for content" "path for log file"
This operation can take several hours, so make sure to run the command outside business hours.
If you want to migrate your database to a remote database such as SQL Server, follow the official documentation on Microsoft Docs: https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/wid-to-sql-migration
Windows Server Update Services should be a must-have in every company to automate and simplify patch management. As we saw, in just a few steps we installed and enabled the roles needed to provide updates to all the computers in our infrastructure.