Good morning my fellow readers. Today I am going to show you how to set up WSUS on Windows Server 2008 R2. WSUS is fantastic for centralising management of Windows Updates throughout your network. Installing a WSUS server makes deploying patches and security fixes much easier and so by default makes your life easier too!!
For the purpose of this tutorial I will be using Windows Server 2008 R2 SP1 with 1.5 Gb of RAM (you would use much more than this in a production environment).
Open up Server Manager. Right click on Roles and then click Add Roles.
When asked to select which roles you want to install click Windows Server Update Services and when prompted Add the additional roles that are required (eg Web Server IIS)
During installation you will be prompted to accept the license agreement and then you will be asked where do you want to store all the updates. Either choose a new folder or accept the defaultC:\\WSUS location.
You will now be asked to choose whether you want to install the Windows Internal Database or use an existing one instead. I tend to just install the database on the C drive in C:\\WSUS but the choice is yours.
Next you will be asked for your web site preference. You can use the default IIS web site to access WSUS over the network or you can specify your own one. Again I quite happily choose the default for this.
On the last page page review your options and then click next.
The installation itself takes a long time but once installed the first thing we need to do is synchronize the WSUS server with Microsoft Update (or another WSUS server on the network) so expandServer Manager – Windows Server Update Services – Update Services – Options – Update Source and Proxy Server.
For the purpose of this tutorial I will synchronise with Microsoft Update.
Next we have to choose which products to download updates for so click on Products and Classifications.
Choose all the products which you require updates for and click OK.
Next we have to decide what languages to download the updates in (if you select all available languages your downloads will take a long time and take up a loads of disk space). Click onUpdate Files and Languages and then the Update Languages tab. Choose your language and then click Apply.
We now need to decide when to check for new updates and when to download them. To accomplish this we need to click on Synchronization Schedule (shown below).
You can synchronize manually but it is better to synchronize automatically on a daily schedule. Once you have set your daily schedule click Apply.
With all the housekeeping done all that is left to do is to perfrom the initial synchronization so expand Server Manager – Windows Server Update Services – Update Services – Synchronize and then right click and go to Synchronize Now. This will start the synchronize process.
That is the configuration for the WSUS server complete.
Distributing Updates across the network
To accomplish this we need to set up a Windows Update Group Policy and then distribute it to all computers in the domain.
To do this expand Start – Administrative Programs – Group Policy Management. Once the Group Policy Management Console is open expand Group Policy Management – Forest – Domains – “your domain” – Group Policy Objects. Right click on Group Policy Objects and go toNew.
When the New GPO box appears eneter a name for the new GPO and then click OK. Your new GPO should be visible on the screen (as shown below). Right click on it and go to Edit.
Now in the left panel expand Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update to get the screenshot below.
The first setting to configure is Specify intranet Microsoft update service location. Right click and go to Edit.
As shown above set this to enabled. Enter the location of your WSUS Server where required and then click Apply.
The next setting to configure is Configure Automatic Updates. Set this to enabled and specify how the downloads should be installed and at what time. Once configured click Apply.
Next we have to configure the Automatic Updates Detection Frequency policy.
Enable the policy and set to 1 hr. Click Apply.
Last thing we need to do on the GPO front is link it to the domain.
The next time the computers on your domain restart their group policy settings will be updated and they will be pointed to the new WSUS server (screenshot of client computer shown below).