Windows Server Update Services (WSUS) can use a lot of resources, so why not use Windows Server Core and make the most of the resources you have. In this post I’ll go through the initial steps on how to deploy and configure a WSUS server using command line and PowerShell. Important note: If you need the to boot Windows Server 2016 ISO from a USB flash drive, use the Windows USB/DVD Tool available to download direct from Microsoft.
Installing Windows Server 2016 Core
Boot the server from the Windows Server 2016 media and on the Select the Operating System you want to install screen, select the option Windows Server 2016 Standard or Datacenter edition. The other options with Desktop Experience in brackets are the options for the other server editions with a GUI also installed. Important Note: You can no longer add and remove the GUI (Desktop Experience) with Windows Server 2016 as you could with Windows Server 2012 & 2012 R2. This is due to numerous problems with keeping the installation and removal process consistent with updates. With Windows Server 2016, the only way to add or remove the GUI is to re-install and select one of the server editions with the Desktop Experience option.
Once the install process has completed, you will be prompted with a command line window, and asked to set the Administrator password.
- Set the local Administrator password.
- Type sconfig to get the Server Configuration menu. It’s pretty straight forward.
- You’ll need to configure at least the Network Settings - IP address, subnet mask, gateway, and DNS.
- You may want to enable Remote Desktop.
- Add the server to the domain - you’ll be asked if you’d like to change the computer name, and prompted to restart the server.
- After the restart, log in as a user with administrator privileges to the server.
Tip: The sconfig menu is also present in the GUI version of Windows Server 2016, making initial configuration of new servers easier.
Additional Storage Configuration
You may want to configure additional locally attached disks or iSCSI/MPIO storage. Creating new volumes that are locally attached can be done via the diskpart command line tool. Below are the commands to create a new, NTFS formatted volume, with the drive letter of E:\ and the name “WSUS Content”, from a second disk in the server using the diskpart tool. First, run diskpart from the command line, then use the following commands:
iSCSI storage can be configured using the same GUI tools you would use in the GUI version of Windows Server. The MPIO feature must be installed before the tool is available. You can do this via PowerShell:
When MPIO is installed you can load the MPIO utility using mpiocpl. For the iSCSI utility you can use iscsicpl. iSCSI is installed as part of the base Windows Server 2016 feature set.
Install Windows Server Update Services (WSUS)
If you’ve just logged on to the server, type PowerShell into the command line window before running any of the commands below.
- First we need to install the WSUS feature:
Now we need to run some post install tasks.
- We’ll create a directory for the WSUS content on the E:\ drive.
- To configure WSUS to use the directory you just created and the Windows Internal Database (WID is based on SQL Express), run the following command:
- Alternatively you might want to use an external SQL server for the WSUS database, if so run the following command instead:
WSUS is now running and able to be configured further. This is possible with PowerShell, but not as straightforward as the installation above. For this next section I’ll be chickening out and using the GUI using the WSUS MMC on a Windows 10 admin PC. To obtain the WSUS MMC download and install the following:
- Remote Server Administration tools (RSAT) for Windows 10
- Microsoft Report Viewer 2012 Runtime redistributable
- Microsoft System CLR Types for Microsoft SQL Server 2012: x64 version, x86 version
In case the links to Microsoft System CLR Types fail in future, here is the main download page link. This page links to components from the Microsoft SQL Server 2012 Feature Pack, you need to go to the Install Instructions section and download the specific component you need.
Configuring Windows Server Update Services
Once you have downloaded and installed all the software listed above on your admin PC, you can continue with the configuration.
- Open the Windows Service Update Services Microsoft Management Console (WSUS MMC).
- You should see a Before You Begin wizard. Click Next.
- Join the Microsoft Update Improvement Program if you wish.
- Choose Upstream server, as this is the first WSUS server you’ll choose Synchronize from Microsoft Update.
- Specify the Proxy Server settings if needed.
- Click Start Connecting. This may take a while.
- Select the applicable languages for your environment.
- Select the applicable Products. I recommend selecting all products as we’ll only be downloading updates that we actually need.
- Select the Classifications. I recommend selecting all except Drivers and Driver Sets. Drivers in WSUS increase the size of the database immensely.
- Configure the Sync Schedule. I recommend leaving this on manual until setup and synchronisation has been completed.
- Check the Begin initial synchronization box. This may also take a while.
- Click Finish.
Once the initial configuration is complete, now we can start to configure WSUS for every day operation.
- In the WSUS MMC go to the Options node.
- Setup a Synchronization Schedule. I recommend once or twice a day, out of regular hours. Click OK.
- Go to Automatic Approvals.
- There’s a built-in rule to automatically approve Critical and Security updates, meaning that they will be downloaded and distributed via WSUS without any admin interaction. I recommend enabling this, but don’t run the rule.
- You may also want to add a rule for Definition Updates from Exchange, Office, and Windows Defender if applicable to you. Click OK.
- Now go to Computers.
- Set the option here to Use Group Policy or registry settings on computers and click OK.
- Go to E-Mail notifications and enable them if you want status reports and Emails about the new updates that have been synchronised. Click OK.
- In the WSUS MMC, go to the Computers node.
- Create the computer groups that you require here. I recommend a ‘pilot’ group and a ‘regular’ group both for client devices and servers.
Configuring Group Policy
To enable your clients to get updates from WSUS using the settings above, you’ll need to configure the group policy for them.
- Open the Group Policy Management MMC and go to the Group Policy Objects node.
- Right click on the node and select New to create a new GPO for WSUS. Give it a name and click OK.
- Right click on the new GPO and click Edit to open it.
- Navigate to Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update
- Go to the setting Specify intranet Microsoft update service location.
- Set it to http://WsusServer.Contoso.com:8530 in both text boxes.
- Go to Enable client-side targeting and enter the name of a group that you created in WSUS.
- For multiple groups, repeat steps 2 - 7 for each group.
- You can use Active Directory Security Groups to control which client devices get which GPO and therefore go into the desired WSUS group.
There lots of other settings in GPO to configure Windows Update that I recommend taking a look, specifically Configure Automatic Updates which controls when client devices install updates.
After some time (approximately 24 hours) your client devices should have contacted the WSUS server and be in the correct group. Now you need to approve the updates required for your environment.
- On the overview of your WSUS server, click on Updates needed by computers.
- Change the drop down menu Approval to Unapproved and wait for the list to refresh.
- Right-click on the Title bar and enable the Supersedence column.
- Click on the very tiny Supersedence column to sort the updates by Supersedence.
- Approve the top critical, security and any other updates you want to be installed on your client devices.
- Once the client devices have downloaded, installed, and reported back to the WSUS server, you will have a better idea if any more updates are required.
Maintenance and Troubleshooting
Keeping WSUS running over time requires some maintenance. I created a custom PowerShell script that runs every day to perform the maintenance on the database. More specifically it declines and deletes old updates, and old computers. It can also e-mail a notification with information about it’s clean up run. My script is available on the Microsoft TechNet Gallery, the PowerShell Gallery and I’ve also posted about it here. You can also clean up the WSUS database manually using the Server Cleanup Wizard found in Options. Here are the PowerShell commands to do this:
You may sometimes encounter an error when trying to connect to the WSUS server using the MMC. Error: Unexpected Error, and appears as Event ID 7053 in Event Viewer.
I’ve known this error to occur frequently. To combat it we must reconfigure some IIS AppPool settings relating to WSUS, but as this is a Windows Server Core installation the regular IIS configuration tool isn’t available. Luckily, we can do this using PowerShell: Log on to the WSUS server with an administrative account and run PowerShell from the command line, then type the following commands:
Finally, you can also try the following command, if needed:
I take great care to test my ideas and make sure my articles are accurate before posting, however mistakes do slip through sometimes. If you’d like to get in touch with me please use the comments, Twitter (you can tweet me and my DMs are open) or my contact form. I hope this article helps you out, please consider supporting my work here. Thank you.