The first difference with WSUS on Windows Server 2012 is that WSUS is now a feature. To install WSUS on Windows Server 2012:
- Install the WSUS feature and any associated required features and services it requests
- Choose a type of database, either WID database or SQL database
- Choose a location for the database and credentials if required
- Wait for the WSUS install to complete
- Launch Windows Server Update Services from the start menu
- Click Run to set the database location and whether updates will be downloaded locally (recommended if you have the space – you’ll need about 50Gb)
- Click Close when it’s finished
- Keep hitting Next following the wizard to install WSUS
- You may wish to use an upstream WSUS server if you have one; otherwise, synchronizing with Microsoft Update is recommended
- Set any proxy details required to access the internet (Click Start Connecting to get information about updates available to the WSUS catalogue)
- Hit Next and choose the language, products and update classifications that you’d like to download updates for
- Configure a synchronization schedule for WSUS to download updates
- You may at this point configure WSUS to use SSL. This is beyond the scope of this article, but I imagine you’d do this through Server Certificates in IIS…
This completes the installation of WSUS on Windows Server 2012. Next, you have to point the clients to the WSUS server to get their Windows Updates. My preference is to do this with a group policy. To point clients to the WSUS server:
- In the WSUS server, open Computers -> All Computers and create new computer groups to allocate update policies to. How many groups you create will depend on your Windows Update policy. You may wish to have only one group and put all the computers on the same update schedule, or you may wish to set different update schedules and policies for each department… As a basic, my preference is to create a group for workstations and servers. The servers group I set to download updates automatically but install manually; the workstations I set to download and install automatically; and laptops in the organisation I set as the workstations, but to get their updates from the internet rather than the WSUS server. The trick is to create fewer groups so it’s easier to administer.
- Once you’ve created your computer groups in WSUS, the next thing to do is create Group Policies for each group. To do this, open the AD Group Policy Management tool and create a new policy for each computer group in WSUS. Link the GPOs to the appropriate OUs in AD.
- Edit each GPO and choose appropriate settings for the computer group targeted. The WSUS settings can be found here:
Computer Configuration -> Policies -> Windows Components -> Windows Update
At the very least, you will need to enable Client-side targeting, pointing computers to the computer group you created in WSUS, and Specify intranet Microsoft update service location, giving the URL of the WSUS server. Finally, you will probably want to set the Configure Automatic Updates GPO setting.
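To confirm on a client that these three settings actually applied, you can read back the registry values the policy writes. This is an added example, not part of the original article; the function name Get-WsusClientPolicy is hypothetical, and the server name wsus01.example.local and group name Workstations are assumed placeholders.

```powershell
# Added example (not from the original article): read back the Windows Update
# policy that the GPO wrote to this client and compare it with what you intended.
function Get-WsusClientPolicy {
    param(
        # Assumed values for illustration only; substitute your own server and group.
        [string]$ExpectedServer = 'http://wsus01.example.local:8530',
        [string]$ExpectedGroup  = 'Workstations'
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    if (-not $wu) {
        Write-Warning "No Windows Update policy on $env:COMPUTERNAME; the GPO has not applied."
        return
    }

    # Meaning of the AUOptions value written by Configure Automatic Updates
    $auOptions = @{
        2 = 'Notify for download and install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $auMode = 'Not configured'
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $auMode = 'Disabled'
    } elseif ($au -and $auOptions.ContainsKey([int]$au.AUOptions)) {
        $auMode = $auOptions[[int]$au.AUOptions]
    }

    # Normalise a trailing slash so the comparison is not tripped by formatting
    $server = "$($wu.WUServer)".TrimEnd('/')
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        WUServer         = $wu.WUServer          # Specify intranet update service location
        WUStatusServer   = $wu.WUStatusServer
        UseWUServer      = ($au -and $au.UseWUServer -eq 1)
        ServerMatches    = ($server -eq $ExpectedServer.TrimEnd('/'))
        UsesHttps        = ($server -like 'https://*')   # True only if WSUS is set up for SSL
        TargetingEnabled = ($wu.TargetGroupEnabled -eq 1) # Client-side targeting
        TargetGroup      = $wu.TargetGroup
        GroupMatches     = ($wu.TargetGroup -eq $ExpectedGroup)
        AutomaticUpdates = $auMode
    }
}

Get-WsusClientPolicy | Format-List
```

Run it on the client after a group policy refresh; a False in ServerMatches or GroupMatches usually means the computer sits in an OU the GPO is not linked to.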
WSUS setup FAQ
Probably the most asked question when installing and setting up WSUS is What is the URL of my WSUS server? Well, this is difficult to answer, because it’s whatever you set the URL to be 🙂 The WSUS URL is made up of the server name and a port number. The port number you would have specified in the installation. By default the WSUS port is 8530, making the WSUS server URL:
If you don’t know the port number, you can get this from IIS. Simply go to IIS (Start -> Run, then type inetmgr) and drill down to the WSUS Administration website. Select this and click Bindings on the action pane. The port you selected will be listed here.
The next most asked question would be How to change my WSUS port number? Well, start IIS, select the WSUS Administration website and click Bindings on the action pane. You can change the WSUS port number here.
Another question that seems to be asked a lot is how to force a client to check in with WSUS? Forcing a client to check in with WSUS is a great way to troubleshoot WSUS or see if it’s working. To force a client to check in with WSUS, update the group policy on the client then run the following command in the command prompt:
To help remember the command, it stands for Windows Update Automatic Update Client. Be aware that it doesn’t return a response when you run the command… You just have to have faith that the command caused the client to check in with WSUS 🙂
If you have any other WSUS questions, tips or tricks, please feel free to leave a comment. I may also make a How to change the WSUS database location article if I get around to it…