• 12 hours
  • Medium


Last updated on 6/1/22

Deploy Updates With WSUS

Windows Update delivers updates for Windows itself and for many other Microsoft products: security fixes, feature updates, and drivers for common hardware. It is a powerful mechanism, and every organization needs to deploy those updates correctly and on its own terms. That is where WSUS comes in.

What Is WSUS?

If you use Windows on your personal computer, you will be familiar with Microsoft's update service, Windows Update (or Microsoft Update, when it also covers other Microsoft products). For the everyday user, however, this service can be unpredictable: it decides for itself when to restart your computer, and the October 2018 Windows 10 feature update (version 1809) showed how risky that can be, since a bug in it could delete files from users' profile folders before Microsoft pulled and corrected it. You can read more about it in this article.

Windows Update on Windows 10

WSUS (Windows Server Update Services) is the administrators' counterpart to that public, Microsoft-managed service. It is a role you install on your own Windows Server: the WSUS server synchronizes update metadata and files from Microsoft's servers (or from another WSUS server upstream) once, and you then decide which updates to approve, for which groups of computers, and when they are distributed.

You take back control over the update cycle of your IT equipment, which makes WSUS the right tool for avoiding update-related problems with users.

Managing updates is a complex topic, and its benefits are often hard to explain. Unfortunately, this goes for business users too.

Imagine that a manager at Gift Ltd. has their work interrupted with a notification to run an operating system update:

  • They don’t have the time (some major updates can take several hours).

  • They don’t know what impact the update will have (some updates correct vulnerabilities but impact compatibility with other software). 

With all this in mind, it’s essential to have updates under control.

Install the WSUS Role

Once again, head to Server Manager and install the WSUS role.

More precisely, you need the WSUS Services role service. Server Manager will tell you that several other features are required: WSUS is served over HTTP by IIS (Web Server role components), and it stores its metadata in a database, the Windows Internal Database (WID) by default or a SQL Server instance you point it at. Clients download from it using BITS (Background Intelligent Transfer Service), which is what keeps the bandwidth usage low. Getting and deploying updates depends on all of these.

Think carefully about how to structure this service in production. It consumes a lot of disk space (the update content store), and its database grows with the metadata it keeps for every update: the patch files themselves, a description, impact information (in particular whether a reboot is required), and category and target information. Put the content directory on a dedicated data volume rather than on the system drive.
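The same role installation done from PowerShell, as an added example that is not part of the original course. It assumes the content store should go to D:\WSUS on a data volume (an assumed path; change it to suit your server) and uses the Windows Internal Database, which is what the Server Manager wizard picks by default.

```powershell
# Added example (not from the original course): install the WSUS role with the
# Windows Internal Database and initialize it with a content store on a data
# volume. Run in an elevated PowerShell session on the future WSUS server.
# Assumption: the data volume is D: and the content directory is D:\WSUS.

$ContentDir = 'D:\WSUS'   # assumed path; keep update content off the system drive

# Sanity check: a WSUS content store grows to tens of GB, so refuse a small volume.
$drive = Get-PSDrive -Name ($ContentDir.Substring(0, 1))
if ($drive.Free -lt 40GB) {
    throw "Only $([math]::Round($drive.Free / 1GB)) GB free on $($drive.Name): - pick a larger volume for $ContentDir"
}
New-Item -ItemType Directory -Path $ContentDir -Force | Out-Null

# Install the role: 'UpdateServices' pulls in WSUS Services, the WID role service
# and the IIS components that Server Manager would have added for you.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Server Manager's "post-installation tasks" step, done explicitly: it creates the
# database and the content directory. Add SQL_INSTANCE_NAME=host\instance if you
# installed the SQL Server Connectivity role service instead of WID.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir

# Verify: the WSUS service is running and the default HTTP port (8530/tcp) is listening.
Get-Service -Name WsusService | Select-Object Name, Status
Get-NetTCPConnection -State Listen -LocalPort 8530 | Select-Object LocalAddress, LocalPort
```

Once this completes, the WSUS console (Tools > Windows Server Update Services in Server Manager) opens on the same screen as in the course, and the configuration wizard starts.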

You should end up on the following screen for the freshly-installed WSUS tool:

WSUS management tool

There is a management tree on the left, with one node for each area:

  • Updates: the updates your server has retrieved, with their approval state and installation status.

  • Computers: the computers correctly configured as clients, organized into target groups.

  • Downstream Servers: any other WSUS servers that synchronize from this one. This is how you build a hierarchy to raise the security level: for example, an upstream WSUS server in the DMZ fetches the updates from Microsoft's servers, and a downstream WSUS server on the LAN serves the clients.

  • Synchronizations: synchronization history and configuration.

  • Reports.

  • Options.

Let’s consider the options before attempting anything.

WSUS options

Here, you can manage your server options, some of which you need to configure carefully:

  • Update Source and Proxy Server: where you configure how the server gets its updates: directly from Microsoft Update, through a proxy if your internet access goes through one, or from an upstream WSUS server (for example, one placed in the DMZ).

  • Products and Classifications: the most important WSUS option. It lets you choose which Microsoft products, out of a very long list (Windows versions, SQL Server, Office, and so on), you retrieve updates for. Only tick what is actually deployed: every extra product means more metadata to synchronize and more disk space.

Products covered by Microsoft Update

You can select the Microsoft products installed in your environment (a long list). Classifications then let you target the kinds of updates you want for the selected products: Critical Updates, Security Updates, Definition Updates, Drivers, Feature Packs, Service Packs, Update Rollups, Upgrades, and so on:

Update classification

With these two tabs, you have full control over the scope of the next round of equipment updates. For example, you can retrieve only critical and security updates for your devices (which is what I have done here).

  • Update Files and Languages: here you limit bandwidth and disk usage by choosing how update files are handled (store them on the server or let clients fetch them from Microsoft Update, download files only once an update is approved, and whether to also download express installation files) and which languages to download (restrict this to the languages you actually deploy; downloading every language multiplies the size of the content store).

  • Synchronization Schedule: where you schedule the server's synchronization (the retrieval of update metadata and files from Microsoft Update) by choosing a start time and the number of synchronizations per day (1 to 24). Schedule it carefully, outside business hours, as it eats up a lot of bandwidth.

  • Automatic Approvals: this option is what makes WSUS a must-have in a Microsoft environment. You can automatically approve certain updates for certain groups of computers. For example, you can approve security and critical updates automatically for a group of "test" client computers, leave driver updates unapproved until you have tested them on that same group, and only then approve them for the rest of your inventory. WSUS ships with a default rule that approves critical and security updates for all computers, but it is disabled until you enable it.

Automatic approval for certain updates
Edit rule

  • Computers: this option lets you choose how computers are assigned to target groups: server-side (you move them by hand in the WSUS console) or client-side (each computer names its own group through Group Policy or registry settings). Client-side targeting is the better choice with a lot of equipment; note that the group name sent by the client is ignored unless you select that mode here. 

  • Server Cleanup Wizard: housekeeping. It removes unneeded update files and revisions, declines expired and superseded updates, and deletes computers that have not contacted the server for 30 days or more. Run it regularly to keep disk usage and database size under control. 

  • Reporting Rollup: lets replica downstream servers roll up their computer and update status reports to this server. 

  • E-Mail Notifications: sends you email notifications of new updates and status reports, based on the criteria you set.

  • Microsoft Update Improvement Program: you can grant or withhold permission to send anonymized data about your WSUS usage to Microsoft. 

  • Personalization: these options let you customize which tasks you see on your WSUS console. 

  • WSUS Server Configuration Wizard: reruns the initial configuration of the WSUS server, ending with the first update synchronization.
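The options above, set from PowerShell on the WSUS server instead of through the console: an added example that is not part of the original course. The UpdateServices module cmdlets and the Microsoft.UpdateServices.Administration API it exposes are Microsoft's; the product titles, the language, the 02:00 synchronization time, the group name CLIENTS-W10-Test and the rule name are assumptions you should adapt.

```powershell
# Added example (not from the original course): configure Update Source,
# Products and Classifications, Update Files and Languages, Synchronization
# Schedule, Computers (targeting mode) and Automatic Approvals from PowerShell.
# Assumptions: local WSUS on the default HTTP port 8530; product titles, language,
# group and rule names below are examples.
Import-Module UpdateServices
$wsus = Get-WsusServer -Name localhost -PortNumber 8530

# Update Source and Proxy Server: synchronize directly from Microsoft Update.
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU

# Products and Classifications: clear everything, then enable only what is deployed.
Get-WsusProduct -UpdateServer $wsus | Set-WsusProduct -Disable
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -in @('Windows 10', 'Windows Server 2019') } |   # assumed titles
    Set-WsusProduct
Get-WsusClassification -UpdateServer $wsus | Set-WsusClassification -Disable
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in @('Critical Updates', 'Security Updates', 'Definition Updates') } |
    Set-WsusClassification

# Update Files and Languages: keep files local, fetch them only for approved updates, one language.
$config = $wsus.GetConfiguration()
$config.DownloadUpdateBinariesAsNeeded = $true    # "download only when updates are approved"
$config.DownloadExpressPackages = $false          # express files trade server disk for client bandwidth
$config.AllUpdateLanguagesEnabled = $false
$langs = New-Object System.Collections.Specialized.StringCollection
[void]$langs.Add('en')                            # assumed language
$config.SetEnabledUpdateLanguages($langs)
# Computers: client-side targeting, so the TargetGroup sent by GPO/registry is honoured.
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()

# Synchronization Schedule: once a day at 02:00 (the API takes this time in UTC), outside business hours.
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2
$sub.NumberOfSynchronizationsPerDay = 1
$sub.Save()

# The test target group that the approval rule below is scoped to (created only if missing).
$groupName = 'CLIENTS-W10-Test'
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# Automatic Approvals: auto-approve Critical and Security updates, but only for the test group.
# Production groups are approved by hand after the test ring has reported back.
$ruleName = 'Auto-approve security to test ring'
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -in @('Critical Updates', 'Security Updates') } |
    ForEach-Object { [void]$classes.Add($_) }
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($group)
$rule.SetUpdateClassifications($classes)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# Start the first synchronization now instead of waiting for the scheduled time.
$sub.StartSynchronization()
```

Scoping the automatic rule to the test group is the point of the example: it gives you the "approve automatically, then deploy after testing" workflow the Automatic Approvals option describes, without ever letting an untested update reach the whole inventory.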

Use the WSUS Role

Now that you are familiar with these options and have a basic idea of how WSUS works, let's implement a policy. By default, your server has no clients, so let's add one: the WSUS server itself.

To do this, you have two options:

  1. Use Group Policy (GPOs) if you have Active Directory: that is what they are for.

  2. Write the same settings into the Windows Registry if you do not have Active Directory (don't worry, it happens).

Add WSUS Clients Using GPO

This method is recommended, especially if you have a sizable amount of equipment. Create a GPO, link it to the OU that contains the computers, and enter the settings under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. Two of them are mandatory: Configure Automatic Updates, and Specify intranet Microsoft update service location (the URL of your WSUS server, including its port: 8530 for HTTP or 8531 for HTTPS on a default installation). The others tune the client's behaviour: 

  • Do not display ‘Install Updates and Shut Down’ option in the Shut Down Windows dialog box.

  • Do not adjust the default option to ‘Install Updates and Shut Down’ in the Shut Down Windows dialog box.

  • Configure Automatic Updates.

  • Specify intranet Microsoft Update service location.

  • Automatic Updates detection frequency.

  • Allow non-administrators to receive update notifications.

  • Allow Automatic Updates immediate installation.

  • Turn on recommended updates via Automatic Updates.

  • No auto-restart with logged on users for scheduled automatic updates installations.

  • Allow signed content from intranet Microsoft update service location.

  • Enable client-side targeting (the name of the WSUS target group the computer reports itself in; only honoured if Options > Computers on the server is set to use Group Policy or registry settings).

Add WSUS Clients via the Registry

Follow these steps if you want to set the same configuration directly in the Windows Registry, on a computer that is not domain-joined. It is also the place to look when checking what a GPO actually applied, since Group Policy writes these very same values:

You can find most of the settings in:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

  • "WUServer"="http://servername:8530"  (servername is the DNS name of your WSUS server. Include the port: a default installation listens on 8530 for HTTP and 8531 for HTTPS. Prefer HTTPS in production; with plain HTTP, anyone able to intercept the client's traffic can impersonate your WSUS server.) 

  • "WUStatusServer"="http://servername:8530"  (the server the client reports its status to; normally the same URL.)

  • "TargetGroupEnabled"=dword:00000001  (enables client-side targeting: the client names the group it belongs to.) 

  • "TargetGroup"="CLIENTS-W10-Test"  (the name of the group the client will appear in on the WSUS console. The group must already exist there, and Options > Computers must be set to use Group Policy or registry settings; otherwise the client lands in Unassigned Computers.) 

  • "ElevateNonAdmins"=dword:00000000  (1 lets non-administrator users receive update notifications and approve or decline installation; 0 reserves this for administrators.)

The final mandatory value lives under the AU subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

  • "UseWUServer"=dword:00000001  (tells the Windows Update Agent to use the WSUS server named in WUServer instead of Microsoft Update. Without it, the two URLs above are ignored.) 

The other values under that same AU key let you carry out more advanced client configurations:

  • "NoAutoRebootWithLoggedOnUsers"=dword:00000000  (1 = never restart automatically while a user is logged on; 0 = the scheduled restart goes ahead after the warning.)

  • "NoAutoUpdate"=dword:00000000    (0 = Automatic Updates enabled; 1 = disabled. Leave it at 0.)

  • "AUOptions"=dword:00000004    (how the client handles updates: 2 = notify before download, 3 = download automatically and notify before install, 4 = download automatically and install on the schedule below, 5 = let the local administrator choose.)

  • "ScheduledInstallDay"=dword:00000000    (day for scheduled installations when AUOptions is 4: 0 = every day, 1 = Sunday through 7 = Saturday...)

  • "ScheduledInstallTime"=dword:0000000f    (...and the hour, 0 to 23; 0xf is 15:00.)

  • "AutoInstallMinorUpdates"=dword:00000001    (install minor updates that need no restart immediately, without waiting for the schedule.)

  • "DetectionFrequencyEnabled"=dword:00000001  (honour the custom detection interval below.)

  • "DetectionFrequency"=dword:00000001    (hours between two checks for updates, 1 to 22. When unset, the client checks every 22 hours minus a random offset of up to 20%; 1 means hourly, which is fine for a lab but too chatty for production.)

  • "RebootWarningTimeout"=dword:00000004    (minutes of warning shown before a scheduled restart, 1 to 30.)

  • "RebootWarningTimeoutEnabled"=dword:00000001  (enables the previous value.)

  • "RebootRelaunchTimeout"=dword:00000006    (minutes before the restart prompt is shown again after a user postpones it, 1 to 1440.) 

  • "RebootRelaunchTimeoutEnabled"=dword:00000001    (enables the previous value.)

  • "RescheduleWaitTimeEnabled"=dword:00000001    (if a scheduled installation was missed because the computer was off...) 

  • "RescheduleWaitTime"=dword:00000002    (...run it this many minutes after the next startup, 1 to 60.)

On Windows 10 and later, read the descriptions of the restart-related policies before relying on them: several were superseded by the active hours and deadline settings.

Once you have configured the client one way or the other, restart the Windows Update service (or simply the server) so that the new policy is picked up. After the client's next detection cycle, your computer appears in the console. You also get an overview of the updates present on your WSUS, which your computer assesses and reports back as needed, installed, or not applicable:
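The GPO method and the registry method above apply exactly the same values, so here is one added example (not part of the original course) that keeps them in a single table and writes them either way, then verifies and triggers detection on the client. The Set-GPRegistryValue cmdlet (GroupPolicy module, RSAT), New-ItemProperty and the Microsoft.Update.AutoUpdate COM object are Microsoft's; the server name wsus01.gift.local, the GPO name "WSUS Clients", the OU in the comment and the value choices are assumptions.

```powershell
# Added example (not from the original course): apply the WSUS client settings
# either to a GPO (domain) or straight into the local registry (no AD), from one
# table of values, then make the client re-detect and verify the result.
# Assumptions: WSUS at wsus01.gift.local on port 8530, target group CLIENTS-W10-Test,
# GPO named "WSUS Clients". Adjust all three.

$WsusUrl   = 'http://wsus01.gift.local:8530'   # assumed; use https://...:8531 in production
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# The values documented in the text: key -> { ValueName -> { Type; Value } }.
$Settings = @{
    "$PolicyKey" = @{
        WUServer           = @{ Type = 'String'; Value = $WsusUrl }
        WUStatusServer     = @{ Type = 'String'; Value = $WsusUrl }
        TargetGroupEnabled = @{ Type = 'DWord';  Value = 1 }
        TargetGroup        = @{ Type = 'String'; Value = 'CLIENTS-W10-Test' }
        ElevateNonAdmins   = @{ Type = 'DWord';  Value = 0 }
    }
    "$PolicyKey\AU" = @{
        UseWUServer                   = @{ Type = 'DWord'; Value = 1 }    # mandatory
        NoAutoUpdate                  = @{ Type = 'DWord'; Value = 0 }
        AUOptions                     = @{ Type = 'DWord'; Value = 4 }    # download and schedule install
        ScheduledInstallDay           = @{ Type = 'DWord'; Value = 0 }    # every day
        ScheduledInstallTime          = @{ Type = 'DWord'; Value = 15 }   # 15:00 (0xf in the text)
        NoAutoRebootWithLoggedOnUsers = @{ Type = 'DWord'; Value = 1 }    # chosen here: no forced reboot on users
        DetectionFrequencyEnabled     = @{ Type = 'DWord'; Value = 1 }
        DetectionFrequency            = @{ Type = 'DWord'; Value = 22 }   # hours; 1 only in a lab
    }
}

function Set-WsusClientPolicyViaGpo {
    # Domain method: writes the same values into a GPO's registry policy.
    param([string]$GpoName = 'WSUS Clients')   # assumed GPO name
    Import-Module GroupPolicy
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    foreach ($key in $Settings.Keys) {
        $gpKey = $key -replace '^HKLM:\\', 'HKLM\'    # Set-GPRegistryValue wants HKLM\..., not HKLM:\...
        foreach ($name in $Settings[$key].Keys) {
            $s = $Settings[$key][$name]
            Set-GPRegistryValue -Name $GpoName -Key $gpKey -ValueName $name -Type $s.Type -Value $s.Value | Out-Null
        }
    }
    # Link it to the OU holding the computers yourself, e.g. (assumed OU):
    # New-GPLink -Name $GpoName -Target 'OU=Workstations,DC=gift,DC=local'
}

function Set-WsusClientPolicyViaRegistry {
    # Standalone method: writes the values straight into HKLM on this machine (run elevated).
    foreach ($key in $Settings.Keys) {
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $Settings[$key].Keys) {
            $s = $Settings[$key][$name]
            New-ItemProperty -Path $key -Name $name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
        }
    }
}

function Test-WsusClientPolicy {
    # Check what the Windows Update Agent will actually use, then force a detection cycle.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction Stop
    if ($au.UseWUServer -ne 1 -or $wu.WUServer -ne $WsusUrl) { throw "Client is not pointed at $WsusUrl" }
    Restart-Service -Name wuauserv
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()   # WUA API: start a scan now
    "Client configured for $($wu.WUServer), target group '$($wu.TargetGroup)'"
}

# Pick one: Set-WsusClientPolicyViaGpo (domain) or Set-WsusClientPolicyViaRegistry (standalone),
# then run Test-WsusClientPolicy on the client.
```

Test-WsusClientPolicy is the check worth keeping: it reads the policy hive the agent reads, refuses silently misconfigured clients (a missing UseWUServer is the classic reason a machine keeps talking to Microsoft Update), and the DetectNow call saves you waiting up to a detection interval before the computer shows up in the console.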

WSUS client and available update assessment

Approve WSUS Updates

Updates will not install on clients without your approval. In this lab, because you ran Windows Update on the server before adding roles, the updates retrieved by the first synchronization should already show as installed on it (within the scope you chose for that first synchronization).

To approve an update, go to the Updates node, select it, and right-click to open the Action menu, which lets you approve or decline it.

Why would we decline an update?

It is best to test updates before deploying them on a large scale: approve them for a test group first. If, during the test, you find that an update is incompatible with an application or with the operating system, decline it. It will not be deployed, and you will have saved yourself problems across your entire inventory. Declining is also the right move for updates that a newer one supersedes: they only waste disk space and client scan time:

Approve or decline an update

Microsoft provides you with lots of information about each update:

Update information

Click on an update to see whether it requires a reboot, whether another update supersedes it, and whether it requires accepting a Microsoft license agreement. You also see a brief description of what it delivers; for the full description, follow the link to the Microsoft Knowledge Base article, whose reference looks like kb/xxxxx.
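The approve-for-test, then promote-to-production workflow described above, scripted on the WSUS server: an added example that is not part of the original course. Get-WsusUpdate, Approve-WsusUpdate and Deny-WsusUpdate are Microsoft's UpdateServices cmdlets, and the reboot, license and KB details come from the IUpdate object behind each result; the group names CLIENTS-W10-Test and CLIENTS-W10 are assumed to exist already.

```powershell
# Added example (not from the original course): decline what should never ship,
# review what the test ring needs, approve it there, and later promote only what
# did not fail on the test computers. Assumptions: local WSUS on port 8530, and
# target groups CLIENTS-W10-Test and CLIENTS-W10 already created in the console.
Import-Module UpdateServices
$wsus = Get-WsusServer -Name localhost -PortNumber 8530

# Step 1: decline superseded and expired updates; they only cost disk and scan time.
Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.IsSuperseded -or $_.Update.PublicationState -eq 'Expired' } |
    Deny-WsusUpdate

# Step 2: list what is still needed, with the details the console shows per update.
function Get-PendingSecurityUpdateReport {
    Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status FailedOrNeeded |
        ForEach-Object {
            [pscustomobject]@{
                KB      = ($_.Update.KnowledgebaseArticles -join ',')
                Title   = $_.Update.Title
                Reboot  = $_.Update.InstallationBehavior.RebootBehavior   # NeverReboots / CanRequestReboot / AlwaysRequiresReboot
                Eula    = $_.Update.RequiresLicenseAgreement
                Arrived = $_.Update.ArrivalDate
            }
        }
}
Get-PendingSecurityUpdateReport | Format-Table -AutoSize

# Step 3: approve the unapproved Security updates for the test group only.
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName 'CLIENTS-W10-Test'

# Step 4: run later, once the test computers have reported. Promote every approved
# Security update to production, except those that failed on any test computer.
function Invoke-TestRingPromotion {
    param([string]$TestGroup = 'CLIENTS-W10-Test', [string]$ProdGroup = 'CLIENTS-W10')   # assumed names
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TestGroup }
    if (-not $group) { throw "Target group '$TestGroup' does not exist" }
    $failedIds = @(
        $group.GetComputerTargets() |
            ForEach-Object { $_.GetUpdateInstallationInfoPerUpdate() } |
            Where-Object { $_.UpdateInstallationState -eq 'Failed' } |
            ForEach-Object { $_.UpdateId }
    )
    Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Approved -Status Any |
        Where-Object { $_.Update.Id.UpdateId -notin $failedIds } |
        Approve-WsusUpdate -Action Install -TargetGroupName $ProdGroup
    "Promoted to $ProdGroup; held back $($failedIds.Count) update(s) that failed in $TestGroup"
}
```

The hold-back in step 4 is what turns "test before deploying" into a rule the script enforces: an update that failed on even one test computer is never promoted until someone looks at it, while everything else flows to production without another round of clicking.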

You now have all the skills you need to set up a consistent and controlled security policy for your inventory of client computers and servers using Windows!

Additional Resources

If you want to take this to the next level, install Microsoft's Report Viewer redistributable (and the SQL Server System CLR Types it depends on) on the machine running the console. It unlocks the Reports node: update status, compliance of your equipment with your security policy, and the health of the WSUS server itself.

  • Microsoft guide to setting up WSUS.

  • Tool for simplifying the configuration of a computer to WSUS without GPO (N.B. these are only the sources).

Let’s Recap!

  • Windows Server lets you take back control over Microsoft updates to your IT equipment through the WSUS role.

  • With WSUS, you can implement a deployment strategy based on simple criteria (such as the date or time of deployment) or more advanced ones (by product and classification, per target group, with automatic approval for a test group). 

  • Microsoft provides lots of information about each update, which it makes available through WSUS: description, reboot impact, target products, supersedence, license agreement, etc.

  • Configure client computers to use their new update source (WSUS). There are two methods: Group Policy, or registry modification for computers managed without Active Directory.

In the next and final part of this course, you’ll continue to learn about Windows Server administration, particularly with the PowerShell scripting tool and virtualization using Hyper-V.
