Windows Server Update Services (WSUS) is an update service that allows administrators to centrally manage patches and security updates for Microsoft products (Windows, Office, SQL Server, Exchange, etc.) on computers and servers on the corporate network. Let's briefly recall how WSUS works. The WSUS server synchronizes on a schedule with the Microsoft Update servers on the Internet and downloads the latest updates for the selected products. The WSUS administrator selects which updates must be installed on the company's workstations and servers. WSUS clients download and install the required updates from the corporate update server according to the configured policies. Running your own WSUS update server allows you to save Internet traffic and manage update installation in the company more flexibly.
Microsoft also offers other update installation systems for its products, such as SCCM (System Center Configuration Manager). However, unlike many other products, the WSUS server is completely free (in fact, the update component in SCCM, the Software Update Point or SUP, is also based on WSUS).
There is nothing fundamentally new in the WSUS version in Windows Server 2012 R2 / 2016. Note that the WSUS installation package can no longer be downloaded separately from the Microsoft website; it is integrated into the Windows Server distribution and is installed as a separate server role. In addition, WSUS 6.0 introduced the ability to manage the installation of updates using PowerShell.
In this article, we will cover the basic issues of the WSUS role installation and configuration on Windows Server 2012 R2 / Windows Server 2016.
How to Install the WSUS Role on Windows Server 2012 R2 / 2016?
In Windows Server 2008, WSUS became a separate role that can be installed through the Server Management console. In Windows Server 2012 R2 / 2016, this has not changed. Open the Server Management console and select the Windows Server Update Services role (the system will automatically select and offer to install the necessary components of the IIS web server).
Check the WSUS Services option, then select the type of database that WSUS will use.
WSUS on Windows Server 2012 supports the following databases:
- Windows Internal Database (WID);
- Microsoft SQL Server 2008 R2 SP1, 2012, 2014, 2016 in the Enterprise / Standard / Express Editions.
Accordingly, you can use the Windows Internal Database (WID), which is free and doesn't require additional licensing, or a dedicated local or remote SQL Server database (on a different server) to store WSUS data.
The default WID database file is called SUSDB.mdf and is stored in the folder %windir%\wid\data. This database supports only Windows authentication (not SQL authentication). The internal (WID) database instance for WSUS is called server_name\Microsoft##WID. The WSUS database stores the update server settings, update metadata, and the WSUS client information.
The internal database (Windows Internal Database) is recommended if:
- Your organization doesn’t have and doesn’t plan to purchase licenses for SQL Server;
- You do not plan to use WSUS load balancing (NLB WSUS);
- You plan to deploy a child WSUS server (for example, in branch offices). In this case, it is recommended to use the built-in WSUS database on the secondary servers.
The WSUS WID database can be administered through SQL Server Management Studio (SSMS) if you specify the following connection string: \\.\pipe\MICROSOFT##WID\tsql\query
Note that in the free editions of SQL Server 2008/2012 Express there is a limit on the maximum database size – 10 GB. Most likely, this limit will not be reached (for example, the size of the WSUS database for 3000 clients is about 3 GB). The Windows Internal Database is limited to 524 GB.
If you install the WSUS role and the MS SQL database on different servers, there are some limitations:
- SQL Server with a WSUS database cannot be a domain controller;
- A WSUS server cannot be a Remote Desktop Services Host at the same time.
If you plan to use the built-in WID database (a recommended and workable option even for large infrastructures), check the Database option.
Then specify the directory in which to store the updates (at least 10 GB of free space on the selected disk is recommended).
If you have previously chosen to use a separate SQL database, you must specify the name of the database server and the DB instance, and check the connection.
The WSUS role will then be installed with all the necessary components. When the installation is finished, run the WSUS Management Console from Server Manager.
You can also install a WSUS server with an internal database using the following PowerShell command:
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools
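The command above only adds the role; the update storage directory that the GUI wizard asks for still has to be set. The following added example (not part of the original article) checks the free space, installs the role, and runs the WSUS post-installation step. The path D:\WSUS is an assumption.

```powershell
# Added example, not from the original article.
# $ContentDir is an assumed path; choose a volume with at least 10 GB free.
$ContentDir = 'D:\WSUS'

# Check the free-space recommendation before installing anything
$drive = Get-PSDrive -Name $ContentDir.Substring(0, 1)
if ($drive.Free -lt 10GB) {
    throw "Less than 10 GB free on drive $($drive.Name), not enough for the update store."
}

# Install the WSUS role with the built-in WID database and the management tools
$result = Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools
if (-not $result.Success) { throw 'WSUS role installation failed.' }
if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required to finish the role installation.' }

# Post-installation: creates the SUSDB database in WID and sets the content directory
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall exited with code $LASTEXITCODE" }

# Confirm that the WSUS service answers and show the port clients will use
$wsus = Get-WsusServer
'{0} is listening on port {1}' -f $wsus.Name, $wsus.PortNumber
```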
Basic WSUS Configuration on Windows Server 2012 R2 / 2016
When you first start the WSUS console, the Update Server Configuration Wizard will start automatically. Let's consider the basic steps for configuring a WSUS server using the wizard.
Specify whether the WSUS server will download updates directly from the Microsoft Update website or from an upstream WSUS server. The second option is usually used in large networks to configure the WSUS server of a large regional division that receives updates from the WSUS server in the central office (this configuration significantly reduces the load on the WAN channels between the HQ and the branch office).
If your WSUS server itself must download updates from Windows Update servers, and you access the Internet through a proxy server, you must specify the proxy server address, port, and the credentials to access it.
Next, the connection with the upstream update server is checked. Click Start Connecting.
Then select the languages for which WSUS will download updates. We select English (the list of languages can be changed later from the WSUS console).
Then specify the list of products for which WSUS should download updates. You must select all Microsoft products that are used in your corporate network. Keep in mind that every additional product takes up disk space, so products you don't use should not be checked. If you are sure that there are no computers running Windows XP or Windows 7 on your network, don't select the check boxes for these operating systems. This will save a significant amount of space on the WSUS server drive.
On the Classification Page, specify the types of updates to be distributed via WSUS. It is recommended to select: Critical Updates, Definition Updates, Security Packs, Service Packs, Update Rollups, Updates.
Next, you should specify an update synchronization schedule – it is recommended to use the automatic daily synchronization of the WSUS server with Microsoft Update server. The WSUS synchronization should be performed at night, in order not to overload the Internet channel during business hours.
The initial synchronization of the WSUS server with the upstream update server may take several days, depending on the number of products you chose earlier and your ISP.
After the wizard is done, the WSUS console is launched.
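The wizard steps above can also be scripted with the WSUS PowerShell module. This is an added example, not part of the original article; the proxy name and port, the product titles, and the 01:00 synchronization time are assumptions, and the classification titles are written as Get-WsusClassification lists them.

```powershell
# Added example: scripted equivalent of the wizard steps (run elevated on the WSUS server).
$ProxyName = $null        # assumed: set to e.g. 'proxy.corp.example' if a proxy is required
$ProxyPort = 3128         # assumed proxy port
$Products  = 'Windows Server 2012 R2', 'Windows Server 2016', 'Windows 10'   # assumed selection
$Classes   = 'Critical Updates', 'Definition Updates', 'Security Updates',
             'Service Packs', 'Update Rollups', 'Updates'

$wsus = Get-WsusServer

# Update source: Microsoft Update (for a branch server use -UssServerName and -PortNumber instead)
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU | Out-Null

$config = $wsus.GetConfiguration()
if ($ProxyName) {
    $config.UseProxy        = $true
    $config.ProxyName       = $ProxyName
    $config.ProxyServerPort = $ProxyPort
}
# Languages: English only
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# The product and classification lists are only populated after a category synchronization
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
do { Start-Sleep -Seconds 30 } while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# Disable everything that was not selected first, then enable the selection
$allProducts = Get-WsusProduct -UpdateServer $wsus
$allProducts | Where-Object { $_.Product.Title -notin $Products } | Set-WsusProduct -Disable
$allProducts | Where-Object { $_.Product.Title -in $Products }    | Set-WsusProduct

$allClasses = Get-WsusClassification -UpdateServer $wsus
$allClasses | Where-Object { $_.Classification.Title -notin $Classes } | Set-WsusClassification -Disable
$allClasses | Where-Object { $_.Classification.Title -in $Classes }    | Set-WsusClassification

# Automatic synchronization once a day; the time of day is interpreted as UTC
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically          = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 1
$subscription.NumberOfSynchronizationsPerDay    = 1
$subscription.Save()

# Start the initial full synchronization
$subscription.StartSynchronization()
```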
In order to improve the performance of the WSUS Server on Windows Server, it is recommended to exclude the following folders from the anti-virus scan:
- \WSUS\WSUSContent;
- %windir%\wid\data;
- \SoftwareDistribution\Download.
Clients can now receive updates by connecting to the WSUS server on port 8530 (in Windows Server 2003 and 2008, port 80 is used by default). With a large number of computers (over 1000), the performance of the IIS WsusPool application pool, which distributes updates to clients, can be configured according to the article.
In other articles, we will look at how to further configure the WSUS server on Windows Server 2012 R2 / 2016: how to configure WSUS client settings using Group Policies, approve new updates, and copy approved updates between WSUS target groups.
Stay tuned!