Windows Server Update Services (WSUS) is an update server for operating systems and other Microsoft products that allows administrators to centrally manage patches and updates on corporate network computers. A brief reminder of how WSUS works: the WSUS server synchronizes with the Microsoft Update server on a schedule and downloads the latest updates for the selected products. The WSUS administrator selects which updates must be installed on the company's workstations and servers, which then download and install the required updates from the corporate WSUS server according to the configured policies. Running your own WSUS update server saves Internet traffic and lets you manage update installation in the company more flexibly.
Microsoft also offers other tools for deploying updates to its products, such as SCCM 2007/2012; unlike those products, however, a WSUS server is absolutely free.
The WSUS version in Windows Server 2012 brings nothing fundamentally new. Note that the WSUS installation package can no longer be downloaded separately from the Microsoft website; it is integrated into the Windows Server distribution as a separate role. In addition, WSUS 6.0 allows managing the installation of updates via PowerShell.
In this article, we will cover the basic issues of the WSUS installation and configuration on Windows Server 2012.
How to Install the WSUS Role on Windows Server 2012
WSUS already became a separate role in Windows Server 2008, installed through the Server Management console, and this has not changed in Windows Server 2012. Open the Server Management console and select the Windows Server Update Services role (the system will automatically install the necessary IIS components).
Check the WSUS Services option, then choose the type of database that WSUS will use:
- Windows Internal Database (WID)
- Microsoft SQL Server 2008 R2 SP1 Enterprise / Standard / Express Edition
- Microsoft SQL Server 2012 Enterprise / Standard / Express Edition
- WID (Windows Internal Database) is an integrated Windows database
- Database – a local or external database on a SQL Server will be used for WSUS
The default WID database file is named SUSDB.mdf and is stored in %windir%\wid\data\. This database supports only Windows authentication (not SQL authentication). The name of the WSUS database instance is server_name\Microsoft##WID.
The internal database (Windows Internal Database) is recommended if:
- The company does not have and is not going to buy SQL Server licenses.
- No WSUS load balancing (NLB WSUS) is planned.
- You plan to deploy a number of WSUS servers (e.g., in branches). In this case it is recommended to use the integrated WSUS database on the secondary servers.
A WID database cannot be administered using standard graphical consoles or management tools (only CLI).
If you install a WSUS role and a database server on different servers, there are some limitations:
- A WSUS database server cannot be a domain controller
- A WSUS server cannot be a Remote Desktop Services host at the same time
If you chose to use a separate SQL database, specify the name of the database server and the DB instance, and check the connection.
Then the WSUS role with all necessary components will be installed. When the installation is over, run the WSUS Management Console in Server Manager.
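The same role installation can be scripted with PowerShell. The script below is an added example, not part of the original article; the content directory D:\WSUS and the instance name SQL01\WSUS are placeholder values, and the parameter names are chosen for illustration.

```powershell
# Added example: install the WSUS role with either WID or an external SQL database.
# $ContentDir and $SqlInstance defaults are placeholders; adjust them to your environment.
param(
    [ValidateSet('WID', 'SQL')] [string] $Database = 'WID',
    [string] $ContentDir  = 'D:\WSUS',
    [string] $SqlInstance = 'SQL01\WSUS'
)

Import-Module ServerManager

# Limitation listed above for a separate database server:
# the WSUS server must not also be a Remote Desktop Services host.
if ($Database -eq 'SQL' -and (Get-WindowsFeature -Name RDS-RD-Server).Installed) {
    throw 'This server is a Remote Desktop Services host; use another server for WSUS.'
}

# WSUS Services plus exactly one database role service (WID or SQL).
$features = if ($Database -eq 'WID') {
    'UpdateServices-Services', 'UpdateServices-WidDB'
} else {
    'UpdateServices-Services', 'UpdateServices-DB'
}

# Required IIS components are pulled in automatically as dependencies.
$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw 'WSUS role installation failed.' }

# Post-installation step: create the database and the update content store.
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$postArgs = @('postinstall', "CONTENT_DIR=$ContentDir")
if ($Database -eq 'SQL') { $postArgs += "SQL_INSTANCE_NAME=$SqlInstance" }

& $wsusutil @postArgs
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall failed with exit code $LASTEXITCODE"
}

# Verify what was installed and that the services are running.
Get-WindowsFeature -Name UpdateServices* | Where-Object Installed |
    Select-Object Name, InstallState
Get-Service -Name WsusService, W3SVC | Select-Object Name, Status
```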
Basic Configuration of the WSUS Update Server in Windows Server 2012
When you first start the WSUS console, the setup wizard of the update server starts automatically. Let’s consider the main points of the configuration.
Specify whether the WSUS server takes updates directly from Microsoft Update or from a parent WSUS server. The second option is usually used in large networks: the WSUS server of a large regional division takes updates from the WSUS server in the central office, which significantly reduces the load on the link between the central office and the branch.
If you access the Internet through a proxy server, specify its parameters and the user name/password used to log in to it.
The wizard then checks the connection to the upstream update server. Click Start Connecting.
Then choose the languages for which WSUS will download updates. We select English (the list of languages can be changed later from the WSUS console).
Then specify the list of products for which WSUS should download updates. Select all Microsoft products used in your corporate network. Keep in mind that all updates take up additional disk space, so do not check products you do not use.
On the Classification Page, specify the types of updates to be distributed via WSUS. It is recommended to select: Critical Updates, Definition Updates, Security Packs, Service Packs, Update Rollups, and Updates.
Next, you should specify an update synchronization schedule – it is recommended to use the automatic daily synchronization of the WSUS server with Microsoft Update server.
After the wizard is done, the WSUS console is launched.
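The wizard steps above can also be performed from PowerShell on the WSUS server. This is an added example, not part of the original article; the product title 'Windows Server 2012' is a sample choice, and the classification titles are written as they appear in the WSUS console.

```powershell
# Added example: reproduce the setup wizard choices with the UpdateServices module.
# Run in an elevated session on the WSUS server after the role is installed.
$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()

# Upstream source: synchronize directly from Microsoft Update.
Set-WsusServerSynchronization -SyncFromMU | Out-Null

# Languages: download English updates only.
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# The product and classification lists are empty until the first
# category-only synchronization has completed.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 10
}

# Products: enable only what is used in the network (sample selection).
$products = 'Windows Server 2012'
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct |
    Where-Object { $_.Product.Title -in $products } |
    Set-WsusProduct

# Classifications to distribute.
$classes = 'Critical Updates', 'Definition Updates', 'Security Updates',
           'Service Packs', 'Update Rollups', 'Updates'
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $classes } |
    Set-WsusClassification

# Schedule: one automatic synchronization per day.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically          = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 0
$subscription.NumberOfSynchronizationsPerDay    = 1
$subscription.Save()

# Start the first full synchronization.
$subscription.StartSynchronization()
```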
In the next article we will consider further configuration of the WSUS server on Windows Server 2012, and configure WSUS client settings using Group Policies.