Project

General

Profile

Support #783

Install WSUS on Windows Server 2012 Core

Added by Daniel Curtis almost 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Daniel Curtis
Category:
Server Management
Target version:
Windows Server 2012
Start date:
03/20/2016
Due date:
% Done:

100%

Estimated time:
2.00 h
Spent time:
7.50 h

Description

One of the uses for my Windows Server is to use Windows Server Update Services (WSUS) to manage centralized updates for the various Windows boxes on my network. This is a simple guide for setting up a standalone WSUS on a Windows Server 2012 R2 Core machine using PowerShell.

Install WSUS

  • From the command prompt, open a PowerShell session:
    powershell
  • Install the WSUS feature using the Windows Internal Database (WID) as the database:
    Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
  • After installing WSUS, point the application to a location to store downloads:
    cd "C:\Program Files\Update Services\Tools\" 
.\WsusUtil.exe PostInstall CONTENT_DIR=C:\WSUS

Remote Management

  • Make sure to add the remote workstation being used to administer the windows server as a TrustedHost on the WSUS server:
    winrm set winrm/config/client @{TrustedHosts="rsat.example.com"}
    • NOTE: If any other configuration changes are needed, use winrm quickconfig to identify and remedy them:
      winrm quickconfig
  • And also enable remote powershell connections:
    Enable-PSRemoting -force
  • Add the Remote Desktop firewall rules on the WSUS server:
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
  • Add the Windows Management Instrumentation (WMI) and Remote Event Log Management firewall rules on the WSUS server:
    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
netsh advfirewall firewall set rule group=“Remote Event Log Management” new enable=yes

Windows 7 Host

  1. Install the Microsoft Report Viewer
  2. Download Windows Server Update Services 3.0 SP2 KB972455 and install the Administration Console only.
  3. Once the console is installed, also install KB2734608 to add support for Windows 8 and Server 2012.
  4. Open Windows Server Update Services and connect to the remote server wsus.example.com on port 8530.
  5. On the computer that is running Server Manager, add remote servers to the local computer’s TrustedHosts list in a Windows PowerShell session:
    Set-Item wsman:\localhost\Client\TrustedHosts wsus.example.com -Concatenate -Force

Windows 8 Host

  1. Install the Microsoft Report Viewer
  2. Install the Windows 8 Remote Server Administration Tool
  3. Open Windows Server Update Services and connect to the remote server wsus.example.com on port 8530.
  4. On the computer that is running Server Manager, add remote servers to the local computer’s TrustedHosts list in a Windows PowerShell session:
    Set-Item wsman:\localhost\Client\TrustedHosts wsus.example.com -Concatenate -Force

Local Management

  • Set the WSUS Server Object in the $wsus variable:
    $wsus = Get-WSUSServer
  • Set the WSUS server configuration in the $wsusConfig variable:
    $wsusConfig = $wsus.GetConfiguration()
  • Set to download updates from Microsoft Updates
    Set-WsusServerSynchronization –SyncFromMU
  • Set Update Languages to only use English and save configuration settings
    $wsusConfig.AllUpdateLanguagesEnabled = $false           
$wsusConfig.SetEnabledUpdateLanguages(“en”)           
$wsusConfig.Save()
  • Get WSUS Subscription and perform initial synchronization to get latest categories
    $subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()

While ($subscription.GetSynchronizationStatus() -ne ‘NotProcessing’) {
    Write-Host “.” -NoNewline
    Start-Sleep -Seconds 5
}

Write-Host “Sync is done.”
  • Configure the Platforms that WSUS will use to receive updates:
    Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Office" } | Set-WsusProduct -Verbose
Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Windows" } | Set-WsusProduct -Verbose
Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Windows Server 2012 R2" } | Set-WsusProduct -Verbose
  • Configure the Classifications
    Get-WsusClassification | Where-Object {
    $_.Classification.Title -in (
    ‘Update Rollups’,
    ‘Security Updates’,
    ‘Critical Updates’,
    ‘Service Packs’,
    ‘Updates’)
} | Set-WsusClassification –Verbose
  • Configure Synchronizations
    $subscription.SynchronizeAutomatically=$true
  • Set synchronization scheduled for midnight each night
    $subscription.SynchronizeAutomaticallyTimeOfDay= (New-TimeSpan -Hours 0)
$subscription.NumberOfSynchronizationsPerDay=1
$subscription.Save()
  • Start a synchronization:
    $subscription.StartSynchronization()
  • To check on the progress of the synchronization:
    $subscription.GetSynchronizationProgress()
  • When the synchronization finishes, check the status:
    $subscription.GetLastSynchronizationInfo()

Connect Non-Domain Hosts

  • Create a wsus.reg file:
    Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] 
"AcceptTrustedPublisherCerts"=dword:00000001 
"ElevateNonAdmins"=dword:00000001 
"TargetGroup"="Workstations" 
"TargetGroupEnabled"=dword:00000000 
"WUServer"="http://wsus.example.com:8530"; 
"WUStatusServer"="http://wsus.example.com:8530";

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
"AUOptions"=dword:00000002 
"UseWUServer"=dword:00000001
  • Then import the wsus.reg file into the Windows registry.

NOTE: If you receive an error when checking for updates, try resetting the authorization cookie on the client:

wuauclt.exe /resetauthorization /detectnow

Resources

Also available in: Atom PDF