Project

General

Profile

Support #783

Updated by Daniel Curtis over 8 years ago

{{>toc}} 

 One of the uses for my Windows Server is to use Windows Server Update Services (WSUS) to manage centralized updates for the various Windows boxes on my network. This is a simple guide for setting up a standalone WSUS on a Windows Server 2012 R2 Core machine using PowerShell. 

 h2. Install WSUS 

 * From the command prompt, open a PowerShell session: 
 <pre> 
 powershell 
 </pre> 

 * Install the WSUS feature using the Windows Internal Database (WID) as the database: 
 <pre> 
 Install-WindowsFeature -Name UpdateServices -IncludeManagementTools 
 </pre> 

 * After installing WSUS, point the application to a location to store downloads: 
 <pre> 
 cd "C:\Program Files\Update Services\Tools\" 
 .\WsusUtil.exe PostInstall CONTENT_DIR=C:\WSUS 
 </pre> 

 h2. Remote Management 

 * Make sure to add the remote workstation being used to administer the windows server as a TrustedHost on the WSUS server: 
 <pre> 
 winrm set winrm/config/client @{TrustedHosts="rsat.example.com"} 
 </pre> 
 #* *NOTE*: If any other configuration changes are needed, use @winrm quickconfig@ to identify and remedy them: 
 <pre> 
 winrm quickconfig 
 </pre> 

 * And also enable remote powershell connections: 
 <pre> 
 Enable-PSRemoting -force 
 </pre> 

 h3. Windows 7 Host 

 # Install the "Microsoft Report Viewer":https://www.microsoft.com/en-us/download/details.aspx?id=6576 
 # Download Windows Server Update Services 3.0 SP2 "KB972455":http://www.microsoft.com/en-us/download/details.aspx?id=5216 and install the *Administration Console only*.  
 # Once the console is installed, also install "KB2734608":http://support.microsoft.com/kb/2734608/en-us to add support for Windows 8 and Server 2012. 
 # Open Windows Server Update Services and connect to the remote server _wsus.example.com_ on port +8530+. 
 # On the computer that is running Server Manager, add remote servers to the local computer’s TrustedHosts list in a Windows PowerShell session: 
 <pre> 
 Set-Item wsman:\localhost\Client\TrustedHosts wsus.example.com -Concatenate -Force 
 </pre> 
 h3. Windows 8 Host 

 # Install the "Microsoft Report Viewer":https://www.microsoft.com/en-us/download/details.aspx?id=6576 
 # Install the "Windows 8 Remote Server Administration Tool":https://www.microsoft.com/en-us/download/details.aspx?id=28972 
 # Open Windows Server Update Services and connect to the remote server _wsus.example.com_ on port +8530+. 
 # On the computer that is running Server Manager, add remote servers to the local computer’s TrustedHosts list in a Windows PowerShell session: 
 <pre> 
 Set-Item wsman:\localhost\Client\TrustedHosts wsus.example.com -Concatenate -Force 
 </pre> 

 h2. Local Management 

 * Set the WSUS Server Object in the @$wsus@ variable: 
 <pre> 
 $wsus = Get-WSUSServer 
 </pre> 

 * Set the WSUS server configuration in the @$wsusConfig@ variable: 
 <pre> 
 $wsusConfig = $wsus.GetConfiguration() 
 </pre> 

 * Set to download updates from Microsoft Updates 
 <pre> 
 Set-WsusServerSynchronization –SyncFromMU 
 </pre>  

 * Set Update Languages to only use English and save configuration settings 
 <pre> 
 $wsusConfig.AllUpdateLanguagesEnabled = $false            
 $wsusConfig.SetEnabledUpdateLanguages(“en”)            
 $wsusConfig.Save() 
 </pre> 

 * Get WSUS Subscription and perform initial synchronization to get latest categories 
 <pre> 
 $subscription = $wsus.GetSubscription() 
 $subscription.StartSynchronizationForCategoryOnly() 

 While ($subscription.GetSynchronizationStatus() -ne ‘NotProcessing’) { 
     Write-Host “.” -NoNewline 
     Start-Sleep -Seconds 5 
 } 

 Write-Host “Sync is done.” 
 </pre> 

 * Configure the Platforms that WSUS will use to receive updates: 
 <pre> 
 Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Office" } | Set-WsusProduct -Verbose 
 Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Windows" } | Set-WsusProduct -Verbose 
 Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Windows Server 2012 R2" } | Set-WsusProduct -Verbose 
 </pre> 

 * Configure the Classifications 
 <pre> 
 Get-WsusClassification | Where-Object { 
     $_.Classification.Title -in ( 
     ‘Update Rollups’, 
     ‘Security Updates’, 
     ‘Critical Updates’, 
     ‘Service Packs’, 
     ‘Updates’) 
 } | Set-WsusClassification –Verbose 

 </pre> 

 * Configure Synchronizations 
 <pre> 
 $subscription.SynchronizeAutomatically=$true 
 </pre> 

 * Set synchronization scheduled for midnight each night 
 <pre> 
 $subscription.SynchronizeAutomaticallyTimeOfDay= (New-TimeSpan -Hours 0) 
 $subscription.NumberOfSynchronizationsPerDay=1 
 $subscription.Save() 
 </pre> 
 
 * Start a synchronization: 
 <pre> 
 $subscription.StartSynchronization() 
 </pre> 

 * To check on the progress of the synchronization: 
 <pre> 
 $subscription.GetSynchronizationProgress() 
 </pre> 

 * When the synchronization finishes, check the status: 
 <pre> 
 $subscription.GetLastSynchronizationInfo() 
 </pre> 

 h2. Connect Non-Domain Hosts 

 * Create a wsus.reg file: 
 <pre> 
 Windows Registry Editor Version 5.00 

 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]  
 "AcceptTrustedPublisherCerts"=dword:00000001  
 "ElevateNonAdmins"=dword:00000001  
 "TargetGroup"="Workstations"  
 "TargetGroupEnabled"=dword:00000000  
 "WUServer"="http://wsus.example.com:8530";  
 "WUStatusServer"="http://wsus.example.com:8530"; 
 </pre> 

 * Then import the wsus.reg file into the Windows registry. 

 h2. Resources 

 * https://4sysops.com/archives/install-wsus-on-server-2012-with-powershell/ 
 * https://www.microsoft.com/en-us/download/details.aspx?id=28972 
 * http://www.shnake.com/?p=821 
 * https://technet.microsoft.com/en-us/library/dd939916(v=ws.10).aspx 
 * https://technet.microsoft.com/en-us/library/dd939859(v=ws.10).aspx 
 * https://p0w3rsh3ll.wordpress.com/2013/02/05/wsus-on-windows-server-2012-core-from-scratch/ 
 * https://blogs.technet.microsoft.com/heyscriptingguy/2013/04/15/installing-wsus-on-windows-server-2012/ 
 * http://social.technet.microsoft.com/wiki/contents/articles/13444.windows-server-2012-server-manager-troubleshooting-guide-part-ii-troubleshoot-manageability-status-errors-in-server-manager.aspx 
 * https://technet.microsoft.com/en-us/library/hh831453 
 * https://4sysops.com/archives/enable-powershell-remoting-on-a-standalone-workgroup-computer/

Back