Support #783
Updated by Daniel Curtis over 8 years ago
{{>toc}}
One of the uses for my Windows Server is running Windows Server Update Services (WSUS) to centrally manage updates for the various Windows boxes on my network. This is a simple guide for setting up a standalone WSUS on a Windows Server 2012 R2 Core machine using PowerShell.
h2. Install WSUS
* From the command prompt, open a PowerShell session:
<pre>
powershell
</pre>
* Install the WSUS feature using the Windows Internal Database (WID) as the database:
<pre>
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
</pre>
* After installing WSUS, point the application to a location to store downloads:
<pre>
cd "C:\Program Files\Update Services\Tools\"
.\WsusUtil.exe PostInstall CONTENT_DIR=C:\WSUS
</pre>
h2. Remote Management
* Make sure to add the remote workstation being used to administer the Windows server as a TrustedHost on the WSUS server (the argument is single-quoted so that PowerShell does not parse @@{...}@ as a hashtable):
<pre>
winrm set winrm/config/client '@{TrustedHosts="rsat.example.com"}'
</pre>
** *NOTE*: If any other configuration changes are needed, use @winrm quickconfig@ to identify and remedy them:
<pre>
winrm quickconfig
</pre>
* Also enable remote PowerShell connections:
<pre>
Enable-PSRemoting -force
</pre>
* Enable the Remote Desktop firewall rules on the WSUS server:
<pre>
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
</pre>
* Enable the Windows Management Instrumentation (WMI) and Remote Event Log Management firewall rules on the WSUS server:
<pre>
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
</pre>
h3. Windows 7 Host
# Install the "Microsoft Report Viewer":https://www.microsoft.com/en-us/download/details.aspx?id=6576
# Download Windows Server Update Services 3.0 SP2 "KB972455":http://www.microsoft.com/en-us/download/details.aspx?id=5216 and install the *Administration Console only*.
# Once the console is installed, also install "KB2734608":http://support.microsoft.com/kb/2734608/en-us to add support for Windows 8 and Server 2012.
# Open Windows Server Update Services and connect to the remote server _wsus.example.com_ on port +8530+.
# On the computer that is running Server Manager, add remote servers to the local computer’s TrustedHosts list in a Windows PowerShell session:
<pre>
Set-Item wsman:\localhost\Client\TrustedHosts wsus.example.com -Concatenate -Force
</pre>
h3. Windows 8 Host
# Install the "Microsoft Report Viewer":https://www.microsoft.com/en-us/download/details.aspx?id=6576
# Install the "Windows 8 Remote Server Administration Tool":https://www.microsoft.com/en-us/download/details.aspx?id=28972
# Open Windows Server Update Services and connect to the remote server _wsus.example.com_ on port +8530+.
# On the computer that is running Server Manager, add remote servers to the local computer’s TrustedHosts list in a Windows PowerShell session:
<pre>
Set-Item wsman:\localhost\Client\TrustedHosts wsus.example.com -Concatenate -Force
</pre>
h2. Local Management
* Set the WSUS Server Object in the @$wsus@ variable:
<pre>
$wsus = Get-WSUSServer
</pre>
* Set the WSUS server configuration in the @$wsusConfig@ variable:
<pre>
$wsusConfig = $wsus.GetConfiguration()
</pre>
* Set WSUS to download updates from Microsoft Update:
<pre>
Set-WsusServerSynchronization -SyncFromMU
</pre>
* Set Update Languages to only use English and save the configuration settings:
<pre>
$wsusConfig.AllUpdateLanguagesEnabled = $false
$wsusConfig.SetEnabledUpdateLanguages("en")
$wsusConfig.Save()
</pre>
* Get the WSUS subscription and perform an initial synchronization to get the latest categories:
<pre>
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
# Poll every 5 seconds until the category-only synchronization has finished
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Write-Host "." -NoNewline
    Start-Sleep -Seconds 5
}
Write-Host "Sync is done."
</pre>
* Configure the Platforms that WSUS will use to receive updates:
<pre>
Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Office" } | Set-WsusProduct -Verbose
Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Windows" } | Set-WsusProduct -Verbose
Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Windows Server 2012 R2" } | Set-WsusProduct -Verbose
</pre>
* Configure the Classifications:
<pre>
Get-WsusClassification | Where-Object {
    $_.Classification.Title -in (
        'Update Rollups',
        'Security Updates',
        'Critical Updates',
        'Service Packs',
        'Updates')
} | Set-WsusClassification -Verbose
</pre>
* Enable automatic synchronization:
<pre>
$subscription.SynchronizeAutomatically = $true
</pre>
* Schedule synchronization for midnight each night:
<pre>
$subscription.SynchronizeAutomaticallyTimeOfDay = (New-TimeSpan -Hours 0)
$subscription.NumberOfSynchronizationsPerDay=1
$subscription.Save()
</pre>
* Start a synchronization:
<pre>
$subscription.StartSynchronization()
</pre>
* To check on the progress of the synchronization:
<pre>
$subscription.GetSynchronizationProgress()
</pre>
* When the synchronization finishes, check the status:
<pre>
$subscription.GetLastSynchronizationInfo()
</pre>
h2. Connect Non-Domain Hosts
* Create a wsus.reg file:
<pre>
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"AcceptTrustedPublisherCerts"=dword:00000001
"ElevateNonAdmins"=dword:00000001
"TargetGroup"="Workstations"
"TargetGroupEnabled"=dword:00000000
"WUServer"="http://wsus.example.com:8530"
"WUStatusServer"="http://wsus.example.com:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000002
"UseWUServer"=dword:00000001
</pre>
* Then import the wsus.reg file into the Windows registry.
*NOTE*: If you receive an error when checking for updates, try resetting the authorization cookie on the client:
<pre>
wuauclt.exe /resetauthorization /detectnow
</pre>
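A check for the client policy that wsus.reg writes, as an added example that is not part of the original guide: it flags a WSUS URL that is not HTTPS, mismatched WUServer and WUStatusServer values, and a TargetGroup that is set while client-side targeting is disabled. The function name @Test-WsusClientPolicy@ is hypothetical, and the sample hashtables are constructed from the values in the wsus.reg file above.

```powershell
# Added example, not from the original guide. Test-WsusClientPolicy is a hypothetical helper.
function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory=$true)] $WU,   # values under ...\Windows\WindowsUpdate
        [Parameter(Mandatory=$true)] $AU    # values under ...\Windows\WindowsUpdate\AU
    )
    $findings = @()

    # Both URLs must parse, and plain HTTP leaves the client/server traffic unprotected.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]($WU.$name)
        $uri = $null
        if (-not [Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings += "$name is missing or not an absolute URL: '$value'"
        } elseif ($uri.Scheme -ne 'https') {
            $findings += "$name uses $($uri.Scheme)://, so traffic to the WSUS server is not protected by TLS"
        }
    }
    # The two values are only honoured when they name the same server.
    if ($WU.WUServer -ne $WU.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ'
    }
    # Without UseWUServer=1 the client ignores WUServer entirely.
    if ($AU.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so the WUServer value is ignored'
    }
    # TargetGroup only takes effect when client-side targeting is enabled.
    if ($WU.TargetGroup -and $WU.TargetGroupEnabled -ne 1) {
        $findings += "TargetGroup '$($WU.TargetGroup)' is set but TargetGroupEnabled is not 1"
    }
    if ($WU.ElevateNonAdmins -eq 1) {
        $findings += 'ElevateNonAdmins is 1: members of Users can approve or decline updates'
    }
    if ($WU.AcceptTrustedPublisherCerts -eq 1) {
        $findings += 'AcceptTrustedPublisherCerts is 1: signed non-Microsoft updates from WSUS are accepted'
    }
    return $findings
}

# Constructed sample: the values from the wsus.reg file in this guide.
$wu = @{ AcceptTrustedPublisherCerts = 1; ElevateNonAdmins = 1; TargetGroup = 'Workstations'
         TargetGroupEnabled = 0; WUServer = 'http://wsus.example.com:8530'
         WUStatusServer = 'http://wsus.example.com:8530' }
$au = @{ AUOptions = 2; UseWUServer = 1 }
Test-WsusClientPolicy -WU $wu -AU $au | ForEach-Object { "FINDING: $_" }

# On a client, pass the live policy keys instead (the path is the one wsus.reg writes to):
# $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Test-WsusClientPolicy -WU (Get-ItemProperty $key) -AU (Get-ItemProperty "$key\AU")
```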