Monday, January 3, 2011

Configuring Windows Server Update Services (WSUS)

You will need to go here to download the installer:  Link

If you need 32-bit WSUS, download the x86 file; for 64-bit WSUS, select x64.

Once you have it downloaded, run it and install with the default settings.  You can change the port if you want, but it is easier if you leave it on port 80.

The WSUS configuration wizard will pop up.  The defaults are still good until you reach the "Choose Language".  You must click connect to move forward. The next selection is the products you want WSUS to download patches for.  I recommend only selecting the ones you actually have installed because every patch downloaded takes up space.

The next section is "Choose Classifications".  I like to choose all of them except for Drivers, Feature Packs, and Tools.  Drivers can really screw machines up.  Drivers are best downloaded from the manufacturer's website.

Configure the server to synchronize automatically sometime in the middle of the night so it can download all necessary patches without increasing the load on the server.

Click Finish.

The next step is configuring group policy to tell the workstations where to get their updates from.  Open the group policy editor.  There are many ways to do this; any of them works.

Go to Computer Configuration --> Administrative Templates --> Windows Components --> Windows Update

** If by some chance you select that and there are only two settings listed, the WSUS template was not added.  To add it, right-click "Administrative Templates" and click "Add/Remove Templates".  The Windows Update template is called "wuau".  If it isn't listed, select Add and locate the file C:\Windows\inf\wuau.adm.  Click Open, then OK; the page will refresh and the settings should now show up. Source: Link

The minimum that needs to be configured are "Configure Automatic Updates" and "Specify Intranet Microsoft Update Service Location".

Under "Configure Automatic Updates", select Enabled, then "4 - Auto download and schedule the install".  Most commonly the patches are installed during the night so as not to interrupt the user, so you want to choose "0 - Every day" and a time after 12:00 AM.

Under "Specify Intranet Microsoft Update Service Location", select Enabled and enter http://thefullyqualifieddomainname.

The computer will check in with the server within the next 0-30 minutes to get any changes to group policy.

If you want to force this sooner, on the client machine open a command prompt (Start -> Run -> cmd or command) and type gpupdate /force.  After it pulls down the new policy, it can be checked by running rsop.msc from the command prompt.  Navigate to Computer Configuration --> Administrative Templates --> Windows Components --> Windows Update.  You should see settings that match what you just entered.
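The same check can be scripted on the client. The PowerShell below is an added example, not part of the original post: it reads the registry values these two policies write and compares them with the choices made above (PowerShell 3.0 or later assumed; the server URL is the placeholder from the previous step, and Get-PolicyValue is a helper defined here).

```powershell
# Added example: confirm the WSUS Group Policy settings reached this client.
# $ExpectedServer is a placeholder; pass the URL you entered in the policy.
param(
    [string]$ExpectedServer = 'http://thefullyqualifieddomainname'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing ($null) when the key or value is absent, i.e. the
    # policy has not been applied to this machine yet.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Registry value -> expected data for the settings chosen in this guide.
# WUStatusServer is the policy's second field (statistics server); this
# example assumes it was set to the same URL as the update server.
$checks = @(
    @{ Path = $wuKey; Name = 'WUServer';            Expected = $ExpectedServer }
    @{ Path = $wuKey; Name = 'WUStatusServer';      Expected = $ExpectedServer }
    @{ Path = $auKey; Name = 'UseWUServer';         Expected = 1 }  # use the intranet server
    @{ Path = $auKey; Name = 'NoAutoUpdate';        Expected = 0 }  # automatic updates enabled
    @{ Path = $auKey; Name = 'AUOptions';           Expected = 4 }  # auto download, scheduled install
    @{ Path = $auKey; Name = 'ScheduledInstallDay'; Expected = 0 }  # every day
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    # Compare as strings; ignore a trailing slash on the server URL.
    $ok = ($null -ne $actual) -and
          ("$actual".TrimEnd('/') -eq "$($c.Expected)".TrimEnd('/'))
    $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
    [pscustomobject]@{ Setting = $c.Name; Expected = $c.Expected; Actual = $shown; Ok = $ok }
}

$results | Format-Table -AutoSize
# The install hour (0-23) is whatever you picked, so it is only reported.
"ScheduledInstallTime: $(Get-PolicyValue -Path $auKey -Name 'ScheduledInstallTime')"

# Non-zero exit code if any setting is missing or different.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

A row showing "<not set>" means the policy has not reached the machine yet; run gpupdate /force and check again.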

To force it to check in with the WSUS server, run wuauclt /detectnow from the command prompt.  After running that command, run wuauclt /reportnow for the machine to push what updates it needs to the WSUS server.

Some other commands that can be used with wuauclt are listed below:


Source: Link

After a while, check back in the WSUS console and your workstations should start showing up.