Enabling WSUS on Windows Server 2012 Essentials
May 31, 2013
First, on your Essentials Server you will need to install this hotfix. After you install this hotfix, the WSUS role is available.
That is correct: WSUS is a role, not something you need to download as it was previously.
Given that I am partial to a bit of PowerShell, I thought that rather than use a boring GUI I'd do this the, er, PowerShell way.
Open an Administrative PowerShell window, and type in:
This will install the relevant components to your Essentials Server.
We can then set about configuring WSUS, and getting your computers registered.
When you open WSUS from Administrative Tools you will need to choose a location in which to store your updates, assuming you want to store them locally on this server and not have your clients download them directly from Microsoft.
I created a folder on the C Drive called WSUS.
Next, a wizard will start to configure the more detailed WSUS settings.
You can choose things like whether to sync updates in different languages, which products to sync, the types of update to sync, and the schedule.
I recommend you review, and only select the products that are in use on your network.
I am choosing to leave the synchronisation schedule as manual until I have completed my WSUS configuration.
I have chosen not to start the initial sync now, because I want to configure some additional items first.
Inside the WSUS Console go to Options, expand Computers, and right-click on ‘All Computers’. Click Add Computer Group and type a name for the group. I am adding two groups, one for Client PC and one for the Essentials Server.
Next, go to Options. Click on Computers, and set the option to ‘Use Group Policy settings on Computers’.
This will allow us to automatically put Computers into the Groups we specify.
Next, go to Automatic Approvals. Here we can create a rule to automatically approve updates of a certain type.
I want to create a new rule to auto-approve all Office 2013 updates. Click New Rule.
Check the box for ‘Specific Product’ and in ‘Step 2’ choose Microsoft Office 2013. You can also choose to apply this rule only to a specific group of computers.
Enter a Name for the Rule, and click OK to save.
You can also go ahead and configure the Email reporting if you wish.
Next, switch to the Group Policy Management Console.
We will create 3 group policies.
The first policy we will create will be for generic settings. The other two will target the client computers and the server.
Right-click your domain name, and click ‘Create a GPO in this Domain, and link it here’.
Name your policy: Essentials 2012 WSUS Settings.
Repeat this again to create: Essentials 2012 WSUS Client Settings & Essentials 2012 WSUS Server Settings.
If you have used the Essentials 2012 Implement Group Policy wizard, you will already have a WMI filter in place that will detect a client PC. If you have not, you will need to create a WMI filter to filter your client computers.
We will then configure our Client GPO to use this WMI Filter.
You may want to consider creating a WMI filter for your Server Settings GPO using ‘Product Type 3’.
Next, we can configure the GPOs themselves.
Starting with our Generic policy, we can add the settings to tell the clients how to connect to WSUS.
Edit your GPO, and navigate down to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
Look for the setting named ‘Specify intranet Microsoft Update Service Location’. Set this to Enabled and enter your server name and the port that WSUS is running on. By default it is 8530.
I am also setting the detection frequency to 8 hours and turning on Recommended Updates.
Next, we can go to the Client Settings GPO and edit the setting for Enabling Client Side Targeting. We can type in the name of our Computer Group, and then we can set our policy settings for ‘Configure Automatic Updates’.
You can adjust these settings to suit your environment, and then repeat the same process for the final GPO which will apply only to the Essentials Server.
After a Group Policy refresh you should see your computers start to appear in WSUS in the groups we created.
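To confirm that a client really picked up the GPOs after the refresh, the PowerShell check below reads the policy registry values that the settings above write and compares them with what was configured. It is an added example, not part of the original post; the server name `essentials01` and the group name `Client PC` are assumed, so substitute your own.

```powershell
# Added example (not from the original post): audit the WSUS policy a client received.
# Assumed values: server name 'essentials01' and group name 'Client PC'.
$Server = 'http://essentials01:8530'
$Group  = 'Client PC'
$WUKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues([string]$Path) {
    # Return the registry values under $Path as a hashtable (empty if the key is absent).
    $values = @{}
    if (Test-Path $Path) {
        foreach ($p in (Get-ItemProperty -Path $Path).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    $values
}

function Test-WsusClientPolicy([hashtable]$WU, [hashtable]$AU, [string]$Server, [string]$Group) {
    # Compare the policy values against the settings configured in the three GPOs.
    $f = @()
    if ($AU.UseWUServer -ne 1) { $f += 'UseWUServer is not 1: the intranet update location is not in effect' }
    if ($WU.WUServer -ne $Server) { $f += "WUServer is '$($WU.WUServer)', expected '$Server'" }
    if ($WU.WUStatusServer -ne $Server) { $f += "WUStatusServer is '$($WU.WUStatusServer)', expected '$Server'" }
    if ($WU.TargetGroupEnabled -ne 1) {
        $f += 'Client-side targeting is not enabled'
    } elseif ($WU.TargetGroup -ne $Group) {
        $f += "TargetGroup is '$($WU.TargetGroup)', expected '$Group'"
    }
    if ($AU.DetectionFrequencyEnabled -ne 1 -or $AU.DetectionFrequency -ne 8) {
        $f += 'Detection frequency is not set to 8 hours'
    }
    if ($AU.IncludeRecommendedUpdates -ne 1) { $f += 'Recommended updates are not turned on' }
    if ("$($WU.WUServer)" -like 'http://*') {
        $f += 'Note: WUServer is plain HTTP, so update metadata is not protected in transit'
    }
    $f
}

# Constructed sample: a client that got the generic GPO but not the client-targeting GPO.
$sampleWU = @{ WUServer = $Server; WUStatusServer = $Server }
$sampleAU = @{ UseWUServer = 1; DetectionFrequencyEnabled = 1; DetectionFrequency = 8; IncludeRecommendedUpdates = 1 }
'--- constructed sample ---'
Test-WsusClientPolicy $sampleWU $sampleAU $Server $Group

# Live check on this machine (run after gpupdate /force).
'--- this computer ---'
$findings = @(Test-WsusClientPolicy (Get-PolicyValues $WUKey) (Get-PolicyValues "$WUKey\AU") $Server $Group)
if ($findings.Count -eq 0) { 'All WSUS policy values match.' } else { $findings }
```

A client that reports only the client-side targeting finding usually means the WMI filter on the Client Settings GPO did not match that machine.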
Once you are happy with this, you can start the initial sync of WSUS, which will start to download the patches and updates you have selected and then start to push them out to your clients. You can then configure the sync schedule to occur automatically.
If your computer is not a member of the domain, you will need to configure the Local Group Policy or the registry in order to point it to your WSUS server. I will cover those steps in a follow-up post!