Windows Server Update Services 2012: Configuration
In part one of this series about Windows Server Update Services (WSUS) in Windows Server 2012, I described how to install the necessary prerequisite components for WSUS and how to carry out post-installation tasks. Today in part two, I’ll cover how to configure client computers to use your local WSUS instead of Microsoft Update, and how to configure WSUS to distribute updates to different groups of computers. Finally, in part three, I’ll go over WSUS 2012, reporting, and PowerShell.
Configuring Client Computers to Use WSUS
To configure our client computers to connect to the new WSUS server, we’re going to create a Group Policy Object (GPO) to apply the necessary settings across the selected devices:
- In Server Manager, click Group Policy Management from the Tools menu.
- Expand your AD forest and domain in the left pane of the Group Policy Management Console (GPMC). Right-click your AD domain and select Create a GPO in this domain, and Link it here… from the menu.
- In the New GPO dialog, name the new GPO WSUS and click OK.
- Right-click the WSUS GPO under your domain in the left pane of GPMC and select Edit from the menu. The Group Policy Management Editor will open in a separate window.
- In the Group Policy Management Editor window, expand Computer Configuration > Policies > Administrative Templates > Windows Components and click Windows Update.
- In the right pane, double-click Configure Automatic Updates.
- In the Configure Automatic Updates dialog, select Enabled.
- Under Options, select Auto download and notify for install and click OK.
- In the Group Policy Management Editor, double click Specify intranet Microsoft update service location.
- Check Enabled in the policy dialog box and type http://<servername>:8530 for the intranet update service and intranet statistics server under Options, replacing <servername> with the name of your WSUS server. Click OK to continue.
Don’t forget that Group Policy settings can take up to 90 minutes to apply. If you want to speed up this process to test if your WSUS configuration is working, log on to a machine in your domain with local administrator privileges and run gpupdate /force followed by wuauclt.exe /detectnow. Then open Windows Update in the Control Panel and click Check for updates. Even if there are no available approved updates on your WSUS server, the local machine should connect to WSUS and report that no update are available.
Create a WSUS Group
By default there are two WSUS groups: All Computers and Unassigned Computers. As a minimum, you should create an additional group that will include a selection of computers that you use for testing before deploying updates to all devices.
- Open Server Manager on your WSUS server from the desktop Task Bar or Start screen.
- Select Windows Server Update Services from the Tools menu.
- In the Update Services management console, expand Computers in the left pane and select All Computers. In the central pane, you should see all computers in your domain that are using WSUS to receive updates.
- In the Actions pane on the right, click Add Computer Group…
- In the Add Computer Group dialog, name the new group Testing and click Add.
- In the left pane, click All Computers. Right-click a computer(s) you want to add to the new Testing group and select Change Membership from the menu.
- In the Set Computer Group Membership dialog, check the Testing group and click OK.
- Now click the Testing group in the left pane under Computers and you should see any computers you selected in the last step listed.
Approve Updates Manually
Before WSUS will distribute any updates to clients, they must be approved by an administrator. It’s also possible to set updates to be automatically approved.
- Start by checking that WSUS has successfully synchronized updates by clicking Synchronizations in the left pane of the Update Services management console. There you should see at least one successful report. If not, right click Synchronizations in the left pane and select Synchronize Now from the menu and wait for the sync to complete.
- Once updates have been synchronized from Microsoft Update to WSUS, expand Updates in the left pane and select Critical Updates.
- For testing purposes, I’m going to approve only one update. Right-click the first update shown in the central pane and select Approve from the menu.
- In the Approve Updates dialog, click the icon to the left of the Testing group, select Approve for Install from the menu and click OK.
- Click Close in the Approval Progress dialog once the approval process has completed.
Log on to a machine on your network that’s a member of the WSUS Testing group as a local administrator, open Windows Update in the Control Panel and click Check for updates. You should now see an update available for download. Click Install updates to make sure everything is working properly.
Configure Automatic Approvals
If you don’t want to manually approve every update, WSUS allows you to automatically approve updates according to a simple set of rules. In this example, I’m going to approve all updates for the Testing group.
- In the left pane of the Update Services management console, click Options.
- In the central pane, click Automatic Approvals.
- On the Update Rules tab in the Automatic Approvals dialog, click New Rule.
- In the Add Rule dialog, click all computers under Step 2.
- In the Choose Computer Groups dialog, deselect all groups apart from Testing and click OK.
- In the Add Rule dialog, name the rule Testing in Step 3 and click OK.
- Make sure the Testing rule is selected and checked in the Automatic Approvals dialog and click Run Rule.