As you may have noticed in the previous post 👉 https://beyondbaremetal.hashnode.dev/group-policy-objects-gpos-set-up we’ve set up Automatic updates via Group Policy Objects (GPOs), to download and install every Sunday at 4 am automatically.
That is NOT RECOMMENDED because there may be cases where Updates cause issues. The best practice is to have a dedicated Windows Server Update Services (WSUS) Server and a dedicated Engineer or Team who reviews the server periodically for known issues and then approves/applies the updates.
In our case, since the office is still small and in expansion, we will install the Windows Server Update Services (WSUS) role on BBM-FS01:
We created a dedicated WSUS (W) drive to store those updates (we can expand the size later).
Windows Server Update Services (WSUS) Install:
Navigate to Server Manager > Manage > Add Roles and Features > Server Roles > Windows Server Update Services
As we can see it will also add additional features (.NET, Web Server (IIS)):
Select Add features:
On the Features page just hit Next:
Now, some additional information, just select Next:
Review and check Role Services: WID Connectivity and WSUS Services:
On the Content page, we set the path to store the updates:
In our case it will be: W:\WSUS
Additional information about the Web Server Role (IIS), select Next:
Keep the defaults checked and hit Next:
We can check: Restart the destination server automatically if required and confirm; Yes:
The installation will start:
To complete the installation we need to set the Content directory path (leave it as it shows, W:\WSUS).
The installation will go on:
Success:
Then the WSUS Wizard will open, and we can opt out (uncheck) and hit Next:
In our case we will select: Synchronize from Microsoft Update:
No Proxy is needed for our setup, so just hit Next:
Connect to Upstream Server, Start connecting:
That will take between 10 and 30 minutes to connect, then hit Next:
Select the language, in our case only English:
Select the products, and be careful to not select ALL of them:
For our case, we will select Active Directory, Microsoft Defender Antivirus, Microsoft Defender for Endpoint, Microsoft Edge, Windows 10, and Windows 11.
For Classifications, we will select:
Critical Updates
Definition Updates
Security Updates
Updates
Upgrades
Let’s select Synchronize manually:
And just Next (without checking Begin initial synchronization)
All set:
Let’s go back to Server Manager > Tools > Windows Server Updates Services:
We can see that we have many other options for customization and settings:
Updates files and languages, Synchronization Schedule, Automatic Approvals, and much more:
Let’s go to run the initial synchronization now:
While the synchronization is cooking, let’s disable the previous GPO (for automatic updates):
Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update:
Let’s change it to Not Configured:
With that in place, let’s create a separate Group Policy Object (GPO):
Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update:
The first setting will be Specify intranet Microsoft update service location, in other words where the devices will reach out and pull the updates from.
NOTE: In a perfect scenario we will want to have an SSL certificate for this server, in our case we will continue without it.
Set the intranet update service for detecting updates to bbm-fs01:8530, this is the hostname of WSUS server and the default port: 8530.
Set the intranet statistic server: bbm-fs01:8530.
Let’s Configure Automatic Updates now:
Finally, let’s enable another option that will allow us to download optional features (language packs, language speech packs, and so on, that are NOT in WSUS) let’s navigate to Computer Configuration > Policies > Administrative Templates > System:
Specify Settings for optional component installation and component repair:
Set to Enabled.
Check on: Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS).
Finally, let’s link the WSUS GPO to the domain:
After the Group Policy Objects (GPO) have been created and saved, let’s run the command to forcibly apply them:
gpupdate /force
Let’s verify on BBM-DC01:
Navigate to Settings > Windows Updates:
Notice it says: *Some settings are managed by your organization (View Policies).
We can also check for updates
Verify the GPOs previously created are applying correctly:
Let’s do the same process with BBM-WS01:
We can also verify that the devices (computers and servers) are showing up now on the WSUS console:
There you have lot of information about Updates: needed, installed, with errors and so on.
We can then review the Updates available:
We can select any of them, do right click Approve:
The best practice is to first research the specific KB for known issues, if none are found, proceed to Approve.
Those updates will be available to download on the Server / Workstations after some time and they will be applied (automatically installed or showing a notification based on the GPO set previously).
And with this, we’ve set up our WSUS Server to manage Windows Updates for our environment in the proper way.
The next steps will be setting up the Remote Desktop Services (RDS) Server, Setting up Emails, and much more!
Stay tuned for more content.
Thanks for reading!
Link to the series 👉 https://beyondbaremetal.hashnode.dev/series/beyond-bare-metal-setup