Step 3: Configure WSUS

Published: February 29, 2012

Updated: January 24, 2013

Applies To: Windows Server 2012

After installing the WSUS server role on your server, you need to properly configure it. The following checklist describes the steps involved in performing the initial configuration for your WSUS server.

 

Task: Description

3.1. Configure network connections: Configure the cluster network by using the Network Configuration Wizard.

3.2. Configure WSUS by using the WSUS Configuration Wizard: Specify which credentials to use for system configuration and when adding new nodes to the cluster.

3.3. Configure client updates: Specify the naming convention to use when generating names automatically for new compute nodes.

3.4. Configure computer groups: Create a template that defines the steps to follow when configuring a compute node.

Before you start the configuration process, be sure that you know the answers to the following questions:

  1. Is the server's firewall configured to allow clients to access the server?

  2. Can this computer connect to the upstream server (such as the server that is designated to download updates from Microsoft Update)?

  3. Do you have the name of the proxy server and the user credentials for the proxy server, if you need them?

By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates. If you have a proxy server on the network, you can configure WSUS to use the proxy server. If there is a corporate firewall between WSUS and the Internet, you might have to configure the firewall to ensure that WSUS can obtain updates.

Tip
Although Internet connectivity is required to download updates from Microsoft Update, WSUS offers you the ability to import updates onto networks that are not connected to the Internet.

When you have the answers for these questions, you can start configuring the following WSUS network settings:

  • Updates   Specify the way this server will obtain updates (from Microsoft Update or from another WSUS server).

  • Proxy   If you identified that WSUS needs to use a proxy server to have Internet access, you need to configure proxy settings in the WSUS server.

  • Firewall   If you identified that WSUS is behind a corporate firewall, there are some additional steps that must be done at the edge device to properly allow WSUS traffic.

If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure that WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 8530 for HTTP protocol and port 443 for HTTPS protocol. Although most corporate firewalls allow this type of traffic, some companies restrict Internet access from servers due to the company’s security policies. If your company restricts access, you need to obtain authorization to allow Internet access from WSUS to the following list of URLs:

Note
WSUS 3.0 uses port 80 by default. However, in Windows Server 2012, WSUS 4.0 uses port 8530 by default.

  • http://windowsupdate.microsoft.com

  • http://*.windowsupdate.microsoft.com

  • https://*.windowsupdate.microsoft.com

  • http://*.update.microsoft.com

  • https://*.update.microsoft.com

  • http://*.windowsupdate.com

  • http://download.windowsupdate.com

  • http://download.microsoft.com

  • http://*.download.windowsupdate.com

  • http://wustat.windows.com

  • http://ntservicepack.microsoft.com

Important
For a scenario in which WSUS fails to obtain updates due to firewall configurations, see article 885819 in the Microsoft Knowledge Base.
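To confirm that the firewall authorization took effect, the following added example (not part of the original Microsoft procedure) tests outbound TCP connections from the WSUS server to the non-wildcard hosts in the list above. It assumes direct connectivity without a proxy; the function name `Test-TcpEndpoint` is hypothetical.

```powershell
# Added example: outbound reachability check, run on the WSUS server.
# Only the concrete host names from the list are tested; wildcard entries
# (for example *.update.microsoft.com) must be verified in the firewall rules.
# Port 80 is the default port for the http:// URLs in the list.
$endpoints = @(
    @{ Name = 'windowsupdate.microsoft.com'; Port = 80 },
    @{ Name = 'download.windowsupdate.com';  Port = 80 },
    @{ Name = 'download.microsoft.com';      Port = 80 },
    @{ Name = 'wustat.windows.com';          Port = 80 },
    @{ Name = 'ntservicepack.microsoft.com'; Port = 80 }
)

function Test-TcpEndpoint {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so that a silently dropped packet ends in a
        # bounded timeout instead of a long hang.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (likely filtered)'
        }
        $client.EndConnect($async)
        return 'Open'
    } catch {
        # DNS failures and active refusals end up here.
        return "Failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

$endpoints | ForEach-Object {
    [pscustomobject]@{
        Host   = $_.Name
        Port   = $_.Port
        Result = Test-TcpEndpoint -HostName $_.Name -Port $_.Port
    }
} | Format-Table -AutoSize
```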

The following procedure describes how to configure a corporate firewall that is positioned between WSUS and the Internet. Because WSUS initiates all the network traffic, you do not have to configure Windows Firewall on the WSUS server. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port.

This procedure assumes that you are using the WSUS Configuration Wizard, which appears the first time you launch the WSUS Management Console. Later in this topic, you will learn how to perform these configurations by using the Options page:

  1. In the Server Manager navigation pane, click Dashboard, click Tools, and then click Windows Server Update Services.

  2. If the Complete WSUS Installation dialog box appears, click Run.

  3. In the Complete WSUS Installation dialog box, click Close when the installation successfully finishes.

  4. The Windows Server Update Services Wizard appears. On the Before you Begin page, click Next.

  5. Read the instructions on the Join the Microsoft Update Improvement Program page and evaluate if you want to participate. If you want to participate in this program, click Next to proceed.

  6. On the Choose Upstream Server page, you have the option to synchronize the updates with Microsoft Update or with another WSUS server.

    • If you choose to synchronize from another WSUS server, specify the server name and the port on which this server will communicate with the upstream server.

    • To use SSL, select the Use SSL when synchronizing update information check box. The servers will use port 443 for synchronization. (Make sure that this server and the upstream server support SSL).

    • If this is a replica server, select the This is a replica of the upstream server check box.

  7. After selecting the proper options for your deployment, click Next to proceed.

  8. On the Specify Proxy Server page, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes.

    Important
    You must complete the previous step if you identified that WSUS needs a proxy server to have Internet access.

  9. If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box.

  10. At this point, you are finished with the proxy server configuration. Click Next to go to the next page, where you can start to set up the synchronization process.

  11. On the Connect to Upstream Server page, click Start Connecting.

  12. When it connects, click Next to proceed.

  13. On the Choose Languages page, you have the option to select the languages from which WSUS will receive updates—all languages or a subset of languages. Selecting a subset of languages will save disk space, but it is important to choose all of the languages that are needed by all the clients of this WSUS server. If you choose to get updates only for specific languages, select Download updates only in these languages, and then select the languages for which you want updates; otherwise, leave the default selection.

  14. After selecting the appropriate language options for your deployment, click Next to continue.

    Warning
    If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages.

  15. The Choose Products page allows you to specify the products for which you want updates. Select product categories, such as Windows, or specific products, such as Windows Server 2008. Selecting a product category selects all the products in that category.

  16. After selecting the appropriate product options for your deployment, click Next to continue.

  17. On the Choose Classifications page, select the update classifications that you want to obtain. Choose all the classifications or a subset of them, and then click Next to continue.

  18. On the Set Sync Schedule page, choose whether to perform synchronization manually or automatically.

    • If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console.

    • If you choose Synchronize automatically, the WSUS server will synchronize at set intervals.

    Set the time for the First synchronization and specify the number of Synchronizations per day that you want this server to perform. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M.

  19. After selecting the appropriate synchronization options for your deployment, click Next to continue.

  20. On the Finished page, you have the option to start the synchronization now by selecting the Begin initial synchronization check box. If you do not select this option, you need to use WSUS Management Console to perform the initial synchronization. Click Next if you want to read more about additional settings, or you can click Finish to conclude this wizard and finish the initial WSUS setup.

  21. After you click Finish, the WSUS Management Console appears.
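The same choices can be applied without the wizard. The following is an added example, not Microsoft's script: it uses the UpdateServices PowerShell module and the WSUS administration API on the server, and the proxy name, language, product and classification values are placeholders.

```powershell
# Added example (not from the original page). Run elevated on the WSUS server.
# Proxy name, language, product and classification values are placeholders.
$wsus = Get-WsusServer

# Step 6: choose the upstream server. For another WSUS server use instead:
#   Set-WsusServerSynchronization -UssServerName '<upstream>' -PortNumber <port> -UseSsl
Set-WsusServerSynchronization -SyncFromMU | Out-Null

# Steps 8-9: proxy settings (only if WSUS needs a proxy for Internet access).
$config = $wsus.GetConfiguration()
$config.UseProxy        = $true
$config.ProxyName       = 'proxy.example.internal'   # placeholder
$config.ProxyServerPort = 80                         # wizard default
# Keep basic authentication off so proxy credentials are not sent in cleartext.
$config.AllowProxyCredentialsOverNonSsl = $false

# Step 13: download updates only in the languages the clients need.
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# Steps 11-12: "Start Connecting" is a category-only synchronization that
# fetches the product and classification lists used in the next steps.
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 10
}

# Steps 15-17: enable the wanted products and classifications.
$products = @('Windows Server 2008')
$classes  = @('Critical Updates', 'Security Updates')
Get-WsusProduct |
    Where-Object { $_.Product.Title -in $products } | Set-WsusProduct
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $classes } | Set-WsusClassification

# Steps 18-20: four automatic synchronizations per day, the first at 03:00,
# then start the initial synchronization.
$sub = $wsus.GetSubscription()   # re-read after the category changes
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$sub.NumberOfSynchronizationsPerDay    = 4
$sub.Save()
$sub.StartSynchronization()
```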

Now that you have performed the basic WSUS configuration, read the next sections for more details about changing the settings by using WSUS Management Console.

WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server. The best way to configure Automatic Updates depends on the network environment.

  • In an environment that uses Active Directory directory service, you can use an existing domain–based Group Policy Object (GPO) or create a new GPO.

  • In an environment without Active Directory, use the Local Group Policy Editor to configure Automatic Updates, and then point the client computers to the WSUS server.

Important
The following procedures assume that your network runs Active Directory. These procedures also assume that you are familiar with Group Policy and you use it to manage the network.

Use the following procedures to configure Automatic Updates for client computers:

Perform the first two procedures on the domain–based GPO of your choice, and perform the last procedure at a command prompt on the client computer.

If you have set up Active Directory in your network, you can configure one or multiple computers simultaneously by including them in a Group Policy Object (GPO), and then configuring that GPO with WSUS settings. We recommend that you create a new GPO that contains only WSUS settings.

Link this WSUS GPO to an Active Directory container that is appropriate for your environment. In a simple environment, you might link a single WSUS GPO to the domain. In a more complex environment, you might link multiple WSUS GPOs to several organizational units (OUs), which will enable you to apply different WSUS policy settings to different types of computers.

  1. In the Group Policy Management Console (GPMC), browse to the GPO on which you want to configure WSUS, and then click Edit.

  2. In the GPMC, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  3. In the details pane, double-click Configure Automatic Updates.

  4. Click Enabled, and then click one of the following options under the Configure automatic updating setting:

    • Notify for download and notify for install. This option notifies a logged-on administrative user before you download and install the updates.

    • Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates.

    • Auto download and schedule the install. This option automatically begins downloading updates and then installs the updates on the day and time that you specify.

    • Allow local admin to choose setting. This option lets local administrators use Automatic Updates in Control Panel to select a configuration option. For example, they can choose a scheduled installation time. Local administrators cannot disable Automatic Updates.

  5. Click OK.

  6. In the Windows Update details pane, double-click Specify intranet Microsoft update service location.

  7. Click Enabled, and then type the URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http://servername in both boxes (where servername is the name of the WSUS server), and then click OK.

Warning
When you type the intranet address of your WSUS server, make sure to specify which port is going to be used. By default, WSUS will use port 8530 for HTTP and 8531 for HTTPS. For example, if you are using HTTP, you should type http://servername:8530.

After you set up a client computer, it will take several minutes before the computer appears on the Computers page in the WSUS Administration Console. For client computers that are configured with a domain-based Group Policy Object, it can take about 20 minutes for Group Policy to apply the new policy settings to the client computer. By default, Group Policy updates in the background every 90 minutes, with a random offset of 0–30 minutes. If you want to update Group Policy sooner, you can open a Command Prompt window on the client computer and type gpupdate /force.

For client computers that are configured by using the Local Group Policy Editor, the GPO is applied immediately, and the update takes about 20 minutes. If you begin detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS.

Because waiting for detection to start can be a time-consuming process, you can use the following procedure to initiate detection immediately.

  1. On the client computer, open a Command Prompt window with elevated privileges.

  2. Type wuauclt.exe /detectnow, and then press ENTER.
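To check that the GPO settings described above reached a client, the following added example (not part of the original page) reads the Windows Update policy values from the client's registry and compares them with the guidance in this section. The registry path and value names are where these policies are stored and do not appear on the page; the function name `Get-WsusClientPolicy` is hypothetical.

```powershell
# Added example: audit the applied Windows Update policy on a client computer.
function Get-WsusClientPolicy {
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$root\AU" -ErrorAction SilentlyContinue
    # AUOptions values for the four "Configure automatic updating" choices.
    $auOptions = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $findings = @()
    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'WUServer is not set; policy not applied yet (gpupdate /force)'
    } else {
        if ($wu.WUServer -ne $wu.WUStatusServer) {
            $findings += 'WUServer and WUStatusServer differ; both should name the same server'
        }
        $uri = $null
        if (-not [Uri]::TryCreate($wu.WUServer, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "WUServer '$($wu.WUServer)' is not an absolute URL"
        } else {
            # WSUS defaults: 8530 for HTTP, 8531 for HTTPS. A URL without an
            # explicit port resolves to 80 or 443 and is reported here.
            $expected = if ($uri.Scheme -eq 'https') { 8531 } else { 8530 }
            if ($uri.Port -ne $expected) {
                $findings += "Port $($uri.Port) is not the WSUS default $expected for $($uri.Scheme)"
            }
        }
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1; the client does not use the intranet server'
    }
    $mode = 'Not configured'
    if ($au -and $au.AUOptions) { $mode = $auOptions[[int]$au.AUOptions] }
    [pscustomobject]@{
        WUServer       = if ($wu) { $wu.WUServer } else { $null }
        WUStatusServer = if ($wu) { $wu.WUStatusServer } else { $null }
        UpdateMode     = $mode
        Findings       = $findings
    }
}

Get-WsusClientPolicy | Format-List
```

A deliberately chosen custom port is reported as a finding as well; treat it as a prompt to confirm the value against the WSUS server's IIS binding.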

Computer groups are an important part of Windows Server Update Services (WSUS) deployments. Computer groups permit you to test and target updates to specific computers. There are two default computer groups: All Computers and Unassigned Computers. By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of these groups.

You can create as many custom computer groups as you need to manage updates in your organization. As a best practice, create at least one computer group to test updates before you deploy them to other computers in your organization.

Use the following procedure to create a new group and assign a computer to this group:

  1. In the WSUS Administration Console, expand Computers, right-click All Computers, and then click Add Computer Group.

  2. In the Add Computer Group dialog box, specify the Name of the new test group, and then click Add.

  3. Click Computers, and then select the computers that you want to assign to this new group.

  4. Right-click the computer names that you selected in the previous step, and then click Change Membership.

  5. In the Set Computer Group Membership dialog box, select the test group that you created, and then click OK.
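The same group setup can be scripted. The following is an added example, not part of the original page: it uses the UpdateServices module and the WSUS administration API on the server, and the group name and computer name filter are placeholders.

```powershell
# Added example: create a test group, move selected computers into it, and
# list what is still unassigned. Run elevated on the WSUS server.
$wsus      = Get-WsusServer
$groupName = 'Update Test Group'   # placeholder name
$nameMatch = 'TESTPC'              # placeholder filter for the pilot computers

# Create the group only if it does not exist yet, so the script can be rerun.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) {
    $group = $wsus.CreateComputerTargetGroup($groupName)
}

# Equivalent of Change Membership for every computer whose name matches.
Get-WsusComputer -NameIncludes $nameMatch |
    Add-WsusComputer -TargetGroupName $groupName

# Verify the membership of the test group.
$group.GetComputerTargets() |
    Select-Object FullDomainName, LastSyncTime |
    Format-Table -AutoSize

# Computers that contacted the server but were never placed in a custom group.
Get-WsusComputer -ComputerTargetGroups 'Unassigned Computers' |
    Select-Object FullDomainName, LastSyncTime |
    Format-Table -AutoSize
```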

© 2013 Microsoft. All rights reserved.