What is WSUS?
WSUS helps controlling Windows update on client and server machines. In this article, we are not doing local publishing.
Firewall (Egress)
The following is needed to be allowed (access can be managed with proxy server):
- http://windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
- http://download.windowsupdate.com
- https://download.microsoft.com
- http://*.download.windowsupdate.com
- http://wustat.windows.com
- http://ntservicepack.microsoft.com
- http://go.microsoft.com
- http://dl.delivery.mp.microsoft.com
- https://dl.delivery.mp.microsoft.com
We’ll need to allow TCP port 80, 443, 8530, and 8531 to the above.
Firewall (Ingress)
- Port 8530-8531
System Requirement
In this article, we are using Windows Server 2019 Standard with the following specs:
- 1 CPU x 4 core (Xeon)
- 4 GB RAM
- Disk space
- 100GB C:\ for system, and
- 200GB E:\ for SQL and WSUS data
- Database
- SQL (default instance), and
- SSMS (can be installed on your own machine instead of server)
Domain Group used
- WSUS Administrators (assigned as database administrators too)
- If unable to login as group has been created recently, log off from WSUS server and log back in
Installation
DB Connection
First, we’ll check the DB connection.
- Launch SSMS with user in WSUS Administrators group
- Connect to WSUS server (e.g. WSUS01.example.com)
- Note down the SQL Server instance name
Server Manager
- Add role & feature
- Choose Windows Server Update Services
- On WSUS Role, uncheck WID Connectivity and instead pick SQL (as per required)
- Pick the directory of WSUS data (e.g. E:\WSUS\)
- Choose the installed database server instance
- After which, we can start installation process
WSUS console (client)
We can install WSUS console on our daily-driver using RSAT:
# Require elevated PowerShell
Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
Server Configuration
Post-Installation Task
- Open Post-deployment configuration for WSUS
- The task will auto complete without prompt
- Next, we’ll open the WSUS console from Server Manager > Tools
- Follow the configuration screen
Some of the configuration will require synchronization to be completed or cancelled
Remember to optimize the following:
- Products & Classification
- Languages
Securing
We are securing the WSUS server with internal CA
Requesting SSL from Internal CA
- Open elevated certlm.msc on wsus server
- Right click on Personal and choose Request New Certificate
- Type is WebServer
- Add the following value
- Common Name: single entry FQDN (e.g. wsus01.example.com)
- Country: 2 character country code (e.g. SG)
- OU
- Organization
- Locality
- State
- DNS: FQDN + computer name + CNAME (e.g. wsus01.example.com, wsus01, wsus)
- IP: IP address of this machine
- OK then enroll
Issue with cert will generate error 80072F8F
Applying SSL Certificate
On IIS, apply SSL Certificate for WSUS Administration site from HTTPS bindings settings
Force HTTPS
For each of the WSUS web services below, choose SSL Settings and Enable Require SSL, while ignoring Client certificates options:
- ApiRemoting30
- ClientWebService
- DSSAuthWebService
- ServerSyncWebService
- SimpleAuthWebService
Use SSL for client connection
Run the following in remote powershell (or elevated if running on wsus server directly)
cd "C:\Program Files\Update Services\Tools"
wsusutil configuressl $certificatename
# Certificate name is DNS name of wsus serverFirewall
Double check WSUS firewall on server is configured:
- TCP Protocol Port 8531 for secure communication is allowed
- TCP Protocol Port 8530 for normal communication is allowed
IIS Fine-Tuning
Summarized from Windows Server Update Services (WSUS) best practices – Configuration Manager | Microsoft Docs
- Open IIS
- Select WSUS Server > Application Pools, open advanced settings of WsusPool
- Configure the settings as per below
| Setting | Value |
| Queue Length | 2000 |
| CPU Limit | 70-80% |
| Limit Action | Throttle |
| Idle Time-Out (mins) | 0 |
| Ping Enabled | False |
| Private Memory Limit (KB) | 0 (unlimited, depend on the OS) |
| Regular Time Interval (mins) | 0 (prevent recycle) |
Client Update Configuration
Approach Summary
There are 2 ways to configure update clients (windows machine) to get updates from wsus server:
- Server-side targeting (default)
Assign client computers to computer groups by WSUS Admin console - Client-side targeting
Assign each client computer to computer groups by using policy settings. This is easier way to manage CI/CD
In this article, we are using client-side targeting.
Server Configuration
- In WSUS Administration Console, go-to Update Services > WSUS server > options
- Click on Computers
- Choose Use Group Policy or registry settings on computers and save the settings
Create Computer Groups
We will need to create computer groups by using WSUS Administration Console, whether we are using server-side targeting or client-side targeting.
- From Update Services Management Console, right click All Computers, and add new group
- We can add nested group
My group hierarchy as follow:
- Internal/Client
- Server/Client
Group Policy
Computer Configurations> Policies > Administrative Templates > Windows Components > Windows Update
- Configure Windows Update
- Automation Updates Detection Frequency
- Update Service location: https://wsus01.example.com:8531 for both update and statistics server
- Allow Automatic Update immediate installation
- Turn on recommended updates via Automatic Updates
- No auto-restart with logged on users for scheduled automatic updates
- Enable Client-Side Targetting
We’ll need to include custom CA root cert in Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certificate Authority.