This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. This video is a step-by-step guide to installing and configuring WSUS (Windows Server Update Services) on Windows Server 2016. With WSUS we can configure all of our servers to be updated automatically, ensuring that security updates are installed quickly from a central location. WSUS can also publish custom update packages to update Microsoft and non-Microsoft products, and a software update point (for example, in Configuration Manager) interacts with the WSUS services to configure the software update settings and to request synchronization of software update metadata.

In the first place, let me cover the WSUS lab setup. I consider that the best way to master WSUS is to deploy and configure it in a test or lab environment first. The following procedures assume that your network runs Active Directory. Basically, you should confirm that other Windows machines can connect to the WSUS server, and that the WSUS server can connect to the Internet to download updates: at least one WSUS server in your network must be able to reach Microsoft Update. Although Internet connectivity is required to download updates from Microsoft Update, WSUS also offers you the ability to import updates onto networks that are not connected to the Internet. So let's start.

Step 1: Plan the network settings

When you know how the server will reach its update source, you can configure the following WSUS network settings. Updates: specify the way this server will obtain updates (from Microsoft Update or from another WSUS server). Although the connection between Microsoft Update and WSUS requires outbound ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with each other on a custom port. The default ports are the same as those specified in the preceding section, Connection between WSUS servers, and the firewall on the WSUS server must also be configured to allow inbound traffic on these ports. The listening interfaces and ports are configured in the IIS site(s) for WSUS and in any Group Policy settings used to configure client PCs. Deploy Internet Protocol security (IPsec) to help secure network traffic between clients, downstream servers and the WSUS server; for more information about IPsec, see Creating and Using IPsec Policies.

If you have a proxy server on the network, you can configure WSUS to use it. You can set up one proxy server that handles both protocols for WSUS during the WSUS server software installation. To set up two proxy servers, each of which handles one protocol for WSUS, set one channel to use HTTP and the other channel to use HTTPS, using the following procedure.

To add a proxy server that uses the HTTP protocol: log on to the computer that is to be the WSUS server by using an account that is a member of the local Administrators group. Open the Windows Server Update Services console (from the Tools menu in Server Manager, or from Start, All Programs, Administrative Tools). In the left pane, expand the server name, and then click Options. In the Options pane, click Update Source and Proxy Server, and then click the Proxy Server tab. Select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes. If the proxy server requires that you use a specific user account, select the Use user credentials to connect to the proxy server check box. If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box; because that password crosses the network unencrypted, use a dedicated proxy account with no other rights. The same options appear on the Specify Proxy Server page of the Configuration Wizard.

Step 2: Install the WSUS server role

Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the local Administrators group. We can install WSUS either with PowerShell or through the GUI. Install from PowerShell and voilà, you're done! WSUS can also be installed through Server Manager; simply follow the process below, but be warned that there is a lot more work involved than simply running the PowerShell cmdlet. On the "Before you begin" page, click Next. Select the required installation type and click Next to move on. Select the Windows Server Update Services role; some additional features are automatically selected for you as per the previous step. WID is the Windows Internal Database, the default database for WSUS. Download WSUS WORKGROUP and execute the.

After WSUS has been added as a server role, run the post-installation process to complete the whole installation; if the Complete WSUS Installation dialog box appears, click Run. This will take about 5-10 minutes. After looking at the log file indicated in the Notification window, here is what I found:

WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server. Once installation has successfully completed, we can open the WSUS console and complete our configuration.

Step 3: Run the Configuration Wizard

Once you have installed WSUS through either PowerShell or the GUI, it is time to configure it properly. Log on to the WSUS server by using an account that is a member of the WSUS Administrators group or the local Administrators group, and open the WSUS console from the Tools menu in Server Manager. When the wizard launches, click Next. Choose whether or not you want to join the Microsoft Update Improvement Program; as I am running a test instance, I have chosen not to join, so as not to provide false test data.

Next, choose your upstream server. On the Choose Upstream Server page there are two options: Synchronize the updates with Microsoft Update, and Synchronize from another Windows Server Update Services server. By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates, and if this is your first WSUS server you will likely want to leave that default and synchronize over the Internet. Alternatively, if you already have another WSUS server that stores the update files, you can specify it here to synchronize with it as a downstream server; specify the server name and the port on which this server will communicate with the upstream server. Clients and downstream servers that are configured to use Transport Layer Security (TLS) or HTTPS must also be configured to use a fully qualified domain name (FQDN) for their upstream WSUS server. After selecting the appropriate synchronization options for your deployment, click Next to continue.

On the Connect to Upstream Server page, click Start Connecting. You'll need to wait a while as WSUS attempts to connect to the upstream server, either on the Internet or within your own network, depending on your selection in the previous step.

On the Choose Languages page, selecting a subset of languages will save disk space, but it is IMPORTANT to choose all of the languages that are needed by all the clients of this WSUS server.

The Choose Products page allows you to specify the products for which you want updates; selecting a product category selects all the products in that category. Updates for the selected products will be stored on our WSUS server, so the more you pick, the more disk space you will require. Keep in mind, though, that update files are not downloaded until the updates have been approved. Select the appropriate product options for your deployment, and then click Next. On the Choose Classifications page, select the update classifications that you want to obtain.

On the Set Sync Schedule page, manual synchronization is the default; we will change this to happen a few times per day. If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console; if you choose Synchronize automatically, the WSUS server will synchronize at set intervals. On the final page, select Begin initial synchronization; if you do not select this option, you need to use the WSUS Management Console to perform the initial synchronization. Click Finish to close the window.

When the initial synchronization has completed, we will be able to configure computer groups, approvals and reporting, which we will cover in separate posts. There are two default computer groups: All Computers and Unassigned Computers. To move a client into a group of your own, use the Set Computer Group Membership dialog box: select the test group that you created, and then click OK. Under the Updates node you can take a look at all of the updates that have now been downloaded for Windows Server 2016 and Windows 10.

Step 4: Configure Group Policy Settings for Automatic Updates

The best way to configure Automatic Updates depends on the network environment. In an environment without Active Directory, use the Local Group Policy Editor to configure Automatic Updates, and then point the client computers to the WSUS server. Otherwise, create a WSUS GPO and use the following procedure to specify how and when automatic updates are applied to client computers.

In the Windows Update details pane, double-click Specify intranet Microsoft update service location. Click Enabled, and then, in the Set the intranet update service for detecting updates and Set the intranet statistics server text boxes, type the same URL of the WSUS server. For example, type http://servername in both boxes (where servername is the name of the WSUS server). Then double-click Configure Automatic Updates; the policy opens, and you can choose, for example, Auto download and notify for install, or Auto download and schedule the install. Once this policy applies, local administrators cannot disable Automatic Updates.

Link this WSUS GPO to an Active Directory container that is appropriate for your environment. In a more complex environment, you might link multiple WSUS GPOs to several organizational units (OUs), which will enable you to apply different WSUS policy settings to different types of computers.

By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0-30 minutes. For client computers that are configured with a domain-based Group Policy Object, it can take about 20 minutes for Group Policy to apply the new policy settings to the client computer. For client computers that are configured by using the Local Group Policy Editor, the GPO is applied immediately, but detection still takes about 20 minutes. Because waiting for detection to start can be a time-consuming process, you can initiate detection manually; if you do, you do not have to wait 20 minutes for the client computer to contact WSUS.

Step 5: Secure WSUS with SSL

WSUS uses SSL to encrypt update metadata. The update files themselves are not sent over SSL: Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update, and in addition a hash is computed and sent together with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and the hash; if the update has been changed, it is not installed. This is the same way that Microsoft Update distributes updates. You should expect about a 10 percent loss of performance because of the cost of encrypting all the metadata that is sent over the network.

By default, anonymous read access is enabled for the default and all new IIS websites. Require SSL only for the virtual roots that carry metadata and authentication, not for the ones that serve update content. For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7). Then tell WSUS about the certificate: at the top of the Start menu, right-click Command Prompt, and then click Run as administrator. In the Command Prompt window, go to the C:\Program Files\Update Services\Tools folder and type the following command, where certificateName is the DNS name of the WSUS server:

Consider the following examples: if you use the industry-standard port 443 for HTTPS traffic, WSUS uses the industry-standard port 80 for clear HTTP traffic; if you use port 8531 for HTTPS, WSUS uses port 8530 for HTTP.

The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or into the Windows Server Update Service Trusted Root CA store on downstream WSUS servers. When you configure SSL on client computers, you should consider the following issues: you must include a URL for a secure port on the WSUS server; if you use any port other than 443 for SSL, you must include that port in the URL as well; and you must import the certificate to all computers that will communicate with the WSUS server. Accomplishing this turned into a manual task that was very hard either to do by hand or to automate successfully (after discovering that it expired); WSUS offered no functionality to enable this.
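The installation and Configuration Wizard steps above, as one PowerShell script. This is an added example, not code from the original post: it uses the UpdateServices module cmdlets and the IUpdateServer API that the console itself calls. The content path, proxy name, product titles, language and schedule are assumptions to replace for your environment.

```powershell
# Added example (not from the original post). Run elevated on the future WSUS server.
# Every "assumption" value is a placeholder for your environment.

$ContentDir = 'D:\WSUS'                                       # assumption: volume with room for approved updates
$ProxyName  = 'proxy.corp.example'                            # assumption: set to $null if no proxy is needed
$ProxyPort  = 8080                                            # assumption
$Products   = 'Windows Server 2016', 'Windows 10'             # assumption
$Classes    = 'Critical Updates', 'Security Updates', 'Updates' # assumption

# --- Step 2: role installation with the Windows Internal Database (WID) --------
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Post-installation task (what the "Complete WSUS Installation" prompt in Server
# Manager runs): creates the WID database and the content folder.
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"

# --- Step 3: the Configuration Wizard choices, through the same API the console uses
$wsus   = Get-WsusServer                 # local server on its default port
$config = $wsus.GetConfiguration()

# Update Source and Proxy Server
$config.SyncFromMicrosoftUpdate = $true  # upstream = Microsoft Update
# Downstream alternative (the FQDN is mandatory once the upstream uses SSL):
#   $config.SyncFromMicrosoftUpdate      = $false
#   $config.UpstreamWsusServerName       = 'wsus01.corp.example'   # assumption
#   $config.UpstreamWsusServerPortNumber = 8531
#   $config.UpstreamWsusServerUseSsl     = $true
if ($ProxyName) {
    $config.UseProxy        = $true
    $config.ProxyName       = $ProxyName
    $config.ProxyServerPort = $ProxyPort
    # AllowProxyCredentialsOverNonSsl stays $false: that is the
    # "Allow basic authentication (password is sent in cleartext)" box.
}

# Choose Languages: only what the clients need, but never fewer than they need
$config.AllUpdateLanguagesEnabled = $false
$langs = New-Object System.Collections.Specialized.StringCollection
[void]$langs.Add('en')                   # assumption: English-only clients
$config.SetEnabledUpdateLanguages($langs)

# Mark the wizard as done so the console does not relaunch it on next open
$config.OobeInitialized = $true
$config.Save()

# Product and classification lists only exist after a category-only sync
# (what "Start Connecting" on the Connect to Upstream Server page does).
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 15 }

# Choose Products and Choose Classifications
Get-WsusProduct        | Where-Object { $_.Product.Title -in $Products }       | Set-WsusProduct
Get-WsusClassification | Where-Object { $_.Classification.Title -in $Classes } | Set-WsusClassification

# Set Sync Schedule: automatic, four times a day starting at 02:00 UTC
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]'02:00:00'
$sub.NumberOfSynchronizationsPerDay    = 4
$sub.Save()

# "Begin initial synchronization": metadata now, update files only after approval
$sub.StartSynchronization()
```

The category-only sync and the polling loop are the part people miss when scripting this: Set-WsusProduct cannot select a product the server has never heard of, so the wizard's "Start Connecting" step has to happen before the product and classification choices, exactly as in the GUI.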
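The client-side Group Policy settings from Step 4, created and linked with the GroupPolicy module, followed by the manual detection trigger that avoids waiting for the 90-minute refresh plus the 20-minute detection delay. This is an added example, not code from the original post; the GPO name, OU distinguished name and WSUS URL are assumptions.

```powershell
# Added example (not from the original post). The GPO part runs on a domain
# controller or a management host with RSAT; the client part runs on a client.
Import-Module GroupPolicy

$GpoName  = 'WSUS Clients'                       # assumption
$TargetOU = 'OU=Servers,DC=corp,DC=example'      # assumption
$WsusUrl  = 'http://wsus01.corp.example:8530'    # assumption; use https://...:8531 once SSL is configured
$WuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey    = "$WuKey\AU"

New-GPO -Name $GpoName | Out-Null

# "Specify intranet Microsoft update service location": the same URL in both boxes
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUServer       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUStatusServer -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName UseWUServer    -Type DWord  -Value 1        | Out-Null

# "Configure Automatic Updates": AUOptions 4 = auto download and schedule the install,
# 3 = auto download and notify for install. ScheduledInstallDay 0 = every day,
# ScheduledInstallTime is the hour in local 24h time.
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName NoAutoUpdate         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName AUOptions            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName ScheduledInstallDay  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName ScheduledInstallTime -Type DWord -Value 3 | Out-Null

# Link the GPO to the container holding the computers it should govern
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# --- On a client, once the GPO is linked ---------------------------------------
# Pull the policy now instead of waiting for the background refresh ...
gpupdate.exe /target:computer /force

# ... confirm the values the Windows Update agent will actually read ...
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' |
    Select-Object WUServer, WUStatusServer

# ... and start detection immediately. On Windows 10 / Server 2016 the Windows
# Update Agent COM API is the supported trigger; wuauclt.exe /detectnow is the
# legacy command for older clients.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

After DetectNow() the client should appear under Unassigned Computers in the console within a few minutes; if it does not, the registry check above is the first thing to look at, because a client that never received UseWUServer=1 keeps talking to Microsoft Update and never contacts WSUS at all.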
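The server and client sides of the SSL configuration in Step 5, as an added example that is not part of the original post. The server part uses wsusutil's configuressl option and opens the two listening ports; the client part imports the CA certificate and then checks, from the client's own policy values, the requirements the text lists (secure URL, port in the URL when it is not 443, trusted certificate, FQDN). The host name, ports and certificate path are assumptions; 8530/8531 are the ports WSUS creates for its own IIS site, and 80/443 apply only if you chose the Default Web Site.

```powershell
# Added example (not from the original post). "assumption" values are placeholders.

$WsusFqdn = 'wsus01.corp.example'       # assumption: the FQDN clients will put in the URL
$SslPort  = 8531                        # assumption: WSUS's own IIS site (443 on the Default Web Site)
$HttpPort = 8530                        # assumption: the clear-HTTP port paired with it
$RootCa   = 'C:\pki\corp-root-ca.cer'   # assumption: exported certificate of the issuing CA

# --- Server side (elevated, on the WSUS server) ---------------------------------
# Point WSUS at the certificate whose subject is the server's DNS name. The
# certificate must already be in the machine store and bound to the HTTPS site.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $WsusFqdn

# Inbound rules for both listening ports: metadata travels over HTTPS, update
# content stays on HTTP and relies on the signature and hash WSUS verifies.
New-NetFirewallRule -DisplayName 'WSUS HTTPS' -Direction Inbound -Protocol TCP -LocalPort $SslPort  -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'WSUS HTTP'  -Direction Inbound -Protocol TCP -LocalPort $HttpPort -Action Allow | Out-Null

# --- Client side ------------------------------------------------------------------
# The issuing CA must be trusted by the machine (Trusted Root CA store), not the user.
Import-Certificate -FilePath $RootCa -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

function Test-WsusClientSsl {
    # Returns a list of findings; an empty list means the client meets the requirements.
    param(
        [int]$ExpectedPort = 8531,
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    $findings = @()
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $pol -or -not $pol.WUServer) { return @("WUServer is not set under $PolicyKey") }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $pol.$name
        if (-not $url) { $findings += "$name is not set"; continue }
        $uri = [Uri]$url
        if ($uri.Scheme -ne 'https') { $findings += "$name is not https: $url" }
        if ($uri.Host -notmatch '\.')  { $findings += "$name uses a short name, not an FQDN: $($uri.Host)" }
        if ($uri.Port -ne $ExpectedPort) {
            # [Uri] fills in 443 when no port is given, so a missing non-443 port shows up here
            $findings += "$name targets port $($uri.Port) but WSUS listens on $ExpectedPort (include the port in the URL)"
        }
    }
    if ($pol.WUServer -ne $pol.WUStatusServer) { $findings += 'WUServer and WUStatusServer differ' }

    # A real handshake proves the chain is trusted and the name matches; an
    # untrusted CA or a short-name mismatch fails here, not visibly in the console.
    $uri = [Uri]$pol.WUServer
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)   # throws on untrusted chain or name mismatch
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        $findings += "TLS handshake to $($uri.Host):$($uri.Port) failed: $($_.Exception.Message)"
    }
    return $findings
}

Test-WsusClientSsl -ExpectedPort $SslPort
```

Run the function on a client after the WSUS GPO has applied: an empty result means the URL, port and trust chain are consistent with what wsusutil configuressl was given; any finding explains why that client would stop reporting once SSL is required.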