ComTech: IT Support Stirling

How to set up WSUS on Windows Server 2008 R2



Good morning my fellow readers. Today I am going to show you how to set up WSUS on Windows Server 2008 R2.  WSUS is fantastic for centralising management of Windows Updates throughout your network.  Installing a WSUS server makes deploying patches and security fixes much easier and so by default makes your life easier too!!

For the purpose of this tutorial I will be using Windows Server 2008 R2 SP1 with 1.5 Gb of RAM (you would use much more than this in a production environment).

Open up Server Manager.  Right click on Roles and then click Add Roles.

When asked to select which roles you want to install, click Windows Server Update Services and, when prompted, add the additional roles that are required (e.g. Web Server IIS).

During installation you will be prompted to accept the license agreement and then you will be asked where you want to store all the updates.  Either choose a new folder or accept the default C:\WSUS location.

You will now be asked to choose whether you want to install the Windows Internal Database or use an existing one instead.  I tend to just install the database on the C drive in C:\WSUS but the choice is yours.

Next you will be asked for your web site preference.  You can use the default IIS web site to access WSUS over the network or you can specify your own one.  Again I quite happily choose the default for this.

On the last page review your options and then click Next.

The installation itself takes a long time.  Once it has finished, the first thing we need to do is synchronize the WSUS server with Microsoft Update (or another WSUS server on the network), so expand Server Manager – Windows Server Update Services – Update Services – Options – Update Source and Proxy Server.

For the purpose of this tutorial I will synchronise with Microsoft Update.

Next we have to choose which products to download updates for so click on Products and Classifications.

Choose all the products which you require updates for and click OK.

Next we have to decide what languages to download the updates in (if you select all available languages your downloads will take a long time and take up loads of disk space).  Click on Update Files and Languages and then the Update Languages tab. Choose your language and then click Apply.

We now need to decide when to check for new updates and when to download them.  To accomplish this we need to click on Synchronization Schedule (shown below).

You can synchronize manually but it is better to synchronize automatically on a daily schedule.  Once you have set your daily schedule click Apply.

With all the housekeeping done, all that is left to do is to perform the initial synchronization, so expand Server Manager – Windows Server Update Services – Update Services – Synchronize and then right click and go to Synchronize Now. This will start the synchronization process.

That is the configuration for the WSUS server complete.

Distributing Updates across the network

To accomplish this we need to set up a Windows Update Group Policy and then distribute it to all computers in the domain.

To do this expand Start – Administrative Programs – Group Policy Management. Once the Group Policy Management Console is open expand Group Policy Management – Forest – Domains – “your domain” – Group Policy Objects. Right click on Group Policy Objects and go to New.

When the New GPO box appears enter a name for the new GPO and then click OK.  Your new GPO should be visible on the screen (as shown below).  Right click on it and go to Edit.

Now in the left panel expand Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update to get the screenshot below.

The first setting to configure is Specify intranet Microsoft update service location. Right click and go to Edit.

As shown above set this to enabled. Enter the location of your WSUS Server where required and then click Apply.

The next setting to configure is Configure Automatic Updates.  Set this to enabled and specify how the downloads should be installed and at what time.  Once configured click Apply.

Next we have to configure the Automatic Updates Detection Frequency policy.

Enable the policy and set to 1 hr.  Click Apply.

The last thing we need to do on the GPO front is link it to the domain.

The next time the computers on your domain restart their group policy settings will be updated and they will be pointed to the new WSUS server (screenshot of client computer shown below).
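To confirm on a client that the three settings configured above actually arrived, you can read the registry values those Windows Update policies write. The script below is an added example, not part of the original tutorial; the server URL `http://wsus01.example.local` is a placeholder for your own WSUS address, and the function names are hypothetical.

```powershell
# Added example (not from the original post): run on a domain client after
# "gpupdate /force" to confirm the Windows Update GPO settings were applied.
$ExpectedServer = 'http://wsus01.example.local'   # assumption: your WSUS URL
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-WsusClientPolicy([string]$Expected) {
    $findings = @()
    $server = Get-PolicyValue $wu 'WUServer'
    $status = Get-PolicyValue $wu 'WUStatusServer'

    if (-not $server) {
        $findings += 'WUServer is not set: the GPO has not reached this client'
    } else {
        if ($server.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
            $findings += "WUServer is '$server', expected '$Expected'"
        }
        if ($status -ne $server) {
            $findings += "WUStatusServer '$status' differs from WUServer"
        }
        if ($server -like 'http://*') {
            $findings += 'WUServer uses plain HTTP: traffic to WSUS is unencrypted'
        }
    }
    if ((Get-PolicyValue $au 'UseWUServer') -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores the intranet server'
    }
    if ((Get-PolicyValue $au 'NoAutoUpdate') -eq 1) {
        $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled'
    }
    if ((Get-PolicyValue $au 'DetectionFrequencyEnabled') -ne 1 -or
        (Get-PolicyValue $au 'DetectionFrequency') -ne 1) {
        $findings += 'Detection frequency is not the 1 hour set in the GPO'
    }
    return ,$findings   # leading comma keeps an empty array intact
}

$result = Test-WsusClientPolicy $ExpectedServer
if ($result.Count -eq 0) { 'WSUS client policy matches the GPO' } else { $result }
```

An empty result means the client is pointed at the expected server with the detection interval from the GPO; each string returned names one setting that did not apply or that deserves a second look.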

 

About the Author

Hi I am Chris Wakefield the owner of ComTech IT Support. I provide Windows and Linux based IT Support, laptop repairs and computer repairs to both business and personal clients in and around Stirling.

For a list of what I can offer you why not visit my website www.comtech247.net where you will find a list of my services, testimonials, blog and much more.

 

3 thoughts on “How to set up WSUS on Windows Server 2008 R2”

  1. https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464

    Is there a way through Group Policy to check the bin path (long path name) of a patch after it is installed and, if the bin path is unquoted, go ahead and replace the bin path with the short name path, preventing the vulnerability mentioned above? I understand the short path name (8.3) needs to be enabled in the registry. Is it feasible as a short-term fix until the patch is available from the vendor?

  2. Is there a way I could change an attribute in the manifest of the patch, before the patch gets installed on the target machine or after it is installed, to overwrite the bin path from the long path name to the short path name? The reason behind this: there is a vulnerability in patches of services associated with a path directory (environment variable) that is unquoted, with the directory containing an embedded space in its name, such as \Program Files\.
    Is there a way, by using Group Policy, to check the bin path either before or after the patch is installed and use the short path name version…. I know this is only created by the OS if enabled.
    Besides requesting an updated patch from the vendor, is there a feasible solution, either short or long term….. Thanks for your input.
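The check the two comments above ask about, finding installed services whose binary path is unquoted and contains a space, can be done by reading each service's path from WMI. This is an added example, not part of the comments or the original post; the function name and the sample paths are constructed for illustration, and the script only reports.

```powershell
# Added example: report services whose binary path is unquoted and has a
# space in the executable path. Read-only; it changes nothing.
function Test-UnquotedServicePath([string]$PathName) {
    if ([string]::IsNullOrEmpty($PathName)) { return $false }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }      # already quoted
    # Treat everything up to the first ".exe" as the executable path, so
    # spaces that only separate arguments are not counted.
    $i = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($i -lt 0) { return $false }                # no .exe found: not assessed
    return $p.Substring(0, $i + 4).Contains(' ')
}

# Constructed sample paths (not taken from any real system).
$samples = @(
    'C:\Program Files\Example Vendor\agent.exe -service',
    '"C:\Program Files\Example Vendor\agent.exe" -service',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s }

# Live check on the local machine (Windows PowerShell 2.0 and later).
Get-WmiObject Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartMode, StartName, PathName
```

Only the first sample is flagged. A service reported by the live check is fixed by wrapping the executable path in its ImagePath value in double quotes, which does not depend on 8.3 short names being enabled.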
