Learn the best practices that help System Administrators avoid settings that lead to poor performance when designing the configurations for Windows Server Update Services.
Windows Server Update Services (WSUS) supports up to 100,000 clients for every server, and the number increases to 150,000 when you use System Center Configuration Manager.
The best way to implement this feature is by using multiple servers that share the same database. The more the sharing of the servers, the safer you are; if one server goes down, your work is still safe.
The safety in numbers prevents what Admins call a “scan storm” that occurs when several clients change the WSUS servers in a scenario where the servers do not share a database.
The Service tracks server activity and alerts the other clients of the last thing that changed, and sends information on updates only.
This article covers the installation and configuration of the Windows Server Update Services on Windows Server 2019.
Different Approaches to Installing WSUS
The Service can download and store the Windows update files locally. Using servers in the network will get the updates from the WSUS servers and not from the Internet. The use of servers to manage the update process saves on bandwidth and Internet speed.
System Administrators can use the servers that update automatically as long as security files are installing from a central location. The configuration gives easy reports on the servers that need patching for a particular update.
Here are the different approaches to installing WSUS:
a) Installing Using the PowerShell
You can experience a fast and an easy way to install WSUS by running this command:
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
Using the above command is the same as using Windows Internal Database (WID). With the SQL database, you must include the UpdateServices-DB option and not UpdateServices-WidDB.
b) Installing Using the GUI
WSUS is installable through the Server Manager. If you use this process, you’ll notice that it goes beyond running the PowerShell instruction above.
To start the installation using this method, you can open Server Manager and select Add roles and features.
Once the Add Roles and Feature Wizard shows, click Next.
On the Select installation type window, make sure that the Role-based or feature-based installation type is selected. Then, click Next.
On the Select destination server window, let all default settings remain as is, since the installation takes place on the server. Click Next.
On the next window for Select Server roles, scroll down and select Windows Server Update Services.
Click on the Add Features button to install new features alongside the IIS. Click Next.
The next window will show the automatically selected features from the previous step. Click Next.
On the Windows Server Update Services window, read the given advice indicating that at least one of your servers needs an Internet connection. Click Next.
If the main server can get updates from the Internet, then it is possible for the downstream servers on the Internet to get updates.
On the Role Services window that appears, click Next because you will use the Windows Internet Database (WID). If the intention is to use an SQL database, tick the SQL Server Connectivity option.
The next window is a Content local selection that gives an option of choosing where the WSUS updates will be installed.
It would make more sense if you had a secondary hard disk to keep the updates. The extra disk will save system Admins the headache of filling up the system disk with updates.
The capacity of the hard disk depends on the files chosen for the updates. You can ignore the store updates option to avoid file storage on the local drive.
This is not the recommended choice of action, unless you do not have enough storage space.
Bear in mind that no update will download unless their approval is manual or automatic.
On the Web Server Role (IIS) window, you will see a notification for using IIS 10.0. Click Next.
Select any additional roles that you want for the ISS. In this case, leave the defaults for WSUS and click Next.
On the final screen, confirm the installations by reviewing your choices and clicking the install button.
Configuration of the WSUS
Once the installation is complete, it is time to configure the updates. You need to start by opening the WSUS console from the Tools Menu in the Server Manager.
On the Complete WSUS Installation screen, select the location of the folder where you want to install the updates.
Click on the Run button and let the WSUS configuration Wizard run.
Read the information on the Windows Server Update Services Configuration Wizard and confirm if other windows machines can connect to the server (WSUS). The server can connect to the Internet for updates.
You have a choice of choosing whether you want to be part of the Microsoft Update Improvement Program.
Next, is the selection of the upstream server. If this is your first WSUS server, leave the defaults to synchronize from the updates.
If you have a separate server for updating the files, specify the location to synchronize with it as a downstream server.
You need to specify if the WSUS server should connect to the Internet through a proxy.
The next question is all about connecting to the upstream server directly from the Internet or within the network. The configuration takes some time to complete, so you have to be patient.
Choose the language that the system supports. Any additional languages mean you need more update files. You should only be worried if you are running low on disk space requirements.
On the Choose product screen, select the Microsoft Products within the network that needs WSUS update. Any updates for your selected products are stored on the WSUS server. File selection translates to more disk space.
Choose the types of updates to download. For instance, choose security and critical updates instead of all available updates.
Finally, set the synchronization schedule that will specify when WSUS checks for new updates. The system has a default setting for synchronization. System Administrators can change it to suit their preferences.
On the last screen, you have another option of checking the first synchronization that should start immediately you click the Finish button.
After the first synchronization, you can configure approvals, groups, reporting, and computers.
The installation and configuration of the WSUS server role in the Windows Server 2016 operating system are well covered in this article.
The installation takes place through PowerShell or Graphical User Interface (GUI). If happy with the installation, you can open the WSUS console and finish the configuration.
All the best!