Installing Windows Server Update Services (WSUS) on Windows Server 2012 R2 Essentials

With Windows Server 2012 R2 Essentials in your business, it is important to centrally manage your workstations to ensure they are secure and up-to-date. With Windows Server Update Services, you can do just that.

If you are running Windows Server 2012 Essentials, these directions will not work without performing additional steps. The WSUS role on Windows Server 2012 Essentials (non-R2) requires some pre-configuration before it can be installed.

What you’ll need:

- A server running Windows Server 2012 R2 Essentials with at least 4GB of RAM, 8GB or higher is recommended
- SQL Server 2012 Management Studio – available from http://download.microsoft.com/download/5/2/9/529FEF7B-2EFB-439E-A2D1A1533227CD69/SQLManagementStudio_x64_ENU.exe (download and copy to a shared folder on the server)

Table of Contents:

- Install Windows Server Update Services Role
- Perform initial WSUS configuration
- Install SQL Server Management Studio
- Move WSUS database to a new location
- Adjust memory usage settings for Windows Internal Database
- Configure WSUS to integrate with Group Policy
- Create automatic approval rules for update deployment

Tom Ziegmann – http://www.tomontech.com – 10/20/2013

Install Windows Server Update Services Role

Connect to your server using Remote Desktop Connection.
Click Start -> All Programs -> Accessories -> Remote Desktop Connection.

Log on with the user name and the password you use to administer your server.

Once connected, click the Administrative Tools icon on the Start screen. Scroll down and launch Server Manager.

In Server Manager, click on Add Roles and Features.

Click Next on the Before you Begin screen.

Accept defaults for the installation type, and then click Next.

Select your Windows Server 2012 R2 Essentials system and click Next.

Select Windows Server Update Services on the Server Roles selection, then click Next.

When prompted to add additional required features for installation, click Add Features, then click Next.

Accept the defaults on the Features screen, and click Next.

Read the description, and then click Next.

Accept the defaults for Role Services, then click Next.

Create a folder on a drive with enough space to handle the WSUS content. Ensure the Store updates in the following location option is checked, specify the path to the folder you created, and then click Next.

Confirm your installation selections, and then click Install.

Installation will then proceed. This step can take some time depending on your system. After installation completes, click the blue Launch Post-Installation tasks link near the top of the results pane.

The Windows Server Update Services Configuration Wizard will launch.

Perform initial WSUS configuration

Read the Before you Begin information, then click Next.

Choose if you want to join the Microsoft Update Improvement Program, then click Next.

In most cases, you should be able to leave the proxy server settings alone. However, if you have a proxy server, you will need to specify the information, then click Next.
WSUS will need to connect to obtain initial metadata. Click Start Connecting. This process should be fairly quick. After the download is complete, click Next.

Choose any necessary languages for the client PCs that your server will support, then click Next.

Choose the products you want your WSUS server to house updates for, then click Next.

Choose the classifications you want your server to house, then click Next.

NOTE: Below the checklist is the description of each classification. This can be helpful in determining what to download. The screenshot at right is similar to SBS systems of the past and what classifications were downloaded out of the box. The classifications are:

- Critical Updates
- Definition Updates
- Security Updates
- Service Packs
- Update Rollups

Choose the appropriate synchronization schedule for your environment, then click Next.

Do not check the box to begin synchronization at this point. The database will be moved first from its default location on the system partition to a different partition to ensure that the system partition does not run out of room because of WSUS database growth. Click Finish.

Install SQL Server Management Studio

Browse to where you downloaded the SQL Server installer and double-click the file.

When the SQL Server Installation Center loads, click New installation or add features to an existing installation.

NOTE: If you do not have multiple partitions, continue to install the SQL Management Studio, then skip to the Adjust memory usage settings for Windows Internal Database section.

Allow the installer to download the latest updates prior to installation, and click Next.

Read and accept the license terms, and then click Next.

Leave the defaults for feature selection and then click Next.
Choose whether or not to enable Error Reporting and then click Next.

The installation of SQL Server Management Studio will then begin.

After installation is complete, click Close.

Move WSUS database to a new location

To prepare to move the database, the WSUS service needs to be stopped. Launch Command Prompt as an Administrator, and run net stop wsusservice.

Create a folder for the database to be stored on a drive with plenty of storage. This is likely to be the same drive as the WSUS content storage.

After creating the folder, right click on it, and click Properties. For the database to function correctly, we have to give the SQL service account the ability to access this folder.

Click the Security tab, and then click the Advanced button.

Click the Add button.

Click the Select a Principal link.

On the Select Users or Groups screen, click Locations and change the location to your server name, then click OK.

The account that needs to be added is called NT SERVICE\MSSQL$MICROSOFT##WID. Type the account name, click Check Names, and then click OK.

On the right side of the window, click Show advanced permissions. The service account needs the following permissions checked:

- List folder / read data
- Read attributes
- Read extended attributes
- Create files / write data
- Create folders / append data
- Write attributes
- Write extended attributes
- Delete
- Read permissions

Click OK to add the account and its permissions.

Click OK to close the Advanced screen.

Click OK to close the properties dialog.

Go to the Start screen, click the arrow in the lower left hand corner to show All Apps, then right click on SQL Server Management Studio. Click Run as Administrator. Accept the User Account Control prompt that appears.
On the Connect to server screen, type \\.\pipe\MICROSOFT##WID\tsql\query. Ensure that Windows Authentication is selected, then click Connect.

Expand Databases in the Object Explorer, and right-click on SUSDB. Click on Tasks > Detach.

On the Detach Database screen, check the Drop Connections checkbox, and click OK.

Browse to C:\Windows\WID\Data. You may need to accept a User Account Control prompt. Move SUSDB.mdf and SUSDB_log.ldf to the database folder created earlier.

Go back to SQL Server Management Studio and right click on Databases, then click Attach.

Click Add to locate the database.

Browse to the folder where the database files have been moved to, and then click on SUSDB.mdf. Click OK.

Verify that the information is correct for the location of the Data and Log files and then click OK.

Verify that SUSDB appears in the database listing.

Restart the WSUS service by launching Command Prompt as an Administrator and typing net start wsusservice.

Adjust memory usage settings for Windows Internal Database

Launch SQL Server Management Studio with Run as Administrator if it is not already running. Connect to the server.

Right click on \\.\pipe\MICROSOFT##WID\tsql\query and click on Properties.

Click on the Memory tab and then specify the Maximum server memory to be between 256-512MB, then click OK. Most WSUS installations in the 2012 R2 Essentials space should not require much more RAM for SQL than this due to the smaller number of connected clients.

For the new memory settings to take effect, the service needs to be restarted. Right click on \\.\pipe\MICROSOFT##WID\tsql\query and then click Restart.

Click Yes. The service will then restart.

Now that the database has been moved, the initial synchronization of updates can occur.
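The "Move WSUS database to a new location" procedure above can also be scripted, which makes the least-privilege folder ACL repeatable and easy to review. This is an added example, not part of the original guide; the target folder D:\WSUS\Database and the availability of sqlcmd.exe on the PATH are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the database move described above.
# Assumptions: $DbDir is a placeholder path, and sqlcmd.exe is on the PATH.
$ErrorActionPreference = 'Stop'
$DbDir   = 'D:\WSUS\Database'                       # assumed target folder
$WidData = 'C:\Windows\WID\Data'                    # default location named above
$WidPipe = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'  # same pipe SSMS connects to
$Account = 'NT SERVICE\MSSQL$MICROSOFT##WID'        # single quotes keep $ literal

function Invoke-Wid([string]$Query) {
    # -E uses Windows authentication; -b returns a non-zero exit code on error
    & sqlcmd.exe -S $WidPipe -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed for: $Query" }
}

Stop-Service -Name WsusService
New-Item -ItemType Directory -Path $DbDir -Force | Out-Null

# Grant only the nine advanced permissions listed above, inherited by the
# files that will be placed in the folder.
$rights = [System.Security.AccessControl.FileSystemRights](
    'ReadData, ReadAttributes, ReadExtendedAttributes, WriteData, AppendData, ' +
    'WriteAttributes, WriteExtendedAttributes, Delete, ReadPermissions')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $DbDir
$acl.AddAccessRule($rule)
Set-Acl -Path $DbDir -AclObject $acl

# Equivalent of Tasks > Detach with Drop Connections checked.
Invoke-Wid ("ALTER DATABASE SUSDB SET SINGLE_USER WITH ROLLBACK IMMEDIATE; " +
            "EXEC sp_detach_db @dbname = N'SUSDB';")
Move-Item -Path "$WidData\SUSDB.mdf", "$WidData\SUSDB_log.ldf" -Destination $DbDir

# Equivalent of Databases > Attach, pointing at the moved files.
Invoke-Wid ("CREATE DATABASE SUSDB ON (FILENAME = N'$DbDir\SUSDB.mdf'), " +
            "(FILENAME = N'$DbDir\SUSDB_log.ldf') FOR ATTACH;")
Invoke-Wid "ALTER DATABASE SUSDB SET MULTI_USER;"   # no effect if already multi-user

# Verify: the database reports the new paths and the ACL entry is present.
Invoke-Wid "SELECT name, physical_name FROM sys.master_files WHERE database_id = DB_ID(N'SUSDB');"
(Get-Acl -Path $DbDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags

Start-Service -Name WsusService
```

The script stops on the first error, so a failed detach or attach leaves the WSUS service stopped and the files where they were at that point.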
To begin the sync, go to Administrative Tools from the Start screen, and locate Windows Server Update Services.

Click Synchronizations from the left pane. Click Synchronize Now.

The status of the synchronization will appear in the bottom middle pane. It will also show in the listing above the status pane.

Configure WSUS to integrate with Group Policy

If the WSUS console isn’t already running, go to Administrative Tools from the Start screen, and locate Windows Server Update Services.

Click on Options in the left hand pane. Click on Computers on the right pane.

In the Computers property window that appears, click on Use Group Policy or registry settings on computers. By enabling this option, we can use Client-Side Targeting within Group Policy to add computers to the appropriate groups within WSUS.

In the navigation pane, expand Computers, and then right click on All Computers and click Add Computer Group.

Create two computer groups, or more if needed for your environment. For example, I have created the groups Servers and Workstations.

After the groups have been created, verify that they appear in the navigation pane.

Create automatic approval rules for update deployment

Next, we will create Automatic Approval rules. These rules can be used to auto approve updates for specific update types and / or computer groups. To create rules, click Options in the left hand pane, and then click Automatic Approvals.

For this example, we will modify the default rule to automatically approve Critical, Security, and Definition updates for workstations only. I would strongly suggest taking some time to figure out how you want to approve updates before building your ruleset.

Click on the blue all computers link.

Check the box for Workstations only and then click OK.

Click the blue Critical Updates, Security Updates link.
Check the box for Definition Updates, then click OK.

Ensure the box is checked next to the name of the rule, then click Apply. Then, to run the rule, click the Run Rule button.

Repeat the automatic approval rule steps until you are satisfied with the rules you’ve created.

To configure your systems to connect to your WSUS server, it is strongly recommended to use Group Policy. Configuring Group Policy is outside the scope of this document; however, I have prepared some sample group policy settings that can be used as a base for building your policy on top of. Those policy settings and necessary WMI filters can be found at http://www.tomontech.com/2013/10/configuringgroup-policy-for-windows-server-update-services-on-windows-server-2012-r2-essentials.

Congratulations! You have installed Windows Server Update Services on Windows Server 2012 R2 Essentials!
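Once a Group Policy is in place, the following check confirms on a client that the Windows Update policy values and the client-side targeting group described above have actually applied. It is an added example, not part of the original guide or its sample policy; the server URL is a placeholder and the group names are the example groups from this guide.

```powershell
# Added example: run on a client after Group Policy has applied.
# Assumptions: $ExpectedServer is a placeholder URL; substitute your own values.
$ExpectedServer = 'http://SERVERNAME:8530'    # placeholder; use your WSUS URL
$ExpectedGroups = 'Servers', 'Workstations'   # example groups created above

function Test-WsusClientPolicy {
    param([string]$Server = $ExpectedServer, [string[]]$Groups = $ExpectedGroups)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key      -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue

    # TargetGroup may hold several names separated by semicolons.
    $assigned = @("$($wu.TargetGroup)" -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $unknown  = @($assigned | Where-Object { $Groups -notcontains $_ })

    $checks = [ordered]@{
        'Update server is the WSUS server' = $wu.WUServer -eq $Server
        'Status server is the WSUS server' = $wu.WUStatusServer -eq $Server
        'Automatic Updates uses WSUS'      = $au.UseWUServer -eq 1
        'Client-side targeting is enabled' = $wu.TargetGroupEnabled -eq 1
        'Target group is an expected one'  = ($assigned.Count -gt 0) -and ($unknown.Count -eq 0)
    }
    foreach ($name in $checks.Keys) {
        # One row per check; a missing policy key shows up as Pass = False.
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-WsusClientPolicy | Format-Table -AutoSize
```

A client that fails the targeting checks stays out of the Workstations group, so the automatic approval rule scoped to that group will not apply to it.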