Now that we have our clients on the domain, we can manage computer updates and patches centrally from the server. This also saves internet bandwidth, as updates only have to be downloaded a single time instead of once by every computer independently. First, we must install the Windows Server Update Services role.
Install the Windows Server Update Services Role
Server Manager > Manage > Add Roles and Features > Next > Next > Next > Windows Server Update Services > Choose WID Database and WSUS Services at the following screen
It is best practice to choose a separate drive, not shared with the OS drive, as the WSUS folder can get very large. > Next > Finish
Configure Windows Server Update Services
Server Manager > Tools > Windows Server Update Services > Next
Check the 'Yes, I would like to join the Microsoft Update Improvement Program' box > Next
Synchronize from Microsoft Update > Next
Start Connecting > Next
It can take several minutes from pushing the Start Connecting button before the progress bar reaches completion. Please be patient.
Select the products you need, keeping in mind the storage space you have available for them. > Next
Set these as default > Next
Synchronize automatically > Set the first synchronization time > One synchronization per day > Next
Begin initial synchronization > Next
Finish
After pressing Finish, the WSUS console should start up. You can see what updates there are in ServerName > Update > All Updates. By default, all updates are set to Not Approved. Set them to Approved and they will install.
Now that we've finished configuring the Windows Server Update Services, we can create a GPO to configure the WSUS settings on the client workstations.
Create a GPO to Configure the Windows Server Update Services
Server Manager > Tools > Group Policy Management > Right-click Group Policy Objects > New > Name the GPO something like WSUS Settings >
Go to Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Windows Update > and enable at least the following options to get WSUS working
Enable 'Configure Automatic Updates'
Enabled > Set to 4 - Auto download and schedule the install > 0 - Every day > Time > Apply > OK
Enable 'Client-side Targeting'
Set 'Target group name for this computer' to 'All Computers'
Enable 'Specify intranet Microsoft Update service location'
Use the following address format for all three text inputs
http://ServerName:8530
Now that we've enabled these three options, WSUS should now work. Let's link the GPO to our target Organizational Units and we'll be done.
Apply the GPO to the Target Organizational Unit
Server Manager > Tools > Group Policy Management > ServerName > Link an Existing GPO... > Choose the GPO by the name you created earlier (WSUS Settings) > OK
And now you're ready to Update and Patch all your client workstations.
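To confirm on a client that the linked GPO actually took effect, the following PowerShell check (an added example, not part of the original walkthrough) reads the registry values that these three policy settings write and compares them with what was configured above. It assumes the placeholder address http://ServerName:8530 and the 'All Computers' target group from this guide, that gpupdate /force has already run on the client, and that Test-NetConnection is available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example: verify that the WSUS GPO settings reached this client.
# Expected values mirror the steps in this guide; 'ServerName' is the guide's placeholder.
$expectedUrl   = 'http://ServerName:8530'
$expectedGroup = 'All Computers'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied yet).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$checks = @(
    @{ Path = $wuKey; Name = 'WUServer';            Expected = $expectedUrl }    # intranet update service
    @{ Path = $wuKey; Name = 'WUStatusServer';      Expected = $expectedUrl }    # intranet statistics server
    @{ Path = $wuKey; Name = 'TargetGroupEnabled';  Expected = 1 }               # client-side targeting on
    @{ Path = $wuKey; Name = 'TargetGroup';         Expected = $expectedGroup }
    @{ Path = $auKey; Name = 'UseWUServer';         Expected = 1 }               # use WSUS, not Microsoft Update
    @{ Path = $auKey; Name = 'AUOptions';           Expected = 4 }               # auto download, scheduled install
    @{ Path = $auKey; Name = 'ScheduledInstallDay'; Expected = 0 }               # 0 = every day
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Match    = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
    }
}
$results | Format-Table -AutoSize

# Report which transport the client uses and whether the WSUS port is reachable.
$wuServer = Get-PolicyValue -Path $wuKey -Name 'WUServer'
if ($wuServer) {
    $uri = [uri]$wuServer
    'Update server: {0}  scheme: {1}  port: {2}' -f $uri.Host, $uri.Scheme, $uri.Port
    if ($uri.Scheme -ne 'https') {
        # 8530 is the WSUS HTTP port; 8531 is its default HTTPS port once SSL is configured.
        'Note: update metadata is requested over plain HTTP.'
    }
    Test-NetConnection -ComputerName $uri.Host -Port $uri.Port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Any row with Match = False or an empty Actual column means the GPO is not linked to the OU containing that computer, or the policy has not refreshed yet.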
In the next and final installment of this series, we will cover how to back up your server onto a local drive using Windows Backup Service.