Windows deployment - WSUS installation explained
After 3 years working in the deployment industry I still see customers hitting some basic roadblocks when using WSUS. For this very reason I decided to write one or more articles that would cover:
1. The installation of WSUS
2. The options explained
3. Windowsupdate.log troubleshooting
Let’s start with the Installation of WSUS:
1. These are the Pre-Requirements for WSUS:
· Microsoft Management Console 3.0
· Microsoft Report Viewer Redistributable 2008
· Internet Information Services (IIS) 6.0 or later versions
Under the following list you can find the full List:
https://www.microsoft.com/downloads/details.aspx?familyid=ba94a0d3-f22a-4e24-877e-6be6ce5da6d7&displaylang=en#filelist
2. Download WSUS 3.0 SP2:
https://www.microsoft.com/downloads/details.aspx?FamilyId=a206ae20-2695-436c-9578-3403a7d46e40&displaylang=en#filelist
3. Next we start the setup. I will only go through the relevant screens with you:
- The above screen shows you the location of the Database. This DB contains Information, Metadata, and History of all the synced updates. This DB can be part of either the WID (Windows Internal Database) which comes bundled with WSUS or it can be installed under at least SQL 2005 SP3. If you have a remote SQL Server you could also use this to host your Database.
For this article I will use the WID.
- I will install the server on port 8530. The default port is 80, but in certain scenarios this might be already in use if the server is not a dedicated WSUS Server.
After WSUS finishes the installation it will present you with a screen to setup the initial sync and options.
Next we will look at most of the options available to us:
The first radio box will turn this server into an USS (Upstream Server). This means all the updates are being synced down and downloaded from Microsoft Update. The underlying servers can be of 2 types: DSS and DSS Replica. The difference between the 2 can be viewed as following:
DSS:
- Receives it’s updates from an USS using either the WAN or LAN
- Updates are approved manually
- Basically a DSS is the same as an USS. The difference is the location from which they download their updates.
Replica:
- Receives it’s updates from an USS using either the WAN or LAN
- Updates/approvals and some settings are synced down from its master server.
You can change the role of a WSUS Server without reinstalling!
The options explained:
1. Update Source and Proxy Server
Here you can configure the role of the server as well as the proxy server should one be used
2. Products and Classifications
Under this option you specify which updates will be distributed by WSUS. The more updates you distribute the longer a detection will take on any given client take. This can represent problems for single core CPUs, and you may see 100% loads on svchost.exe during the detection.
The 2 main update groups that can cause this issue are:
a. Office 2003 Updates
b. Driver Updates
Should you need to distribute any of these, be sure to DECLINE the updates that have been superseeded or the ones that have expired, as the declined updates are ignored during a detection. The ones with NO STATUS are still checked for applicability.
3. Update Files and Languages
a. Download update Files to this server only when updates are approved
This option means that updates are downloaded ONLY when they are approved. If you notice that your WSUS Content folder is bigger than usual, you might want to check this option.
b. Download Express Installation Files
This options is what you are looking for if you have a slow WAN. The amount of data that a client receives over the wire is much smaller. The tradeoff for this feature is the size of the actual files that are being downloaded onto the USS (x2.5 times more data)
What actually happens is: During a detection the file that is supposed to be replaced with a newer version is analyzed and instead of the entire file being exchanged, only the delta is pulled from the USS which makes the load on the network considerable smaller.
The other options on the screenshot are straight forward.
4. Synchronization Schedule
This is used for planning automatic synchronizations of the Server
5. Automatic Approvals
Here you can setup automatic approvals and other conditions for different updates that might be critical for you environment. One example are the Forefront Definition Updates.
The default settings in the Advanced TAB have all the boxes checked.
6. Computers
A feature that most of my customers were not aware of is:
- Client Side Targeting
- Server Side Targeting
When new computers check into WSUS you can either move them manually into groups or you can have them automatically move themselves into a predestinated group. In big corporations with lots of clients this is the desired method. A group Policy is defined that tells a client to move into group x once they have synced with WSUS. The trick behind this is to also tell the WSUS Server which kind of targeting he should use. For this you need to set the option below:
7. Server Cleanup Wizard
The wizard should be run at least once per month in order to get rid of all the expired and superseded updates. If the server is under big load you might experience timeouts during this procedure.
Below I attached link to scripts that perform the same action. This is for companies which want to automate the cleanup process:
Normal Script with switches:
https://wsus.codeplex.com/releases/view/17612
Powershell Script:
https://www.peetersonline.nl/index.php/powershell/wsus-cleanup-with-powershell/
8. Reporting Rollup
Lets you view the status of computers that belong to a replica server on the USS.
9. E-mail Notifications
This option lets you setup to be notified of different events happening on the server.
I hope this article made some things clearer. If you have any questions, feel free to ask.
Tudor Dimboianu
- Support Engineer / Enterprise Platforms Support (Core)