Installing WSUS on Windows Server 2012

Installing WSUS on Windows Server 2012

  • Comments 28
  • Likes

Summary: Honorary Scripting Guy, Boe Prox, talks about installing WSUS on Windows Server 2012 via Windows PowerShell.

Microsoft Scripting Guy, Ed Wilson, is here. Welcome back today to Honorary Scripting Guy, Boe Prox. Without further ado, here is Boe…

In a previous Hey, Scripting Guy! Blog post, Introduction to WSUS and PowerShell, I demonstrated how you can download the Windows Server Update Services (WSUS) installation file and use various parameters to customize a WSUS installation on a local or remote system. With Windows Server 2012, we get a new version of WSUS that can be installed through Server Manager and also by…you guessed it…Windows PowerShell!

We can do the installation by using the Install-WindowsFeature cmdlet and specifying the proper feature names that you would like to have installed. In the case of WSUS, we are looking only at the update services feature. I will also take a look at some of the new cmdlets that are available in the UpdateServices module, which is available in Windows Server 2012 to help configure the WSUS server.

Let’s take a look at the possible subfeatures that are available by using the Get-WindowsFeature cmdlet and specifying UpdateServices* for the Name parameter.

Get-WindowsFeature –Name UpdateServices*

Image of command output

You could try to install everything, but that will end badly for you because there will be a conflict between using the Windows Internal Database (WID) and using another SQL Server database (local or remote) to store the SUSDB database on.

Image of error message

So which one should I choose? That depends on your environment and what your requirements are to support patching in your enterprise. Luckily for you, I will show examples of using the WID database or using another SQL Server database as part of the WSUS installation. After the installation, I will show one last thing you can do as a post installation that will allow you to specify a new location for the software update files and where the database is located.

Let’s start with the easiest, which is the WID database. I say easiest because it really comes down to just running a single line of code to get everything installed. Just to see what might be installed, I can use the WhatIf switch first.

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools –WhatIf

Image of command output

From the looks of it, not only will WSUS be installed, but we also will be installing the WID database and some IIS components that are used for client check-ins and other things. I am confident that this is what I need, so let’s remove WhatIf and let it run again.

Image of command output

Wait for a bit…

Image of command output

And we are now finished with the installation. As you can see, we have a message stating some additional configuration may be required before our WSUS server can be up and running. In this case, we still need to configure a location for the update files to be stored.

This is where wsusutil.exe will come into play. This executable is located at C:\Program Files\Update Services\Tools. Besides the usual parameters that you can use with this utility, there is another set of parameters that become available when you use the PostInstall argument.

.\wsusutil.exe postinstall /?

Image of command output

We have parameters for specifying where to store the content and for where to build the database, if needed. Note that this can be used to specify a database that is local or remote (you will see this used on a remote system later).

Before I say where I want the content, I had better create a folder to store it. I don’t want all of this on my system drive, so I will create the folder on my D: drive.

New-Item -Path D: -Name WSUS -ItemType Directory

Now I can run the following command to configure my content directory to download and save all of the update files to D:\WSUS.

.\wsusutil.exe postinstall CONTENT_DIR=D:\WSUS

Image of command output

And with that, we have now configured the content directory on another drive to save the update files. Very simple…and a big recommendation to do it regardless!

Specify an alternate SQL Server

What if I want to specify a different SQL Server for saving the data instead of relying on a WID instance locally? Fortunately for us (and as you saw previously), this is an available option by using WSUSUtil.exe PostInstall. Going back to the beginning, I will perform a different installation of WSUS, this time specifying that I want a different SQL Server database.

Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools

Image of command output

Now we need to use WSUSUtil again to not only specify the Content directory, but also to specify the SQL Server database that I want to use for my WSUS server. The WSUS server must be on a domain for the remote SQL Server database build to work. If it isn’t, you will get a message that states the host is unknown.

.\wsusutil.exe postinstall SQL_INSTANCE_NAME="DC1\SQL2008" CONTENT_DIR=D:\WSUS

Image of command output

And after a few minutes, the configuration has completed with the Content directory on D:\WSUS and the SUSDB database configured on my remote SQL Server.

Image of menu

Inspect the WSUS Installation State

By using my current installation of WSUS and the remote SQL Server database, we can now check the Best Practices Analyzer to see if anything else is required before we configure the WSUS server and kick off synchronization get all of the update metadata.

Invoke-BpaModel -ModelId Microsoft/Windows/UpdateServices

Image of command output

Now let’s see the results of our scan…

Get-BpaResult -ModelId Microsoft/Windows/UpdateServices |

Select Title,Severity,Compliance | Format-List

Image of command output

With the exception that I haven’t configured the WSUS server to use a required language pack (English in my case), everything else is compliant. Now it is time to finish configuring the WSUS server and get this synchronization kicked off.

First I’ll configure the languages and tell my server where I want to synchronize. In this case I want to sync up with Microsoft Updates. After I do that, I will perform an initial synchronization to pull down all of the available categories, classifications, and possible updates that can be approved.

Note   For more information about some of the configuration properties that are set in the following code, see IUpdateServerConfiguration Properties  on MSDN.

#Get WSUS Server Object

$wsus = Get-WSUSServer

#Connect to WSUS server configuration

$wsusConfig = $wsus.GetConfiguration()

 

#Set to download updates from Microsoft Updates

Set-WsusServerSynchronization –SyncFromMU

 

#Set Update Languages to English and save configuration settings

$wsusConfig.AllUpdateLanguagesEnabled = $false           

$wsusConfig.SetEnabledUpdateLanguages("en")           

$wsusConfig.Save()

 

#Get WSUS Subscription and perform initial synchronization to get latest categories

$subscription = $wsus.GetSubscription()

$subscription.StartSynchronizationForCategoryOnly()

 

While ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {

    Write-Host "." -NoNewline

    Start-Sleep -Seconds 5

}

Write-Host "Sync is done."

You may have noticed that I didn’t have to run Import-Module before using the UpdateServices module cmdlets. This is because Windows PowerShell 3.0 supports automatic loading of the modules when a specific cmdlet from a module is used.

Now that we have pulled down the classifications and platforms, it is time to filter the platforms for which I want updates and the classifications I want. Your preference for platforms and classifications will vary based on your environment and requirements.

When that is done, we will configure WSUS to synchronize once a day automatically at midnight, and kick off another synchronization to pull down the update metadata (not the actual update files) from the Microsoft Update server.

#Configure the Platforms that we want WSUS to receive updates

Get-WsusProduct | where-Object {

    $_.Product.Title -in (

    'CAPICOM',

    'Silverlight',

    'SQL Server 2008 R2',

    'SQL Server 2005',

    'SQL Server 2008',

    'Exchange Server 2010',

    'Windows Server 2003',

    'Windows Server 2008',

    'Windows Server 2008 R2')

} | Set-WsusProduct

 

#Configure the Classifications

Get-WsusClassification | Where-Object {

    $_.Classification.Title -in (

    'Update Rollups',

    'Security Updates',

    'Critical Updates',

    'Service Packs',

    'Updates')

} | Set-WsusClassification

 

#Configure Synchronizations

$subscription.SynchronizeAutomatically=$true

#Set synchronization scheduled for midnight each night

$subscription.SynchronizeAutomaticallyTimeOfDay= (New-TimeSpan -Hours 0)

$subscription.NumberOfSynchronizationsPerDay=1

$subscription.Save()

 

#Kick off a synchronization

$subscription.StartSynchronization()

It may take a while to complete the synchronization. When it has completed, you can begin reviewing the available updates that your systems require. Whether you want to keep everything installed and configured on a single server or you want to keep your SUSDB database on a remote SQL Server, you will find that it is easily accomplished by using Windows PowerShell.

That is all for today’s blog about working with WSUS on Windows Server 2012. The next blog I have lined up will deal with using the UpdateServices module to configure the clients and approve or decline updates. In addition, we will dip our toes into WSUS API to set up Computer Groups for the clients and to remove clients from WSUS.

~Boe

Thank you, Boe, for a great blog post. Join us tomorrow for a guest blog by Honorary Scripting Guy and Windows PowerShell MVP, Don Jones.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Hi,

    Great article. Thanks Boe :-)

    Let me just add that the way you use the Get-WsusClassification cmdlet will only work on English culture ($host.CurrentCulture). Titles are actually translated. In French, 'Security Updates' is translated to "Mise à jour de la sécurité".

    The Microsoft.UpdateServices.Internal.BaseApi.UpdateServer has also an ID property that could be use for automation in multi-language environments.

    /Emin

  • Nice.. and I know this is Powershell and all - but when you want to use the GUI, you'll find that it doesn't work as ReportViewer2008 and dotnet 2 aren't installed. This isn't as simple as you'd think. These additional steps are then needed.

    Basically, to get dotnet in place (you'll get a warning that you already have 3.5, so go away, if you just try and do it)

    Dism /online /enable-feature /featurename:NetFX3 /featurename:NetFx3ServerFeatures /Source:D:\sources\sxs

    Note: D: is the drive letter of DVD drive on the computer, adjust it accordingly.

    You can then install ReportViewer 2008. This info from blogs.technet.com/.../windows-server-2012-beta-how-to-configure-wsus-reporting.aspx

    Can't help but think it's a staggering fail that MS rolled this out, and you can't actually use the GUI unless you search the web for a blog post explaining how to use it...

  • @_Emin_ Glad you enjoyed the article! Also thanks for the tip!

    @andreww Thanks for the comment as well!

  • @andreww, we're looking at upgrading to Report Viewer 2012 in the future. Thanks for the feedback!

  • Hey Boe...

    This is great! I.T. will get a kick out of your current update with windows. Can't say that programs run faster then humans, but we are sure handy to them.

    Ok! Boe. Thanks for the update.

  • @Ben Herila [MSFT] Thanks for the feedback!

    @Jose Rojas Thanks for the comment!

  • Hello. Good article but I have one big problem. I see we can set the products for which we want to receive updates but how can we remove products that we don't want? Because I saw that some products are check by default. And also I didn't find some function to list the products that are checked. Thank you.

  • Anyway we could get a default server powershell and a client install script.  There's so many words on this screen.

  • I just installed with the wizard, reading this article would have taken longer.  +1 Yum -1 powershell   And I like windows!  Drive space?  really?  That's why you extend primary volumes.

  • @So many words

    I can see what I can do for a server install script. As for a client install script, because it can be done with one line, I don't really see a good reason to have a script. Here is the one-liner for the client installation:

    Install-WindowsFeature -Name UpdateServices-RSAT

  • @less monologing.

    Thank you for your comment. There is a lot of writing here and that is by design as I want to ensure I explain everything that is going on (teaching to fish). Sure the time it takes to read may be longer than going through the wizard, but the idea here is to better learn the PowerShell method of accomplishing the same task which will in turn take a shorter time to install the role.

    I'm unsure about what you mean by drive space, but I will assume you are talking about my reason for placing everything on the D: drive vs. a system drive. This is considered a 'best practice' to keep data files such as the database and update files on a separate drive from the system not only for security purposes, but also performance (run the Best Practices Analyzer and you will see). See also technet.microsoft.com/.../cc720525(v=ws.10).aspx

  • @dann23

    You can use the same approach that I showed on filtering for Products and then just pipe that into Set-WSUSProduct and use the -Disable switch.

    You can find what products are approved via the following code:

    $wsus = Get-WsusServer

    $wsus.GetSubscription().GetUpdateCategories()

  • Thanks for the article Boe. Trying to setup NLB on wsus 2012 server, but cannot find a guide. Already setup the first wsus server with remote sql db, As per wsus 3.0 SP1 the subsequent frontend wsus need to be setup without creating a new database, is there a cmdlet that will install the wsus 2012 without creating the database but pointing to current db for nlb setup ?

  • @_nid

    Unfortunately, there is not a cmdlet that can be used to tell where to point WSUS to for a database. You will have to use the wsusutil.exe command to point to your remote database. The following is an example of what you can do:

    Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools

    .\wsusutil.exe postinstall SQL_INSTANCE_NAME="<YOUR DATABASE SERVER\INSTANCE>" CONTENT_DIR=D:\WSUS

  • Nice article, used the scripts successfully with minor mods. Thanks!