Everyone in IT knows that deploying a Windows machine is only part of the job. Regular maintenance to keep systems functioning properly and secure is paramount.
Part of that routine upkeep is a timely patching regimen. Like clockwork on the second Tuesday of every month, Microsoft delivers security updates for the supported products in its portfolio, such as the Windows operating system and Microsoft Office applications. Windows Server Update Services (WSUS) is the tool many organizations use to approve those updates centrally and push them out to their Windows machines from an internal server, rather than letting each client fetch them from Microsoft Update on its own, so that the vulnerabilities each month's updates fix are closed promptly across the fleet.
Windows Server 2019 was Microsoft's current server operating system when this tutorial was produced, and it includes the WSUS server role as part of its license. While the setup process for WSUS 2019 is fairly straightforward, there are some best practices from Microsoft that administrators should follow so the operations team can be confident that the patches they approve actually reach their intended targets.
WSUS 2019 supports up to 100,000 clients per server, but Microsoft recommends that enterprises spread the update workload across several servers when they manage a large number of Windows machines. Rather than giving each server its own database, Microsoft suggests deploying multiple WSUS front-end servers that share a single SQL Server database holding the update metadata and client state. A client performs a full scan against the update catalog whenever it is pointed at a WSUS server with a different database; with a shared database, a client that fails over to another front end sees the same catalog and does not rescan, so the deployment avoids the network-wide spike that would otherwise occur when many clients switch servers at once.
Other reasons to set up WSUS 2019 on more than one server include avoiding a complete outage if a sole server fails and limiting how many servers are exposed to the internet. The WSUS server that pulls updates must connect outbound to Microsoft's update servers. In a multi-server deployment, administrators can designate one server as the upstream server that downloads the patches from Microsoft and configure the remaining downstream servers to synchronize from it, so only the upstream server needs internet access.
The following transcript for this video tutorial by contributor Brien Posey walks administrators through the WSUS 2019 setup process.
Transcript - Deploy and configure WSUS 2019 for Windows patching needs
In this video, I want to show you how to deploy the Windows Server Update Services, or WSUS, in Windows Server 2019.
I'm logged into a Windows Server 2019 machine that is domain-joined. Open Server Manager and click on Manage, then go to Add Roles and Features to launch the wizard.
Click Next and choose the Role-based or feature-based installation option and click Next. Select your server from the server pool and click Next to choose the roles to install.
Scroll down and choose the Windows Server Update Services role, then click Add Features. There are no additional features needed, so click Next.
At the WSUS screen: If you need SQL Server connectivity, you can enable it here. I'm going to leave that checkbox empty and click Next.
I'm prompted to choose a location to store the updates that get downloaded. I'm going to store the updates in a folder that I created earlier called C:\Updates. Click Next to go to the confirmation screen. Everything looks good here, so I'll click Install.
After a few minutes, the installation process completes. Click Close.
The next thing that we need to do is to configure WSUS for use. Go to the notifications icon and click on that. We have some post-deployment configuration tasks that need to be performed, so click on Launch Post-Installation tasks. After a couple of minutes, the notification icon changes to a number. If I click on that, then we can see the post-deployment configuration was a success.
Close this out and click on Tools, and then click on Windows Server Update Services to open the console. Select the WSUS server and expand that to see we have a number of nodes underneath the server. One of the nodes is Options. Click on Options and then click on WSUS Server Configuration Wizard.
Click Next on the Before You Begin screen and then I'm taken to the Microsoft Update Improvement Program screen that asks if I want to join the program. Deselect that checkbox and click Next.
Next, we choose an upstream server. I can synchronize updates either from another Windows Server Update Services server or from Microsoft Update. This is the only WSUS server in my organization, so I'm going to synchronize from Microsoft Update, which is the default selection, and click Next.
I'm prompted to specify my proxy server. I don't use a proxy server in my organization, so I'm going to leave that blank and click Next.
Click the Start Connecting button. It can take several minutes for WSUS to connect to the upstream update server, but the process finally finishes.
Now the wizard asks me to choose a language. Since English is the only language spoken in my organization, I'm going to choose the option to download updates in English and click Next.
I'm asked which products I want to download updates for -- I'm going to choose all products. I'll go ahead and click Next.
Now I'm asked to choose the classifications that I want to download. In this case, I'm just going to go with the defaults [Critical Updates, Definition Updates, Security Updates and Upgrades]. I'll click Next.
I'm prompted to choose a synchronization schedule. In a production organization, you're probably going to want to synchronize automatically. I'm going to leave this set to synchronize manually. I'll go ahead and click Next.
I'm taken to the Finished screen. At this point, we're all done, aside from synchronizing updates, which can take quite a while to complete. If you'd like to start the initial synchronization process now, all you have to do is select the Begin Initial Synchronization checkbox and then click Next, followed by Finish.
That's how you deploy and configure Windows Server Update Services.
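The same role installation, post-installation task and server configuration wizard steps that the video walks through in Server Manager can be scripted with the WSUS role's PowerShell cmdlets and the administration API that Get-WsusServer exposes. The following script is an added example written for this page; it is not part of the video or the article, and it is not a Microsoft-provided script. It also covers the upstream/downstream arrangement described in the introduction: with the UpstreamServer parameter empty it synchronizes from Microsoft Update, as in the video; with an internal WSUS server's name it builds a downstream server that never needs internet access. The content directory C:\Updates, the Windows Internal Database (no SQL Server), English as the only language, the four default classifications, the product list and the 03:00 sync time are assumptions for the example, not settings from the page.

```powershell
# Added example: scripted equivalent of the WSUS 2019 install and first-run
# configuration shown in the transcript. Not from the video or from Microsoft.
# Assumed values (mine): C:\Updates, WID database, English only, one product,
# the four default classifications, an optional internal upstream server.
#Requires -RunAsAdministrator
param(
    [string]$ContentDir = 'C:\Updates',
    # Empty = synchronize from Microsoft Update (the transcript's choice).
    # Set to an internal WSUS server's FQDN to build a downstream server instead.
    [string]$UpstreamServer = '',
    [int]$UpstreamPort = 8530,
    [string[]]$Products = @('Windows Server 2019'),
    [string[]]$Classifications = @('Critical Updates', 'Definition Updates',
                                   'Security Updates', 'Upgrades')
)

# 1. Role install: Add Roles and Features -> Windows Server Update Services.
#    The UpdateServices feature installs the WID database by default; add
#    UpdateServices-DB instead of the WID sub-feature for SQL Server connectivity.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools | Out-Null

# 2. Post-installation task ("Launch Post-Installation tasks" in Server Manager):
#    creates the database and the content store. CONTENT_DIR must be a local path.
if (-not (Test-Path $ContentDir)) {
    New-Item -ItemType Directory -Path $ContentDir | Out-Null
}
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir

# 3. WSUS Server Configuration Wizard equivalents.
$wsus   = Get-WsusServer            # local server, default HTTP port 8530
$config = $wsus.GetConfiguration()

if ($UpstreamServer) {
    # Downstream server: metadata and content come from the internal upstream
    # server, so only that server needs outbound internet access.
    $config.SyncFromMicrosoftUpdate      = $false
    $config.UpstreamWsusServerName       = $UpstreamServer
    $config.UpstreamWsusServerPortNumber = $UpstreamPort
    $config.UpstreamWsusServerUseSsl     = $false  # $true once the upstream server is SSL-configured
    $config.IsReplicaServer              = $false  # autonomous: approvals are made on this server
} else {
    $config.SyncFromMicrosoftUpdate = $true        # the transcript's choice
}
$config.UseProxy = $false                          # transcript: no proxy server

# Languages: English only (transcript). The API takes a StringCollection.
$languages = New-Object System.Collections.Specialized.StringCollection
$languages.Add('en') | Out-Null
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages($languages)
$config.Save()

# 4. Products and classifications cannot be selected until the server has pulled
#    the category list from its upstream source (the wizard's "Start Connecting"
#    step). Run a categories-only sync and wait for it to finish.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 10
}

# The video selects all products; limiting the list to what the fleet actually
# runs keeps the database and client scan times manageable.
Get-WsusProduct |
    Where-Object { $_.Product.Title -in $Products } |
    Set-WsusProduct
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $Classifications } |
    Set-WsusClassification

# 5. Sync schedule: the transcript keeps manual sync; production servers should
#    synchronize automatically. Time of day is UTC.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically          = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$subscription.NumberOfSynchronizationsPerDay    = 1
$subscription.Save()

# 6. Mark the configuration wizard as completed and start the full initial sync
#    (the "Begin Initial Synchronization" checkbox on the Finished screen).
$config.OobeInitialized = $true
$config.Save()
$subscription.StartSynchronization()
```

Run the script in an elevated PowerShell session on the domain-joined Windows Server 2019 host. The categories-only synchronization in step 4 can take several minutes, just as the wizard's Start Connecting step does in the video, and the full synchronization started at the end runs in the background. One point the transcript does not cover: both the wizard and this script leave WSUS serving clients over plain HTTP on port 8530. Microsoft recommends enabling SSL for WSUS, which is done by binding a server certificate to the WSUS site in IIS and then running wsusutil.exe configuressl with the server's FQDN, after which clients and downstream servers should be pointed at the HTTPS port, 8531.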