Windows
Patching
Security

Automating Windows Server Updates with WSUS

Ashwani Paliwal
June 21, 2024

In today's fast-paced IT environment, keeping your Windows servers up-to-date with the latest patches and updates is crucial for maintaining security and stability. One of the most efficient ways to manage this process is by using Windows Server Update Services (WSUS). WSUS allows administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. This blog will explore how to automate Windows Server updates with WSUS, from setup to configuration and maintenance.

Introduction to WSUS

Windows Server Update Services (WSUS) is a free add-on provided by Microsoft that allows administrators to manage the distribution of updates released through Microsoft Update to computers in a corporate environment. WSUS can obtain updates from Microsoft Update or another WSUS server and then distribute these updates to client computers.

Benefits of WSUS

  1. Centralized Update Management: WSUS allows centralized management of updates, ensuring that all servers and workstations receive the necessary patches.
  2. Bandwidth Efficiency: WSUS reduces bandwidth usage by downloading updates once and distributing them across the network.
  3. Compliance and Reporting: WSUS provides detailed reports on update status and compliance, helping ensure that all systems are up-to-date.
  4. Control Over Updates: Administrators can approve or decline updates, providing control over which updates are deployed in the network.

Setting Up WSUS

Setting up WSUS involves installing the WSUS role on a Windows Server and configuring it to download updates from Microsoft Update or another WSUS server.

Prerequisites

  • A server running Windows Server (2012 or later).
  • Adequate disk space for storing updates.
  • A stable internet connection.

Installation Steps

1. Install the WSUS Role:

  • Open Server Manager.
  • Click on Add roles and features.
  • Select Windows Server Update Services under the Roles section and follow the prompts to install the role.

2. Post-Installation Configuration:

  • After the role is installed, the WSUS Configuration Wizard will start automatically.
  • Choose a location to store updates. It's recommended to use a dedicated drive or partition.
  • Choose the languages of the updates you want to download.
  • Select the products for which you want to download updates (e.g., Windows Server, Office).
  • Choose the classifications of updates you want to download (e.g., Critical Updates, Security Updates).
  • Synchronize WSUS with Microsoft Update or an upstream WSUS server.

Configuring WSUS for Automated Updates

Creating Computer Groups

WSUS allows you to create computer groups to target specific updates to specific groups of machines.

  1. Open WSUS Administration Console.
  2. Navigate to Computers.
  3. Right-click All Computers, and then click Add Computer Group.
  4. Enter a name for the group (e.g., Servers, Workstations) and click Add.

Configuring Group Policies

To ensure that clients receive updates from the WSUS server, you need to configure Group Policy settings.

  1. Open Group Policy Management.
  2. Create a new GPO or edit an existing one linked to the Organizational Unit (OU) containing the computers you want to update.
  3. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
  4. Configure the following settings:
  • Specify intranet Microsoft update service location: Set this to the URL of your WSUS server (e.g., http://wsusserver:8530).
  • Enable client-side targeting: Set this to the name of the computer group you created in WSUS.
  • Automatic Updates: Configure this to automatically download and install updates.

Approving Updates

  1. Open WSUS Administration Console.
  2. Navigate to Updates.
  3. Select the updates you want to approve.
  4. Right-click the selected updates, and then click Approve.
  5. Choose the computer groups for which you want to approve the updates.

Automating Maintenance Tasks

Scheduled Synchronizations

You can configure WSUS to automatically synchronize updates from Microsoft Update.

  1. Open WSUS Administration Console.
  2. Navigate to Options > Synchronizations.
  3. Configure the synchronization schedule according to your needs (e.g., daily at 3 AM).

Cleanup Tasks

Regular cleanup of the WSUS database helps maintain performance.

  1. Open WSUS Administration Console.
  2. Navigate to Options > Server Cleanup Wizard.
  3. Select the tasks you want to perform (e.g., remove obsolete updates, or decline expired updates) and run the wizard.

Monitoring and Reporting

WSUS provides built-in reporting features to monitor update compliance.

  1. Open WSUS Administration Console.
  2. Navigate to Reports.
  3. Generate reports on update status, computer compliance, and more to ensure all systems are up-to-date.

Conclusion

Automating Windows Server updates with WSUS simplifies the patch management process, ensuring your servers are always up-to-date with the latest security and feature updates. By following the steps outlined in this guide, you can set up, configure, and maintain a WSUS server to automate the deployment of updates, improving the security and stability of your IT environment.

SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize, and remediate security vulnerabilities and misconfigurations in seconds.

To schedule a demo, just pick a slot that is most convenient for you.

Related Blogs