Deploying images is one thing, but actually having to run the update gauntlet on every deploy is terrifying to me. It often results in no updates being installed (because I just could not be bothered), and this can cause discrepancies between test systems or even make you miss out on cool new features! So let's install the WSUS component to handle that. Later on we'll see how to configure WSUS and set an automatic "Approve All" rule. What we will also be doing, albeit not in this part, is leveraging the power of WSUS to update our installations right after deployment. Without joining a domain!

Go to the server roles wizard and select the "Windows Server Update Services" role.

You will be automatically presented with the prerequisites required for the WSUS component. Agree with the popup by selecting "Add Required Role Services".

Once you accept, notice that the Web Server component is checked as well. Try not to install this role on a server that hosts other websites; it's possible but requires a bit more care…

Once again, read through the introduction page.

You don’t have to select anything extra on this screen as that has been taken care of by the popup you received earlier.

Install WSUS and the required role services by clicking the Install button.

Just like with the WDS role you will be presented with a progress screen. Once again it should be smooth sailing and no reboot will be required.

Once installation of WSUS is complete you will be presented with the following setup screen:

Accept the license terms (and you "should" actually read them -_-)

I don't really care about the reporting at this stage, just know that you can manage the machine just fine and all you will not be able to do is pull reports. If you care about those you can always install the report viewer later on.

You'll have to present WSUS with a folder where it can store the updates. I added an extra 250 GB LUN to the server to handle this and the MDT files.

If you have a database server, feel free to put the WSUS database on there. If you don't, you can install the internal database from Microsoft on your server by choosing the first option and clicking Next.

If you are running another website on your server you have the option to coexist with that website. It also means you have to keep track of your ports somewhere…

Once all have been taken care of you can go ahead and complete setup.

Another progress screen will present itself to keep you informed.

Complete the WSUS setup by clicking finish in this window.

If the below window does not present itself you can access it from the start menu.

Up to you if you want to join the improvement program.

Unless you have another WSUS server somewhere that you can use there is not much choice in these options ;).

Enter any proxy servers which you might have in your network.

An initial connection to the WSUS servers of Microsoft is needed to determine what can be pulled in. This might take a while so sit back and relax.

Once completed, click next.

If you are supporting multiple languages in your organization you have the option to select those specific update packs here.

The following window will give you granular control of the products you will be downloading updates for. As you can see, this includes legacy products, so you are best off not selecting the "All Products" option.

Populate the below selection fields where necessary to suit your needs.

Unless you feel the need to synchronise manually, you can set up daily synchronizations in this window. Make sure to adapt the time if necessary!

Once all the settings have been configured you can launch your initial synchronization and pull down the updates.

Click Finish.

Aaaaaaaaand close

Now go to start and open the Windows Server Update Services management tool.

You'll notice that none of our updates have actually been approved! Not much good this server will do us at this point…

So select every update (CTRL+A) and right-click to select Approve. (Obviously this should not be done in a production environment. In such a case you should actually verify each update so it does not break your production services or third-party applications.)

Approve the updates for installation on the "All Computers" group.

Click OK.

Erm yeah, this will take a while and you might be presented with a couple of additional screens to agree with license terms. If this process appears to be stuck, try minimizing your windows one by one. Sometimes the pop-up screens go play hide-and-seek.

To avoid having to manually approve every new update in our lab environment, you can go to Options and click the "Automatic Approvals" option to configure a default "approve all" rule.

As shown below

Update the classifications if necessary.
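
The console steps above (approve everything for "All Computers", accept the license terms, set up an automatic "approve all" rule) can also be scripted against the WSUS administration API. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the WSUS server with the WSUS console installed, and the rule name `Lab - approve all` is a made-up label.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server.
# Lab use only, as the post says: review updates individually in production.
$ErrorActionPreference = 'Stop'
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# The built-in "All Computers" group the walkthrough approves against.
$allComputers = $wsus.GetComputerTargetGroup(
    [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers)

# 1. Everything that is still unapproved (the CTRL+A selection in the console).
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$pending = @($wsus.GetUpdates($scope))
"{0} unapproved updates found" -f $pending.Count

# 2. Approve each one; accept license terms in code instead of hunting for pop-ups.
$failed = @()
foreach ($update in $pending) {
    try {
        if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
        [void]$update.Approve(
            [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
            $allComputers)
    } catch {
        # Keep going, but record which update could not be approved and why.
        $failed += "{0}: {1}" -f $update.Title, $_.Exception.Message
    }
}
if ($failed) { $failed | Write-Warning }

# 3. Automatic approval rule. The rule name is a hypothetical label for this example.
$ruleName = 'Lab - approve all'
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($allComputers)
$rule.SetComputerTargetGroups($groups)
# "Update the classifications if necessary": here every classification is included.
$rule.SetUpdateClassifications($wsus.GetUpdateClassifications())
$rule.Enabled = $true
$rule.Save()

# List what the rule now covers so the lab-only setting is easy to audit later.
$rule.GetUpdateClassifications() | ForEach-Object { $_.Title }
```

To narrow the rule later, pass a filtered collection to `SetUpdateClassifications` instead of the full list and save the rule again.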
