Deploying images is one thing but actually having to run the update gauntlet on every deploy is terrifying to me. It often results in no updates being installed (cause I just could not be bothered) and this can cause discrepancies between test systems or even you missing out on cool new features! So let's install the WSUS component to handle that. Later on we'll see how to configure WSUS and set an automatic "Approve All" rule. What we will be doing as, albeit not in this part, is leveraging the power of WSUS to update our installations right after deployment. Without joining a domain!
Go to the server roles wizard and select the "Windows Server Update Services".
You will be automatically presented with the prerequisites required for the WSUS component. Agree with the popup by selecting add Required Role Services.
Once you accept that you should take notice that the Web Server component is checked as well. Try not to install this role on a server which hosts other websites, it's possible but requires a bit more care…
Once again, read through the introduction page.
You don’t have to select anything extra on this screen as that has been taken care of by the popup you received earlier.
Install WSUS and the required role services by clicking the install button
Just like with the WDS role you will be presented with a progress screen. Once again it should be smooth sailing and no reboot will be required.
Once installation of WSUS is complete you will be presented with the following setup screen:
Accept the license terms (and you "should" actually read them -_-)
I don't really care about the reporting at this stage, just know that you can manage the machine just fine and all you will not be able to do is pull reports. If you care about those you can always install the report viewer later on.
You'll have to present WSUS with a folder where it can store the updates. I added an extra 250 GB LUN to the server to handle this and the MDT files.
If you have a database server, feel free to put the WSUS database on there, if you don't you can install the internal database from Microsoft on your server by choosing the first option and clicking next.
If you are running another website on your server you have the option to coexist with that website. It also means you have to keep track of your ports somewhere…
Once all have been taken care of you can go ahead and complete setup.
Another progress screen will present itself to keep you informed
Complete the WSUS setup by clicking finish in this window.
If the below window does not present itself you can access it from the start menu.
Up to you if you want to join the improvement program.
Unless you have another WSUS server somewhere that you can use there is not much choice in these options ;).
Enter any proxy servers which you might have in your network
An initial connection to the WSUS servers of Microsoft is needed to determine what can be pulled in. This might take a while so sit back and relax.
Once completed, click next.
If you are supporting multiple languages in your organization you have the option to select those specific update packs here.
The following window will give you a granular control of the products you will be downloading updates for. As you can see this includes legacy products so you are best off not to select the "all Products" option.
Populate the below selection fields where necessary to suit your needs.
Unless you feel the need to synchronise manually you can setup daily synchronizations in this window. Make sure to adapt the time if necessary!
Once all the settings have been configured you can launch your initial synchronization and pull down the updates.
Now go to start and open the Windows Server Update Services management tool.
You'll notice that none of our updates have been actually approved! Much good this server will do us not at this point…
So select every update (CTRL+A) and right click to select approve. (obviously this should not be done in a production environment. In such a key you should actually verify each update so it does not break your production services or third party applications)
Approve the updates for installation on the "all computers" group.
Erm yeah, this will take a while and you might be presented with a couple of additional screens to agree with license terms. If this process appears to be stuck try and minimizing your windows one by one. Sometimes the pop up screens go play hide-and-seek.
To avoid having to manually approve every new update in our lab environment you can go to options and click the "automatic Approvals" option to configure a default "approve all" rule.
As shown below
Update the classifications if necessary