Enabling WSUS on Windows Server 2012 Essentials

Skipping over the usual boring intro on the whys and wherefores of a subject I write about, I thought I'd just crack on and tell you how to get this done.

First, on your Essentials Server you will need to install this hotfix. After you install this hotfix, the WSUS Role is available.

That is correct, WSUS is a ROLE, not something you need to download as it was previously.

So given that I am partial to a bit of PowerShell, I thought rather than use a boring GUI I'd do this the, er, PowerShell way.

Open an Administrative PowerShell window, and type in:

Add-WindowsFeature UpdateServices,UpdateServices-WidDB,UpdateServices-Services,UpdateServices-RSAT

This will install the relevant components to your Essentials Server.

We can then set about configuring WSUS, and getting your computers registered.

When you open WSUS from Administrative Tools you will need to choose a location to store your updates, assuming you want to store them locally on this server and not have your clients download them directly from Microsoft.

I created a folder on the C Drive called WSUS.

Next, a wizard will start to configure the more detailed WSUS settings.

You can choose things like whether to sync updates in different languages, what products to sync, the type of update to sync and also the schedule.

I recommend you review, and only select the products that are in use on your network.

I am choosing to leave the synchronisation schedule as manual until I have completed my WSUS configuration.

I have chosen not to start the initial sync now, because I want to configure some additional items first.

Inside the WSUS Console go to Options, expand Computers, and right click on ‘All Computers’. Click Add Computer Group and type a name for the group. I am adding two groups, one for Client PC and one for the Essentials Server.

Next, go to Options. Click on Computers, and set the option to ‘Use Group Policy settings on Computers’.

This will allow us to automatically put Computers into the Groups we specify.

Next go to Automatic Approvals. Here we can create a rule to automatically approve updates of a certain type.

I want to create a new rule to auto approve all Office 2013 Updates. Click New Rule.

Check the box for ‘Specific Product’ and in ‘Step 2’ choose Microsoft Office 2013. You can then also choose to apply this rule only to a specific group of computers.

Enter a Name for the Rule, and click OK to save.
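
The console steps above (computer groups, Group Policy targeting, manual sync and the Office 2013 approval rule) can also be scripted through the WSUS administration API. This is an added example, not part of the original post; the group names, the rule name and the product title match are assumptions, and the product only appears once WSUS has synchronised its category list.

```powershell
# Added example (not from the original post): run elevated on the WSUS server.
Import-Module UpdateServices
$wsus = Get-WsusServer

# Assumed names for the two groups the article describes.
$groupNames = 'Client PC', 'Essentials Server'
$existing   = @($wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name })
foreach ($name in $groupNames) {
    if ($existing -notcontains $name) { $wsus.CreateComputerTargetGroup($name) | Out-Null }
}

# Options > Computers > 'Use Group Policy settings on computers' (client-side targeting).
$config = $wsus.GetConfiguration()
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()

# Keep synchronisation manual until the rest of the configuration is finished.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $false
$subscription.Save()

# Auto-approval rule limited to one product and one computer group.
$ruleName = 'Auto approve Office 2013'    # assumed rule name
$products = @($wsus.GetUpdateCategories() | Where-Object { $_.Title -like '*Office 2013*' })
$ruleNames = @($wsus.GetInstallApprovalRules() | ForEach-Object { $_.Name })

if ($products.Count -eq 0) {
    Write-Warning 'No Office 2013 product in the catalogue yet; synchronise categories first.'
} elseif ($ruleNames -notcontains $ruleName) {
    $categories = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
    $products | ForEach-Object { $categories.Add($_) | Out-Null }

    $targets = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    $clientGroup = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Client PC' }
    $targets.Add($clientGroup) | Out-Null

    $rule = $wsus.CreateInstallApprovalRule($ruleName)
    $rule.SetCategories($categories)
    $rule.SetComputerTargetGroups($targets)
    $rule.Enabled = $true
    $rule.Save()
}
```

Scoping the rule to a single product and a single group keeps automatic approval away from the server until updates have been checked on the clients.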

You can also go ahead and configure the Email reporting if you wish.

Next switch to the Group Policy Management Console.

We will create 3 group policies.

The first Policy we will create will be for generic settings. The other two will target the client computers and Server.

Right click your domain name, and click Create a GPO in this Domain, and link it here.

Name your policy: Essentials 2012 WSUS Settings.

Repeat this again to create: Essentials 2012 WSUS Client Settings & Essentials 2012 WSUS Server Settings.

If you have used the Essentials 2012 Implement Group Policy wizard, you will already have a WMI Filter in place that will detect a client PC. If you have not, you will need to create a WMI filter to filter your client computers.

We will then configure our Client GPO to use this WMI Filter.

You may want to consider creating a WMI filter for your Server Settings GPO using ‘Product Type 3’.

Next we can configure the GPOs themselves.

Starting with our Generic policy, we can add the settings to tell the clients how to connect to WSUS.

Edit your GPO, and navigate down to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

Look for the setting named ‘Specify intranet Microsoft Update Service Location’. Set this to Enabled and enter your server name and the port that WSUS is running on. By default it is 8530.

I am also configuring the detection frequency to 8 hours, and turning on Recommended Updates.

Next, we can go to the Client Settings GPO and edit the setting for Enabling Client Side Targeting. We can type in the name of our Computer Group, and then we can set our policy settings for ‘Configure Automatic Updates’.

You can adjust these settings to suit your environment, and then repeat the same process for the final GPO which will apply only to the Essentials Server.
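
The three GPOs and the Windows Update settings described above, written with the GroupPolicy module instead of the editor. This is an added example, not part of the original post: the domain DN, server name, group names and the `AUOptions` value are assumptions, and the targeted GPOs are linked disabled so that the WMI filters can be attached in GPMC first.

```powershell
# Added example (not from the original post): needs the GroupPolicy module (GPMC).
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'       # assumption: your domain's distinguished name
$wsusUrl  = 'http://ESSENTIALS:8530'    # assumption: server name; 8530 is the default port
$wuKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey    = "$wuKey\AU"

function New-LinkedGpo($Name, $LinkEnabled = 'Yes') {
    # Create and link the GPO at the domain root only if it does not exist yet.
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | New-GPLink -Target $domainDn -LinkEnabled $LinkEnabled | Out-Null
    }
}

function Set-WuPolicy($Gpo, $Key, $Name, $Type, $Value) {
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

# Generic GPO: where WSUS lives, detection every 8 hours, recommended updates on.
$generic = 'Essentials 2012 WSUS Settings'
New-LinkedGpo $generic
Set-WuPolicy $generic $wuKey 'WUServer'                  String $wsusUrl
Set-WuPolicy $generic $wuKey 'WUStatusServer'            String $wsusUrl
Set-WuPolicy $generic $auKey 'UseWUServer'               DWord  1
Set-WuPolicy $generic $auKey 'DetectionFrequencyEnabled' DWord  1
Set-WuPolicy $generic $auKey 'DetectionFrequency'        DWord  8
Set-WuPolicy $generic $auKey 'IncludeRecommendedUpdates' DWord  1

# Targeted GPOs: client-side targeting group plus 'Configure Automatic Updates'.
$targeted = @{
    'Essentials 2012 WSUS Client Settings' = 'Client PC'           # assumed group name
    'Essentials 2012 WSUS Server Settings' = 'Essentials Server'   # assumed group name
}
foreach ($gpo in $targeted.Keys) {
    # Linked but disabled: enable the link once the WMI filter is attached,
    # otherwise both GPOs would apply to every computer in the domain.
    New-LinkedGpo $gpo 'No'
    Set-WuPolicy $gpo $wuKey 'TargetGroupEnabled' DWord  1
    Set-WuPolicy $gpo $wuKey 'TargetGroup'        String $targeted[$gpo]
    Set-WuPolicy $gpo $auKey 'NoAutoUpdate'       DWord  0
    Set-WuPolicy $gpo $auKey 'AUOptions'          DWord  3   # assumption: download, notify to install
}
```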

After a Group Policy refresh you should see your computers start to appear in WSUS in the groups we created.
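
If a computer does not appear, or lands in Unassigned Computers, the policy values it actually received are the first thing to check. The function below is an added example, not part of the original post; the expected group name is an assumption, and the HTTPS note refers to WSUS's default SSL port 8531.

```powershell
# Added example (not from the original post): run on a client after 'gpupdate /force'.
function Test-WsusClientPolicy {
    param([string]$ExpectedGroup)

    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuPath      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPath\AU" -ErrorAction SilentlyContinue
    $findings = @()

    if (-not $wu.WUServer) {
        $findings += 'WUServer is not set: the WSUS GPO has not applied to this computer.'
    } else {
        if ($wu.WUServer -ne $wu.WUStatusServer) {
            $findings += 'WUServer and WUStatusServer differ: reporting may go to another server.'
        }
        if ($wu.WUServer -like 'http://*') {
            $findings += 'WUServer uses plain HTTP: consider binding WSUS to HTTPS (default port 8531).'
        }
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client still talks to Microsoft Update.'
    }
    if ($ExpectedGroup) {
        if ($wu.TargetGroupEnabled -ne 1) {
            $findings += 'Client-side targeting is off: the computer stays in Unassigned Computers.'
        } elseif ($wu.TargetGroup -ne $ExpectedGroup) {
            $findings += "TargetGroup is '$($wu.TargetGroup)', expected '$ExpectedGroup'."
        }
    }

    # ProductType is what a WMI filter sees: 1 = workstation, 2 = domain controller, 3 = server.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object psobject -Property @{
        Computer    = $env:COMPUTERNAME
        ProductType = $os.ProductType
        WUServer    = $wu.WUServer
        TargetGroup = $wu.TargetGroup
        Findings    = $findings
    }
}

# 'Client PC' is the assumed group name from the client GPO.
Test-WsusClientPolicy -ExpectedGroup 'Client PC' | Format-List
```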

Once you are happy with this you can start the initial sync of WSUS, which will download the patches and updates you have selected and start to push them out to your clients. You can then configure the sync schedule to occur automatically.

If your computer is not a member of the domain then you will need to configure the Local Group Policy, or the Registry in order to point it to your WSUS Server. I will cover those steps in a follow up post!

About Robert Pearman
Robert Pearman is a UK based IT worker bee. He has been working within the IT Industry for what feels like forever. Robert likes Piña colada and getting caught in the rain, he also enjoys writing about Technology like PowerShell or System Automation but not as much as he used to. If you're in trouble, and you can find him, maybe you can ask him a question.

22 Responses to Enabling WSUS on Windows Server 2012 Essentials

  1. Paul says:

    great write up!

  2. Hey Robert… As always a great and very detailed how to… Being a WSUS Admin for almost 9 years myself (going back to the WSUS 2.0 days) I can honestly say you covered the important and implementation specifics in setting up a WSUS in a network environment… I do love in 2012 how you can start the basic install in PowerShell.

    Just wish Microsoft would finally update WSUS into something more modern and automated, It has been 7 years since WSUS 3.0’s release.

    Take care and write soon.

  3. clark says:

    You Sir, are a Gentleman

  4. Andrew says:

    Just ran through this tutorial this morning, and applied the settings as specified. I did turn off IPv6 on the Essentials server (only using IPv4) and the server will not populate into WSUS. Not sure if I’m missing a step or something else. (I did wait about 2 hours before rechecking the computers list in WSUS, brand new server with nothing else connected as yet.) Any ideas, comments or assistance would be appreciated.

    • Why did you turn off IPv6?

      • Hi Andrew, here are a few recommendations….

        1. Ensure that your WSUS GPO is properly linked to the desired OU (the one with your servers or workstations in) in your GPM Console.

        2. Ensure the timing on your DC is synchronized with the rest of your domain workstations & servers with either an NTP time server or, if you can access the internet, an Internet time server.

        3. On your clients try typing in the “RUN” box the following commands…
        wuauclt.exe /detectnow
        wuauclt.exe /reportnow

        If you are running Windows Vista or above clients (for servers, Windows 2008 or above) go to Windows Update and do a “Check Now for New updates”. Please note this will only work if your WSUS GPO is properly linked to the desired Computer OU.

        5. Wait a few minutes and check your WSUS for Computers in either Unassigned Computers or All Computers. In the top of the panes for each of the categories ensure you have it to where it’s “ANY” as far as types.

        As far as disabling the IPV6 on the server or DC running WSUS it is recommended you leave IPV6 on for it to work properly (especially a DC) however you can safely disable on the clients.

        I hope this helps.

      • Andrew says:

        We have nothing using IPv6, and no plans to implement. If it is needed, it can be turned back on. Just as an aside, the server did finally show up, but for some reason it is in the Unassigned Computers group. I verified the filter in GPO and did set it for product 3 as was shown. Also the IP address of the server is shown as ::1, so pretty sure that isn’t working correctly.

      • mcbsys says:

        Andrew, re. not populating the server automatically, I believe the WMI ProductType filter should be “2” for a Domain Controller, not “3” as mentioned in the article. Or just catch all servers:

        select * from Win32_OperatingSystem Where (ProductType = "2" OR ProductType = "3")

  5. Hi Andrew.

    Pretty much nobody uses IPv6 (I sure as hell don’t) but MS has hard coded it into their newer server builds from 2008 on that if it is not turned on it may cause some problems. This happened to someone using the newer version of Exchange (2010) and was fixed upon IPv6 being turned on.

    Just FYI when a new Computer is registered by WSUS it always defaults to “Unassigned Computers”; from there you move it to a desired location. The ::1 is the IPv6 IP assigned to the Client, there is nothing wrong with that. That will generally show as the assigned IP for the WSUS Server from 2008R2 on up, but it is working correctly.

    Good luck with the rest of your setup.

    • Andrew says:

      Thanks for the heads up and quick reply. I see the server in unassigned and chose the use Group Policy to assign them. That being said, I cannot move it to another group as the change membership option is grayed out. Not sure if I need to change anything in the filters or if it is some other setting. I’ve worked on 2k8-2k11 servers and several 2k3 versions, but so far.. not having any fun with 2012 or Windows 8/8.1 for that matter. ;)

  6. Andrew says:

    Extremely new to using GPO for WSUS, always had Windows SBS process most everything. I created the GPOs as stated above and am unsure of where to place the group information other than what was stated. I will see if I can check against one of our SBS servers for the correct location/information… all help appreciated.. and thank you again for the time and replies.

  7. Shawn says:

    Microsoft’s link for the hotfix is broken, is it possible for you to post the hotfix?

  8. miles267 says:

    Would you please post the settings for when WSUS is installed on the same WSE12R2 box? I can’t seem to get my Essentials Server to show up under the correct COMPUTERS entry. It stays in UNASSIGNED COMPUTERS group. Thanks.

  9. intexx says:

    Will this be the same for WSE 2016?
