Enabling WSUS on Windows Server 2012 Essentials

metroSkipping over the usual boring intro on the whys and wherefores of a subject i write about i thought id just crack on and tell you how to get this done.

First on your Essentials Server you will need to install this hotfix. After you install this hotfix the WSUS Role is available.

That is correct, WSUS is a ROLE not something you need to download as it was previously.

So given that i am partial to a bit of PowerShell i thought rather than use a boring GUI id do this the, er, PowerShell way.

Open an Administrative PowerShell window, and type in:

Add-WindowsFeature UpdateServices,UpdateServices-WidDB,UpdateServices-Services,UpdateServices-RSAT

Enable WSUS on Server 2012 Essentials

This will install the relevant components to your Essentials Server.

Enable WSUS on Server 2012 Essentials 2

We can then set about configuring WSUS, and getting your computers registered.

When you open WSUS from Administrative Tools you will need to chose a location where to store your updates, assuming you want to store them locally on this server and not have your clients download them directly from Microsoft.

Enable WSUS on Server 2012 Essentials Config Wizard 1

I created a folder on the C Drive called WSUS.

Enable WSUS on Server 2012 Essentials Config Wizard 2

Next a wizard will start when to configure the more detailed WSUS Settings.

You can chose things like whether to sync updates in different languages, what products to sync, the type of update to sync and also the schedule.

Enable WSUS on Server 2012 Essentials Config Wizard 5

Enable WSUS on Server 2012 Essentials Config Wizard 6

Enable WSUS on Server 2012 Essentials Config Wizard 7

Enable WSUS on Server 2012 Essentials Config Wizard 8

Enable WSUS on Server 2012 Essentials Config Wizard 9

Enable WSUS on Server 2012 Essentials Config Wizard 10

Enable WSUS on Server 2012 Essentials Config Wizard 11

Enable WSUS on Server 2012 Essentials Config Wizard 12

I recommend you review, and only select the products that are in use on your network.

Enable WSUS on Server 2012 Essentials Config Wizard 11a

Enable WSUS on Server 2012 Essentials Classifications

Enable WSUS on Server 2012 Essentials Config Wizard 13

I am choosing to leave the synchronisation schedule as manual until i have completed my WSUS Configuration.

Enable WSUS on Server 2012 Essentials Config Wizard 14

Enable WSUS on Server 2012 Essentials Config Wizard 15

I have chosen not to start the initial sync now, because i want to configure some additional items first.

Inside the WSUS Console go to Options, expand Computers, and right click on ‘All Computers’ Click Add Computer Group and type a name for the group. I am adding two groups, one for Client PC and one for the Essentials Server.

Configure WSUS

Configure WSUS Add Computer Group

Configure WSUS Add Computer Group 2

Next, go to Options. Click On Computers, and set the option to ‘Use Group Policy settings on Computers’

Configure WSUS Add Computer Group 3

This will allow us to automatically put Computers into the Groups we specify.

Next go to Automatic Approvals. Here we can create a rule to automatically approve updates of a certain type.

Configure WSUS Auto Approval Rule

I want to create a new rule to auto approve all Office 2013 Updates. Click New Rule.

Configure WSUS Auto Approval Rule 1

Check the box for ‘Specific Product’ and in ‘Step 2’ chose Microsoft Office 2013. You can then also chose only to apply this rule to a specific group of computers.

Configure WSUS Auto Approval Rule 2

Enter a Name for the Rule, and click OK to save.

Configure WSUS Auto Approval Rule 3

You can also go ahead and configure the Email reporting if you wish.

Next switch to the Group Policy Management Console.

We will create 3 group policies.

The first Policy we will create will be for generic settings. The other two will target the client computers and Server.

Right click your domain name, and click Create a GPO in this Domain, and link it here.

Name your policy: Essentials 2012 WSUS Settings.


Repeat this again to create: Essentials 2012 WSUS Client Settings & Essentials 2012 WSUS Server Settings.


If you have used the Essentials 2012, implement Group Policy wizard you will already have a WMI Filter in place that will detect a client PC. if you have not, you will need to create a WMI filter to filter your client computers.

We will then configure our Client GPO to use this WMI Filter.




You may want to consider creating a WMI filter for your Server Settings GPO using ‘Product Type 3’

Next we can configure the GPOs themselves.

Starting with our Generic policy, we can add the settings to tell the clients how to connect to WSUS.

Edit your GPO, and Navigate down to, Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Look for the setting named ‘Specify intranet Microsoft Update Service Location’ set this to enabled and enter your server name and port that WSUS is running on. By default it is 8530.



I am also configuring the detection frequency to 8 hours, turning on Recommended Updates.

Next, we can go to the Client Settings GPO and edit the setting for Enabling Client Side Targeting. We can type in the name of our Computer Group, and then we can set our policy settings for ‘Configure Automatic Updates’.



You can adjust these settings to suit your environment, and then repeat the same process for the final GPO which will apply only to the Essentials Server.

After a Group Policy refresh you should see your computers start to appear in WSUS in the groups we created.

WSUS Registered 2

WSUS Registered

Once you are happy with this you can start the initial sync of WSUS which will start to download the patches and updates you have selected, and then start to push them out to your clients, and then configure the sync schedule to occur automatically.

Sync Sched

If your computer is not a member of the domain then you will need to configure the Local Group Policy, or the Registry in order to point it to your WSUS Server. I will cover those steps in a follow up post!

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

22 Responses to Enabling WSUS on Windows Server 2012 Essentials

  1. Paul says:

    great write up!

  2. Hey Robert….As always a great and very detailed how to…Being a WSUS Admin for almost 9 years myself (Going back to the WSUS 2.0 days) I can honestly say you covered the important and implementation specifics in setting up a WSUS in a network environment …I do love in 2012 how you can start the basic install in Power shell.

    Just wish Microsoft would finally update WSUS into something more modern and automated, It has been 7 years since WSUS 3.0’s release.

    Take care and write soon.

  3. clark says:

    You Sir, are a Gentleman

  4. Andrew says:

    Just ran through this tutorial this morning, and applied the settings as specified. I did turn off IPv6 on the Essentials server (only using IPv4) and the server will not populate into WSUS. not sure if I’m missing a step or something else. (I did wait about 2 hours before rechecking the computers list in WSUS, brand new server with nothing else connected as yet.) any idea’s comments or assistance would be appreciated.

    • why did you turn off ipv6?

      • Hi Andrew, here are a few recommendations….

        1. Insure that your WSUS GPO is properly linked to the desired OU (The One with your servers or workstations or in) in your GPM Console.

        2. Insure the timing on your DC is synchronized with the rest of your domain workstations & Servers wither either a NTP Time Server or if you can access the internet a Internet Time Server.

        3. On your clients try typing in the “RUN” box the following commands…
        wuauclt.exe ./detctnow
        wuauclt.exe /reportnow

        If you are running Windows Vista or above clients (For Servers Windows 2008 or above) go to windows update and do a “Check Now for New updates”. Please Note this will only work if your WSUS GPO is properly linked to the desired Computer OU.

        5. Wait a few minutes and check your WSUS for Computers in either Unassigned Computers or All Computers. In the top of the panes for each of the categories insure uou have it to where it’s “ANY” as far as types.

        As far as disabling the IPV6 on the server or DC running WSUS it is recommended you leave IPV6 on for it to work properly (especially a DC) however you can safely disable on the clients.

        I hope this helps.

      • Andrew says:

        We have nothing using IPv6, and no plans to implement. if it is needed, it can be turned back on. just as an aside, the server did finally show up, but for some reason it is in the unassigned Computer group, I verified the filter in GPO and did set it for product 3 as was shown. also the IP address of the server is shown as ::1, so pretty sure that isn’t working correctly.

      • mcbsys says:

        Andrew, re. not populating the server automatically, I believe the WMI ProductType filter should be “2” for a Domain Controller, not “3” as mentioned in the article. Or just catch all servers:

        select * from Win32_OperatingSystem Where (ProductType = “2” OR ProductType = “3”)

  5. Hi Andrew.

    Pretty much Nobody uses IPV6 (I sure as hell don’t) but MS has hard coded it into there newer server builds from 2008 on that if it is not turned on it may cause some problems. This happened to someone using the newer version of Exchange (2010) and was fixed upon IPV 6 being turned on.

    Just FYI when a new Computer is registered by WSUS it always defaults to “Unassigned Computers” from there you move it to a desired location. The ::1 is the IPV6 IP assigned to the Client, there is nothing wrong with that. That will generally show as the assigned IP for the WSUS Server from 2008R2 on up, but it is working correctly.

    Good lock with the rest of your setup.

    • Andrew says:

      thanks for the heads up and quick reply. I see the server in unassigned and chose the use Group policy to assign them. that being said, I cannot move it to another group as the change membership option is grayed out. not sure if I need to change anything in the filters or if it is some other setting. I’ve worked on 2k8-2k11 servers and several 2k3 versions, but so far.. not having any fun with 2012 or windows 8 8.1 for that matter. ;)

  6. Andrew says:

    Extremely new to using GPO for WSUS, always had windows SBS process most everything. I created the GPO’s as stated above and am unsure of where to place the group information other that what was stated. I will see if I can check against one of our sbs servers for the correct location/information… all help appreciated.. and thank you again for the time and replies.

  7. Shawn says:

    Microsoft’s link for the hotfix is broken, is it possible for you t post the hot fix?

  8. miles267 says:

    Would you please post the settings for when WSUS is installed on the same WSE12R2 box? I can’t seem to get my Essentials Server to show up under the correct COMPUTERS entry. It stays in UNASSIGNED COMPUTERS group. Thanks.

  9. intexx says:

    Will this be the same for WSE 2016?

Leave a reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: