In basic scenario Windows patching requires end machine to communicate directly with Windows Update service. In some circumstances it may be needed to do these operations in a restricted internet environment or even in completely offline mode.
In such cases you need to install and configure Windows Server Update Services (WSUS). Below you can find step by step manual on configuring it to work with VSA Software Management 2.0.
The whole process incorporates these steps:
- Install WSUS.
- Import and configure WSUS Agent Procedures.
- Deploy Agent Procedures to end machines.
Step 1. WSUS installation.
The minimum hardware requirements for WSUS are:
Processor: 1.4 gigahertz (GHz) x64 processor (2 Ghz or faster is recommended).
Memory: WSUS requires an additional 2 GB of RAM more than what is required by the server and all other services or software.
Available disk space: 40 GB or greater is recommended.
Network adapter: 100 megabits per second (Mbps) or greater (1GB is recommended).
Supporting Operating Systems:
- Windows Server 2022.
- Windows Server 2019.
- Windows Server 2016.
- Windows Server 2012 R2.
- Windows Server 2012.
Configure network connections
Configure your firewall to allow your first WSUS server to connect to Microsoft domains on the internet.
Your WSUS server must have outbound access to ports 80 and 443 on the following domains:
You must configure your firewall to allow the WSUS server to access any URL within these domains. The IP addresses associated with these domains are constantly changing, so don't try to use IP address ranges instead.
Configure your firewall to allow client computers to access a WSUS server.
Your client computers will all connect to one of your WSUS servers. The client computer must have outbound access to two ports on the WSUS server. By default, these are ports 8530 and 8531.
To install WSUS you just need to execute the powershell script provided in the attachment (installWSUS.ps1). It will do the following operations:
- Download and install .Net 3.5.
- Download and install Microsoft Report View.
- Download and install Sql Express.
- Configure WSUS.
- Do initial sync of WSUS.
- Configure Products (configurable).
- Configure Classifications (configurable).
- Configure AutoSync (once per day at midnight).
- Decline updates (configurable).
- Configure Default Approval Rules.
You can edit the powershell file to match your rules.
Step 2. Import and configure Agent Procedures.
Once WSUS is configured we need to make adjustments in registry keys on end machines to use local WSUS server for scan and patch procedures.
To simplify this we provide Agent Procedures to make these adjustments in an automated way. You can use agent procedures in the attachment (Procedure Folder WSUS Configuration.xml).
Import agent procedures.
Use System -> Server Management -> Import Center page to import XML file with agent procedures:
Set WSUS server name
The final step here is to set the actual WSUS server name or ip address. You can do this by opening Agent Procedure editor:
- Open Agent Procedures -> Schedule / Create.
- Click on the "Set WSUS Registry" procedure in the Shared -> WSUS Configuration folder.
- Click "Edit Procedure" button.
- Edit and Save.
Step 3. Deploy Agent Procedures to end machines.
The last step is to deploy "Set WSUS Registry" procedure to end machines.
You have two options to do that:
- Schedule or Run execution via Agent Procedure dialog.
- Assign this procedure to a specific Policy via Policy Management module and then assign end machines to use this Policy. For assignment use Policy Management -> Assignment section.
- Official Microsoft WSUS documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus.
- Plan your WSUS deployment: https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment