WSUS on Server Core

• Author
• Recent Posts

Sander Berkouwer

Sander Berkouwer is a Microsoft Certified Professional and a Microsoft Most Valuable Professional (MVP) with over a decade of experience in IT.

Latest posts by Sander Berkouwer (see all)

• Turn the tables on your organization with Adaxes 2018.1’s Web Interface and reporting capabilities - Thu, Sep 20 2018
• Review: Softerra Adaxes – Automating Active Directory management - Thu, Jun 4 2015
• Azure Multi-Factor Authentication – Part 8: Delegating Administration - Tue, Apr 28 2015

Keeping a networking environment up to date can be a tricky task. Microsoft is doing a pretty good job of giving you appropriate tools to keep software from Redmond up to date. This includes Windows clients, Windows Servers, Server products like SQL Server and Exchange Server, and Office installations, but also Silverlight installations, Xboxes, and all the Windows drivers you might be running.

Windows Server Update Services are the tools of choice of many administrators, since they allow for greater control and centralized reporting of updates in a networking environment. In the latest incarnation of WSUS (as bundled with Windows Server 2012), the services are also capable of updating third-party software (like Oracle’s Java and Adobe’s Reader), can be managed through PowerShell, and (you’ve guessed it!) are capable of running on Server Core installations. It’s no wonder that Microsoft labeled the bundled WSUS in Windows Server 2012 as version 4.0.

History

Server Core installations of Windows Server 2012 are the first Server Core installations to feature the Windows Server Update Services (WSUS) Server Role. Although it was possible to install WSUS on full installations of Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, you could not install this Server Role on Server Core installations of Windows Server 2008 or Windows Server 2008 R2.

To understand why this is a big deal, I would like to remind you of the underlying infrastructure needed to run WSUS: you will need Internet Information Services (IIS) and Microsoft SQL Server (or the Windows Internal Database) to be able to run WSUS. Since SQL Server 2012 was the first SQL Server that could run on top of Server Core installations, Windows Server 2012 is the first logical Windows Server version that can include a SQL Server database. IIS was available on Server Core installations of Windows Server 2008 but could run ASP.NET content on Windows Server 2008 R2.

Overview

The Windows Server Update Services (WSUS) Server Role on Server Core installations of Windows Server 2012 consists of three role services underneath the WSUS moniker (UpdateServices):

• WID Database (UpdateServices-WidDB)
  In a default installation, WSUS is configured to use the Windows Internal Database as the data source for information on the connected clients.
• WSUS Services (UpdateServices-Services)
  Also, in a default installation, the Windows Server Update Services are installed on the disk of your Server Core installation. This Role Services handles downloading updates from Microsoft, communicating with WSUS clients, and handling configuration requests (except for the database).
• Database (UpdateServices-DB)
  The Database Role Service is not installed during a default installation and can be used to connect your Server Core–based Windows Server Update Server to a Windows Server running Express, Standard, or Enterprise editions of SQL Server 2008 R2 SP1+ or SQL Server 2012.
  Note:
  To this purpose, the database server must be in the same Active Directory domain as the WSUS server, or it must have a trust relationship with the Active Directory domain of the WSUS server. Additionally, the WSUS server and the database server must be in the same time zone or be synchronized to the same Coordinated Universal Time (Greenwich Mean Time) source.

How to install WSUS on Server Core

Let’s get cracking! After you’ve successfully configured your server with sconfig.cmd and activated it with slmgr.vbs, install the Windows Server Update Server on a Server Core installation of Windows Server 2012. Power up your PowerShell (by typing PowerShell at the command prompt) and then type:

Install-WindowsFeature UpdateServices

By default, this will install the following Server Roles and respective Role Services:

• Web Server IIS (Web-Server)
  • Web Server (Web-WebServer)
    • Common HTTP Features (Web-Common-Http)
      • Default Document (Web-Default-Doc)
      • Static Content (Web-Static-Content)
    • Performance (Web-Performance)
      • Dynamic Content Compression (Web-Dyn-Compression)
    • Security (Web-Security)
      • Request Filtering (Web-Filtering)
      • Windows Authentication (Web-Windows-Auth)
    • Application Development (Web-App-Dev)
      • .NET Extensibility 4.5 (Web-Net-Ext45)
      • ASP.NET 4.5 (Web-Asp-Net45)
      • ISAPI Extensions (Web-ISAPI-Ext)
      • ISAPI Filters (Web-ISAPI-Filter)
  • Management Tools (Web-Mgmt-Tools)
    • IIS 6 Management Compatibility (Web-Mgmt-Compat)
      • IIS 6 Metabase Compatibility (Web-Metabase)
• Windows Server Update Services (UpdateServices)
  • WID Database (UpdateServices-WidDB)
  • WSUS Services (UpdateServices-Services)
• .NET Framework 4.5 Features (NET-Framework-45-Features)
  • ASP.NET 4.5 (NET-Framework-45-ASPNET)
• Remote Server Administration Tools (RSAT)
  • Role Administration Tools (RSAT-Role-Tools)
    • Windows Server Update Services Tools (UpdateServices-RSAT)
      • API and PowerShell cmdlets (UpdateServices-API)
• Windows Internal Database (Windows-Internal-Database)
• Windows Process Activation Service (WAS)
  • Configuration APIs (WAS-Config-APIs)

Note:
If you want to use WSUS with a separate SQL Server, install WSUS using the UpdateServices-DB Role feature as the target Role Service, instead of the UpdateServices-WidDB Role Service.

After installing the Windows Server Update Services Server Role, you will receive a notice on the console that additional configuration may be required:

Install WSUS on Server Core

You might expect this to be another PowerShell cmdlet that you can put to good use, but alas… For this post-installation task, you will need good old wsustutil.exe. The configuration task, namely, is to place the updates somewhere on the disk and to create the WSUS database.

First, let’s create a folder on the disk of our server. This folder will contain all our updates, accumulating to several GBs. As a best practice, you can place these files on a separate (virtual) hard disk or volume, but for a simple WSUS server, you can create a folder on the C:\ drive with the following command:

md C:\WSUS

Next, perform the post-installation task to configure the content directory to download and save all of the update files to:

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS

WSUS Post Install

Presto! Your Windows Server Update Server is now ready for business.

Managing WSUS on Server Core

The Windows Server Update Services Server Role on Server Core installations can be managed both locally (on the console) and remotely.

Local management

To manage the Windows Server Update Services Server Role locally on the console of your Server Core installation, you’d best use the WSUS PowerShell cmdlets:

• Get-WsusServer
  The Get-WsusServer cmdlet shows you the configuration of the Windows Server Update Server.
• Get-WsusUpdate
  Using the Get-WsusUpdate cmdlet, you can gain information on updates available from your Windows Server Update Server.
• Get-WsusComputer and Add-WsusComputer
  Although you can point your domain-joined computers to the Windows Server Update Server through Group Policy, you will need these two PowerShell cmdlets to manage the relationship between client computers and target groups.
• Approve WsusUpdate and Deny-WsusUpdate
  These two PowerShell cmdlets are pretty self-explanatory, but in all their simplicity they allow for immediate approval (and denial) of all Windows Updates offered by the Windows Server Update Server.
• Get-WsusClassification and Set-WsusClassification
  Since your Windows Server Update Server utilizes classifications to target software products to WSUS clients, these two cmdlets allow you to manage these classifications and their synchronization settings. Classifications include applications, updates, drivers, feature packs, service packs, and tools.
• Get-WsusProduct and Set-WsusProduct
  Products represent software run by the WSUS clients. Products include Windows, Office, Windows Server, Exchange Server, and SQL Server. With these two cmdlets, you can manage the products you want to synchronize WSUS content for.
• Invoke-WsusServerCleanup
  Since your Windows Server Update Server synchronizes all sorts of content from Microsoft and gets fed client computers by Active Directory, it helps to perform a spring cleanup every year. The following PowerShell command can be used for this purpose:
  Invoke-WsusServerCleanup -CleanupObsoleteComputers –CleanupObsoleteUpdates
  Your Windows Server Update Server will tell you afterwards how many obsolete updates and obsolete client computers it has cleaned up.
  
• Set-WsusServerSynchronization
  With the Set-WsusServerSynchronization cmdlet, you can set whether the Windows Server Update Server synchronizes from Microsoft Update, or an upstream server and the upstream server properties.

WSUS PowerShell cmdlets

Of course, wsusutil.exe is also at your disposal to configure every nitty-gritty setting of your Windows Server Update Server setting.

Remote management

While you can configure the Windows Server Update Server at the command prompt, you can also use the WSUS Management Console from a full installation of Windows Server 2012 or from a Windows 8 installation with the Remote Server Administration Tools (RSAT) installed.

The WSUS Management Console is a graphical management tool to manage Windows Server Update Servers remotely.

After you start Windows Server Update Services from the Start Screen, right-click the Update Services node in the left pane and select Connect to Server… from the context menu. Type the name of your Windows Server Update Server and click Connect.

The first time you connect to a Windows Server Update Server, it will display the Windows Server Configuration Wizard. You can use the wizard to quickly configure your Windows Server Update Server, or cancel it and configure the server manually. If needed, the wizard can be started again from the Options.

WSUS Remote Wizard

Concluding

The Windows Server Update Server is a valuable Server Role to have on Server Core installations of Windows Server 2012. While the initial installation is a bit quirky with a PowerShell part and an old-school wsusutil.exe part, once you have the server running, you’ve got yourself a lean, mean update machine.