installing windows server update services on windows server 2012 r2 essentials

Tom Ziegmann – http://www.tomontech.com – 10/20/2013

1

Installing Windows Server Update Services

(WSUS) on Windows Server 2012 R2 Essentials

With Windows Server 2012 R2 Essentials in your business, it is important to centrally

manage your workstations to ensure they are secure and up-to-date. With Windows

Server Update Services, you can do just that.

If you are running Windows Server 2012 Essentials, these directions will not work

without performing additional steps. The WSUS role on Windows Server 2012

Essentials (non-R2) requires some pre-configuration before it can be installed.

What you’ll need:

A server running Windows Server 2012 R2 Essentials with at least 4GB of RAM,

8GB or higher is recommended

SQL Server 2012 Management Studio – available from

http://download.microsoft.com/download/5/2/9/529FEF7B-2EFB-439E-A2D1-

A1533227CD69/SQLManagementStudio_x64_ENU.exe (download and copy to a

shared folder on the server)

Table of Contents:

Install Windows Server Update Services Role ......................................................................................... 2

Perform initial WSUS configuration ......................................................................................................... 6

Install SQL Server Management Studio ................................................................................................... 9

Move WSUS database to a new location .............................................................................................. 11

Adjust memory usage settings for Windows Internal Database ........................................................ 17

Configure WSUS to integrate with Group Policy.................................................................................. 18

Create automatic approval rules for update deployment ................................................................... 20

http://download.microsoft.com/download/5/2/9/529FEF7B-2EFB-439E-A2D1-A1533227CD69/SQLManagementStudio_x64_ENU.exe

http://download.microsoft.com/download/5/2/9/529FEF7B-2EFB-439E-A2D1-A1533227CD69/SQLManagementStudio_x64_ENU.exe


2

Install Windows Server Update Services Role

Connect to your server using

Remote Desktop Connection.

Click Start -> All Programs ->

Accessories -> Remote Desktop

Connection

Logon with the user name and

the password you use to

administer your server.

Once connected, click the

Administrative Tools icon on the

Start screen.

Scroll down and launch Server

Manager.

In Server Manager, click on Add

Roles and Features.


3

Click Next on the Before you Begin screen.

Accept defaults for the installation type, and

then click Next.

Select your Windows Server 2012 R2

Essentials system and click Next.

Select Windows Server Update Services on

the Server Roles selection, then click Next.


4

When prompted to add additional required

features for installation, click Add Features

then click Next.

Accept the defaults on the Features screen,

and click Next.

Read the description, and then click Next.

Accept the defaults for Role Services, then

click Next.


5

Create a folder on a drive with enough space

to handle the WSUS content.

Ensure the Store updates in the following

location is checked, specify the path to the

folder you created, and then click Next.

Confirm your installation selections, and then

click Install.

Installation will then proceed. This step can

take some time depending on your system.

After installation completes, click the blue

Launch Post-Installation tasks link near the

top of the results pane.

The Windows Server Update Services

Configuration Wizard will launch.


6

Perform initial WSUS configuration

Read the Before you Begin information, then

click Next.

Choose if you want to join the Microsoft

Update Improvement Program, then click

Next.

In most cases, you should be able to leave

the proxy server settings alone. However, if

you have a proxy server, you will need to

specify the information, then click Next.


7

WSUS will need to connect to obtain initial

metadata.

Click Start Connecting.

This process should be fairly quick.

After the download is complete, click Next.

Choose any necessary languages for the

client PCs that your server will support, then

click Next.

Choose the products you want your WSUS

server to house updates for, then click Next.


8

Choose the classifications want your server

to house, then click Next.

NOTE: Below the checklist is the description

of each classification. This can be helpful in

determining what to download. The

screenshot at right is similar to SBS systems

of the past and what classifications were

downloaded out of the box.

The classifications are:

- Critical Updates

- Definition Updates

- Security Updates

- Service Packs

- Update Rollups

Choose the appropriate synchronization

schedule for your environment, then click

Next.

Do not check the box to begin

synchronization at this point. The database

will be moved first from its default location

on the system partition to a different

partition to ensure that the system partition

does not run out of room because of WSUS

database growth.

Click Finish.


9

Install SQL Server Management Studio

Browse to where you downloaded the SQL

Server installer and double-click the file.

When the SQL Server Installation Center

loads, click New installation or add

features to an existing installation.

NOTE: If you do not have multiple

partitions, continue to install the SQL

Management Studio, then skip to the

Adjust memory usage settings for

Windows Internal Database section.

Allow the installer to download the latest

updates prior to installation, and click

Next.

Read and accept the license terms, and

then click Next.


10

Leave the defaults for feature selection and

then click Next.

Choose whether or not to enable Error

Reporting and then click Next.

The installation of SQL Server Management

Studio will then begin.


11

After installation is complete, click Close.

Move WSUS database to a new location

To prepare to move the database, the

WSUS service needs to be stopped.

Launch Command Prompt as an

Administrator, and run net stop

wsusservice.

Create a folder for the database to be

stored on a drive with plenty of storage.

This is likely to be the same drive as the

WSUS content storage.

After creating the folder, right click on it,

and click Properties.

For the database to function correctly, we

have to give the SQL service account the

ability to access this folder.


12

Click the Security tab, and then click the

Advanced button.

Click the Add button.

Click the Select a Principal link.


13

On the Select Users or Groups screen,

click Locations and change the location to

your server name, then click OK.

The account that needs to be added is

called NT

SERVICE\MSSQL$MICROSOFT##WID.

Type the account name, click Check

Names, and then click OK.

On the right side of the window, click

Show advanced permissions.

The service account needs the following

permissions checked.

List folder / read data

Read attributes

Read extended attributes

Create files / write data

Create folders / append data

Write attributes

Write extended attributes

Delete

Read permissions

Click OK to add the account and its

permissions.

Click OK to close the Advanced screen.


14

Click OK to close the properties dialog.

Go to the Start screen, click the arrow in

the lower left hand corner to show All

Apps, then right click on SQL Server

Management Studio.

Click Run as Administrator. Accept the

User Account Control prompt that appears.

On the Connect to server screen, type

\\.\pipe\MICROSOFT##WID\tsql\query.

Ensure that Windows Authentication is

selected, then click Connect.

Expand Databases in the Object Explorer,

and right-click on SUSDB.

Click on Tasks > Detach.


15

On the Detach Database screen, check the

Drop Connections checkbox, and click OK.

Browse to C:\Windows\WID\Data

You may need to accept a User Account

Control prompt.

Move SUSDB.mdf and SUSDB_log.ldf to

the database folder created earlier.

Go back to SQL Server Management

Studio and right click on Databases, then

click Attach.


16

Click Add to locate the database.

Browse to the folder where the database

files have been moved to, and then click on

SUSDB.mdf.

Click OK.

Verify that the information is correct for

the location of the Data and Log files and

then click OK.

Verify that SUSDB appears in the database

listing.

Restart the WSUS Service, by launching

Command Prompt as an Administrator,

and type net start wsusservice.


17

Adjust memory usage settings for Windows Internal Database

Launch SQL Server Management Studio and Run

as an Administrator if it is not already running.

Connect to the server.

Right click on

\\.pipe\MICROSOFT##WID\tsql\query and click

on Properties.

Click on the Memory tab and then specify the

Maximum server memory to be between 256-

512MB, then click OK.

Most WSUS installations in the 2012 R2 Essentials

space should not require much more RAM for SQL

than this due to the smaller number of connected

clients.


18

For the new memory settings to take effect, the

service needs to be restarted.

Right click on

\\.pipe\MICROSOFT##WID\tsql\query and then

click Restart.

Click Yes. The service will then restart.

Now that the database has been moved, the initial

synchronization of updates can occur.

To begin the sync, go to Administrative Tools

from the Start screen, and locate Windows Server

Update Services.

Click Synchronizations from the left pane.

Click Synchronize Now.

The status of the synchronization will appear in

the bottom middle pane.

It will also show in the listing above the status

pane.

Configure WSUS to integrate with Group Policy

If the WSUS console isn’t already running, go to

Administrative Tools from the Start screen, and

locate Windows Server Update Services.


19

Click on Options in the left hand pane.

Click on Computers on the right pane.

In the Computers property window that appears,

click on Use Group Policy or registry settings

on computers.

By enabling this option, we can use Client-Side

Targeting within Group Policy to add computers

to the appropriate groups within WSUS.

In the navigation pane, expand Computers, and

then right click on All Computers and click Add

Computer Group.


20

Create two computer groups, or more if needed

for your environment.

For example, I have created the groups Servers

and Workstations.

After the groups have been created, verify that

they appear in the navigation pane.

Create automatic approval rules for update deployment

Next, we will create Automatic Approval rules.

These rules can be used to auto approve

updates for specific update types and / or

computer groups.

To create rules, click Options in the left hand

pane, and then click Automatic Approvals.

For this example, we will modify the default rule

to automatically approve Critical, Security, and

Definition updates for workstations only.

I would strongly suggest taking some time to

figure out how you want approve updates

before building your ruleset.

Click on the blue all computers link.


21

Check the box for Workstations only and then

click OK.

Click the blue Critical Updates, Security

Updates link.

Check the box for Definition Updates then click

OK.


22

Ensure the box is checked next to the name of

the rule, click Apply. Then to run the rule, click

the Run Rule button.

Repeat the automatic approval rule steps until

you are satisfied with the rules you’ve created.

To configure your systems to connect to your WSUS server it is strongly recommended to use Group

Policy. Configuring Group Policy is outside the scope of this document, however, I have prepared some

sample group policy settings that can be used as a base for building your policy on top of. Those policy

settings and necessary WMI filters can be found at http://www.tomontech.com/2013/10/configuring-

group-policy-for-windows-server-update-services-on-windows-server-2012-r2-essentials.

Congratulations! You have installed Windows Server Update Services on Windows Server 2012 R2

Essentials!

http://www.tomontech.com/2013/10/configuring-group-policy-for-windows-server-update-services-on-windows-server-2012-r2-essentials

http://www.tomontech.com/2013/10/configuring-group-policy-for-windows-server-update-services-on-windows-server-2012-r2-essentials

installing windows server update services on windows server 2012 r2 essentials

Documents

server manager

recommended sql server

server roles selection

server table of contents

tom ziegmann http

windows internal database

role services

wsus role