Windows Server Update Service - WSUS
The Windows Server Update Service, or WSUS for short, lets the administrator download updates for specific programs and distribute them to the clients. The software distributed most often consists of patches / security updates. Microsoft publishes them at regular intervals to close known security risks. WSUS is used to keep this process running without a huge effort.
Structure and Function of WSUS
The Windows Server Update Service is a client-server system. The core software component is a SQL database that manages the version data of updates and the client reports. At a time defined by the administrator, the server establishes a connection to the Microsoft Update server and downloads the necessary updates for its clients. These are then provided to the clients through the local network. Each client decides when it asks for new updates, and it does so regularly. For important patches, a deadline can be set by which they have to be downloaded. This centralised workflow brings many advantages to the administrator, e.g. that he does not have to update every client manually. Updates can be processed and delivered to groups. The whole client configuration can be managed through GPOs. The Background Intelligent Transfer Service (BITS) is integrated into the clients and transfers the updates to them when the network bandwidth allows it. Using WSUS requires consistent use of the whole Microsoft ecosystem. Special use cases are not easily automated and may require manual work.
Installation of WSUS
The WSUS server is added as a server role through the Server Manager. Important points are:
- Make sure that all management tools are included during the installation, e.g. the IIS web server
- Define an install location
After the installation, the server needs to do some post-installation work, which can take some time.
Configuration of the server role WSUS
After the installation of WSUS has succeeded, the WSUS role can be configured. For that, the server needs to establish a connection to the Windows Update server (internet). During the configuration, it can be decided in which languages the updates shall be provided, which Microsoft products are included and which update classifications are synchronised. A schedule for the synchronisation of updates can be set during the configuration process. At the end of the configuration, the server starts a first synchronisation of updates.
Administer the WSUS Server
The WSUS server can be administered through the MMC, which is available in the Server Manager.
WSUS PowerShell commands
Getting an overview of all commands
get-help
get-help wsus
or
Get-Command -Module UpdateServices
Shows an overview of all available WSUS commands
get-help Add-WsusComputer -examples
Help with an example
Get-WsusServer
To work with the WSUS commands, a connection to the WSUS server has to be established first. The information regarding the WSUS server is stored in a variable.
PS C:\Users\Administrator> $WSUS = Get-WsusServer -Name Win2019-WSUS -PortNumber 8530
PS C:\Users\Administrator> $WSUS
Name : Win2019-WSUS
$WSUS | Get-Member
A list of all methods
Information about the WSUS server
General configuration data:
$WSUS.GetConfiguration()
Sync status:
$WSUS.GetSubscription()
Number of all updates (declined and approved):
$WSUS.GetStatus()
Information about computers and computer groups
WSUS clients:
Get-WsusComputer
Computer groups:
$WSUS.GetComputerTargetGroups()
Creating a new computer group:
$WSUS.CreateComputerTargetGroup("Testgroup")
Adding a client to a computer group:
# First, define a variable for the group (the name must match the group created above)
$group = $WSUS.GetComputerTargetGroups() | ? {$_.Name -eq "Testgroup"}
# Another variable for the client
$client = $WSUS.GetComputerTargetByName("Win2019-2.domain.local")
# Add the client to the group
$group.AddComputerTarget($client)
# Show the result: the groups the client is now a member of
$client.GetComputerTargetGroups()
Removing a client:
$group.RemoveComputerTarget($client)
Deleting a group:
$group.Delete()
Listing methods for a group:
$group | Get-Member
Listing methods for a client:
$client | Get-Member
Information about updates
Show all approved updates:
Get-WsusUpdate -UpdateServer $WSUS -Classification All -Approval Approved -Status Any
Show only approved updates for a certain product:
Get-WsusUpdate -UpdateServer $WSUS -Classification All -Approval Approved -Status Any | ? Products -like "Windows Server 2019"
These views can be filtered further. The available parameters are shown with:
Get-Help Get-WsusUpdate -Full
The most relevant are Approval, Classification and Status.
Parameters for Classification:
- All
- Critical
- Security
- WSUS
Parameters for Approval:
- Unapproved
- Approved
- Declined
- AnyExceptDeclined
Parameters for Status:
- FailedOrNeeded
- InstalledOrNotApplicableOrNoStatus
- InstalledOrNotApplicable
- Failed
- Needed
- NoStatus
- Any
Deny all updates that have the status “InstalledOrNotApplicable”:
Get-WsusUpdate -UpdateServer $WSUS -Approval AnyExceptDeclined -Status InstalledOrNotApplicable | ? Products -like "Windows Server 2019" | Deny-WsusUpdate
Approve an update:
Approve-WsusUpdate
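The computer groups and update filters described above can be combined into a staged rollout: unapproved security updates that clients still need are approved for a test group first. This is an added example, not part of the original page; it assumes the server name and port shown earlier, the group "Testgroup" created above, and the product filter "Windows Server 2019".

```powershell
# Added example: staged approval of needed security updates for a pilot group.
# Assumed values (taken from the commands on this page): Win2019-WSUS, 8530, "Testgroup".
# 8530 is the default WSUS HTTP port; if the server is configured for SSL,
# connect with -PortNumber 8531 -UseSsl instead.
$WSUS       = Get-WsusServer -Name Win2019-WSUS -PortNumber 8530
$pilotGroup = "Testgroup"

# Stop early if the target group does not exist, so nothing is approved
# for a mistyped group name.
$group = $WSUS.GetComputerTargetGroups() | Where-Object { $_.Name -eq $pilotGroup }
if (-not $group) {
    throw "Computer group '$pilotGroup' not found on $($WSUS.Name)"
}

# Security updates that are not yet approved and that at least one client
# needs or has failed to install, limited to one product.
$pending = Get-WsusUpdate -UpdateServer $WSUS -Classification Security `
               -Approval Unapproved -Status FailedOrNeeded |
           Where-Object Products -like "Windows Server 2019"

# Review what would be approved and how many clients are affected.
$pending |
    Select-Object @{ Name = 'Title'; Expression = { $_.Update.Title } },
                  ComputersNeedingThisUpdate,
                  ComputersWithErrors |
    Format-Table -AutoSize

# Dry run: -WhatIf only reports the approvals. Remove -WhatIf to approve
# the updates for installation on the pilot group.
$pending | Approve-WsusUpdate -Action Install -TargetGroupName $pilotGroup -WhatIf
```

Once the pilot clients report the updates as installed, the same pipeline can be run with the production group name in $pilotGroup.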