Windows server core update

Windows Server Update Services (WSUS) can use a lot of resources, so why not use Windows Server Core and make the most of the resources you have. In this post I’ll go through the initial steps on how to deploy and configure a WSUS server using command line and PowerShell. This guide is also suitable for regular GUI Windows Server installations.

Installing Windows Server Core

Boot the server from the Windows Server media and on the “Select the Operating System you want to install” screen, select the option “Windows Server Standard” or “Datacenter” edition. The other options with “Desktop Experience” in brackets are the options for the other server editions with a GUI also installed.

Please note: You can no longer add and remove the GUI (Desktop Experience) with Windows Server 2016 as you could with Windows Server 2012 & 2012 R2. This is due to numerous problems with keeping the installation and removal process consistent with updates. With Windows Server 2016, the only way to add or remove the GUI is to re-install and select one of the server editions with the “Desktop Experience” option.

Initial Configuration

Once the install process has completed, you will be prompted with a command line window, and asked to set the Administrator password.

1. Set the Administrator password.
2. Type sconfig to get the Server Configuration menu. It’s pretty straight forward. In the Server Configuration menu, you can configure all the basics required for the server.
3. For the first Domain Controller in the new forest, you’ll need to configure at least the Network Settings — IP address, subnet mask, gateway, and DNS.
4. You may also want to configure the computer name. Configuring the computer name will require a restart.
5. After the restart, log in to the server with the Administrator password you set in step 1.

Tip: “sconfig” is also present in the GUI version of Windows Server, making initial configuration of new servers easier.

Additional Storage Configuration

You may want to configure additional locally attached disks or iSCSI/MPIO storage. Creating new volumes that are locally attached can be done via the diskpart command line tool. Here’s the series of commands to create a new, NTFS formatted volume, with the drive letter of E:\ and the name “Data”, from a second disk in the server using the diskpart tool. First, run diskpart from the command line, then use the following commands:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

list disk
select disk 1
online disk
attributes disk clear readonly
clean
convert mbr -or gpt
create partition primary
select part 1
active
format fs=ntfs label=Data quick
assign letter E:
list volume

iSCSI storage can be configured using the same GUI tools you would use in the GUI version of Windows Server. The MPIO feature must be installed before the tool is available. You can do this via PowerShell:

1

Install-WindowsFeature -Name 'Multipath-IO'

When MPIO is installed you can load the MPIO utility using mpiocpl. For the iSCSI utility you can use iscsicpl. iSCSI is installed as part of the base Windows Server feature set.

Install Windows Server Update Services (WSUS)

The following PowerShell command will install the WSUS feature:

1

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

Now we need to run some post install tasks. We’ll create a directory for the WSUS content on the E:\ drive.

To configure WSUS to use the directory we just created and the Windows Internal Database (WID is based on SQL Express), run the following command:

1
2

CD "C:\Program Files\Update Services\Tools"
.\wsusutil.exe postinstall CONTENT_DIR=E:\WSUS_Content

Alternatively you might want to use an external SQL server for the WSUS database, if so run the following command instead:

1
2

CD "C:\Program Files\Update Services\Tools"
.\wsusutil.exe postinstall SQL_INSTANCE_NAME="SQLSERVER\SQLINSTANCE" CONTENT_DIR=E:\WSUS_Content

WSUS is now running and able to be configured further. This is possible with PowerShell, but not as straightforward as the installation above so we’ll be using the WSUS MMC on a remote computer or on the server itself if you installed Windows Server with the Desktop Experience.

To obtain the WSUS MMC on a remote computer we’ll need to install the Remote Server Administration tools (RSAT), run the following command in an elevated PowerShell session:

1

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

To view WSUS reports you’ll also need to download and install the following:

• Microsoft Report Viewer 2012 Runtime redistributable
• Microsoft System CLR Types for Microsoft SQL Server 2012: x64 version, x86 version

In case the links to Microsoft System CLR Types fail in future, here is the main download page link. This page links to components from the Microsoft SQL Server 2012 Feature Pack, you need to go to the Install Instructions section and download the specific component you need.

Configuring Windows Server Update Services

Once you have downloaded and installed all the software listed above on our admin PC, you can continue with the configuration.

1. Open the Windows Service Update Services Microsoft Management Console (WSUS MMC).
2. You should see a “Before You Begin” wizard. Click Next.
3. Join the Microsoft Update Improvement Program if you wish.
4. Choose Upstream server, as this is the first WSUS server we’ll choose “Synchronize from Microsoft Update”.
5. Specify the Proxy Server settings if needed.
6. Click “Start Connecting”.
7. Select the applicable languages for our environment.
8. Select the applicable Products. I recommend selecting all products as we’ll only be downloading updates that we actually need.
9. Select the Classifications. I recommend selecting all except Drivers and Driver Sets. Drivers in WSUS increase the size of the database immensely.
10. Configure the Sync Schedule. I recommend leaving this on manual until setup and synchronisation has been completed.
11. Check the Begin initial synchronization box. This may also take a while.
12. Click Finish.

Once the initial configuration is complete, now we can start to configure WSUS for every day operation.

1. In the WSUS MMC go to the Options node.
2. Setup a Synchronization Schedule. I recommend once or twice a day, out of regular hours. Click OK.
3. Go to Automatic Approvals.
4. There’s a built-in rule to automatically approve Critical and Security updates, meaning that they will be downloaded and distributed via WSUS without any admin interaction. I recommend enabling this, but don’t run the rule.
5. You may also want to add a rule for Definition Updates from Exchange, Office, and Windows Defender if applicable to you. Click OK.
6. Now go to Computers.
7. Set the option here to Use Group Policy or registry settings on computers and click OK.
8. Go to E-Mail notifications and enable them if you want status reports and Emails about the new updates that have been synchronised. Click OK.
9. In the WSUS MMC, go to the Computers node.
10. Create the computer groups that you require here. I recommend a ‘pilot’ group and a ‘regular’ group both for client devices and servers.

Configuring Group Policy

To enable our clients to get updates from WSUS using the settings above, you’ll need to configure the group policy for them.

1. Open the Group Policy Management MMC and go to the Group Policy Objects node.
2. Right click on the node and select New to create a new GPO for WSUS. Give it a name and click OK.
3. Right click on the new GPO and click Edit to open it.
4. Navigate to Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update/Manage updates offered from Windows Server Update Service
5. Go to the setting “Specify intranet Microsoft update service location”.
6. We’ll configure both “Set the intranet update service for detecting updates” and “Set the intranet statistics server” to http://wsus-server-name.contoso.com:8530
7. Go to “Enable client-side targeting” and enter the name of a group that you created in WSUS.
8. For multiple groups, repeat steps 2 — 7 for each group.
9. You can use Active Directory Security Groups to control which client devices have read access to the GPO with the desired WSUS group configuration.

There are lots of other settings in GPO to configure Windows Update that I recommend taking a look, specifically “Configure Automatic Updates” located in Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update/Manage end user experience which controls when client devices install updates.

Managing Updates

After some time (approximately 24 hours) our client devices should have contacted the WSUS server and be in the correct group. Now we need to approve the updates required for our environment.

1. On the overview of our WSUS server, click on “Updates needed by computers”.
2. Change the drop down menu “Approval” to “Unapproved” and click “Refresh”.
3. Right-click on the Title bar and enable the “Supersedence” column.
4. Click on the very tiny “Supersedence” column to sort the updates by Supersedence.
5. Approve the top critical, security and any other updates you want to be installed on our devices.
6. Once the devices have downloaded, installed, and reported back to the WSUS server, we’ll have a better idea if any more updates are required.

Maintenance and Troubleshooting

Keeping WSUS running over time requires some maintenance. I created a custom PowerShell script that runs every day to perform the maintenance on the database. More specifically it declines and deletes old updates, and old computers. It can also send a notification over e-mail or a webhook with information about it’s clean up run. I’ve posted about it here.

You can also clean up the WSUS database manually using the “Server Cleanup Wizard” found in Options. You can also run this via PowerShell:

1
2

Get-WsusServer -Name Wsus-Server-Name -PortNumber 8530
Get-WsusServer | Invoke-WsusServerCleanup –CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

You may encounter an error when trying to connect to the WSUS server using the MMC — Error: Unexpected Error, appears as Event ID 7053 in Event Viewer.

I’ve known this error to occur frequently. One fix is to navigate to %appdata%\Microsoft\MMC and delete the wsus file and then try connecting again.

IIS Configuration

I highly recommend configuring these IIS AppPool settings relating to WSUS. In an elevated PowerShell session run the following commands:

1
2
3
4
5
6
7

Import-Module WebAdministration
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name queueLength -Value 25000
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name cpu.resetInterval -Value "00.00:15:00"
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name processModel.idleTimeout -Value "00.00:00:00"
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name failure.loadBalancerCapabilities -Value "TcpLevel"
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name recycling.periodicRestart.privateMemory -Value 0
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name recycling.periodicRestart.time -Value "00.00:00:00"

In the IIS Manager these PowerShell commands change the following values:

WSUS -> Application Pools -> WsusPool -> Advanced Settings

General:
Queue Length: 25000

CPU:
Limit Interval (minutes): 15

Process Model:
Idle Time-out (minutes): 0

Rapid-Fail Protection:
“Service Unavailable” Response: TcpLevel

Recycling:
Private Memory Limit (KB): 0
Regular Time Interval (minutes): 0

Finally, you can also try the following command, if needed:

1
2

CD "C:\Program Files\Update Services\Tools"
.\wsusutil.exe postinstall /servicing

Support My Work

If you would like to support me, please check out the link below.

• PayPal

If you have any questions or comments, please leave them below.

Thanks
-Mike