Lead Image © sensay, 123RF.com

Windows 10 Updates with WSUS

Medicine Cabinet

Article from ADMIN 41/2017
WSUS simplifies updating Windows 10 computers over the network, but first, you need to modify some settings and add new Group Policy templates to ensure successful installation of the updates.

Windows Server Update Services (WSUS) is installed as a server role on Windows Server 2016. To be able to install Windows 10 updates, including upgrades such as the Anniversary Update (Redstone 1, Windows 10 v1607), you also need to complete some settings in the WSUS management console. Additionally, you need to add the new Group Policy templates (ADMX files) for Windows 10 v1607 [1] to your network. These are available for Windows Server 2012 R2 and 2016. The new ADMX files provide far more setting options than the default options in Windows Server 2016.

It is particularly important that the WSUS server have the latest updates; otherwise, installing the Windows 10 update files will fail. In particular, decrypting the ESD files on a WSUS server running Windows Server 2012 R2 causes problems. Microsoft has addressed the issue in the Knowledge Base [2]. For Windows Server 2012 R2, the KB3095113 [3] update also plays an important role; therefore, install the necessary updates on the servers. When distributing Windows 10 updates, Windows Server 2016 is usually less troublesome than its predecessors.

WSUS's problems with Windows Server 2012 R2 when distributing Windows 10 updates mostly relate to the WSUS console being unable to connect to the server as soon as certain updates are installed. You can typically run the following command at the command line to resolve this:

> "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

Additionally, you need to install the HTTP Activation feature via the Server Manager – you will find it in the .NET Framework 4.5 features. Even if the feature causes problems, you should install it; otherwise, the Anniversary Update and its successor cannot be distributed on the network.

Setting up WSUS and Configuring Group Policies

Windows 10 generally connects to WSUS in the same way as Windows 7 through 8.1, so you can use the same default settings as with previous versions. However, additional options are available for Windows 10 that you should use with WSUS. The previously mentioned Group Policy templates are necessary to use the new features. Copy them onto the domain controller (DC) or onto the local computer from which you manage the Group Policies. After that, WSUS and Windows 10 work together far better.

You need to take ownership of the directory and adjust its permissions so that the new ADMX files can be copied to the C:\Windows\PolicyDefinitions directory on the DC and on the server on which the policy is edited. Also be sure to copy the ADML files to the appropriate language subdirectory (e.g., en-us for American English).
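The ownership change and the ADMX/ADML copy described above as a script; this is an added example, not code from the article. It assumes the templates were extracted to the path in $Source (ADMX files at the top level, ADML files in per-language subfolders such as en-US) and that it runs in an elevated PowerShell session on the DC or the admin server.

```powershell
# Added example: copy the Windows 10 v1607 ADMX/ADML templates into the local
# PolicyDefinitions store. $Source is an assumed extraction path.
param(
    [string]$Source = 'C:\Temp\ADMX-1607',                   # assumed path
    [string]$Target = "$env:SystemRoot\PolicyDefinitions"
)

# PolicyDefinitions is owned by TrustedInstaller; take ownership and grant the
# local Administrators group full control so the copy does not fail.
takeown.exe /F $Target /R /D Y | Out-Null
icacls.exe $Target /grant 'Administrators:(OI)(CI)F' /T | Out-Null

# ADMX files (policy definitions) go to the top level of the store.
Get-ChildItem -Path $Source -Filter *.admx -File |
    Copy-Item -Destination $Target -Force

# ADML files (display strings) go into the matching language subdirectory,
# e.g. en-US; create the subdirectory if that language is not present yet.
Get-ChildItem -Path $Source -Directory | ForEach-Object {
    $langDir = Join-Path $Target $_.Name
    if (-not (Test-Path $langDir)) {
        New-Item -ItemType Directory -Path $langDir | Out-Null
    }
    Get-ChildItem -Path $_.FullName -Filter *.adml -File |
        Copy-Item -Destination $langDir -Force
}

# Check that one of the new v1607 templates (Delivery Optimization) is in place.
if (Test-Path (Join-Path $Target 'DeliveryOptimization.admx')) {
    Write-Host "DeliveryOptimization.admx installed; reopen gpmc.msc to see it."
} else {
    Write-Warning "DeliveryOptimization.admx not found in $Target"
}
```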

The new functions for managing Windows 10 v1607 updates are now also available in Windows Server 2016. You will find the Computer Configuration | Policies | Administrative Templates | Windows Components | Delivery Optimization menu item on servers with Windows Server 2012 R2/2016.

Then, in the management console's WSUS options, enable the Upgrades menu item below Products and Classifications in the Classifications tab. After doing so, upgrades such as Windows 10 v1607 can be distributed via WSUS. After changing these settings, resynchronization is required. In the WSUS options, you will also want to enable the various menu items for Windows 10 below Products and Classifications in the Products tab. The Windows 10 Anniversary Update and Later Servicing Drivers setting is especially important for distributing the Anniversary Update, but the other Windows 10 options also play a role (Figure 1).

Figure 1: In the WSUS console, you can configure settings for downloading Windows 10 updates, including selecting which product updates to retrieve.

After WSUS has synced, the various Windows 10 updates appear in the console's All Updates field. You will also find the Anniversary Update here. When approving the Anniversary Update, you also need to confirm the compulsory license terms, but this is a once-only action. Then the update can be distributed. This will also work in a similar way for the next major updates for Windows 10.
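The same classification and product selection, followed by the required resynchronization, can be done from PowerShell with the UpdateServices module that ships with the WSUS role. This is an added example, not code from the article; it assumes it runs as an administrator on the WSUS server itself.

```powershell
# Added example: enable the "Upgrades" classification and all Windows 10 products,
# then synchronize so the Anniversary Update appears under All Updates.
Import-Module UpdateServices

$wsus = Get-WsusServer          # connects to the local WSUS server

# "Upgrades" is the classification that carries feature upgrades such as v1607.
Get-WsusClassification |
    Where-Object { $_.Classification.Title -eq 'Upgrades' } |
    Set-WsusClassification

# Every product whose title starts with "Windows 10", which includes
# "Windows 10 Anniversary Update and Later Servicing Drivers".
Get-WsusProduct |
    Where-Object { $_.Product.Title -match '^Windows 10' } |
    Set-WsusProduct

# Show the enabled classifications and products for review before syncing.
$sub = $wsus.GetSubscription()
Write-Host 'Classifications:'
$sub.GetUpdateClassifications() | Select-Object -ExpandProperty Title
Write-Host 'Products:'
$sub.GetUpdateCategories() | Select-Object -ExpandProperty Title

# Resynchronize and wait until the sync finishes.
$sub.StartSynchronization()
do {
    Start-Sleep -Seconds 30
    $status = $sub.GetSynchronizationStatus()
    Write-Host "Sync status: $status"
} while ($status -ne 'NotProcessing')
```

The Anniversary Update still has to be approved in the console afterwards, because the license terms must be accepted once by an administrator.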

Grouping Computers

For Windows 10 updates, it may make sense to create different computer groups in WSUS and add the computers via Group Policy Object (GPO). This helps to distribute major updates, like the Anniversary Update, and to conserve the network's resources in a better way. This means that updates are rolled out gradually and not to all computers at the same time. In the Computers menu item, you can see all the connected computers below Unassigned Computers in the WSUS console. You will want to create a separate group of computers for Windows 10 computers here. Use the context menu to create the group and add members to it. Once you have created the group and set up the Group Policy so that Windows 10 computers receive updates from WSUS, Windows 10 updates can be approved in the Updates section. Synchronizing before doing this is important.

Once all the computers are assigned, you can choose the computer groups in which to install the updates with the Patch Approval Wizard. Within the groups, you can immediately see from each computer's context menu whether or not the patches are installed. To manage the settings via Group Policy, use the options below Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update. Using the Enable client-side targeting setting, you can choose to which computer group computers will be assigned when they are connected to WSUS. Additionally, enable the Use Group Policy or registry settings on computers option in the Options | Computers section of the WSUS management console. Incidentally, the definition updates for Windows Defender can also be distributed to workstations and servers via WSUS. It is important to release the Windows Defender updates for Windows 10 and Windows Server 2016 here.

If you want to use the reports in WSUS, the Microsoft Report Viewer 2012 Runtime tool [4] must be installed on the server. In addition, the Common Language Runtime (CLR) types for SQL Server 2012 [5] are required on the server. To display update reports, click on Reports in the left panel of the WSUS management console and then the Update Status Summary option. Then filter the resulting list based on your desired criteria. Next, click Run Report in the window's toolbar. You can then save or print the reports as Excel spreadsheets or PDFs. To do so, click on the save icon in the toolbar.

Using SSL in WSUS

By default, WSUS uses HTTP to communicate with the client and the management console. In security-sensitive environments, you will want to enable SSL; this also makes sense for the Windows 10 connection. To do this, you first need to install a certificate on the server. Use a similar approach to installing server certificates in IIS Manager. You can also use an internal certification authority.

After you have installed the server certificate, call Sites | WSUS Administration in the IIS Manager. Click on Edit Bindings to edit the binding for SSL to port 8531. You can now select the installed certificate. Additionally, you need to call the SSL settings for the following subordinate directories of the WSUS administration tool:

  • ApiRemoting30
  • ClientWebService
  • DssAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

and then enable the Require SSL checkbox. After you have enabled SSL for WSUS, you will receive an error message when you open the WSUS management console. For the console to work again, first open a command line and change to the C:\Program Files\Update Services\Tools directory. Then type the following command:

> wsusutil ConfigureSSL <certificate name>
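The server-side part of this procedure (binding the certificate to port 8531, requiring SSL on the five virtual directories listed above, and running wsusutil ConfigureSSL) as a script; this is an added example, not code from the article. It assumes the certificate is already in the local machine store, that $Fqdn is the placeholder for the server name on that certificate, and that it runs elevated on the WSUS server.

```powershell
# Added example: switch the "WSUS Administration" site to SSL on port 8531.
param([string]$Fqdn = 'wsus.example.internal')   # placeholder, name on the certificate

Import-Module WebAdministration
$site = 'WSUS Administration'

# Pick the newest certificate whose subject contains the server name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($Fqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn in LocalMachine\My" }

# Make sure the HTTPS binding on 8531 exists and attach the certificate to it.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 8531)) {
    New-WebBinding -Name $site -Protocol https -Port 8531
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!8531')) {
    $cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!8531' | Out-Null
}

# Only these virtual directories require SSL; the Content directory stays on
# HTTP so clients can still download the (signed) update payloads.
$sslDirs = 'ApiRemoting30', 'ClientWebService', 'DssAuthWebService',
           'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($dir in $sslDirs) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$dir" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Tell WSUS to use SSL for its own URLs (the command the article gives).
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $Fqdn

# Verify: sslFlags should now report Ssl (value 8) on every listed directory.
foreach ($dir in $sslDirs) {
    $flags = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$dir" `
        -Filter 'system.webServer/security/access' -Name sslFlags).Value
    Write-Host ("{0,-22} sslFlags={1}" -f $dir, $flags)
}
```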

In the next step, remove the obsolete HTTP connection in the WSUS management console and add a new connection from the context menu. Type in the server name and the correct port number to connect to SSL. Also enable the Use Secure Sockets Layer (SSL) to connect to this server checkbox. After connecting to the server, click on the server name in the console. In the Connection field at the bottom, you will see that it now uses SSL to communicate.

Be sure to add Port 8531 to the Group Policy for the client connections. The HTTP port 8530 is no longer available. You will find the settings in Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update. Modify the Specify intranet Microsoft update service location setting when you get there.
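After the GPO change, it is worth checking on a Windows 10 client that the policy actually arrived with the HTTPS URL on port 8531 and, from the Grouping Computers section, that client-side targeting points at the right WSUS computer group. The following audit script is an added example, not code from the article; it reads the registry values those two policy settings write, and $ExpectedGroup is an assumed group name.

```powershell
# Added example: audit a client's effective WSUS policy (run on the Windows 10 client).
param(
    [string]$ExpectedGroup = 'Windows 10 Clients',   # assumed WSUS computer group name
    [int]$SslPort = 8531
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'
if (-not (Test-Path $wuPolicy)) { throw 'No WSUS policy applied; run gpupdate /force' }

$wu = Get-ItemProperty -Path $wuPolicy
$au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
$problems = @()

# "Specify intranet Microsoft update service location" writes WUServer and
# WUStatusServer; both must be HTTPS on the SSL port, since 8530 is gone.
foreach ($name in 'WUServer', 'WUStatusServer') {
    $url = $wu.$name
    if (-not $url) { $problems += "$name is not set"; continue }
    $uri = [uri]$url
    if ($uri.Scheme -ne 'https' -or $uri.Port -ne $SslPort) {
        $problems += "$name = $url (expected https://<server>:$SslPort)"
    }
}

# The client only uses the intranet server when AU\UseWUServer is 1.
if ($au.UseWUServer -ne 1) { $problems += 'AU\UseWUServer is not 1' }

# "Enable client-side targeting" writes TargetGroupEnabled and TargetGroup; the
# group name must match the group created in the WSUS console exactly.
if ($wu.TargetGroupEnabled -ne 1) {
    $problems += 'TargetGroupEnabled is not 1 (client-side targeting is off)'
} elseif ($wu.TargetGroup -ne $ExpectedGroup) {
    $problems += "TargetGroup = '$($wu.TargetGroup)' (expected '$ExpectedGroup')"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: client uses $($wu.WUServer) in group '$($wu.TargetGroup)'"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```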
