Windows WSUS server requirements
You can store updates remotely on Microsoft Update servers. This option is useful if most client computers connect to the WSUS server over a slow WAN connection, but they connect to the Internet over a high-bandwidth connection. After you approve the updates, the client computers download the approved updates from Microsoft Update servers. When you deploy a WSUS server hierarchy, you should determine which language updates are required throughout the organization.
You should configure the root WSUS server to download updates in all languages that are used throughout the entire organization. For example, the main office might require English and French language updates, but one branch office requires English, French, and German language updates, and another branch office requires English and Spanish language updates.
You would then configure the first branch office WSUS server to download updates in English, French, and German only, and configure the second branch office to download updates in English and Spanish only. Always include English in addition to any other languages that are required throughout your organization. All updates are based on English language packs.
Downstream servers and client computers will not receive all the updates they need if you have not selected all the necessary languages for the upstream server. Make sure you select all the languages that will be needed by all the client computers that are associated with all the downstream servers. This selection guarantees that all downstream servers and client computers will receive updates in the languages that they require.
If you are storing updates locally, and you have set up a WSUS server to download updates in a limited number of languages, you may notice that there are updates in languages other than the ones you specified. Many update files are bundles of several different languages, which include at least one of the languages specified on the server. Configure upstream servers to synchronize updates in all languages that are required by downstream replica servers.
You will not be notified of needed updates in the unsynchronized languages. Updates will appear as Not Applicable on client computers that require the language. To avoid this, make sure all operating system languages are included in your WSUS server's synchronization options.
You can see all the operating system languages by going to the computers view of the WSUS Administration Console and sorting the computers by operating system language.
However, you may want to include more languages if there are Microsoft applications in more than one language (for example, if the French version of Microsoft Word is installed on some computers that use the English version of Windows 8). Choosing languages for an upstream server is not the same as choosing languages for a downstream server. The following procedures explain the differences.
To get updates in all languages, click Download updates in all languages, including new languages. To get updates only for specific languages, click Download updates only in these languages, and then select the languages for which you want updates.
You should do this even though you want the downstream server to download the same languages as the upstream server. This setting causes the upstream server to download updates in all languages, including languages that were not originally configured for the upstream server. If you add languages to the upstream server, you should copy the new updates to its replica servers.
Changing language options on the upstream server alone might cause a mismatch between the number of updates that are approved on the central server and the number of updates approved on the replica servers. WSUS allows you to target updates to groups of client computers, so you can ensure that specific computers always get the right updates at the most convenient times. For example, if all the computers in one department (such as the Accounting team) have a specific configuration, you can set up a group for that team, decide which updates their computers need and what time they should be installed, and then use WSUS reports to evaluate the updates for the team.
If a WSUS server is running in replica mode, computer groups cannot be created on that server. All the computer groups that are needed for client computers of the replica server must be created on the WSUS server that is the root of the WSUS server hierarchy.
Computers are always assigned to the All computers group, and they remain assigned to the Unassigned computers group until you assign them to another group. Computers can belong to more than one group. Computer groups can be set up in hierarchies (for example, the Payroll group and the Accounts Payable group below the Accounting group). Updates that are approved for a higher group will automatically be deployed to lower groups, in addition to the higher group.
In this example, if you approve Update1 for the Accounting group, the update will be deployed to all the computers in the Accounting group, all the computers in the Payroll group, and all the computers in the Accounts Payable group. Because computers can be assigned to multiple groups, it is possible for a single update to be approved more than once for the same computer.
However, the update will be deployed only once, and any conflicts will be resolved by the WSUS server. To continue with the previous example, if computerA is assigned to the Payroll group and the Accounts Payable group, and Update1 is approved for both groups, it will be deployed only once. You can assign computers to computer groups by using one of two methods, server-side targeting or client-side targeting.
Following are the definitions for each method. Server-side targeting: You manually assign one or more client computers to multiple groups simultaneously. Client-side targeting: You use Group Policy or edit the registry settings on client computers to enable those computers to automatically add themselves into the previously created computer groups. The server applies the following rules to resolve conflicts and determine the resultant action on clients. The actions associated with the group of the highest priority override the actions of other groups.
The deeper a group appears within the hierarchy of groups, the higher its priority. Priority is assigned only based on depth; all branches have equal priority. For example, a group two levels beneath the Desktops branch has a higher priority than a group one level beneath the Server branch.
Both the Desktop computers and Server groups are at the same hierarchical level. In this example, the group two levels beneath the Desktop computers branch (Desktops L2) has a higher priority than the group one level beneath the Server branch (Servers L1). Accordingly, for a computer that has membership in both the Desktops-L2 and the Servers-L1 groups, all actions for the Desktops-L2 group take priority over actions specified for the Servers-L1 group. Install actions override uninstall actions.
Required installs override optional installs (optional installs are only available through the API, and changing an approval for an update by using the WSUS Administration Console will clear all optional approvals). Actions that have a deadline override those with no deadline. Actions with earlier deadlines override those with later deadlines. There are some areas that you should carefully plan before deploying WSUS so that you can have optimized performance. The key areas are: Use DNS netmask ordering for roaming client computers, and configure roaming client computers to obtain updates from the local WSUS server.
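The approval conflict rules listed above (group depth, install over uninstall, required over optional, deadlines) can be modelled as a sort with tie-breakers. This is an added example, not WSUS code or part of the original text: the function names, the object fields and the dates are hypothetical, and it assumes the rules are applied in the order the text lists them.

```powershell
# Added example: models the approval conflict rules described in the text.
# Assumption: the rules act as tie-breakers in the order they are listed.
function New-Approval($Group, [int]$Depth, $Action, $Deadline = $null, [bool]$Optional = $false) {
    [pscustomobject]@{ Group = $Group; Depth = $Depth; Action = $Action; Deadline = $Deadline; Optional = $Optional }
}

function Resolve-WsusApproval {
    param([Parameter(Mandatory)][object[]]$Approvals)
    $Approvals | Sort-Object -Property @(
        # 1. Deeper group = higher priority; the branch it sits in does not matter.
        @{ Expression = { $_.Depth }; Descending = $true }
        # 2. Install actions override uninstall actions.
        @{ Expression = { if ($_.Action -eq 'Install') { 0 } else { 1 } } }
        # 3. Required installs override optional installs.
        @{ Expression = { if ($_.Optional) { 1 } else { 0 } } }
        # 4. An action with a deadline overrides one without.
        @{ Expression = { if ($null -ne $_.Deadline) { 0 } else { 1 } } }
        # 5. An earlier deadline overrides a later one.
        @{ Expression = { if ($null -ne $_.Deadline) { $_.Deadline } else { [datetime]::MaxValue } } }
    ) | Select-Object -First 1
}

# Computer that is a member of both groups from the text; the approvals differ in depth.
# Depth values and dates are constructed sample data.
$memberOfBoth = @(
    New-Approval 'Servers-L1'  1 'Install'   ([datetime]'2024-01-10')
    New-Approval 'Desktops-L2' 2 'Uninstall'
)
Resolve-WsusApproval $memberOfBoth | Format-List Group, Action, Deadline

# Two groups at the same depth (both below Accounting); the deadline rules decide.
$sameDepth = @(
    New-Approval 'Payroll'          2 'Install'
    New-Approval 'Accounts Payable' 2 'Install' ([datetime]'2024-01-15')
)
Resolve-WsusApproval $sameDepth | Format-List Group, Action, Deadline
```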
You can approve updates and download the update metadata before you download the update files; this method is called deferred downloads. When you defer downloads, an update is downloaded only after it is approved. We recommend that you defer downloads because it optimizes network bandwidth and disk space.
You can change this default setting. For example, you can configure an upstream server to perform full, immediate synchronizations, and then configure a downstream server to defer the downloads. If you deploy a hierarchy of connected WSUS servers, we recommend that you do not deeply nest the servers. If you enable deferred downloads and a downstream server requests an update that is not approved on the upstream server, the downstream server's request forces a download on the upstream server.
The downstream server then downloads the update on a subsequent synchronization. In a deep hierarchy of WSUS servers, delays can occur as updates are requested, downloaded, and then passed through the server hierarchy.
By default, deferred downloads are enabled when you store updates locally. You can change this option manually. WSUS lets you filter update synchronizations by language, product, and classification. You can reconfigure download servers to receive only a subset of the languages. By default, the products to be updated are Windows and Office, and the default classifications are Critical updates, Security updates, and Definition updates.
To conserve bandwidth and disk space, we recommend that you limit languages to those that you actually use. Updates typically consist of new versions of files that already exist on the computer that is being updated. On a binary level, these existing files might not differ very much from updated versions. I would recommend storing the updates on another drive and not on your C: drive.
Hence choose either a separate drive or store the updates on a remote server. The role services to install web server IIS are selected automatically. Do not change anything here and click Next. A final confirmation before you install WSUS.
Review the settings and click Install. This is a one time configuration where you will configure some important WSUS options. Specify Proxy server information if you have got one. If this option is selected, ensure you specify proxy server name and port number. In addition to that specify the credentials to connect to the proxy server. If you want to enable basic authentication for the user connecting to the proxy server, click Allow basic authentication password in clear text.
On the Choose Languages page, you have the option to select the languages for updates. If you choose to download updates in all languages, you would find updates with all languages in the WSUS console. However, if you choose to get updates only for specific languages, select Download updates only in these languages.
Select the languages for which you want updates. This is the page where you select the products for which you want the updates. A product is a specific edition of an operating system or application. From the list of products you can select individual products or product families for which you want your server to synchronize updates. In this case I am going to select Windows Server and Windows 10 as products.
In the beginning of the post I have listed the types of updates. On the Choose Classifications page, select the required classifications. You must decide how you want to perform WSUS sync. The Set Sync Schedule page lets you select whether to perform synchronization manually or automatically. With this option selected, you have to manually perform the sync every time.
Therefore do not select this option if you are setting up the WSUS in production. You can set the time of First synchronization. Then set the number of synchronizations per day. From the drop-down you can choose the value between Finally on the last page, click Finish. This completes the steps to configure WSUS. After you install and configure WSUS, the next important task is to configure group policy settings for automatic updates.
Using group policy you can point your client machines to the new WSUS server. You can create the group policy and apply it at domain level. While there are many Windows Update policy settings, I am going to configure a few of them. For a list of all Windows Update policy settings, read this article from Microsoft. Under Configure automatic updating, select the desired option. Under Schedule install day, select the day when you want the updates to be installed.
Set the scheduled install time. In case you select Auto download and schedule the updates install, you get some options to limit updating frequency. If you have configured the settings, click Apply and OK. The next setting that you should configure is Specify intranet Microsoft update service location. The idea behind this is to ensure the client computers contact the specified intranet server instead of downloading updates from the internet. To enable the policy, click Enabled. Specify the intranet update service and intranet statistics server.
Click Apply and OK. You can also verify the intranet update service location on client computers using the registry. By creating computer groups you can first test and target updates to specific computers. You can create custom computer groups to manage updates in your organization. Test updates before you deploy them to other computers in your organization. Expand Computers, right-click All Computers, and then click Add Computer Group. In the Add Computer Group dialog box, specify the name of the new group, and then click Add.
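One way to carry out the registry check mentioned above, and to see which group a computer configured for client-side targeting reports. This is an added example, not part of the original guide: the function name is hypothetical and the server URL in the sample call is a constructed placeholder to replace with your own intranet update service location.

```powershell
# Added example: read the Windows Update policy values that the GPO writes on a client.
# The URL in the sample call at the bottom is a constructed placeholder.
function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ExpectedServer)

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    # Both calls return $null when the key is absent, i.e. the policy has not applied.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $wu) {
        $findings += "Policy key not found: $wuKey"
    } elseif ($wu.WUServer -ne $ExpectedServer) {
        $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
    }
    # UseWUServer must be 1, otherwise the client does not use the WUServer value.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1; the intranet server setting is not in effect'
    }
    # Client-side targeting: the group name is only used when TargetGroupEnabled is 1.
    $targetGroup = if ($wu -and $wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { $null }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        WUServer     = $wu.WUServer
        StatusServer = $wu.WUStatusServer
        UseWUServer  = $au.UseWUServer
        TargetGroup  = $targetGroup
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-WsusClientPolicy -ExpectedServer 'http://wsus.example.local:8530' | Format-List
```

A client that shows no policy key at all has not received the GPO yet; check the GPO link and scope before changing anything on the WSUS server.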
Click All Computers and you should see list of computers. Select the computers, right click and click Change Membership. On the Set Computer Group Membership box, select the new group that you just created.
Click OK. Once you have a test computer group created, your next task is to deploy the updates to the test group. To do so you must first approve and deploy WSUS updates.
In the Approve Updates dialog box, select your test group, and then click the down arrow. Click Approved for Install. You can also set a deadline to install the updates. The Approval Progress window appears, which shows the progress of the tasks that affect update approval. When the approval process is complete, click Close.
Check the box When an update is in a specific classification. Select the classifications. You can also approve the update for computer groups. I am going to select Windows 10 as that is my test computer group.
Finally you can set a deadline for the update approval and specify the auto approval rule name. On the Automatic Approvals window, you can find the rule that you just created. If you wish to run this rule, click Run Rule. WSUS comes with several reports to help you find the update deployment status, sync reports and computer reports.
This completes the steps to install and configure WSUS. I am sure this guide will help you to set up WSUS in your lab setup. If you have any questions related to WSUS, do let me know in the comments section.
Synchronization Error Details WebException: The underlying connection was closed: An unexpected error occurred on a send. GetAuthConfig at Microsoft. After installation and first initialization completed. Which GPO option we have to choose. In a domain environment, you must always use Domain group policy to configure and apply policies to domain computers. I went through your WSUS guide, it's excellent and helped me a lot. I have a question regarding the port open between upstream server and downstream server.
Here we use default port, Any idea of why? Please help. Thanks in advance. WSUS was working fine on Server but it was on older hardware that was starting to fail. I went through these steps: 1. Then, click Next. Step 3: In the Select installation type page, select Role-based or feature-based installation option. Click Next. Step 4: On the Server Selection page, verify the server name and click Next. Then, you have installed WSUS successfully. Step 2: Extract the zipped file and double-click UpdateGenerator to open it.
Step 3: Next, select the updates you want to download and configure the Options. Step 5: Now, you can install updates on a computer that is not connected to the internet. Step 7: There are two folders: client and iso.