In this article, I will set up WSUS with automated patch approvals based on groups.
The patches will be assigned to different groups to adhere to technical drivers, functional drivers, and generalization:
- Pilot=> Ensure that the patches do not “break” the computers
- Global1 => Ensure that the applications continue to function
- Global2 => Deployment across the entire fleet.
WSUS Installation
Role Installation
- Add the Windows Server Update Services Role.
- Leave the default IIS installation choices.
- We will use the database integrated into Windows Server; leave the default options.
- Regarding the storage location:
- If you just want to validate the patches to install, don’t check anything (
- If you want to validate and host the patches to save bandwidth, specify a path.
In this tutorial I will choose not to store the patches on my WSUS server. In this case, WSUS will be used to validate the patches on my devices, but the clients will download the patches directly from the Microsoft servers.
Configuration Rôle
- Select WSUS on tools
- Click on RUN to initialize WSUS
Initialization
- Synchronize WSUS with the Internet.
- The first connection will be necessary to get the updated list of products.
- You can then choose the products (Here Windows 10 and Windows 11).
- Also choose the criticality of the patches to install.
- Specify the time for automatic synchronization.
- Do not initiate the first synchronization (we need to create other rules first).
Additional Components
Also install to display reports in the WSUS console:
Configuration
Create Group
- On WSUS Console Create our Group
- I used Pilot, Global1 and Global2
Assignment for the first group using WSUS
Automatic Patch Approval can be set up for computer groups. The assignment to the first group will be done through WSUS, while for the assignment to other groups, a PowerShell script will be used.
- We will create groups for the computers. These groups will later allow us to approve different patches for these groups.
- In the options, we will create an automatic approval rule.
- All patches will be automatically approved for a group (Pilot group).
All patches will be installed as soon as they are available on the computers assigned to this group.
- Select security patch
- And select the pilot group
- You can then initiate the synchronization with our approval rule.
- After Synchronisation, all new patch (with security criteria) is assigned to pilot group
Configuration for GPO
- Configure automatic assignment of computers to groups
Without this option, computers will not be assigned to our groups despite assignment by registry key or GPO.
Change to https (8531)
The use of HTTPS on port 8531 has become mandatory for Windows 10 and Windows 11.
Creation of the certificate template (on the PKI).
ref : Installing and Configuring an Enterprise Root Certificate
- On PKI server, select Certification Authority
- on Certificate Templete select Manage
- You can duplicate the “Web Server” template on your root certificate server.
- Give it a name.
- Grant Enroll permissions for your WSUS server.
Provide enrollment permissions to your WSUS server.
- Open the IIS console on WSUS server
- Click on your server and select “Server Certificates”.
- Click on “Create Domain Certificate…”.
- Enter the information.
- Choose the certification authority (CA) of your domain and the friendly name.
Certificate Associate
- In the IIS console, click on “WSUS Administration” and then click on “Edit Bindings”.
- Edit port 8531 and select the certificate.
- Edit port 8531 and select the certificate.
- Force SSL encryption for virtual applications :
- ApiRemoting30
- ClientWebService
- DSSAuthWebService
- ServerSyncWebService
- SimpleAuthWebService
Configure SSL on WSUS
- Launch a Command Prompt (as an administrator).
- Enter the command:
cd "c:\Program Files\Update Services\Tools"
WsusUtil.exe configuressl wsus.leblogosd.lan
- Restart the server
Memory configuration
I have experienced WSUS crashes related to memory configuration. Here’s an example of a configuration to prevent service crashes.
- In the IIS settings, under the Advanced options of the WsuPool.
- Configure the memory => 0 for unlimited.
Computer Configuration
By GPO
The first thing to do is to update the ADMX on your Active Directory to have the new GPOs for WSUS.
The Legacy Policies folder should no longer be used as it represents the old generation of GPOs.
- Automatic Installation
This simply involves setting the installation time. Option 4 is the most important in this configuration to force the installation.
- Automatic reboot
This GPO is more suitable for “Industrial” Computers with patch installation scheduled at night.
- WSUS Servers
The WSUS server name will be specified.
- WSUS Targeting
This option is very important as it will determine whether the computer is a pilot machine (installing patches before everyone else) or a production machine.
A manual action or script is often put in place to move a machine from the TEST group to the PRODUCTION group after xxx days.
By Registry Key
A tool is available to configure the WSUS client registry keys in graphical mode. It can be found at: https://github.com/blndev/wsusworkgroup
This tool is capable of displaying the configuration coming from a GPO.
0 Comments