---
tags: IT management
---
# WSUS without AD in WorkGroup Enviroment
## Source
Today I will show you guys how to install WSUS Server in Window Server 2019 and push out update to machine in WorkGroup Enviroment without Active Directory
I use sources below as reference:
* https://www.youtube.com/watch?v=scrw27ER6Wk
* https://hackmd.io/@hviMWDL2Q6yrj_FR3CX2cw/BJoResJoF
* https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc708449(v=ws.10)?redirectedfrom=MSDN
## Requirement
### System Requirement
* https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment
* Window Server 2019 GUI (or Window Server 2016)
* Minimum 60 GB storage for update (Optimal is 300 GB)
### Configure Firewall on WSUS Server
To obtain updates from Microsoft Update, the WSUS server uses TCP port 80,443 and UDP port 53.
To push out update to client, allow inbow TCP port 8530 and 8531 (WSUS might already add this in)
You must allow Internet access from WSUS to the following list of URLs:
* http://windowsupdate.microsoft.com
* http://*.windowsupdate.microsoft.com
* https://*.windowsupdate.microsoft.com
* http://*.update.microsoft.com
* https://*.update.microsoft.com
* http://*.windowsupdate.com
* http://download.windowsupdate.com
* https://download.microsoft.com
* http://*.download.windowsupdate.com
* http://wustat.windows.com
* http://ntservicepack.microsoft.com
* http://go.microsoft.com
* http://dl.delivery.mp.microsoft.com
* https://dl.delivery.mp.microsoft.com
## Install WSUS Server
### Install Role
**Manage -> Add Roles and Features**
* **Instalation Type**: Role-based or feature-based installation
* **Server Selection**: Select a server from the server pool
* **Server Roles**:
* Windows Server Update Services
* Web Server (IIS)
* **Features**: Default
* **WSUS**
* Role Services: WID Connectivity, WSUS Services
* Content: Enter Path that store update content on your server (Example: C:\Update)
* **Web Server Role (IIS)**: default
**Post-Installation Task**
### Configure WSUS Server
**Tools -> Windows Server Update Services -> Options -> WSUS Server Configuration Wizard**
* Choose Upstream Server: If this is your main WSUS server, choose Synchronize from Microsoft Update
* Specify Proxy Server:
* Start Connecting : To synchronize first time to microsoft server to get updates. This may take bit time to finish
* Choose Languages: choose the language you want
* Choose Products: choose the products that you want do update
* Choose Classifications: optimally only choose Critical, Definition, Security Updates and Upgrades
* Configure Sync Schedule: configure how often WSUS server sync update with Microsoft
* Finished: Check begin initial synchronization
### WSUS walkthrough
* **Update Service**: for viewing overall info about WSUS and download update process
* **Updates**: for aprove or decline updates
* **Computers**: for manage computer client which received update
* **Report**: for access report
* **Synchronizations**: for manual synchronize with microsoft server to get newest update
* If you want to read sync report you need to install microsoft report viewer 2012 runtime then restart server. https://www.microsoft.com/en-us/download/details.aspx?id=35747
* You might also need to install Microsoft System CLR Types for SQL Server 2012. https://www.microsoft.com/en-us/download/details.aspx?id=56041 (both SQLSysClrTypes.msi)
* **Options**: for additional configurations
* Computers: change to "Use Group Policy or registry settings on computers"
## Configure Client connect to WSUS Server
### Create a registry script
Create a .reg file with the content below and run it with admin privilige
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"AcceptTrustedPublisherCerts"=dword:00000001
"ElevateNonAdmins"=dword:00000001
"TargetGroup"="<Groupname>"
"TargetGroupEnabled"=dword:00000000
"WUServer"="http://<WSUS IP Server>:8530"
"WUStatusServer"="http://<WSUS IP Server>:8530"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000004
"AUPowerManagement"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000001
"DetectionFrequency"=dword:0000000a
"DetectionFrequencyEnabled"=dword:00000001
"IncludeRecommendedUpdates"=dword:00000001
"NoAUAsDefaultShutdownOption"=dword:00000001
"NoAUShutdownOption"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"RebootRelaunchTimeout"=dword:0000000a
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RescheduleWaitTime"=dword:0000000a
"RescheduleWaitTimeEnabled"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
```
Note:
* Change <WSUS IP SERVER> to your server ip
* Change <Groupname> to name of the group that you want to put in. The groupname must match the group in WSUS server
* "TargetGroupEnabled"=dword:Enable or Disable Group fuction
* 00000000 : If you want to disable
* 00000001 : If you want to enable
### Periodical Run command to force client update to WSUS Server
```
wuauclt /detectnow /reportnow
```
# TroubleShooting
## Client can't get update
We need to increase memory on Wsus Pool on IIS
* Right click Wsus Pool -> Advanced Setting
* Under Recyling Tab, change the Private Memory Limit to higher value or 0 (unlimit memory)
<style>
/* Dark mode */
:root{
--white-text: #ddd;
--white-gray-text: #bbb;
--black-text: #333;
--gray-text: #666;
--navbar-background: #242424;
--navbar-alt-background: #363636;
--gray-background: #23272a;
--darkblue-background: #40788A;
--darkblue-alt-background: #2c5460;
--link-text: #339fff;
--link-hover-text: #2d6da4;
}
body,
.ui-comment-container .ui-comments-container {
background-color: var(--gray-background) !important;
}
a{
color: var(--link-text);
}
a:hover,
a:active{
color: var(--link-hover-text);
}
.navbar-default,
.navbar-default * label,
.navbar-default * span,
.ui-comment-container .ui-comment-header,
.ui-comment-container .ui-comment-input-container{
background-color: var(--navbar-background);
color: var(--white-text);
border-color: var(--gray-text);
}
.modal-dialog * .modal-body{
background-color: var(--navbar-background) !important;
color: var(--white-text) !important;
}
.ui-notification-label{
color: var(--white-text) !important;
background-color: var(--darkblue-background);
border-color: var(--darkblue-alt-background) !important;
}
.ui-notification-label:hover,
.ui-notification-label:active,
.ui-notification-label:focus{
background-color: var(--darkblue-alt-background);
}
.navbar-default .announcement-popover * ,
.modal-dialog * .modal-header,
.modal-dialog * .modal-footer,
.panel > .panel-heading,
.panel-body{
background-color: var(--gray-background) !important;
color: var(--white-text) !important;
}
.dropdown-menu,
.dropdown-menu>li>a{
background-color: var(--gray-background) ;
color: var(--white-text);
}
.markdown-body,
.ui-toc-dropdown .nav > .active > a,
.ui-comment-container .comment-blank-stats,
.markdown-body h1 .octicon-link,
.markdown-body h2 .octicon-link,
.markdown-body h3 .octicon-link,
.markdown-body h4 .octicon-link{
color: var(--white-text);
}
.ui-toc-dropdown .nav > .active > a:hover{
color: var(--gray-text);
}
.ui-lastchange,
.ui-status-lastchange{
color: var(--white-gray-text);
}
.markdown-body > blockquote{
border-left: 0.25em solid #5882a7;
color: var(--white-gray-text);
}
.markdown-body > table th,
.markdown-body > table tr:nth-child(2n){
background-color: var(--navbar-background);
}
.markdown-body > table tr{
background-color: var(--navbar-alt-background);
}
.panel-body .markdown-body tr{
background-color: var(--navbar-background);
border-color: var(--navbar-background);
}
.alert > blockquote{
border-left: 0.25em solid #ccc;
}
.ui-toc-dropdown {
background-color: #23272A;
border: 1px solid rgba(255,255,255,.15);
box-shadow: 0 6px 12px rgba(255,255,255,.175);
}
/* Dark mode code block */
/* Imported from titangene/hackmd-dark-theme */
.markdown-body pre {
background-color: #1e1e1e;
border: 1px solid #555 !important;
color: #dfdfdf;
font-weight: 600;
}
.token.operator, .token.entity,
.token.url, .language-css .token.string,
.style .token.string {
background: unset;
}
/* Dark mode alert boxes */
.alert-info {
color: #f3fdff;
background: #40788A;
border-color: #2F7A95;
}
.alert-warning {
color: #fffaf2;
background: #936C36;
border-color: #AE8443;
}
.alert-danger {
color: #fff4f4;
background: #834040;
border-color: #8C2F2F
}
.alert-success {
color: #F4FFF2;
background-color: #436643;
border-color: #358A28;
}
/* Stylized alert boxes */
.alert-warning>p::before,
.alert-danger>p::before,
.alert-info>p::before {
white-space: pre;
font-weight: bold;
}
</style>
<style>
/*
* Visual Studio 2015 dark style
* Author: Nicolas LLOBERA <nllobera@gmail.com>
*/
.hljs {
display: block;
overflow-x: auto;
padding: 0.5em;
background: #1E1E1E;
color: #DCDCDC;
}
.hljs-keyword,
.hljs-literal,
.hljs-symbol,
.hljs-name {
color: #569CD6;
}
.hljs-link {
color: #569CD6;
text-decoration: underline;
}
.hljs-built_in,
.hljs-type {
color: #4EC9B0;
}
.hljs-number,
.hljs-class {
color: #B8D7A3;
}
.hljs-string,
.hljs-meta-string {
color: #D69D85;
}
.hljs-regexp,
.hljs-template-tag {
color: #9A5334;
}
.hljs-subst,
.hljs-function,
.hljs-title,
.hljs-params,
.hljs-formula {
color: #DCDCDC;
}
.hljs-comment,
.hljs-quote {
color: #57A64A;
font-style: italic;
}
.hljs-doctag {
color: #608B4E;
}
.hljs-meta,
.hljs-meta-keyword,
.hljs-tag {
color: #9B9B9B;
}
.hljs-variable,
.hljs-template-variable {
color: #BD63C5;
}
.hljs-attr,
.hljs-attribute,
.hljs-builtin-name {
color: #9CDCFE;
}
.hljs-section {
color: gold;
}
.hljs-emphasis {
font-style: italic;
}
.hljs-strong {
font-weight: bold;
}
.hljs-bullet,
.hljs-selector-tag,
.hljs-selector-id,
.hljs-selector-class,
.hljs-selector-attr,
.hljs-selector-pseudo {
color: #D7BA7D;
}
.hljs-addition {
background-color: #144212;
display: inline-block;
width: 100%;
}
.hljs-deletion {
background-color: #600;
display: inline-block;
width: 100%;
}
</style>
Sign in with Wallet
Connect another wallet