WSUS without AD in WorkGroup Enviroment

Source

Today I will show you guys how to install WSUS Server in Window Server 2019 and push out update to machine in WorkGroup Enviroment without Active Directory
I use sources below as reference:

• https://www.youtube.com/watch?v=scrw27ER6Wk
• https://hackmd.io/@hviMWDL2Q6yrj_FR3CX2cw/BJoResJoF
• https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc708449(v=ws.10)?redirectedfrom=MSDN

Requirement

System Requirement

• https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment
• Window Server 2019 GUI (or Window Server 2016)
• Minimum 60 GB storage for update (Optimal is 300 GB)

Configure Firewall on WSUS Server

To obtain updates from Microsoft Update, the WSUS server uses TCP port 80,443 and UDP port 53.
To push out update to client, allow inbow TCP port 8530 and 8531 (WSUS might already add this in)

You must allow Internet access from WSUS to the following list of URLs:

• http://windowsupdate.microsoft.com
• http://*.windowsupdate.microsoft.com
• https://*.windowsupdate.microsoft.com
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://*.windowsupdate.com
• http://download.windowsupdate.com
• https://download.microsoft.com
• http://*.download.windowsupdate.com
• http://wustat.windows.com
• http://ntservicepack.microsoft.com
• http://go.microsoft.com
• http://dl.delivery.mp.microsoft.com
• https://dl.delivery.mp.microsoft.com

Install WSUS Server

Install Role

Manage -> Add Roles and Features

• Instalation Type: Role-based or feature-based installation
• Server Selection: Select a server from the server pool
• Server Roles:
  • Windows Server Update Services
  • Web Server (IIS)
• Features: Default
• WSUS
  • Role Services: WID Connectivity, WSUS Services
  • Content: Enter Path that store update content on your server (Example: C:\Update)
• Web Server Role (IIS): default
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

Post-Installation Task

Configure WSUS Server

Tools -> Windows Server Update Services -> Options -> WSUS Server Configuration Wizard

• Choose Upstream Server: If this is your main WSUS server, choose Synchronize from Microsoft Update
• Specify Proxy Server:
  • Start Connecting : To synchronize first time to microsoft server to get updates. This may take bit time to finish
• Choose Languages: choose the language you want
• Choose Products: choose the products that you want do update
• Choose Classifications: optimally only choose Critical, Definition, Security Updates and Upgrades
• Configure Sync Schedule: configure how often WSUS server sync update with Microsoft
• Finished: Check begin initial synchronization
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

WSUS walkthrough

• Update Service: for viewing overall info about WSUS and download update process
• Updates: for aprove or decline updates
• Computers: for manage computer client which received update
• Report: for access report
• Synchronizations: for manual synchronize with microsoft server to get newest update
  • If you want to read sync report you need to install microsoft report viewer 2012 runtime then restart server. https://www.microsoft.com/en-us/download/details.aspx?id=35747
  • You might also need to install Microsoft System CLR Types for SQL Server 2012. https://www.microsoft.com/en-us/download/details.aspx?id=56041 (both SQLSysClrTypes.msi)
• Options: for additional configurations
  • Computers: change to "Use Group Policy or registry settings on computers"

Configure Client connect to WSUS Server

Create a registry script

Create a .reg file with the content below and run it with admin privilige

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"AcceptTrustedPublisherCerts"=dword:00000001 
"ElevateNonAdmins"=dword:00000001 
"TargetGroup"="<Groupname>"
"TargetGroupEnabled"=dword:00000000 
"WUServer"="http://<WSUS IP Server>:8530"
"WUStatusServer"="http://<WSUS IP Server>:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
"AUOptions"=dword:00000004 
"AUPowerManagement"=dword:00000001 
"AutoInstallMinorUpdates"=dword:00000001 
"DetectionFrequency"=dword:0000000a 
"DetectionFrequencyEnabled"=dword:00000001 
"IncludeRecommendedUpdates"=dword:00000001 
"NoAUAsDefaultShutdownOption"=dword:00000001 
"NoAUShutdownOption"=dword:00000001 
"NoAutoRebootWithLoggedOnUsers"=dword:00000001 
"NoAutoUpdate"=dword:00000000 
"RebootRelaunchTimeout"=dword:0000000a 
"RebootRelaunchTimeoutEnabled"=dword:00000001 
"RescheduleWaitTime"=dword:0000000a 
"RescheduleWaitTimeEnabled"=dword:00000001 
"ScheduledInstallDay"=dword:00000000 
"ScheduledInstallTime"=dword:00000003 
"UseWUServer"=dword:00000001

Note:

• Change <WSUS IP SERVER> to your server ip
• Change <Groupname> to name of the group that you want to put in. The groupname must match the group in WSUS server
• "TargetGroupEnabled"=dword:Enable or Disable Group fuction
  • 00000000 : If you want to disable
  • 00000001 : If you want to enable

Periodical Run command to force client update to WSUS Server

wuauclt /detectnow /reportnow

TroubleShooting

Client can't get update

We need to increase memory on Wsus Pool on IIS

• Right click Wsus Pool -> Advanced Setting
• Under Recyling Tab, change the Private Memory Limit to higher value or 0 (unlimit memory)
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →