WSUS on Server 2019 core

Home / WSUS on Server 2019 core

Learn how to install the Windows Server Update Services (WSUS) rols on a core installation of Windows Server 2019 or Windows Server 2016 (Including SSL setup).

The core version of Windows Server (or server without desktop experience) is a nice feature. It allows servers to run with a very small footprint and helps saving precious computing resources. One disadvantage of the core servers are the lack of GUIs for the functions and features the server is providing. This requires administrators to switch more often to Powershell to install, configure and administrate basic functionalities, which (on earlier versions) had a full-featured GUI.

After switching to core server and having a lot of hard work to set it up (partially due to my lack of Powershell skills in certain scenarios), I decided to write this guide to help you set up your WSUS on a core installation of Windows Server 2019 (Which works exactly the same on 2016) by using Powershell only (Plus the setup for SSL alternatively via GUI, if you want to use it).

Prerequisites

  • Installed and configured Windows Server 2016 or 2019 core
  • Server is already added to the domain and has the required network settings, firewall rules, etc set up
  • The server has an additional volume for the update files (Does not have to be setup within the server)
  • Microsoft SQL-Server instance is already installed (If you want to use SQL server instead of the Windows internal database)
  • An SSL certificate (If you want to use one) with private key and the password as pfx file
  • Installed IIS Manager on your client, if you want to manage the IIS with a GUI

This guide will start directly with the installation, so all basic settings have to be done upfront. Use the command sconfig to open a tool for the main settings.

Important: This guide is provided as is and does not guarantee to be without errors or mistake. Use a test environment and create all necessary backups before proceeding.

Installation

Logon to your server and open a Powershell prompt (Via console, remote shell or remote desktop).

Preparing disk, volumes and drives

If your drives are all setup completely including initialization, formatting and drive letters, then you can skip this chapter.

The first thing you might want to change is the letter of your CD/DVD drive. Many tutorials set the WSUS hard disk on drive letter D, but that’s where the CD/DVD is often assigned to.

To change this, you are using the following command to change the drive letter from D to R:

Get-WmiObject -Class Win32_volume -Filter "DriveLetter = 'd:'" |Set-WmiInstance -Arguments @{DriveLetter='R:'}

Next you have to initialize the second hard disk for the update files. Enter

Get-Disk

to get a list of hard disks.

Check the column operational status. If one disk is shown as offline, remember the disk id and switch it to online (Change the 1 after number to your disk number):

Set-Disk -Number 1 -IsOffline $false

Now that disk has to be initialized. Use the same disk number for this command.

Initialize-Disk -Number 1

This initializes the disk using GPT partition style. If you want to use MBR add the parameter -PartitionStyle MBR to the command.

Next step is the creation of a partition.

New-Partition -DiskNumber 1 -Size 90GB -AssignDriveLetter

This creates a 90GB partition and assigns it a drive letter. If the partition should use the entire disk, replace the -Size parameter with -UseMaximumSize:

New-Partition -DiskNumber 1 -UseMaximumSize -AssignDriveLetter


Remember the drive letter of that drive. If you want to use a different letter:

Set-Partition –DriveLetter F -NewDriveLetter D

Now format the newly created drive.

Format-Volume -DriveLetter D -FileSystem NTFS -NewFileSystemLabel WSUS

The file system has to be NTFS (WSUS does not support ReFS) and I prefer the drive to be labeled WSUS, but you can name it whatever you want.

Now create a subfolder WSUS on the new drive as WSUS does not like its content folder to be placed in root.

New-Item -Path D: -Name WSUS -ItemType Directory

Install WSUS

Now, that the server is prepared for the WSUS role, let’s start with the installation.

If you would like to see all WSUS related features, use the Get-WindowsFeauter cmdlet:

Get-WindowsFeature –Name UpdateServices*

Important: The next command is different, depending on if you want to use the Windows Internal Database (WID) or an SQL server instance.
WID:

Install-WindowsFeature -Name UpdateServices-Services -IncludeManagementTools

With SQL server instance:

Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools


If you have used the wrong command, uninstall the features with

Uninstall-WindowsFeature -Name names-from-the-command-used

and then enter the correct command again.

This will install the necessary files and services for your WSUS.

The last step is to tell your server, which SQL instance to use (If you are not using WID) and where to store the update files. Change to the tools folder in the WSUS application directory:

cd 'C:\Program Files\Update Services\tools'

You are going to use the program WSUSutil.exe, which offers many configuration possibilities for your WSUS. The parameter you are using is postinstall. It requires additional parameters depending on your environment.
Important: The next command is different, depending on if you want to use the Windows Internal Database (WID) or an SQL server instance.
WID:

.\WsusUtil.exe postinstall CONTENT_DIR=D:\WSUS

Change the directory if you are using a different path.
MS SQL server:

.\WsusUtil.exe postinstall SQL_INSTANCE_NAME="SQLServer\Instance" CONTENT_DIR=D:\WSUS

Change the SQL server name and instance and the path, if you are using a different folder.

An optional step is to analyze your WSUS installation using the best practice analyzer:

Invoke-BpaModel -ModelId Microsoft/Windows/UpdateServices
Get-BpaResult -ModelId Microsoft/Windows/UpdateServices | Select Title,Severity,Compliance | Format-List

This gives you some hints on how to optimize your system.

And that’s it. Your WSUS is up and running. It does not use SSL and listens on port 8530. You can use the RSAT tools to manage the products, classifications and updates. The RSAT tools for Windows 7 can be downloaded here. Windows 10 as of version 1809 do not need an additional download. The RSAT tools have been moved to optional software features.

There are some optimizations, which are generally recommended for a WSUS installation. The first allows the IIS to use more memory (All available memory) and the second allows it to start more than one worker processes.
First change the private memory limit of the WSUS IIS application pool to 0:

Set-WebConfiguration -Filter "/system.applicationHost/applicationPools/add[@name='WsusPool']/recycling/periodicRestart/@privateMemory" -Value 0

And now change the maximum number of worker processes also to 0 (unlimited):

Set-WebConfiguration -Filter "/system.applicationHost/applicationPools/add[@name='WsusPool']/processModel/@maxProcesses" -Value 0

Configure SSL

Using Powershell

The first step is to import your SSL certificate. As you need to provide the password for your certificate and the cmdlets do not accept the password as plaintext, you need one step more. There are different ways to get the password as secure string. I decided to use the Get-Credential cmdlet:

$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'

The certificate file can be located on a local drive or a network or DFS path.

Import-PfxCertificate -FilePath "C:\mypfx.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password -Exportable

The certificate store has to be in local machine. Otherwise you cannot use the certificate for your IIS.

And now back to the IIS.

To manage the ISS, you need an additional module:

Import-Module WebAdministration

First check if your WSUS website has bee published successfully:

Get-Website

This list should contain a website “WSUS Administration”.

You will perform 3 steps: you add the SSL certificate to the WSUS website, change some subfolders to require SSL and complete the SSL activation using Wsusutil.exe.

To add the certificate to the IIS binding, you need that binding as object:

$bind = Get-WebBinding -Name 'WSUS Administration' -Protocol https


Please be aware, that the image is not correct. The protocol is case sensitive and requires lowercase letters only. You do not get an error message otherwise, but it simply will not work.

Additionally you need the hash value for your certificate. You can get the hash of your certificate using this command:

Get-ChildItem cert:\LocalMachine\My


Now can you retrieve the object containing your certificate:

$SSLCert=Get-Item cert:\LocalMachine\My\HashOfCertificate

Replace HashOfCertificate with the hash (or thumbprint). Alternatively you can use the TAB key after my\ to switch through all certificates.
With these 2 object, you can finally merge them:

$bind.AddSslCertificate($SSLCert.GetCertHashString(),"my")

The WSUS website is available with SSL encryption as of now. This can be tested by opening https://yourwsus:8531 in a browser. Check the certificate details. If it is not working properly, you may have to restart the website by using the IISRESET command or restarting your server.

Now you need to enforce SSL for certain virtual directories:

Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'WSUS Administration/ApiRemoting30' -Filter "system.webServer/Security/access" -Name "sslFlags" -Value "Ssl"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'WSUS Administration/ClientWebService' -Filter "system.webServer/Security/access" -Name "sslFlags" -Value "Ssl"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'WSUS Administration/DSSAuthWebService' -Filter "system.webServer/Security/access" -Name "sslFlags" -Value "Ssl"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'WSUS Administration/ServerSyncWebService' -Filter "system.webServer/Security/access" -Name "sslFlags" -Value "Ssl"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'WSUS Administration/SimpleAuthWebService' -Filter "system.webServer/Security/access" -Name "sslFlags" -Value "Ssl"

The last step is to complete the SSL configuration for the WSUS. This steps also allows you to specify a different URL (Example: Your server is called SRV01, but you would like to use wsus.company.local):

& 'C:\Program Files\Update Services\Tools\WsusUtil.exe' configuressl wsus.company.local


Restart the server to complete the installation.

Restart-Computer

This concludes the installation and setup of your WSUS and SSL using Powershell only.

Using a GUI

Already sick of using Powershell? Or do you still prefer a GUI? Then this section explains you how to switch your WSUS to SSL using (mainly) a GUI.
Please make sure, that you have installed the IIS manager on your client.

But before you can use a GUI, you have to do some steps in preparation.
The first step is to import your SSL certificate. As you need to provide the password for your certificate and the cmdlets do not accept the password as plaintext, you need one step more. There are different ways to get the password as secure string. I decided to use the Get-Credential cmdlet:

$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'

The certificate file can be located on a local drive or a network or DFS path.

Import-PfxCertificate -FilePath "C:\mypfx.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password -Exportable

The certificate store has to be in local machine. Otherwise you cannot use the certificate for your IIS.

To administrate the IIS from a remote computer, you have to install a role and allow remote management via a registry key.

Install-WindowsFeature Web-Mgmt-Service


This feature contains all necessary files for remote management, but it is blocked by default as a security measure.
To enable remote connections, update the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server\EnableRemoteManagement to 1:

Set-ItemProperty -Path HKLM:\Software\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1

Now start the remote management service:

Start-Service wmsvc

And now back to the GUI:
Open the IIS manager. Click on the “File” menu and select Connect to a server.
Enter the name or IP address of your server.

On the next screen, enter the credentials of an administrator for the IIS.

In the connections section, open your server, then Sites and click on WSUS Administration.

Click on Bindings… on the right side.

Select the row with https and click on edit….
Choose your SSL certificate from the dropdown list below and click OK.

Close the bindings window.

This step has assigned your certificate to the https version of your WSUS websites. The next step is to enforce SSL for certain sites with your WSUS.
Expand your WSUS Administration site and select ApiRemoting30.

Double click on SSL Settings in the middle section.

Check the box Require SSL and select Ignore.

Click Apply on the right side.
Repeat these steps for the following directories (They are all under WSUS Administration):

  • ApiRemoting30 (You already did this in the example)
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

The last step is to complete the SSL configuration for the WSUS. This again needs Powershell or a command prompt (My commands are for Powershell). It also allows you to specify a different URL (Example: Your server is called SRV01, but you would like to use wsus.company.local):

& 'C:\Program Files\Update Services\Tools\WsusUtil.exe' configuressl wsus.company.local

Restart the server to complete the installation.

Restart-Computer

One thought on “WSUS on Server 2019 core”

  1. Thanks for tip about “Set-WebConfigurationProperty” was trying to change SSL configuration through GUI from remote server and it kept saying “Insufficient permissions”. This command solved it!

Leave a Reply

Your email address will not be published. Required fields are marked *