Welcome to my tutorial for the Windows Server Update Services Part 2: Planning / Prerequisites
Plan your WSUS setup
The easiest and fastest way of deploying a WSUS environment is a single server setup. But that might not be the best approach for your organization.
A WSUS setup consists of 2 components: The WSUS role and a database.
The WSUS role can be installed on any Windows Server version. Plus it can be installed on core (non GUI) versions of Windows Servers (but not on a nano version). You can install your WSUS role on an existing server, but keep in mind that WSUS takes a lot of disk space plus it requires a lot of network bandwidth when sending updates to your clients. Also installing WSUS on a domain controller is not recommended by Microsoft.
The database can be stored either locally on the WSUS server using the Windows internal Database (WID), which is basically a lightweight MS SQL express server. The alternative is a full MS SQL server or MS SQL server express (or an instance on an existing server).
If you can’t afford an additional server of don’t have any licenses left, an existing server with other roles or services can be used.
My recommendation is to use a separate server or -even better- a virtual machine for WSUS plus a MS SQL / MS SQL Express instance for the database. This helps improving the performance of your system (By adding more RAM or additional cores to it) and lets you easily rebuild your WSUS (which sometimes might be a good solution for troubleshooting).
Microsoft’s WSUS hardware recommendation
These are Microsoft’s requirements for a WSUS server, but honestly they are very undersized:
Processor: 1.4 gigahertz (GHz) x64 processor (2 Ghz or faster is recommended)
Memory: WSUS requires an additional 2 GB of RAM more than what is required by the server and all other services or software.
Available disk space: 10 GB (40 GB or greater is recommended)
Network adapter: 100 megabits per second (Mbps) or greater
Andy’s WSUS hard recommendation
My first recommendation is to use a virtual machine for your WSUS. This allows you to easily adapt your server hardware to your needs (Might be necessary in the beginning plus when your company grows).
Processor: 2 or better 4 core processor. >2 Ghz should be sufficient for most scenarios.
Memory: 4 GB minimum. Better 8 GB. If you are using the Windows internal database or a SQL server on the same machine, add 2-4 GB.
Disk space: If possible, use 2 disk:
One for the operating system with 50 GB (Server with GUI) or 25 GB (Core server).
The second disk is for the update repository. 500GB can be easily eaten up, but more disk space might be required depending on how many products, versions and languages you have to support.
If you want to use the Windows internal database (WID), then there is nothing to do right now.
For a MS SQL server on the machine or an external server, you have to installed it before installing your WSUS.
This guide does not cover the installation of a database server.
Make sure that you notice the server and instance name and that IP connections are allowed (For external DB servers).
Your server will need internet access. It uses port 443 (HTTPS) for downloading updates which some firewall might detect as ms-update application or similar. The URLs called are (According to Microsoft https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus):
Microsoft report viewer
To display reports, the system(s) where you are using the WSUS console on, will need to have the Microsoft report viewer redistributable installed on.
For Windows 7, 8, 8.1 and Server 2012/2012R2, use the Microsoft Report Viewer Redistributable 2008 (https://www.microsoft.com/en-us/download/details.aspx?id=6576). For Windows 10 and Server 2016 and newer, use Microsoft Report Viewer Runtime 2012 (https://www.microsoft.com/en-us/download/details.aspx?id=35747).
Microsoft .Net Framework 4.0
Make sure that at least .Net 4.0 is installed on your server.
The NT Authority\Network Service account must have Full Control permissions for the following folders so that the WSUS Administration snap-in displays correctly:
- %windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files (That path might not be present before installing the IIS role.)
I prefer to use the WSUS with a dedicated DNS alias like wsus.mycompany.com. This allows you to replace your WSUS server with a new one without needing to update your client’s settings.
If you want to use SSL for your WSUS communication, you have a have your certificate as .pfx file with its private key included. The necessary steps for the setup are described in the installation.
Internet facing deployment / External access
If you are having clients, which need to have access to your WSUS without being in your network or connected via VPN, you can easily set this up.
What you will need is access to the name server for your external domain, the DNS settings plus your company’s firewall and network settings.