Hello, in this fourth part of this series, I will discuss how to install or configure a Windows Server Updates Services (WSUS) role as part of your bare-metal provisioning process. In part 1 of this series, I provided an overview of the bare-metal provisioning process with SCVMM, but I did not mention WSUS, so where does it fit in?
WSUS will be integrated with the bare-metal reference image development process. We will be creating a fully updated server image. There are two common approaches to updating a reference image. One is to have the image reach out to Microsoft Update for all the updates, and the other is with WSUS. Most organizations opt to leverage WSUS primarily since it allows up to be selective about which updates to integrate into their environment and which types of updates as well. For instance, an organization may choose to delay the addition of a service pack into their imaging process until their test their line of business applications with it, but will choose to quickly integrate all security updates and critical operating system updates into their imaging process. These decisions are not available through an automated imaging process with Microsoft Update. They are with WSUS.
So let's begin! First you need to add the WSUS role to your Windows Server. If you already have a WSUS server in your organization, you can skip this part. To add the WSUS role on a Windows Server 2012 / R2 server using PowerShell:
Install-WindowsFeature UpdateServices -IncludeManagementTools
This adds the role, and installs and performs an initial configuration of the WSUS role with a WID database (Windows Internal Database). For the purposes of a server imaging environment, this database is sufficiently sized. Next, open the WSUS Management Console. This will begin several configuration steps. The first one is to specify where updates will be stored. Specify a path with enough disk space to store all the updates needed as part of your server imaging process and click Run to continue. This process takes several minutes. Once finished, click the Close button.
The next window you will see should be the Windows Server Update Services Configuration Wizard. Click Next at the Before You Begin window
If this is the first WSUS server in your organization, click Next, otherwise, you can have this WSUS server installation sync its content from an upstream WSUS server here.
Next, specify any proxy server settings you use to access the Internet if any and click Next to continue.
Next, click the Start Connecting button to connect to Microsoft Update. This process is needed to retrieve an update list of products that can be updated and associated languages. For instance, if you installing WSUS on Windows Server 2012, this step will allow fetch an updated product catalog listing that includes Windows Server 2012 R2 so that your imaging process can include updates to 2012 or 2012 R2. This process takes several minutes.
Next, choose which languages are applicable in your environment and click Next. By default, only updates in English are downloaded.
Next, choose the products for which you want updates downloaded. In this Products pane, you will notice certain products are already pre-selected if you scroll down. For the purpose of updating our reference image, you may want only the updates for Windows Server 2012 / 2012 R2 to be downloaded. To do this, click the All Products checkbox twice. This selects all products and then deselects all products.
Scroll down near the bottom of the list to select Windows Server 2012 / 2012 R2
Next, select the types of updates you want downloaded. As a minimum, I recommend Critical and Security updates to always be included in your images. The Updates is another classification you may want to consider as well.
Next, specify whether to download updates manually by initiating a manual sync or automatically. Click Next and accept all remaining defaults from the wizard after this window. Once finished, the wizard will launch the WSUS management snap-in.
From the Update Services snap-in, click on Automatic Approvals
Next, select which types of updates you want to be automatically approved. This is an optional step if your organization wants to test and approve every single update released by Microsoft. In my reference image build environments, I choose to auto-approve all Critical and Security updates and manually approve Updates classifications. Ensure this policy is applicable on all computers. Since the reference image build and capture must be done by non-domain joined computers, this is an important step.
Finally, click on Synchronize Now to sync the WSUS server with MS Update. By default, WSUS will only download meta data about the updates when you do this. It only downloads the actual updates the first time a client computer requests that update. This is done to reduce the amount of disk space needed on the WSUS server.
That's it! Your WSUS server installation is ready to be part of your reference image development process. Next, I will walk you through the actual process of developing a server image and importing it to SCVMM.
We are almost there!
Till next time.