WSUS Installation on Server 2016 Core or Server 2019 Core

Install Server 2016 Core

Deploy Windows Server 2016/2019 Core from Template

To add a 2nd Data drive

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> online disk (if the disk is not online)
DISKPART> attributes disk clear readonly
DISKPART> convert gpt
DISKPART> create partition primary
DISKPART> select part 1
DISKPART> active (if this is the boot partition)
DISKPART> format fs=ntfs label=WSUSData quick
DISKPART> assign letter D
DISKPART> list volume

Install WSUS/WID Role

  • From the console of your newly deployed Windows Server 2016/2019 Core System
  • Login with your Administrator Account
  • Open PowerShell
  • Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
  • New-Item -Path D: -Name WSUS -ItemType Directory
  • CD "C:\Program Files\Update Services\Tools"
  • .\wsusutil.exe postinstall content_dir=D:\WSUS
  • Get-WsusServer
  • Set-WsusServerSynchronization -SyncFromMU

Enable SSL for WSUS

Create a signed Certificate

I will be using an internal IIS & Microsoft Certificate Authority to create and mint the certificate.

You will require an IIS Console and Certificate Authority Administration tools installed on your workstation or server. (I will be using the Certificate Authority as my source)

    • Open Administrative Tools and Select Internet Information Services (IIS) Manager
    • Under IIS Select Server Certificates
    • On the Actions pane Select Create Certificate Request
    • Enter the following as an example
      • Common Name: wsus.domain.local
      • Organization: Company
      • Organizational Unit: IT
      • City/Locality: City
      • State/Province: Province
      • Country/region: Canada
    • Click Next
    • Save the certificate request to your documents or desktop and give it a name such as WSUS.txt
    • Click Next/Finish
    • Select Microsoft RSA SChannel Cryptographic Provider
    • Select Bit Length of 2048
    • Click Next
    • Open a browser to your Active Directory Certificates Services page http://CAServer/certsrv
    • Select Request a certificate
    • Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
    • Open the WSUS.txt
    • Select All and copy
    • Paste the content into the Saved Request Section
    • Select your Web Server Template
    • In the Additional Attributes box, add the Subject Alternative Names (SAN) for every name the server will be reached by, as this should cover any SSL warnings/errors
    • SAN:DNS=WSUS&DNS=WSUS.domain.local&DNS=ShortComputerName&DNS=FullyQualifiedDomainName
    • Click Submit
    • Select Base 64 encoded
    • Download certificate
    • Save the .cer file to your documents or desktop (specify a unique name)
    • Minimize the browser and return to the IIS Manager
    • In the Actions pane select Complete Certificate Request
    • In the first box find the certificate we just created
    • In the friendly name choose something that fits your standards (WSUS.domain.local)
    • Click OK

We will now export the certificate so we can import it into our WSUS server.

    • Select the Server Certificate, right-click and select Export
    • Select a place to save the .pfx, such as documents or desktop, and give it a unique name
    • Enter a password to be used later, for example WSUS
    • Click OK

We will now import the certificate to our WSUS server. This installs it into the Local Computer Personal certificate store.

    • Copy the .pfx file to a temporary location on the WSUS Server (in my example, c:\tools)
    • Connect to the WSUS server through RDP or through a VMware console
    • From the cmd prompt type the following
    • certutil -p WSUS -importpfx "c:\tools\WSUS.pfx"
    • You should get the following messages
      • Certificate was added to store
      • Certutil: importPFX command completed successfully

To verify that the import was successful from a management server

    • Open MMC
    • In Add/Remove Snap-in, select Certificates, then Add
    • Select Computer Account
    • Click Finish
    • Select Another Computer and enter in your WSUS Server
    • Click Finish
    • Click OK
    • Expand the certificates
    • Expand \\hostname\personal\certificates

If all has gone to plan, you should now see the certificate we created.
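
The import and verification above can also be done entirely on the Core server. This is an added example, not part of the original post: it swaps certutil for Import-PfxCertificate so the PFX password is prompted for rather than typed on the command line, then checks the imported certificate before it is bound. The path and FQDN are the post's example values.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the WSUS server. Path and FQDN are the post's example values.
$pfxPath = 'C:\tools\WSUS.pfx'
$fqdn    = 'wsus.domain.local'

# Prompt for the PFX password so it is not left in command history or logs.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into Local Computer > Personal, the same store the post uses.
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Re-read from the store so the checks reflect what IIS will actually see.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($imported.Thumbprint)"

$checks = [ordered]@{
    # Without the private key IIS cannot use the certificate for HTTPS.
    HasPrivateKey = $cert.HasPrivateKey
    # The name clients connect to must be in the SAN list.
    SanCoversFqdn = $cert.DnsNameList.Unicode -contains $fqdn
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    ServerAuthEku = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    NotExpired    = (Get-Date) -lt $cert.NotAfter
    # Builds the chain to a trusted root and applies the SSL policy for this name.
    ChainTrusted  = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn `
                        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
}
$checks.GetEnumerator() | Format-Table Name, Value -AutoSize

if ($checks.Values -contains $false) {
    Write-Warning "Certificate $($cert.Thumbprint) failed one or more checks; do not bind it yet."
} else {
    # The PFX holds the private key; remove the temporary copy once imported.
    Remove-Item -Path $pfxPath
    "Imported $($cert.Subject), thumbprint $($cert.Thumbprint)"
}
```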

Enable IIS/Remote web management

Because we are using Windows Server 2016 Core to house the WSUS server, I will be using Server Manager to remotely manage the IIS site. Remote management is disabled by default.
This section walks through the requirements for managing IIS from a remote computer.

Note: I will research and add in the PowerShell version at a later date

    • Login to the Console / RDP Session to your WSUS Server
    • From the command prompt launch PowerShell
    • To install the feature, type Install-WindowsFeature -Name Web-Mgmt-Service
    • Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1
    • or
    • Open Regedit
    • Navigate to HKLM\Software\Microsoft\WebManagement\Server
    • Change EnableRemoteManagement to 1
    • Close Regedit
    • Exit PowerShell to return to a command prompt
    • Run the following to enable the service to start automatically
    • sc config WMSVC start= auto
    • net start WMSVC

You should now be able to connect to the WSUS IIS from a remote computer.

Bind SSL certificate / enable HTTPS

Connect to your Workstation / Server with Remote Management Capabilities

    • Launch IIS Console
    • Right Click on the Start Page and select Connect to a Server
    • Enter in your WSUS Site
    • Enter in your Administrator details
    • Click Connect
    • Expand your server, expand the Sites and select WSUS Administration
    • Right Click and Select Edit Bindings
    • Select the https site and click Edit
    • Select the SSL Certificate we created earlier
    • Click OK
    • We now need to enforce SSL encryption on the following virtual roots
      • ApiRemoting30
      • ClientWebService
      • DSSAuthWebService
      • ServerSyncWebService
      • SimpleAuthWebService
    • To do so expand WSUS Administration
    • Select the virtual site
    • In the main pane select SSL Settings
    • Select Require SSL and set Client Certificates to Ignore
    • Click Apply in the Actions pane menu
    • Repeat for each virtual root
    • To ensure WSUS uses the SSL certificate, issue the following command from the WSUS server console
    • Change to the following directory: c:\Program Files\Update Services\Tools
    • Run the following with the FQDN of the WSUS server we will be using
    • WSUSUtil.exe configuressl wsus.domain.local
    • Restart the WSUS server (shutdown /r /t 0) for the changes to take effect

Once the server reboot is complete, verify that the certificate is working properly

      • Navigate to https://FQDN:8531
      • Check that the cert is trusted; then it is time to move on to the next section
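
The Require SSL steps for the five virtual roots can be scripted and read back on the WSUS server itself. This is an added example, not from the original post; it assumes the WebAdministration module is available on the server, and takes the site name, virtual root names and port 8531 from the steps above.

```powershell
# Added example (not from the original post). Run elevated on the WSUS server.
# Assumes the WebAdministration module is present.
Import-Module WebAdministration

$site   = 'WSUS Administration'      # site name as shown in the post
$vroots = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
          'ServerSyncWebService', 'SimpleAuthWebService'
$common = @{
    PSPath = 'MACHINE/WEBROOT/APPHOST'
    Filter = 'system.webServer/security/access'
    Name   = 'sslFlags'
}

$report = foreach ($vroot in $vroots) {
    # 'Ssl' alone = Require SSL with client certificates ignored.
    Set-WebConfigurationProperty @common -Location "$site/$vroot" -Value 'Ssl'

    # Read the value back instead of trusting that the write succeeded.
    $flags = Get-WebConfigurationProperty @common -Location "$site/$vroot"
    if ($flags.PSObject.Properties['Value']) { $flags = $flags.Value }

    [pscustomobject]@{
        VirtualRoot = $vroot
        SslFlags    = "$flags"
        RequiresSsl = ("$flags" -split '\s*,\s*') -contains 'Ssl'
    }
}
$report | Format-Table -AutoSize

# Confirm a certificate is bound on the WSUS HTTPS port (8531 in the post).
$bindings = @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 8531 })
if (-not $bindings) { Write-Warning 'No certificate is bound to port 8531.' }
foreach ($b in $bindings) {
    # Show which certificate the binding points at and when it expires.
    Get-Item "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)" |
        Select-Object Subject, Thumbprint, NotAfter
}
```

Any row with RequiresSsl set to False means that virtual root still accepts plain HTTP.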
