{"id":166,"date":"2019-03-20T16:03:18","date_gmt":"2019-03-20T20:03:18","guid":{"rendered":"http:\/\/blog.jamesblakeley.ca\/?p=166"},"modified":"2020-02-06T14:35:43","modified_gmt":"2020-02-06T19:35:43","slug":"wsus-installation-on-server-2016-core","status":"publish","type":"post","link":"http:\/\/blog.jamesblakeley.ca\/?p=166","title":{"rendered":"WSUS Installation on Server 2016 Core or Server 2019 Core"},"content":{"rendered":"<h3><strong>Install Server 2016 Core<\/strong><\/h3>\n<p>Deploy Windows Server 2016\/2019 Core from Template<\/p>\n<p>To add a 2nd Data drive<\/p>\n<p>DISKPART&gt; list disk<br \/>\nDISKPART&gt; select disk (id)<br \/>\nDISKPART&gt; online disk (if the disk is not online)<br \/>\nDISKPART&gt; attributes disk clear readonly<br \/>\nDISKPART&gt; clean<br \/>\nDISKPART&gt; convert gpt<br \/>\nDISKPART&gt; create partition primary<br \/>\nDISKPART&gt; select part 1<br \/>\nDISKPART&gt; active (if\u00a0this is the\u00a0boot partition)<br \/>\nDISKPART&gt; format fs=ntfs label=WSUSData quick<br \/>\nDISKPART&gt; assign letter D<br \/>\nDISKPART&gt; list volume<\/p>\n<h3>Install WSUS\/WID Role<\/h3>\n<ul>\n<li>From the console of your newly deployed Windows Server 2016\/2019 Core System<\/li>\n<li>Log in with your Administrator Account<\/li>\n<li>Open PowerShell<\/li>\n<li>Install-WindowsFeature -Name UpdateServices -IncludeManagementTools<\/li>\n<li>New-Item -Path D: -Name WSUS -ItemType Directory<\/li>\n
<li>CD &quot;C:\\Program Files\\Update Services\\Tools&quot;<\/li>\n<li>.\\wsusutil.exe postinstall content_dir=D:\\WSUS<\/li>\n<li>Get-WSUSServer<\/li>\n<li>Set-WsusServerSynchronization -SyncFromMU<\/li>\n<\/ul>\n<h3><strong>Enable SSL for WSUS<\/strong><\/h3>\n<h4><strong>Create a signed Certificate<\/strong><\/h4>\n<p>I will be using an internal IIS &amp; Microsoft Certificate Authority to create and mint the certificate.<\/p>\n<p>You will require an IIS Console and Certificate Authority Administration tools installed on your workstation or server. 
(I will be using the Certificate Authority as my source)<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Open Administrative Tools and Select Internet Information Services (IIS) Manager<\/li>\n<li>Under IIS Select Server Certificates<\/li>\n<li>On the Actions pane Select <strong>Create Certificate Request<\/strong><\/li>\n<li>Enter the following as an example\n<ul>\n<li>Common Name: wsus.domain.local<\/li>\n<li>Organization: Company<\/li>\n<li>Organizational Unit: IT<\/li>\n<li>City\/Locality: City<\/li>\n<li>State\/Province: Province<\/li>\n<li>Country\/region: Canada<\/li>\n<\/ul>\n<\/li>\n<li>Click Next<\/li>\n<li>Save the certificate request to your documents or desktop and give it a name such as WSUS.txt<\/li>\n<li>Click Next\/Finish<\/li>\n<li>Select <strong>Microsoft RSA SChannel Cryptographic Provider<\/strong><\/li>\n<li>Select Bit Length of <strong>2048<\/strong><\/li>\n<li>Click Next<\/li>\n<li>Open a browser to your Active Directory Certificate Services page <strong>http:\/\/CAServer\/certsrv<\/strong><\/li>\n<li>Select\u00a0<strong>Request a certificate<\/strong><\/li>\n<li>Select <strong>Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file<\/strong><\/li>\n<li>Open the WSUS.txt<\/li>\n<li>Select All and copy<\/li>\n<li>Paste the content into the Saved Request Section<\/li>\n<li>Select your Web Server Template<\/li>\n<li>In the additional attributes we will be adding various Subject Alternative Names (SAN), as this should cover any SSL warnings\/errors<\/li>\n<li>SAN:DNS=WSUS&amp;DNS=WSUS.domain.local&amp;DNS=ShortComputerName&amp;DNS=FullyQualifiedDomainName<\/li>\n<li>Click Submit<\/li>\n<li>Select <strong>Base 64 encoded<\/strong><\/li>\n<li>Download certificate<\/li>\n<li>Save the .cer file to your documents or desktop (specify a unique name)<\/li>\n<li>Minimize the browser and return to the IIS Manager<\/li>\n<li>In the Actions pane 
select\u00a0<strong>Complete Certificate Request<\/strong><\/li>\n<li>In the first box find the certificate we just created<\/li>\n<li>In the friendly name choose something that fits your standards (WSUS.domain.local)<\/li>\n<li>Click OK<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>We will now export the certificate so we can import it into our WSUS server<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Select the Server Certificate, right click and select Export<\/li>\n<li>Select a place to save the pfx such as documents or desktop and give it a unique name<\/li>\n<li>Enter a password to be used later, for example WSUS<\/li>\n<li>Click OK<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>We will now import the certificate to our WSUS server. This will install it into the Local Computer Personal Certificates store<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Copy the .pfx file to a temporary location on the WSUS Server, in my example c:\\tools<\/li>\n<li>Connect to the WSUS server through RDP or through a VMware console<\/li>\n<li>From the cmd prompt type the following<\/li>\n<li><span style=\"color: #000000;\"><strong>certutil -p WSUS -importpfx &quot;c:\\tools\\WSUS.pfx&quot;<\/strong><\/span><\/li>\n<li>You should get the following messages\n<ul>\n<li>Certificate was added to store<\/li>\n<li>Certutil: importPFX command completed successfully<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>To verify from a management server that the import was successful<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Open <strong>MMC<\/strong><\/li>\n<li>Add\/Remove Snap-in, select Certificates, then Add<\/li>\n<li>Select Computer Account<\/li>\n<li>Click Finish<\/li>\n<li>Select Another Computer and enter in your WSUS Server<\/li>\n<li>Click Finish<\/li>\n<li>Click OK<\/li>\n<li>Expand the certificates<\/li>\n<li>Expand \\\\hostname\\personal\\certificates<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>If all has gone to plan you should now see the Certificate we created<\/p>\n<h4 
class=\"entry-title\">Enable IIS\/Remote web management<\/h4>\n<p>Because we are using Windows Server 2016 Core to house the WSUS Server, I will be using Server Manager to remotely manage the IIS site, which is disabled by default<br \/>\nThis section will walk through the requirements for managing IIS from a remote computer<\/p>\n<p><span style=\"color: #ff0000;\">Note: I will research and add in the PowerShell version at a later date<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Log in to the Console \/ RDP Session to your WSUS Server<\/li>\n<li>From the command prompt launch PowerShell<\/li>\n<li>To install the features type\u00a0<strong>Install-WindowsFeature -name Web-Mgmt-Service<\/strong><\/li>\n<li>Set-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\WebManagement\\Server -Name EnableRemoteManagement -Value 1<\/li>\n<li>or<\/li>\n<li>Open <strong>Regedit<\/strong><\/li>\n<li>Navigate to HKLM\\Software\\Microsoft\\WebManagement\\Server<\/li>\n<li>Change EnableRemoteManagement to 1<\/li>\n<li>Close Regedit<\/li>\n<li>Exit PowerShell to return to a command prompt<\/li>\n<li>Run the following to enable the service to start automatically<\/li>\n<li><strong>SC Config WMSVC Start= Auto<\/strong><\/li>\n<li><strong>Net Start WMSVC<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>You should now be able to connect to the WSUS IIS from a Remote Computer<\/p>\n<h4 class=\"entry-title\">BIND SSL certificate \/ enable https<\/h4>\n<p>Connect to your Workstation \/ Server with Remote Management Capabilities<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Launch IIS Console<\/li>\n<li>Right Click on the Start Page and select\u00a0<strong>Connect to a Server<\/strong><\/li>\n<li>Enter in your WSUS Site<\/li>\n<li>Enter in your Administrator details<\/li>\n<li>Click Connect<\/li>\n<li>Expand your server, expand the Sites and select <strong>WSUS 
Administration<\/strong><\/li>\n<li>Right Click and Select\u00a0<strong>Edit Bindings<\/strong><\/li>\n<li>Select the https site and click Edit<\/li>\n<li>Select the SSL Certificate we created earlier<\/li>\n<li>Click OK<\/li>\n<li>We now need to enforce SSL encryption on the following virtual roots\n<ul>\n<li>ApiRemoting30<\/li>\n<li>ClientWebService<\/li>\n<li>DSSAuthWebService<\/li>\n<li>ServerSyncWebService<\/li>\n<li>SimpleAuthWebService<\/li>\n<\/ul>\n<\/li>\n<li>To do so expand <strong>WSUS Administration<\/strong><\/li>\n<li>Select the virtual site<\/li>\n<li>In the main pane select <strong>SSL Settings<\/strong><\/li>\n<li>Select <strong>Require SSL<\/strong> and set Client Certificates to <strong>Ignore<\/strong><\/li>\n<li>Click Apply in the Actions pane menu<\/li>\n<li>Repeat for each virtual root<\/li>\n<li>To ensure WSUS uses the SSL certificate we will be issuing the following command from the WSUS server Console<\/li>\n<li>Change to the following directory <strong>c:\\Program Files\\Update Services\\Tools<\/strong><\/li>\n<li>Run the following with the FQDN of the WSUS server we will be using<\/li>\n<li><strong>WSUSUtil.exe configuressl wsus.domain.local<\/strong><\/li>\n<li>Restart the WSUS server\u00a0<strong>shutdown \/r \/t 0<\/strong>\u00a0for changes to take effect<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Once the Server reboot is complete we will be verifying that the certificate is working properly<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Navigate to https:\/\/FQDN:8531<\/li>\n<li>Check that the cert is trusted, and it is time to move on to the next section<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Install Server 2016 Core Deploy Windows Server 2016\/2019 Core from Template To add a 2nd Data 
drive DISKPART&gt; list disk DISKPART&gt; select disk (id) DISKPART&gt; online disk (if the disk is not online) DISKPART&gt; attributes disk clear readonly DISKPART&gt; clean DISKPART&gt; convert gpt DISKPART&gt; create partition primary DISKPART&gt; select part 1 DISKPART&gt; active (if\u00a0this is the\u00a0boot partition) DISKPART&gt; format fs=ntfs label=WSUSData quick DISKPART&gt; assign letter D DISKPART&gt; list volume Install WSUS\/WID Role From the console of your newly deployed Windows Server 2016\/2019 Core System Log in with your Administrator Account Open PowerShell Install-WindowsFeature -Name UpdateServices -IncludeManagementTools New-Item -Path D: -Name WSUS -ItemType Directory CD &quot;C:\\Program Files\\Update Services\\Tools&quot; .\\wsusutil.exe postinstall content_dir=D:\\WSUS Get-WSUSServer [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,8],"tags":[],"class_list":["post-166","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-wsus"],"_links":{"self":[{"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=\/wp\/v2\/posts\/166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=166"}],"version-history":[{"count":15,"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=\/wp\/v2\/posts\/166\/revisions"}],"predecessor-version":[{"id":176,"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=\/wp\/v2\/posts\/166\/rev
isions\/176"}],"wp:attachment":[{"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=166"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.jamesblakeley.ca\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}