In Part 2 and Part 3 of this series we focused a lot on the Unix and Macintosh side of things; in Part 1 we touched on using a Windows based computer as a proxy, and in Part 2 we focused heavily on the updates side of Apple devices. In this final part of the series I am going to show you how you can decrease your bandwidth usage, as well as speed up your Internet, by using a WSUS server (Windows Server Update Services). This does the same job as the Caching server we looked at last time, but deals with the Microsoft devices that you have at home. Unfortunately Microsoft are a little more restrictive about the types of OS you can run this on. Generally when I have set this up it has been on Windows Server 2003 to 2012, and even the standard editions of that software can range from £300 to £500 per processor core (depending on the licensing model you have), which is not a good starting point for me. I have a server licence for Windows Server 2008 R2 and this is what I personally run, but I managed to find an .ISO in my MSDN account for the trial version of Microsoft Windows Home Server 2011 (WHS2011, to save my fingers typing that out a couple of hundred times). This is a really good piece of kit if you have multiple Windows devices, and it can be run on a cheap server or an old desktop PC; my personal preference would be an HP Micro Server, as they are around £150 and sometimes even less depending on the offers available on the internet. They are great and I would recommend them (full disclosure: yes, I used to work for HP a long time ago, and I left just before the merger with EDS). If you already have a recent Intel based Mac Mini or other Mac then you can run this as a virtual machine, so long as you have at least 6Gb of RAM and a reasonably specced CPU.
Who would need a WSUS Server?
OK, so you're reading this and still with me on some of the terminology: you have several Microsoft devices and computers, such as tablet PCs, desktops and laptops. The other scenario is that you build and test out new builds for PCs, or you just need to get your updates quickly without all of your devices connecting to the internet to download them. Big businesses use them to control which updates get delivered and when they are delivered, according to company policy; they also need to control the level of patching so that their machines are protected, but they don't want several thousand computers all downloading the same information from the internet at the same time. It's just not an efficient or very good way of managing a lot of computers.
WHS2011 is £70 at retail; however, as this is now a discontinued product you can pick up a copy for around £30, as retailers want to offload the stock and not take such a hit on the balance sheet. What has replaced it is Windows Server 2012 Essentials, which is a full blown server install cut down to what you need; it also takes you from home user to System Admin in one huge leap.
What Does a WSUS Server Do?
The main focus of this is to make your external communications more efficient and less costly for those with usage caps. For example, the recent Windows 10 upgrade is 6Gb in size and is soon to be forced on all home users (and some businesses); if you have 10 computers that's a massive 60Gb of data that you're going to be downloading, and from a 100Gb cap that's 60% of it. Still not convinced? If you also use Microsoft Office 2010 then that will cost you another 4Gb in re-downloading it, plus the updates and patches to both products at around another 3Gb; if you are still with me on the maths for this then that's 130Gb, or 30% over the usage cap, and that's annoying. If you have other Microsoft products then those will also add to your data usage.
To put it into perspective, from when I started this blog post installing WHS2011, to installing WSUS and configuring it to download all the updates from Windows 98 to the current Windows 10 and Server 2012 R2, plus the applications that you can also update (Microsoft ones only, I'm afraid), the total is a staggering 219Gb, or just over two months of my satellite broadband usage cap (so firewalls up during the day and open between midnight and 0600). Within that are 95,998 updates and patches for Microsoft products, which to be fair isn't that bad for 18 years of products.
The investment in WHS2011 and a small server starts to look like a very good deal when you consider that data boosters for satellite broadband can be as high as £67 for an extra 100Gb. Waiting for the latest patches to download also sucks, so why not have it easy like us Mac people with caching servers? Generally your internet connection is going to be slow (or why else read this blog post?), and it's going to be even slower when all the computers are downloading the monthly updates.
If you're like me and build test machines all the time, then delete them and rebuild, having a WSUS server is great for getting the patches and updates, as it only ever touches your connection through the night in the free download time (which doesn't affect the usage cap), and you have all the updates and patches ready as soon as the machine is built.
So how does it all work?
So you're still with me on how this is a really good thing to have, you have found a copy of WHS2011 and an old desktop or laptop with at least 300Gb of space on the hard drive, or decided to get yourself an HP Micro Server (other brands are available). If you have a Windows based proxy and went down the Intel NUC route with that project, you could in fact run this alongside the proxy, so long as you have the space to download the updates. I personally have all the updates downloaded, but if you don't own a certain type of Microsoft product, for example Exchange Server, then you simply don't select that product for download. So once WHS2011 is set up and configured on your dedicated PC/Micro Server, and WSUS has been downloaded and configured, it will perform the following functions for you:
- Check the update servers on a schedule you set for new patches and downloads for Microsoft products, as well as some Adobe and Java applications.
- You will have to manually add your computers to the WSUS server to get the updates. It's not easy, but with the WHS client software it's made slightly easier; if you are running a Domain Controller and a full server then you would already have a group policy pointing clients at the WSUS server, but on WHS2011 you have to target them yourself. Not as easy as a Mac, sorry.
- The WSUS software will download the new patches and will await your approval to install them on client devices; again not as easy as a Mac, it's just more steps. Although if you are lazy (like me) you can set auto-approve and disable updates based on rules.
- Once approved, you can set a deadline for all devices to receive the updates, or you can stagger them based on the membership of a group; don't be put off by this, as it's just a technical term for which folder you have filed the types of computers under.
- Once the updates have been installed on the client PCs, the clients will report back to show which updates have been installed and which are still required by each client PC.
So you have probably guessed by now that WSUS is not a service you can just enable on WHS2011, but a separate application that is installed on top of the server OS; luckily Microsoft offer the application for free (Steve Ballmer was in a good mood the day of release). Whilst WSUS has been installed on test machines to run on a client OS, it's not supported and you have to do several very technical workarounds to get it to work successfully.
Once installed, upon first boot it will look a little bit like this; I had this already configured and downloading updates when the screenshot was taken. As you can see it's not as user friendly as a caching server, but it does have pretty pie charts.
To find the application, look on the start menu under Start/All Programs/Administrative Tools/Windows Server Update Services.
In short, it's well hidden unless you know where to look. Thanks Microsoft for making everything so user friendly. OK, I whine a lot about how Microsoft turn computer hobbyist types into low paid Sys Admins, ruining the pay rate of a Sys Admin, but for a company that is hell bent on the GUI instead of the CLI, they don't really put a lot of effort or thought into the actual GUI (he says, typing the draft up in Office 2016 for the Mac (Pages is available, I know)).
So is this going to be easy to set up?
In a word: No.
To qualify the above: it's not as easy as, say, the caching server, where I showed you the install, overview and setup of the service in a few clicks and took about 40 minutes to write up and take screenshots (it actually took me a lot longer to do the screenshots, as I already had a functioning server so had to build a test one in my virtual lab). It's a long and involved process to get this installed and configured.
Even in a corporate environment with several thousand PCs and servers, with Active Directory (that's the user accounts and passwords) and Group Policy Objects (basically these set out the company policy for the computers: where to look for things like the proxy, what the home page is in Internet Explorer and where to find the WSUS server), this could take a week to set up and confirm that every computer was connected and accounted for; this would mean physically checking the audit against what is being reported in WSUS as well as Active Directory.
To put it into perspective, I was asked by an NHS GP CCG to install WSUS to 106 sites (GP surgeries) with 111 servers across a county, as well as unify the Active Directory and Group Policy. The estimate for this work was 12 months from planning to implementation, with a cost of around £78,000 + VAT. I must add that they had 106 different sites working independently with different Active Directories and Group Policies, and required a single Active Directory and Group Policy model; so basically tidy up a haystack, find the sewing needle and make a nice shiny system (basically the IT equivalent of a miracle). This would have taken me working 5 days a week and between 8 and 16 hours a day, as well as working closely with the two third party vendors supplying the IT service to that CCG. Just to be clear, they pay a lot more than that per year just to have a help desk (and yes, it's farmed out to a service provider just like most other public services, and yes, they really do normally charge them 3 times what the job is worth). Sadly, with a Windows 7 deployment, a Windows 8.1 Pro deployment and an upcoming Windows 10 deployment, they didn't take me up on that offer, and when they did need that service I was unfortunately tied to another customer.
For the average home deployment of 10 PCs, as the number of devices is rather low, you should be able to get through the deployment and testing phases in a weekend, depending on your connection to the internet for the initial patch downloads. Once you have configured your initial client PC the rest will just fall into place rather easily; at most a couple of weekends. You can configure the clients whilst awaiting the patches to be downloaded, which will save time. If you want someone like me to do it for you, then if you provide the computer and WHS2011 (or Server Essentials 2012) it can be as little as £300 (including hardware and OS), or around £900 for the Micro Server and server OS, as well as the setup of up to 10 client PCs. So basically, following this blog post could potentially save you around £900 and actually lose me money (how good am I to you guys?).
Setting up the Server for WSUS
OK, so you're still with me and my phone hasn't rung because you want me to install one of these for you, and you have installed and configured your WHS2011 or WS2012E. You have also connected your computers to the WHS2011 using the supplied CD, which automatically connects you to the new server. You will notice that the WSUS service isn't available to you yet, but as already mentioned this is an add-on pack that you can download free of charge from the Microsoft site here. Don't forget, if you're using WHS2011 or Server 2012 it's the x64 version that you will need (it's 82.8Mb); if you're installing on Server 2008 x86 then you would need to download the x86 version.
- Once you have downloaded it, double click on the installer. When the installation window appears, choose:
- Full server installation including Administrative Console > Next
- Accept the Terms > Next
- WSUS Setup will choose the volume with the most space. You can change this to D:\WSUS or E:\WSUS as required > Next
- Use the built-in Windows Internal Database > Next
- Use the existing IIS Default Web site (Recommended) > Next
Note: If you do not choose the Default IIS Web site, you’ll need to specify the Microsoft update service location policy differently as follows (for example):
Specify intranet Microsoft update service location – Enabled
- When setup completes, cancel the Configuration Wizard that appears. Open WSUS by navigating to Administrative Tools > Windows Server Update Services.
- On the left, expand SERVERNAME > Computers > All Computers. You can create computer groups, such as Workstations, Servers and Notebooks. When your workstations report to WSUS they'll appear in the All Computers group, but can be moved as required.
- Click on Options > Source and Proxy Server > Proxy Server (tab). Enter your proxy and port, then click OK. You should have this information from Part 1 of this series of blog posts.
- Products and Classifications. By default few products are displayed, but don't worry. Choose Windows 7 or Windows 8 as a minimum, plus WHS2011 or WS2012E as applicable. Click the Classifications tab and enable:
  - Critical Updates
  - Definition Updates
  - Security Updates
  - Update Rollups
  - Updates, then click OK.
- Update Files and Languages > Update Languages (tab) > Download updates only in these languages. Tick English and/or any others you use, then click OK.
- Synchronization Schedule > Synchronize Automatically. Specify 00:10:00 and 1 synchronization per day. Click OK.
- The time really can be set to your preference, but I suggest that if you have a usage cap and a free usage period then use that period to do the updates.
- Automatic Approvals. Tick to enable Default Automatic Approval Rule. Just below this, click the Critical Updates link. Tick to enable:
  - Critical Updates
  - Definition Updates
  - Security Updates
  - Update Rollups
  - Updates, click OK, and OK.
For the e-mail settings I have left this disabled, because my setup changes frequently and never has the same number of servers and clients, and they change as well (it's a lab environment). But if you want to set this up then you can do the following:
- E-Mail Notifications. Tick to enable Send e-mail notification when new updates are synchronized. Enter your e-mail address.
- Tick to enable Send Status Reports. Specify:
  - Frequency: Weekly
  - Send reports at: 06:00:00 (or whatever you think is best)
  - Recipients: Enter your e-mail address
- Click the E-mail Server tab. Specify your SMTP server. If you do not know this, enquire with your LA or ISP.
  - Sender name: WSUS
  - E-mail address: WSUS@yourdomain.com, then click OK.
- Click Synchronizations (near the top left), then near the top right click Synchronize Now. Wait for the synchronization process to complete, then return to Options > Products and Classifications. This will now be fully populated. Tick additional products such as Windows 7, Windows Server 2008 R2 and Office 2010 depending on your requirements. Click OK, return to Synchronizations, then click Synchronize Now (depending on your options this is going to take an age; grab a coffee, something to eat, and set about configuring your clients using the client sections that follow).
Not a hard setup, but the waiting for downloads could be a pain in the backside, and it's where most of your time is going to be taken up if you let it. My advice is to go for a break, set up the clients and then go and do something else like walk the dogs, paint the house or something constructive; if you are like me you will start a new project, like building a script to install Windows and import it into a WDS server, which I will be showing you how to do in a future blog.
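As an added example (my code, not from the post or from Microsoft), the PowerShell below reads the options you just set in the console back through the WSUS 3.0 administration API that the full server install puts on the box: synchronization schedule, proxy, classifications, products, languages and the last sync result. It also flags one setting the console steps above do not mention: under Options > Computers the server must be set to "Use Group Policy or registry settings on computers", otherwise the TargetGroup your clients send is ignored and they all land in Unassigned Computers. It assumes you run it in PowerShell on the WSUS server itself; the Get-WsusOptionReport function and the warning rules are mine, and it changes nothing.

```powershell
# Added example, not from the original post: read back the WSUS options the console
# steps above set, via the WSUS 3.0 administration API (installed with the console).
# Run in PowerShell on the WSUS server itself. Read-only: it changes nothing.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()  # local server
$sub  = $wsus.GetSubscription()    # schedule, products and classifications
$cfg  = $wsus.GetConfiguration()   # proxy, languages, targeting mode

function Get-WsusOptionReport {
    # Returns a hashtable of the settings the post walks through, plus a Warnings list.
    $report = @{}
    $report.SyncAutomatically = $sub.SynchronizeAutomatically
    $report.SyncTimeOfDay     = $sub.SynchronizeAutomaticallyTimeOfDay   # post suggests 00:10:00 (free-usage window)
    $report.SyncsPerDay       = $sub.NumberOfSynchronizationsPerDay       # post suggests 1
    $report.Proxy             = if ($cfg.UseProxy) { "$($cfg.ProxyName):$($cfg.ProxyServerPort)" } else { 'none' }
    $report.Classifications   = @($sub.GetUpdateClassifications() | ForEach-Object { $_.Title })
    $report.Products          = @($sub.GetUpdateCategories()      | ForEach-Object { $_.Title })
    $report.Languages         = @($cfg.GetEnabledUpdateLanguages()) -join ', '
    $report.TargetingMode     = "$($cfg.TargetingMode)"   # 'Client' = use Group Policy / registry settings
    $last = $sub.GetLastSynchronizationInfo()
    $report.LastSync          = if ($last) { "$($last.Result) ($($last.StartTime) to $($last.EndTime))" } else { 'never' }

    $warn = New-Object System.Collections.Generic.List[string]
    if (-not $sub.SynchronizeAutomatically) {
        $warn.Add('Synchronize Automatically is off: nothing will download in your overnight window.')
    }
    if ($report.TargetingMode -ne 'Client') {
        $warn.Add('Options > Computers uses console targeting: the TargetGroup the clients send is ignored. Choose "Use Group Policy or registry settings on computers".')
    }
    foreach ($c in 'Critical Updates','Definition Updates','Security Updates','Update Rollups','Updates') {
        if ($report.Classifications -notcontains $c) { $warn.Add("Classification '$c' from the post is not ticked.") }
    }
    if ($report.Products.Count -eq 0) {
        $warn.Add('No products selected: run Synchronize Now once, then pick products under Products and Classifications.')
    }
    $report.Warnings = $warn
    return $report
}

$r = Get-WsusOptionReport
foreach ($k in 'SyncAutomatically','SyncTimeOfDay','SyncsPerDay','Proxy','Languages','TargetingMode','LastSync') {
    '{0,-18}: {1}' -f $k, $r[$k]
}
'Classifications   : ' + ($r.Classifications -join ', ')
'Products          : ' + ($r.Products -join ', ')
$r.Warnings | ForEach-Object { "WARN: $_" }
```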
Setting up Non Domain Clients
If you are going to be using WHS2011 then you won't technically have a domain, and you definitely won't have a group policy for your network, so you will need to jump through a few hoops to get your WSUS server and your clients talking to each other. In the first part of this section I have copied the information below for your convenience from the Microsoft website here, and in the second part I have created a little batch file that you can edit for your needs.
NOTE: – I don’t need to tell you not to believe everything you read on the internet and don’t just copy and paste and hope for the best with scripts found on the internet, not everyone is helpful and some people may want to harm your PC, my advice is always to check the work with another source and test with a virtual PC first and never use on your main PC in the first instance. That being said I have checked my work and I am genuine but feel free to search alternative sources of information as well (in fact I ask you to so that you get into the habit of doing so).
Using the registry editor
Administrators who do not wish to use Group Policy may set up client computers using the registry. Registry entries for the WSUS server are located in the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
The keys and their value ranges are listed in the following table.
Windows Update registry keys

| Entry name | Data type | Values |
|---|---|---|
| AcceptTrustedPublisherCerts | Reg_DWORD | Range = 1 or 0. 1 = Enabled: the WSUS server will distribute signed third-party updates if available. 0 = Disabled: the WSUS server will not distribute third-party updates. |
| ElevateNonAdmins | Reg_DWORD | Range = 1 or 0. 1 = Users in the Users security group are allowed to approve or disapprove updates. 0 = Only users in the Administrators user group can approve or disapprove updates. |
| TargetGroup | Reg_SZ | Name of the computer group to which the computer belongs, used to implement client-side targeting (for example, "TestServers"). This policy is paired with TargetGroupEnabled. |
| TargetGroupEnabled | Reg_DWORD | Range = 1 or 0. 1 = Use client-side targeting. 0 = Do not use client-side targeting. This policy is paired with TargetGroup. |
| WUServer | Reg_SZ | HTTP(S) URL of the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid. |
| WUStatusServer | Reg_SZ | The HTTP(S) URL of the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid. |
| DisableWindowsUpdateAccess | Reg_DWORD | Range = 1 or 0. 1 = Disables access to Windows Update. 0 = Enables access to Windows Update. |
Using the Script
Like I have said before, check what is in the script below against the table above, as well as by visiting the Microsoft website above and googling what you want to do using this search term:
“how to setup WSUS to target non domain connected computers”.
rem Registry edit of a non-domain computer to use a local WSUS server. Example WSUS URL: http://Home-Server:85 - change the values to suit your environment.
rem Target URL of the WSUS server
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /t REG_SZ /d "http://Home-Server:85"
rem Target URL of the server to which reporting information will be sent (must be the same value as WUServer)
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /t REG_SZ /d "http://Home-Server:85"
rem WSUS computer group this computer belongs to (used for client-side targeting)
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetGroup" /t REG_SZ /d "Workstations"
rem Use client-side targeting
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetGroupEnabled" /t REG_DWORD /d 1
rem Automatically download and notify of installation
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3
rem Logged-on user gets to choose whether or not to restart his or her computer
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1
rem Enable Automatic Updates
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0
rem The WSUS server is not used unless this value is set
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_DWORD /d 1
rem Restart the Windows Update service so it picks up the new policy
net stop "Windows Update"
net start "Windows Update"
rem Report to, and check for updates from, the WSUS server
wuauclt /reportnow /detectnow
Copy the script above and paste it into Notepad, then save it as a .bat (batch) file: in Save As, set the file type to All Files and replace the .txt extension with .bat. This gives you a batch file to run on your client PCs; right-click it and choose Run as administrator, as it writes to HKLM. If a value already exists, reg.exe will ask whether you are sure you want to overwrite it; answer Yes only when you are sure.
For the HTTP URL, change this to your server's hostname and port (mine is on port 85); Home-Server should be the hostname of the WSUS server.
NOTE: – Change the “Workstations” value in the TargetGroup line (which I have marked in red) to the name of the group you have created, and add your computer to this group if it doesn't get added automatically. Other than that it should work.
Setting up Domain Connected Clients
If you have an Active Directory (lucky you), that is Windows Server 2012 Essentials (or any Microsoft server from 2003 upwards), then you can set up a group policy to tell the clients connected to your domain where to get the updates. You do this on the server and it will eventually update each of the clients with the policy, but this can take a couple of days and several reboots.
- To enable your workstations to report to your WSUS server, navigate to Computer Config > Admin Templates > Windows Components > Windows Update
- Specify the following policies:
  - Do not display ‘Install Updates and Shutdown’ option in Shutdown Windows dialogue box – Not Configured
  - Do not adjust default option to ‘Install Updates and Shutdown’ in Shutdown Windows dialogue box – Not Configured
  - Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates – Not Configured
  - Configure Automatic Updates – Enabled
    - 4 – Auto download and schedule the install
    - 0 – Every day
  - Specify intranet Microsoft update service location – Enabled
  - Automatic Updates detection frequency – Enabled
    - 1 Hour(s)
  - Allow non-administrators to receive update notifications – Disabled
  - Turn on Software Notifications – Not Configured (enable if you want Java and Adobe updates)
  - Allow Automatic Updates immediate installation – Enabled
  - Turn on recommended updates via Automatic Updates – Disabled
  - No auto-restart with logged on users for scheduled automatic updates installations – Enabled
  - Re-prompt for restart with scheduled installations – Enabled or Disabled (do you want nagging to reboot or not?)
  - Delay restart for scheduled installations – Not Configured
  - Reschedule Automatic Updates scheduled installations – Enabled
    - 15 Minutes
  - Enable client-side targeting – Enabled
  - Allow signed updates from an Intranet Microsoft Update service location – Disabled
- Your domain connected workstations will then start reporting to your WSUS console.
- WSUS setup complete, all from the server console :) That was easy.
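Both the batch script for non-domain clients and the group policy settings above end up as values under the same WindowsUpdate policy key on the client, so one check covers both kinds of client. The PowerShell below is an added example (my code, not from the post or from Microsoft) that reads those values back on a client and flags the pairing mistakes the registry table calls out (WUServer without a matching WUStatusServer, TargetGroupEnabled without a TargetGroup, UseWUServer not set) as well as the settings the post recommends; it assumes the WSUS URL http://Home-Server:85 from the script above, and the Get-PolicyValue and Test-WsusClientPolicy function names are mine.

```powershell
# Added example, not from the original post: audit a client's Windows Update policy keys
# against what the batch script (non-domain) and the GPO (domain) sections configure.
# Both paths write the same keys, so the same check works for either kind of client.
# Assumption: your WSUS URL is the one used in the post's script; change it to match.
$ExpectedWUServer = 'http://Home-Server:85'
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU   = "$Base\AU"

function Get-PolicyValue {
    # Returns the named value from a policy key, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WsusClientPolicy {
    # Returns a list of findings; an empty list means the client matches the post's settings.
    $findings = New-Object System.Collections.Generic.List[string]

    $wuServer = Get-PolicyValue $Base 'WUServer'
    $wuStatus = Get-PolicyValue $Base 'WUStatusServer'
    # Table rule: WUServer and WUStatusServer must both be set, and to the same value.
    if (-not $wuServer -or -not $wuStatus) {
        $findings.Add('WUServer/WUStatusServer not set: client will talk to Microsoft Update, not your WSUS.')
    } elseif ($wuServer -ne $wuStatus) {
        $findings.Add("WUServer ($wuServer) and WUStatusServer ($wuStatus) differ, so the pair is invalid.")
    } elseif ($wuServer.TrimEnd('/') -ne $ExpectedWUServer) {
        $findings.Add("Client points at $wuServer, expected $ExpectedWUServer.")
    }
    # The script's comment is right: the WSUS URL is ignored unless UseWUServer = 1.
    if ((Get-PolicyValue $AU 'UseWUServer') -ne 1) { $findings.Add('UseWUServer is not 1: the WSUS URL is ignored.') }
    # Updates fetched over plain http:// are unprotected in transit on your LAN; prefer an https:// WSUS site if you can.
    if ($wuServer -and $wuServer -notmatch '^https://') { $findings.Add("WSUS URL $wuServer is http://, not https://.") }

    # Client-side targeting: TargetGroupEnabled and TargetGroup are a pair.
    $tg = Get-PolicyValue $Base 'TargetGroup'
    if ((Get-PolicyValue $Base 'TargetGroupEnabled') -eq 1 -and [string]::IsNullOrEmpty($tg)) {
        $findings.Add('TargetGroupEnabled = 1 but TargetGroup is empty: computer will land in Unassigned Computers.')
    }

    # Values the post sets, with the step that sets them. Required = $true means absence is also a finding.
    $expected = @(
        @{ Path = $AU;   Name = 'NoAutoUpdate';                  Value = 0; Required = $true;  Why = 'Enable Automatic Updates' },
        @{ Path = $AU;   Name = 'NoAutoRebootWithLoggedOnUsers'; Value = 1; Required = $true;  Why = 'No auto-restart with logged on users' },
        @{ Path = $Base; Name = 'AcceptTrustedPublisherCerts';   Value = 0; Required = $false; Why = 'Allow signed updates from an intranet location - Disabled' },
        @{ Path = $Base; Name = 'ElevateNonAdmins';              Value = 0; Required = $false; Why = 'Allow non-administrators to receive update notifications - Disabled' }
    )
    foreach ($e in $expected) {
        $actual = Get-PolicyValue $e.Path $e.Name
        if (($null -eq $actual -and $e.Required) -or ($null -ne $actual -and $actual -ne $e.Value)) {
            $findings.Add("$($e.Name) = '$actual', expected $($e.Value) ($($e.Why)).")
        }
    }
    return $findings
}

$results = Test-WsusClientPolicy
# AUOptions differs by path in the post (3 in the batch script, 4 in the GPO), so it is reported, not judged.
Write-Output ("AUOptions = '{0}' (3 = download and notify, as in the batch script; 4 = auto download and schedule, as in the GPO)" -f (Get-PolicyValue $AU 'AUOptions'))
if ($results.Count -eq 0) { Write-Output 'OK: client WSUS policy matches the settings from this post.' }
$results | ForEach-Object { Write-Output "WARN: $_" }
```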
Well, those are the steps you will be required to take if you were to set up your own WSUS server. I must apologise for the lack of screenshots; I have two good reasons for this: 1, showing you screenshots of my internal lab could expose some of my customers' names, which would be a bad idea, and 2, it would expose my lab environment, again something that I don't really want to do. Hopefully in the next couple of weeks I will have a new environment that I can play on, which will be totally separate, so that I can actually add video content to the site of me actually working!
In the next blog I have a very, very quick and interesting one for you: it's how Apple have made the Mac Mini 2014 a pain in the bum to upgrade if you don't buy the one with the SSD/HDD (Fusion Drive) when you buy it from Apple. I will also show you how you can get round this and give you the part numbers so that you can upgrade it yourself :)