2-WSUS without AD in a WorkGroup Environment

Source

Today I will show you how to install a WSUS server on Windows Server 2019 and push out updates to machines in a workgroup environment without Active Directory.
I used the sources below as reference:

Requirement

System Requirement

Configure Firewall on WSUS Server

To obtain updates from Microsoft Update, the WSUS server uses TCP ports 80 and 443 and UDP port 53.
To push out updates to clients, allow inbound TCP ports 8530 and 8531 (WSUS may already have added these rules).

You must allow Internet access from WSUS to the following list of URLs:

Install WSUS Server

Install Role

Manage -> Add Roles and Features

  • Installation Type: Role-based or feature-based installation
  • Server Selection: Select a server from the server pool
  • Server Roles:
    • Windows Server Update Services
    • Web Server (IIS)
  • Features: Default
  • WSUS
    • Role Services: WID Connectivity, WSUS Services
    • Content: Enter the path that will store update content on your server (example: C:\Update)
  • Web Server Role (IIS): default

Post-Installation Task

Configure WSUS Server

Tools -> Windows Server Update Services -> Options -> WSUS Server Configuration Wizard

  • Choose Upstream Server: if this is your main WSUS server, choose Synchronize from Microsoft Update
  • Specify Proxy Server:
    • Start Connecting: performs the first synchronization with the Microsoft Update servers to get the update catalog. This may take a while to finish
  • Choose Languages: choose the languages you want
  • Choose Products: choose the products that you want to update
  • Choose Classifications: ideally choose only Critical Updates, Definition Updates, Security Updates and Upgrades
  • Configure Sync Schedule: configure how often the WSUS server synchronizes updates with Microsoft
  • Finished: check Begin initial synchronization

WSUS walkthrough

  • Update Services: for viewing overall information about WSUS and the update download progress
  • Updates: for approving or declining updates
  • Computers: for managing the client computers that receive updates
  • Reports: for accessing reports
  • Synchronizations: for manually synchronizing with the Microsoft servers to get the newest updates
  • Options: for additional configuration
    • Computers: change to “Use Group Policy or registry settings on computers”

Configure Clients to Connect to the WSUS Server

Create a registry script

Create a .reg file with the content below and run it with administrator privileges

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"AcceptTrustedPublisherCerts"=dword:00000001
"ElevateNonAdmins"=dword:00000001
"TargetGroup"="<Groupname>"
"TargetGroupEnabled"=dword:00000000
"WUServer"="http://<WSUS IP Server>:8530"
"WUStatusServer"="http://<WSUS IP Server>:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000004
"AUPowerManagement"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000001
"DetectionFrequency"=dword:0000000a
"DetectionFrequencyEnabled"=dword:00000001
"IncludeRecommendedUpdates"=dword:00000001
"NoAUAsDefaultShutdownOption"=dword:00000001
"NoAUShutdownOption"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"RebootRelaunchTimeout"=dword:0000000a
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RescheduleWaitTime"=dword:0000000a
"RescheduleWaitTimeEnabled"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001

Note:

  • Replace <WSUS IP Server> with your server's IP address
  • Replace <Groupname> with the name of the group you want the client placed in. The group name must match the group on the WSUS server
  • "TargetGroupEnabled"=dword: enables or disables the group function (client-side targeting)
    • 00000000 : disable
    • 00000001 : enable

Periodically run this command to force the client to check in with the WSUS server

wuauclt /detectnow /reportnow
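As an added example (not part of the original post), the same client settings applied with PowerShell instead of the .reg file, which is easier to run on many workgroup machines that have no Group Policy; it then reads the values back, warns when the server URL is plain HTTP, and triggers a detection cycle through the Windows Update agent's COM interface as a supported alternative to wuauclt. The server address, group name and the -UseHttps switch are assumed parameters.

```powershell
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$WsusServer,   # IP or host name of the WSUS server (assumed)
    [string]$TargetGroup = 'Workgroup-PCs',      # must match a computer group on the server
    [switch]$UseHttps                            # use port 8531 instead of 8530
)

# Same endpoints as the .reg file; WSUS listens on 8530 (HTTP) and 8531 (HTTPS).
$url = if ($UseHttps) { "https://${WsusServer}:8531" } else { "http://${WsusServer}:8530" }

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
New-Item -Path $auKey -Force | Out-Null   # creates the parent key too if it is missing

# Values taken from the .reg file above: point the agent at WSUS and enable client-side targeting.
$wuValues = @{
    WUServer = $url; WUStatusServer = $url
    TargetGroup = $TargetGroup; TargetGroupEnabled = 1
    AcceptTrustedPublisherCerts = 1; ElevateNonAdmins = 1
}
$auValues = @{
    UseWUServer = 1; NoAutoUpdate = 0
    AUOptions = 4                     # auto-download and schedule the install
    ScheduledInstallDay = 0           # every day
    ScheduledInstallTime = 3          # 03:00
    DetectionFrequencyEnabled = 1; DetectionFrequency = 10   # hours
    NoAutoRebootWithLoggedOnUsers = 1
}
foreach ($name in $wuValues.Keys) {
    $type = if ($wuValues[$name] -is [string]) { 'String' } else { 'DWord' }
    Set-ItemProperty -Path $wuKey -Name $name -Value $wuValues[$name] -Type $type
}
foreach ($name in $auValues.Keys) {
    Set-ItemProperty -Path $auKey -Name $name -Value $auValues[$name] -Type DWord
}

# Verify what the agent will actually read before trusting the result.
$applied = Get-ItemProperty -Path $wuKey
if ($applied.WUServer -ne $url) { throw "WUServer was not applied: $($applied.WUServer)" }
if ($applied.WUServer -notlike 'https://*') {
    Write-Warning 'WUServer uses plain HTTP; traffic to the WSUS server is not protected in transit.'
}

# Restart the agent so the new policy is read, then ask it to detect against WSUS now.
Restart-Service wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

Run it as `.\Set-WsusClient.ps1 -WsusServer 192.0.2.10 -TargetGroup Workgroup-PCs` (constructed values); the client appears under that group in the WSUS console after its next report.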

TroubleShooting

Client can't get updates

Increase the memory limit of the WsusPool application pool in IIS

  • Right-click WsusPool -> Advanced Settings
  • Under the Recycling section, change Private Memory Limit to a higher value or 0 (unlimited memory)