Quick Start Guide

This is for configuring the environment from scratch.

 

Install WSUS

The Patch Solution supports Windows Server Core or the Windows Server Full Installation

  1. My recommendation, Add a Secondary Data Disk for WSUS Content
Diskpart.exe
  Select Disk 1
   Online Disk
   Attrib Disk clear readonly
   Clean
   Create Part Primary
List Vol
Select Vol 3
   Assign Letter=E
   Exit
Echo Y|Format E: /V:WSUSData01 /Q

--- OR ---
POWERSHELL:

Get-Disk

# Use the output and set the disknumber to the disk that you want to use for the data disk (In most cases, Disk 1)




$disknumber = 1


Get-Disk -Number $disknumber  | Set-Disk -IsOffline $false

Get-Disk -Number $disknumber  | Set-Disk -IsReadOnly $false

Initialize-Disk -Number $disknumber

Get-Disk $disknumber


$partition = New-Partition -DiskNumber $disknumber -UseMaximumSize -AssignDriveLetter

Format-Volume -DriveLetter $partition.DriveLetter -FileSystem NTFS -NewFileSystemLabel WSUSData01 -Confirm:$false



  1. Allow connections to the CNAME "WSUS" or "WSUS.DomainName.com"
Reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v BackConnectionHostNames /t  REG_MULTI_SZ /d "%COMPUTERNAME%"\0"%COMPUTERNAME%.%USERDNSDOMAIN%"\0"WSUS"\0"WSUS.%USERDNSDOMAIN%"

Reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v DisableStrictNameChecking /t  REG_DWORD /d 1
  1. Prepare the Automatic Update Service
Sc config wuauserv start= auto
Net start wuauserv
  1. Install WSUS
PowerShell -Command "Install-WindowsFeature UpdateServices-Services, UpdateServices-WidDB,UpdateServices-API

 

  1. WSUS Post Configuration
C:
CD \Program Files\Update Services\Tools
Mkdir E:\WSUS
WsusUtil.exe postinstall CONTENT_DB=E:\WSUS
 

Infrastructure Configuration

  1. Create a DNS CNAME Record to your WSUS Server (Ex. PATCH01)
PS C:\Windows\system32> $zone = "myDnsZone.com"
PS C:\Windows\system32> Add-DnsServerResourceRecordCName -ZoneName $zone -HostNameAlias "PATCH01.$zone" -Name WSUS -ComputerName $zone
  1. Create WSUS Service Account "SVC_WSUS"
Net LocalGroup "WSUS Reporters" /Add domain\svc_wsus
Create an Exchange Mailbox for the user, do not show in GAL

 

Install Patch Solution Code / Share

  1. Install the solution to a Share Reachable to all WSUS Clients (Use the WSUS Server)
PowerShell -Command "New-Item -Type Directory C:\PatchSolution"
PowerShell -Command "New-SmbShare -Name WSUS -Path C:\PatchSolution -FullAccess 'corp\Domain Admins','corp\svc_WSUS' -ReadAccess 'SYSTEM','corp\Domain Computers','corp\Domain Controllers' -Description 'Patch Solution'"
  1. Edit the Config File
    Change the values. Ensure that the mail from is svc_wsus@CompanyDomain.com

Create and Configure Group Policy

  1. Create a group policy called “PatchSolution”. You can use any name or existing policy. Just when the update script is run, it will delete any schedule tasks that exist in it.
  2. Inside PatchSolution or any of your other Group Policies, configure:
    1. Computer Configuration / Administrative Templates / Windows Components / Windows Updates / Specify intranet Microsoft Update services location
      1. Enabled
      2. Intranet update service for detecting updates: http://wsus.demo.local:8530
      3. Intranet statistics server: http://wsus.demo.local:8530
    2. Computer Configuration / Administrative Templates / Windows Components / Windows Updates / Configure Automated Updates
      1. Enabled
      2. Configure automatic Updating: 3 – Auto download and notify for install
    3. Computer Configuration / Administrative Templates / Windows Components / Windows Updates / Turn on recommended updates via Automatic Updates
      1. Enabled
  3. Run:PowerShell –ExecutionPolicy bypass \\wsus\wsus\PatchSolutionUpdateGPO.ps1
  4. Look in the Group Policy Preferences for the Computer (Computer / Preferences / Control Panel Settings / Scheduled Tasks)

Patch Solution Reporting

  1. Install-WindowsFeature NET-Framework-Core,RSAT -IncludeAllSubFeature -Source D:\Sources\SXS
  2. Grant Logon As Batch Job to SVC_WSUS (Use GPEDIT or ntrights.exe)
  3. Create two scheduled tasks for PatchReport-Cryptic.ps1 and -Full Parameter
  4. Import the GPO
    Double check that the server names are the same in the task sequence powershell parameter action



Last edited Sep 3, 2015 at 10:43 PM by arafuse, version 4