Really like the more in-depth video style, that actually shows how things work in a typical environment, instead of showing how to press buttons in 10 minutes. Hopped onto your channel and was surprised you don't have a lot more videos like that. Would love to see more tutorials like this one from you.
Cheers.
I really appreciate the feedback and support. Comments like these push me to make more videos! I'll do my best!!!
Thank you for making this elaborately explained long video on the WSUS topic. It's much better than all the short videos out there on the subject.
Glad it was helpful!!!
Thank you so very much for making these videos. Finally someone who explains processes well and I can understand the person speaking. Very helpful.
Glad it was helpful and I appreciate the feedback! :)
Great video. Just for reference, the WSUS changed to "Configuration successfully completed" around 13:00.
Hey man. I know these videos take time. Thank you for the post. I had a couple random questions since I am migrating my WSUS to a new VM and it's been forever since I installed the service. Thank you for laying out the whole process. I appreciate it.
Tech support specialist here; amazing video! Will be using this to implement WSUS at work!
Glad it helped!
Heads up at 34:20, a threat actor can perform a man-in-the-middle attack and push out malicious software while posing as the WSUS server. I would recommend using SSL/TLS when possible. Otherwise, great video!
Great point! In production, SSL (with a valid cert) should always be used!
Great tutorial, easy to follow and understand! Keep up the good work.
Thank you for creating this content. This helps a lot!
Happy that it helps! 🙂
Thanks for this video. This really helped in setting up WSUS in my lab.
Thank you so much! Excellent video.
you are very good thanks for this tutorial.
You're certainly welcome! Glad it helped!
Very informative, thank you so much for educating us! Just a quick question: What should I study and where should I start to be able to comprehend (like you) such a vast amount of information on drivers, updates, OS, Servers and so on? I think it's very easy to confuse yourself and drawn into IT world and mess up everything in your head if you don't have any "mentor" or someone who could show you the path. I have recently passed my CCNA and it looks like I have to learn a lot more to be able to get into IT.
Hey there, thanks for the question! The key is to just keep learning and never stop. Always realize there's more people that know more than you, and be prepared to learn from them. Find yourself IT communities like VMUG and others, that you can connect with like minded folks in the industry. We all can't know everything, the key is to focus on what you enjoy, and keep your mind open to other things! :)
@StephenWagner Thank you! Appreciated🙏
Thank you for detailed tutorial.
You are welcome!
thanks for the information.
Glad it helped!
Awesome tutorial! Thanks for investing your time in creating this educative piece of work. My question quickly is this: how do you exempt the domain controller from automatically installing the updates as you mentioned that it is not safe to allow the server to run updates automatically? I noticed in this video, that you approved updates for the domain controller.
Hi Johnson, thanks for the feedback! As for your question, you should have different OUs (Organizational Units) for different computer objects. You always leave your domain controllers in the domain controllers OU (don't touch this), and your computers should be in the "Computers" OU. When you create GPOs, you should only link them to the OUs you want them to have effect on.
So, with that being said, you can have both your DCs and Computers use your WSUS configuration GPO (which only specifies the WSUS server address), but then you'd want different GPOs for automatic updates. In most cases you'd have a GPO configured for automatic updates attached to Computers (or a custom OU you create), and then for your Domain Controllers, you'd leave it, or configure a GPO that disables automatic updates.
Great tutorial! Thank you very much. It was super clear and straightforward even for junior admins like me, who are installing WSUS for the first time. I like your comments about two WSUS in A-vpn-B or about what your servers should be doing about 3 am :) I'm on this channel for the first time, so you definitely encourage me to check your other videos ;)
Thanks Scynk, I really appreciate feedback like this! Thank you so much and I'm happy if the videos are of help! :)
Great Videos keep up the good work
Thanks, will do! I appreciate the feedback!
Well done.
thank you, pura vida!!
Big Like
Big thanks! :D
I prefer WSUS to SCCM when it comes to patching servers. WSUS old school but the best
Without a code-signing certificate, you cannot publish third-party software updates into WSUS or ConfigMgr. By default, updates in WSUS are from Microsoft and client Windows devices inherently trust updates published by Microsoft.
Hi. How uninstalling Windows Server 2022 as a Virtual Machine is done?
This is a great video. thank you. Can you please assist with a question? I would like to know, for example, if in error you approve a Server 2016 update and deploy it to Server 2019 group in error, would this update be attempted to install on these 2019 servers? Also is there a way to schedule restarts via WSUS, because I would not like the servers to restart randomly after the updates are installed.
Hi Navin, thank you! And that's a great question! You should look at WSUS as an approval and caching mechanism, as it doesn't actually control Windows Updates on the servers, it only approves and makes the updates available. As far as controlling the behavior of Windows Updates on computers and servers, this is all done via GPO.
On the GPOs you can specify things like to only download, download and install, etc, and you can also configure scheduled maintenance windows to install the updates. For example, in my environment, I configured the GPOs to only download the updates, as I would prefer to install them manually when I do updates every couple weeks.
Hope this helps!
@StephenWagner Thank you very much for the reply and great info!
nice treadmill.
Thanks! :D
Can we deploy the updates to Byos laptops as well,those are having the Windows 10/11 home editions through WSUS?
To be honest I'm not too sure if the home editions support using WSUS servers. You'd have to test.
I have configured WSUS and it is working perfectly. But I have an issue with it as soon as I click check for updates, it automatically downloads and installs the update and restarts the system. Same thing was also seen at the time 49:50 of this video. How to get rid of auto install and restarts
Hey there and thanks for the comment! 🙂 You'll need to configure another GPO for your OUs to control whether they install or just download. Usually on servers you can configure it to download (This way it waits for an admin to initiate the install), and on workstations you can have it auto install.
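The TLS comment and the replies about download-only versus auto-install GPOs both come down to values the GPO writes under the Windows Update policy key, so here is an added PowerShell check (not from the video or its author) that reads them and flags a plain-HTTP WSUS URL or a server set to install on schedule. The function names, the `-Role` parameter and the `wsus.example.local` host are assumptions made for illustration; 8530/8531 are the WSUS default HTTP/HTTPS ports.

```powershell
# Added example, not from the video or thread. Audits the Windows Update client
# policy values that a WSUS GPO writes to the registry.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Meaning of the AUOptions value set by "Configure Automatic Updates".
$AuModes = @{
    2 = 'notify before download'
    3 = 'auto download, notify to install'
    4 = 'auto download, install on schedule'
    5 = 'local admin chooses'
}

function Get-WsusClientPolicy {
    # Reads the live policy; a property is $null where no GPO has set it.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer = $wu.WUServer; WUStatusServer = $wu.WUStatusServer
        UseWUServer = $au.UseWUServer; NoAutoUpdate = $au.NoAutoUpdate
        AUOptions = $au.AUOptions
    }
}

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [ValidateSet('Server', 'Workstation')] [string] $Role = 'Workstation'
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Policy.UseWUServer -ne 1 -or -not $Policy.WUServer) {
        $findings.Add('INFO: no WSUS server enforced by policy')
    }
    # Transport check: anything other than https leaves the channel unauthenticated.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $Policy.$name
        if (-not $url) { continue }
        $uri = $null
        if (-not [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings.Add("WARN: $name is not an absolute URL: $url")
        } elseif ($uri.Scheme -ne 'https') {
            $findings.Add("RISK: $name is $url; without TLS a man-in-the-middle can pose as the WSUS server")
        }
    }
    # Install behaviour: WSUS only approves, this policy decides what clients do.
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings.Add('INFO: automatic updates disabled by policy')
    } elseif ($null -eq $Policy.AUOptions) {
        $findings.Add('WARN: no automatic-update GPO applied; OS default behaviour is in effect')
    } else {
        $mode = [int]$Policy.AUOptions
        $text = if ($AuModes.ContainsKey($mode)) { $AuModes[$mode] } else { 'unrecognised' }
        $findings.Add("INFO: AUOptions=$mode ($text)")
        if ($Role -eq 'Server' -and $mode -eq 4) {
            $findings.Add('RISK: server installs on schedule; the replies here suggest download-only for servers')
        }
    }
    $findings
}

# Constructed sample policies (hypothetical host), so this runs off-domain.
$httpServer = [pscustomobject]@{
    WUServer = 'http://wsus.example.local:8530'; WUStatusServer = 'http://wsus.example.local:8530'
    UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 4
}
$tlsServer = [pscustomobject]@{
    WUServer = 'https://wsus.example.local:8531'; WUStatusServer = 'https://wsus.example.local:8531'
    UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 3
}
Test-WsusClientPolicy -Policy $httpServer -Role Server
Test-WsusClientPolicy -Policy $tlsServer -Role Server
# Live check on a domain member:
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -Role Server
```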
Hi! Thanks for the video! One question. When you update all your computers using WSUS your main panel is telling you that there are no pending updates. Seems okay. But then, on the top of the panel I noticed "2151 security updates are waiting for approval", "950 critical updates..." and so on. About what approval is it talking about? As we saw in your video, your virtual machines didn't want new upgrades at all.
Hi ivor, I generally never pay attention to that list. Those are the updates pending approval that include updates that do not apply to your environment. I recommend only paying attention to the update list that by default only shows updates that are required and pending approval.
Okay, I got it working, but now I have 13k unapproved updates, and I'm wondering if I should do anything with them? I've rejected some obviously unneeded ones like ARM updates or language packs, but I was hoping you would explain it in the video.
Hi, when looking at the view listing updated, do you have "Unapproved" and "Failed or Needed" selected? The number of updates should be less.
is it best practice to create a separate server for wsus or can it be in the DC?
Never install WSUS on a DC. It should be on its own server, or a server that you verify can house multiple services.
@StephenWagner if you were starting fresh in IT now, what skills would you focus on?
@mrmuffin5046, starting fresh, I'd say: VMware vSphere, VMware Horizon, Networking, and cloud integrations (Azure AD/Entra ID, etc)! :)
Can you provide a cleanup procedure for WSUS Server 2022? I have assigned 300 GB for the WSUS download destination drive, but it is full within 2 days.
If you need more space, I would recommend moving the WSUS data to another drive/volume. There's a process and workflow to do this.
@StephenWagner, Thanks for your valuable reply. Kindly share the process or workflow details if you have them. Thanks once again.
👍🏾
Good video! I have configured and set up WSUS and it is working except for home users connecting via VPN. When I look at the computer in WSUS it shows the IP address of our firewall instead of the computer. If I ping the computer from the WSUS server it resolves the correct IP. So the WSUS server knows the correct IP of the computer. It's just that WSUS itself doesn't know the correct IP. I also can ping the server from the computer. The VPN computers are also not reporting to WSUS and I'm assuming that it is because of the IP issue. Any thoughts? Thanks!
Hi CryptoChristian, What type of VPN are you using and how do you have it configured? Technically this type of config should work fine. I've completed many deployments where systems either VPN in, or they connect via Site-to-Site VPNs.
hi bro, i just follow up all of the steps, also the sync finished. but at my computers section, the only computers that are showing is the DC and the wsus itself, any idea of what i might be missing?
Hey Homero, it sounds like those two computers are the only ones that received the group policy updates. Are the rest of your systems domain joined? And is the policy applying to other systems? Also, did you give it time for them to run through the invisible first time processes?
@StephenWagner It was a problem with the firewall, now everything showed up. thanks a lot!!
W00t! Glad to hear!
I had recently bought the "HPE ProLiant MicroServer Gen10 Plus v2" and would like to run Windows Server 2022 Essentials, however MS no longer provides the iso for this and I was wondering if anyone knows how to obtain this? What makes this worse is the Microserver that I have does NOT come with an optical drive. Any help is appreciated.
Hello, I believe the "Essential Experience" is now a Windows Server Feature and Role that you install after you install the operating system.
A help, I have Windows server 2022 with 5 remote RDP users, in some situations where when logging on the black screen, without any action. In the client I already disabled the bitmap, and one detail, this black screen has already happened when I try to log in with the user administrator. Has anyone ever experienced this? Thanks
Hi Anderson, I've never seen this before. Is there a chance that a 3rd party application is causing this? Additionally, were all the applications installed properly using install mode on the RDS Server?
Hi, I am facing fatal error in post configuration step. Could you help?
Hi Naruto, does it say anything else other than fatal error?
@StephenWagner After that I tried removing and reinstalling the role but now it's not producing any temp file for the event and just giving fatal error, if you can share your mail, I'll send the screenshot of it
Hi Naruto, if you uninstalled the role, there's a chance the old database is still present. You'll have to clear the WSUS database and reinitialize it to restart the configuration of the role.
@StephenWagner I used the WID instead of SQL DB, but as I can see some other processes are also using WID.. But my AD is not installed in this server fyi
What helped me is removing the 'WSUS Administration' website in IIS manager and restarting the post configuration. After that, the post configuration was completed successfully.
I hate this guy. Handsome, fit, good hair, Wagner as surname....oh my god. GIGACHAD!
Gigachad loves the support! 😁😂
Not really sure why you said not to let MSFT send improvement information - "thank you very much". I understand if you are worried about people spying on your data but it seems safe and helps with improving products. I will do it on companies I trust and MSFT and Nvidia come to mind.
I understand what you're saying and it's a valid point. But you know how it goes, IT people always crack jokes about EULAs as well as sending diagnostic information. And on a serious note, I just don't like software transmitting information from my network, especially when monitoring outbound traffic not knowing what something is.
Pro Tip - open start menu and just type wsus....
Amen to that buddy! lol I'm still surprised when I see people use the Start Menu to find applications. You just need 2 clicks and maybe the first 3-4 letters. :) Thanks for leaving the tip for the viewers!