Install, Configure WSUS on Windows Server 2012 R2 and Approve Patches using Powershell – Part 1

There are times when you would want to setup a WSUS server in your Lab quickly.
As you might have already guessed this is going to be a 2 Part series, In this post will show you how to Install, Configure WSUS on Windows Server 2012 R2 using Powershell. I will break the script into parts to explain what we are getting done and will post the complete script at the end.
Alright then if you want to follow along this is what you would need, A Windows Server 2012 R2 machine with Internet.We are going to Install WSUS with Windows Internal Database. (Will write some thing later on how to set it up using SQL).
First let us Install Windows Update Services with Windows Internal Database (WID) and also Include Management Tools by running the below line.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools -Verbose
Install_WSUS_PowershellWait for the Installation to complete. You can see, we have a message stating some additional configuration may be required before our WSUS server can be up and running. We still need to configure a location for the update files to be stored.This is where wsusutil.exe will come into play. This executable is located at C:\Program Files\Update Services\Tools. In wsusutil.exe there is a set of parameters that become available when you use the /PostInstall argument for specifying where to store the content. I don’t want all of the updates on my system drive, so I will create the folder on my E: drive and store them there.
New-Item -Name WSUS -Path E: -ItemType Directory
Set-Location $env:ProgramFiles'\Update Services\Tools'
.\WsusUtil.exe postinstall CONTENT_DIR='E:\WSUS'
We have now configured the content directory on E drive to save the update files under WSUS Folder.
Now lets configure the language pack, In this case we only want to enable English language pack for updates. We will next set that in the WSUS Server Configuration and Subscription Information.
#Get WSUS Server Name
$WSUS = Get-WSUSServer
#Get WSUS Server Configuration and Subscription Information
$WSUSConfig = $WSUS.GetConfiguration()
$WSUSSubScrip = $WSUS.GetSubscription()
#Set Update Language to English and save configuration settings
$WSUSConfig.AllUpdateLanguagesEnabled = $false
$WSUSConfig.AllUpdateLanguagesDssEnabled = $false
Next we will tell our server where we want to synchronize from, In this case we want to sync up with Microsoft Updates.
#Set WSUS to download from Microsoft Updates
Set-WsusServerSynchronization -SyncFromMU
By Default a list of Products and Classifications are enabled, Lets first disable All of them. We will enable just the ones we want later.
# Disable All Products and Classifications
Get-WsusClassification | Set-WsusClassification -Disable -Verbose
Get-WsusProduct | Set-WsusProduct -Disable -Verbose


Now that we have set our server to synchronize from Microsoft. We will Run the initial Synchronization For Category.
# Run the Initial Synchronization For Category
$WSUSSubScrip = $WSUS.GetSubscription()
Write-Verbose "Sync Inprogress.." -Verbose
While($WSUSSubScrip.GetSynchronizationStatus() -ne 'NotProcessing') 
   $WsusProd = (Get-WsusProduct).count
   Write-Verbose "Synchronized $WsusProd Products" -Verbose
   Start-Sleep -Seconds 10
Write-Verbose "Synchronization Completed !!" -Verbose
Initial Synchronization For Category takes some time, So ahead and grab a coffee..
Synchronization For Category has successfully completed. Next lets us Configure the Classifications, I usually select Update Rollups, Security Updates, Critical Updates, Service Packs, Definition Updates and Updates.
You could run Get-WsusClassification to get the list of available Classifications.
Get-WsusClassification | Where-Object {
   $_.Classification.Title -in (
   'Update Rollups',
   'Security Updates',
   'Critical Updates',
   'Service Packs',
   'Definition Updates',
} | Set-WsusClassification -Verbose
Next we will configure the Products, I only have Windows Server 2008 R2 & Windows Server 2012 R2 in my lab so will only enable them.
You might run Get-WsusProduct to get the list of available Products and add the products you want for you environment.
Get-WsusProduct | where-Object {
   $_.Product.Title -in (
   'Windows Server 2008 R2',
   'Windows Server 2012 R2')
} | Set-WsusProduct -Verbose


Finally lets kick-off a synchronization of the Classifications & Products.
While($WSUSSubScrip.GetSynchronizationStatus() -ne 'NotProcessing') 
   Start-Sleep -Seconds 10
   $Total = $WSUSSubScrip.GetSynchronizationProgress() | Select-Object -ExpandProperty TotalItems
   $Processed = $WSUSSubScrip.GetSynchronizationProgress() | Select-Object -ExpandProperty ProcessedItems
   $Phases = $WSUSSubScrip.GetSynchronizationProgress() | Select-Object -ExpandProperty Phase
   Write-Verbose "Synchronized $Processed of $Total $Phases" -Verbose
   Start-Sleep -Seconds 10
Write-Verbose "Synchronization Completed !!" -Verbose


It may take a while to complete the synchronization depending on the speed of your Internet.
That is all for today’s blog about Install, Configure WSUS on Windows Server 2012 R2. In Part2 of this blog I will deal with Creating Computer Target Group and approve or decline updates.

!! Preenesh

This entry was posted in Powershell and tagged , . Bookmark the permalink.

1 Response to Install, Configure WSUS on Windows Server 2012 R2 and Approve Patches using Powershell – Part 1

  1. Pingback: Install, Configure WSUS on Windows Server 2012 R2 and Approve Patches using Powershell – Part 2 | Deployment Mechanic

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s