1. Clients

1.1. Useful commands

  • Enter the following commands at a Command Prompt with administrative privileges.

    gpupdate.exe /force
    wuauclt.exe /detectnow
    wuauclt.exe /detectnow /resetauthorization
    wuauclt.exe /updatenow
    
    PowerShell.exe -Command "$criteria = 'IsInstalled=0'; $updateSession = New-Object -ComObject 'Microsoft.Update.Session'; $updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates"
    wuauclt.exe /reportnow

1.2. Troubleshoot

  • Enter the following commands at a Command Prompt with administrative privileges.

    PowerShell.exe Test-NetConnection -ComputerName SMRU-IT03 -Port 8530
    net.exe stop wuauserv
    rmdir /q /s C:\Windows\SoftwareDistribution
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f
    net.exe start wuauserv
    gpupdate.exe /force
    wuauclt.exe /detectnow /resetauthorization
    wuauclt.exe /reportnow
    pause

2. Installation

3. Configuration

Perform the following actions for both the ADadmin and ADuseradmin user accounts.

  • Start Windows Server Update Services with ADadmin or ADuseradmin privileges.

    • Right-click Start | Programs | Windows Administrative Tools | Windows Server Update Services
      while holding down the Shift key and select Run as different user.

  • Right-click Update Services and select Connect to Server.

  • Type SMRU-IT03 for the server name.

    Server name:    SMRU-IT03
    Port number:    8530
    □ Use Secure Sockets Layer (SSL) to connect to this server

  • Click Connect.

  • Close Windows Server Update Services.

4. Usage

4.1. Decline Updates

  • Start Windows Server Update Services with ADadmin privileges.

  • Select SMRU-IT03 > Updates > All Updates.

  • Select Approval: | Any Except Declined.

  • Select Status: | Any.

  • Click Refresh.

  • Sort the updates by Supersedence by clicking on the Supersedence icon in the table header.

  • Select all updates that are superseded.

  • Right-click all selected updates and select Decline.

  • Click Yes to confirm.

  • Click Refresh.

  • Click All Updates | Search in the Actions panel at the right.

  • Type arm64 in the Text field.

  • Click Find Now.

  • Select all arm64 updates.

  • Right-click all selected updates and select Decline.

  • Click Yes to confirm.

  • Click Close.

  • Click Refresh.

  • Click All Updates | Search in the Actions panel at the right.

  • Type x86 in the Text field.

  • Click Find Now.

  • Select all x86 updates.

  • Right-click all selected updates and select Decline.

  • Click Yes to confirm.

  • Click Close.

  • Click Refresh.
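The three decline passes above (superseded, arm64, x86) can also be scripted. This is an added example, not part of the original procedure; the $Apply and $ReportPath variables are assumptions, and the title matching is a plain text match like the console search.

```powershell
# Added example (not from the original page). Needs the UpdateServices module (RSAT WSUS Tools).
$Name       = 'SMRU-IT03'   # server and port as used on this page
$PortNumber = 8530
$Apply      = $false        # assumption: stays $false until the report has been reviewed
$ReportPath = Join-Path $env:TEMP 'wsus-decline-review.csv'   # hypothetical output path

$UpdateServer = Get-WsusServer -Name $Name -PortNumber $PortNumber

# Same view as the console filter: Approval "Any Except Declined", Status "Any".
$Candidates = @(Get-WsusUpdate -UpdateServer $UpdateServer -Classification All `
        -Approval AnyExceptDeclined -Status Any)

# Tag each update with the first rule it hits, in the order the procedure uses.
$ToDecline = @(foreach ($WsusUpdate in $Candidates) {
    $Title  = $WsusUpdate.Update.Title
    $Reason = if ($WsusUpdate.Update.IsSuperseded) { 'superseded' }
              elseif ($Title -match '\barm64\b')   { 'arm64' }
              elseif ($Title -match '\bx86\b')     { 'x86' }
    if ($Reason) {
        [pscustomobject]@{ Reason = $Reason; Title = $Title; WsusUpdate = $WsusUpdate }
    }
})

if ($ToDecline.Count -eq 0) { Write-Host 'Nothing to decline.'; return }

# Review material: counts per rule on screen, full title list on disk.
$ToDecline | Group-Object Reason | Select-Object Name, Count | Format-Table -AutoSize
$ToDecline | Select-Object Reason, Title | Export-Csv -Path $ReportPath -NoTypeInformation

# Dry run unless $Apply is set; -WhatIf prints what would be declined.
$ToDecline.WsusUpdate | Deny-WsusUpdate -WhatIf:(-not $Apply)
```

Check the x86 rows in the CSV before setting $Apply to $true, since a title match also catches x86 packages that 64-bit computers may still need.
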

4.2. Approve Updates

4.2.1. For WSUS-TestGroup

  • Start Windows Server Update Services with ADadmin privileges.

  • Select SMRU-IT03 > Updates > All Updates.

  • Select Approval: | Unapproved.

  • Select Status: | Needed.

  • Click Refresh.

  • Sort the updates by Title.

  • Select all Upgrade to Windows 11 updates.

  • Select all Windows 11 (business editions), version 22H2 en-us x64 updates.

  • Select all Windows 11 (consumer editions), version 22H2 en-us x64 updates.

  • Select all Windows 11, version 22H2 x64 updates.

  • Select all Windows 11, version 23H2 x64 updates.

  • Select all Windows 11, version 24H2 x64 updates.

  • Right-click all selected updates and select Decline.

  • Click Yes to confirm.

  • Click Refresh.

  • Select all Not approved updates.

  • Right-click all selected updates and select Approve.

  • Right-click Computers-WSUSTestGroup and select Approved for Install.

  • Click OK.

  • Click Close.

4.2.2. For all computers

  • Start Windows Server Update Services with ADadmin privileges.

  • Select SMRU-IT03 > Updates > All Updates.

  • Select Approval: | Approved.

  • Select Status: | Needed.

  • Click Refresh.

  • Select all Install and Install (1/6) updates.

  • Right-click all Install and Install (1/6) updates and select Approve.

  • Right-click All Computers and select Approved for Install.

  • Right-click All Computers and select Apply to Children.

  • Click OK.

  • Click Close.

  • Close Windows Server Update Services.

4.3. Email Notifications

  • Start Windows Server Update Services with ADadmin privileges.

  • Select SMRU-IT03 | Options.

  • Select E-Mail Notifications.

  • Select the General tab.

  • Check Send status reports.

  • Select Weekly for the frequency.

  • Select 02:00:00 for Send reports at.

  • Type smru-it@shoklo-unit.com for the recipients.

    ■ Send status reports
      Frequency:            Weekly
      Send reports at:      02:00:00
      Recipients:           smru-it@shoklo-unit.com
      Language:             English

  • Select the E-Mail Server tab.

    Outgoing e-mail server (SMTP):  10.10.1.170
    Port number:                    25
    Sender name:
    E-mail address:                 WSUS@shoklo-unit.com
    □ My SMTP server requires authentication
      User name:
      Password:

  • Click Test.

  • Click Close.

  • Click Apply.

  • Click OK.

  • Close Windows Server Update Services.

4.4. Remove Computer from WSUS

  • Start Windows Server Update Services with ADadmin privileges.

  • Select SMRU-IT03 > Computers > All Computers.

  • Right-click the <Computer name> and select Delete.

  • Click Yes to confirm.

  • Close Windows Server Update Services.

5. Windows Updates

5.1. By Group Policy

  • If the following group policy is applied to the clients, they show the update behavior described below.

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    Name                            Type            Data
    -------------------             ---------       ---------------------
    ElevateNonAdmins                REG_DWORD       0x00000000 (0)
    TargetGroup                     REG_SZ          Computers
    TargetGroupEnabled              REG_DWORD       0x00000001 (1)
    WUServer                        REG_SZ          http://smru-it03:8530
    WUStatusServer                  REG_SZ          http://smru-it03:8530
    
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    Name                            Type            Data
    -----------------------------   ----------      ------------
    AUOptions                       REG_DWORD       0x00000004 (4)
    AUPowerManagement               REG_DWORD       0x00000001 (1)
    AutoInstallMinorUpdates         REG_DWORD       0x00000001 (1)
    DetectionFrequency              REG_DWORD       0x00000016 (22)
    DetectionFrequencyEnabled       REG_DWORD       0x00000001 (1)
    IncludeRecommendedUpdates       REG_DWORD       0x00000001 (1)
    NoAUShutdownOption              REG_DWORD       0x00000001 (1)
    NoAutoRebootWithLoggedOnUsers   REG_DWORD       0x00000001 (1)
    NoAutoUpdate                    REG_DWORD       0x00000000 (0)
    RebootRelaunchTimeout           REG_DWORD       0x0000000f (15)
    RebootRelaunchTimeoutEnabled    REG_DWORD       0x00000001 (1)
    RescheduleWaitTime              REG_DWORD       0x0000000f (15)
    RescheduleWaitTimeEnabled       REG_DWORD       0x00000001 (1)
    ScheduledInstallDay             REG_DWORD       0x00000000 (0)
    ScheduledInstallTime            REG_DWORD       0x0000000c (12)
    UseWUServer                     REG_DWORD       0x00000001 (1)

  • When updates are available on the WSUS server, the clients detect and download them at 12:00 on any day.
    Some computers delay the download until 15 minutes after 12:00.
    The updates are then installed at 12:00 on the day after they were downloaded.

  • If a computer from Maesot moves to any clinic, the automatic update occurs after the first Group Policy run.

  • To receive updates automatically from the WSUS server, the clients should be switched on on at least two days, from around 11:50 to 17:00.
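
To confirm that a client actually carries this policy, for example after the troubleshooting steps in 1.2 have deleted the policy key and rerun Group Policy, the registry can be compared with the table above. This is an added example, not part of the original page; it checks only the values that drive the behavior described here and reports whether the configured server URL uses HTTPS.

```powershell
# Added example (not from the original page): audit a client against the section 5.1 policy.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Expected = @{
    $Base = @{
        TargetGroup        = 'Computers'
        TargetGroupEnabled = 1
        WUServer           = 'http://smru-it03:8530'
        WUStatusServer     = 'http://smru-it03:8530'
    }
    "$Base\AU" = @{
        UseWUServer                   = 1
        NoAutoUpdate                  = 0
        AUOptions                     = 4
        DetectionFrequency            = 22
        ScheduledInstallDay           = 0
        ScheduledInstallTime          = 12
        NoAutoRebootWithLoggedOnUsers = 1
    }
}

# One row per expected value; a missing key or value shows up as Match = False.
$Findings = foreach ($Path in $Expected.Keys) {
    $Actual = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($ValueName in $Expected[$Path].Keys) {
        $Want = $Expected[$Path][$ValueName]
        $Have = if ($Actual) { $Actual.$ValueName } else { $null }
        [pscustomobject]@{
            Key      = Split-Path $Path -Leaf
            Name     = $ValueName
            Expected = $Want
            Actual   = $Have
            Match    = ($null -ne $Have -and "$Have" -eq "$Want")
        }
    }
}
$Findings | Sort-Object Key, Name | Format-Table -AutoSize

# Transport and reachability of the server the client is really pointed at,
# plus the client ID that the troubleshooting steps in 1.2 reset.
$WUServer = ($Findings | Where-Object Name -eq 'WUServer').Actual
if ($WUServer) {
    $Uri = [uri]$WUServer
    [pscustomobject]@{
        Server      = $Uri.Host
        Port        = $Uri.Port
        Encrypted   = ($Uri.Scheme -eq 'https')
        Reachable   = Test-NetConnection -ComputerName $Uri.Host -Port $Uri.Port -InformationLevel Quiet
        SusClientId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -ErrorAction SilentlyContinue).SusClientId
    }
}
```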

6. PowerShell

  • Log on as SMRU\ADadmin on a Windows computer with RSAT WSUS Tools installed.

  • Enter the following commands at a PowerShell Command Prompt.

    . 'C:\Program Files\Delta Software Labs\Windows-Tools\Debug.ps1'
    $Name = "SMRU-IT03"
    $PortNumber = 8530
    $UpdateServer = Get-WsusServer -Name $Name -PortNumber $PortNumber
    
    Get-WsusClassification -UpdateServer $UpdateServer
    Get-WsusProduct -UpdateServer $UpdateServer
    Get-WsusProduct -UpdateServer $UpdateServer | Where-Object { $_.Product.Title -match "Windows 11" }
    Get-WsusUpdate -UpdateServer $UpdateServer -ErrorAction SilentlyContinue -UpdateId 72e7624a-5b00-45d2-b92f-e561c0a6a160
    
    # Get all unapproved updates.
    # Note: The following command takes about 30 minutes.
    Get-Date; $WsusUpdates = Get-WsusUpdate -UpdateServer $UpdateServer; Get-Date
    
    # Get all updates.
    Get-Date; $WsusUpdates1 = Get-WsusUpdate -UpdateServer $UpdateServer -Approval AnyExceptDeclined; Get-Date
    # Note: The following command takes about 66 minutes.
    Get-Date; $WsusUpdates2 = Get-WsusUpdate -UpdateServer $UpdateServer -Approval Declined; Get-Date
    $WsusUpdates1.Count     #  4718
    $WsusUpdates2.Count     # 15892
    $WsusUpdates = @()
    $WsusUpdates += $WsusUpdates1
    $WsusUpdates += $WsusUpdates2
    $WsusUpdates.Count      # 20610
    
    $Updates = @($WsusUpdates | Where-Object { $_.Update.Title -match "Windows 7" })
    $Updates.Count
    $Updates | Deny-WsusUpdate

    # Remove declined updates.
    # Note: The following command may take quite some time, depending on how many updates reside on the WSUS server.
    Get-Date; $WsusDeclinedUpdates = Get-WsusUpdate -UpdateServer $UpdateServer -Approval Declined; Get-Date
    # See https://learn.microsoft.com/en-us/previous-versions/windows/desktop/aa349863(v=vs.85)
    $WsusDeclinedUpdates | ForEach-Object { $UpdateServer.DeleteUpdate($_.Update.Id.UpdateId.ToString()); Write-Host $_.Update.Title removed }