Links

WSUS

Cheatsheet

1. Install WSUS
  • Open Server Manager -> Add roles and features -> WSUS
2. Configure WSUS
  • Open WSUS -> Complete the Configuration Wizard
3. Create Computer Groups
  • WSUS Console -> Computers -> Create a Computer Group
4. Approve Updates
  • WSUS Console -> Updates -> Approve Updates
5. Deploy WSUS to Clients
  • Group Policy -> Configure Update Source -> Point to WSUS Server
6. Monitor Update Installations
  • WSUS Console -> Reports -> Update Status
7. Manage WSUS Configurations
  • WSUS Console -> Options -> WSUS Server Configuration Wizard
8. Synchronize Updates
  • WSUS Console -> Synchronizations -> Start Synchronization
9. Cleanup WSUS
  • WSUS Console -> Options -> Server Cleanup Wizard
10. Secure WSUS Communication
Configure SSL on WSUS -> Update Group Policy for Secure Communication

Examples for Hardening with WSUS

1. Install WSUS Role
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
2. Configure WSUS Post-Installation
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=D:\WSUS
3. Create a Computer Group in WSUS
Navigate through WSUS Console -> Computers -> Add Computer Group -> Name: "SecureGroup"
4. Approve Updates for a Group
Navigate through WSUS Console -> Updates -> Select an Update -> Approve -> Select "SecureGroup"
5. Configure WSUS on Clients via GPO
  • Open Group Policy Management -> Create a GPO -> Navigate to: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update -> Configure Automatic Updates & Specify intranet Microsoft update service location -> Define WSUS Server
6. Start WSUS Synchronization
Get-WsusServer | Get-WsusSubscription | Start-WsusSynchronization
7. Retrieve Update Status
Navigate through WSUS Console -> Reports -> Update Status
8. Configure WSUS to Use SSL
  • Configure SSL on WSUS Server -> Update Group Policy to use "https://[WSUS_SERVER]"
9. Run WSUS Cleanup
Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
10. Set WSUS to Download from Microsoft Update
Navigate through WSUS Console -> Options -> Update Source and Proxy Server -> Synchronize from Microsoft Update
11. Configure Update Files and Languages
Navigate through WSUS Console -> Options -> Update Files and Languages -> Store update files locally on this server
12. Configure Automatic Approvals
Navigate through WSUS Console -> Options -> Automatic Approvals -> Add Rule
13. Retrieve WSUS Synchronization Status
PowerShellCopy codeGet-WsusServer | Get-WsusSubscription | Get-WsusSynchronizationStatus
14. Configure WSUS Email Notifications
Navigate through WSUS Console -> Options -> Email Notifications -> Configure SMTP Server and Notification Options
15. Manually Add a Computer to WSUS
PowerShellCopy codeAdd-WsusComputer -ComputerToAdd "ComputerName" -TargetGroupName "SecureGroup"
16. Retrieve WSUS Update Installations
Navigate through WSUS Console -> Reports -> Update Installations
17. Configure WSUS Reporting Rollup
Navigate through WSUS Console -> Options -> Reporting Rollup -> Enable roll up of update status from replica downstream servers
18. Set WSUS Clients to Download from Peers
  • Configure Delivery Optimization on Clients via GPO -> Set Download Mode to "LAN" (Value: 1)
19. Retrieve WSUS Computer Status
Navigate through WSUS Console -> Computers -> Select a Computer Group -> Status
20. Configure WSUS Products and Classifications
Navigate through WSUS Console -> Options -> Products and Classifications -> Select Products to Update