The following article will guide you through all the steps needed to add a non-domain-joined server or workstation to Windows Server Update Services (WSUS).

Server to server connectivity
- Configure server to server communication at the network level. Test the network communication using ping or telnet.
- Configure the firewall rules described in the following article: How to Configure a Firewall for Software Updates
Connect to the WSUS server and configure SSL
- Open Internet Information Services (IIS) Manager.
- Click the server node in the Connections tree and double-click Server Certificates.
- Click Create Self-Signed Certificate….
- Fill in the edit field Specify a friendly name for the certificate, select the Web Hosting certificate store and click OK.
- Click WSUS Administration in the Connections tree.
- Click Bindings… in the Actions column.
- Select https 8531 and click Edit….
- Select the SSL certificate you just created in the dropdown box and click View….
- Note the FQDN shown under Issued to, then click OK.
- Enter the FQDN hostname you noted from the Certificate window as the host name and click OK.
- Expand WSUS Administration in the Connections tree and click ClientWebService.
- Double-click SSL Settings, tick the checkbox Require SSL and click Apply.
- Repeat the last two steps for DssAuthWebService, ServerSyncWebService and SimpleAuthWebService.
- Close Internet Information Services (IIS) Manager.
- Start a command prompt in Administrator mode and change directory to C:\Program Files\Update Services\Tools.
- Run WsusUtil.exe configuressl followed by the FQDN you noted. Make sure you get a similar https URL in the response as shown, then close the command prompt.
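The same server-side configuration can be scripted instead of clicked through. The block below is an added example, not code from the original article or from Microsoft; it uses the WebAdministration and PKI modules that ship with Windows Server 2016 and later, assumes the default "WSUS Administration" site with its https 8531 binding already present, and uses a constructed FQDN and export path that you replace with your own. It stores the certificate in the Personal (My) store rather than the Web Hosting store the GUI steps use; either works for the binding.

```powershell
# Added example (not from the original article): script the WSUS-server side of the
# procedure above. Assumptions: Windows Server 2016+, default WSUS site and binding,
# placeholder FQDN and export path below.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Fqdn       = 'wsusserver.contoso.com'      # assumed FQDN; must match what clients will use
$SiteName   = 'WSUS Administration'
$ExportPath = 'C:\Temp\wsus-server.cer'     # assumed export location (public key only)

# 1. Self-signed certificate for the WSUS site, issued to the FQDN clients will connect to.
$cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation 'Cert:\LocalMachine\My' `
            -FriendlyName 'WSUS SSL' -NotAfter (Get-Date).AddYears(2)

# 2. Attach the certificate to the existing https 8531 binding.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 8531
if (-not $binding) { throw "No https:8531 binding found on site '$SiteName'" }
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL on the four virtual directories named in the article.
foreach ($vdir in 'ClientWebService','DssAuthWebService','ServerSyncWebService','SimpleAuthWebService') {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# 4. Tell WSUS itself to use SSL; the tool prints the https URL clients should receive.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $Fqdn

# 5. Export the public certificate for distribution to clients (never the private key)
#    and trust it locally so the server's own update agent and console can connect.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null
Import-Certificate -FilePath $ExportPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 6. Verify the SSL binding actually carries the new certificate before touching any client.
$ok = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 8531 -and $_.Thumbprint -eq $cert.Thumbprint }
if (-not $ok) { throw 'SSL binding on 8531 does not carry the new certificate' }
"Configured $SiteName for https://${Fqdn}:8531 with thumbprint $($cert.Thumbprint)"
```

Run it once in an elevated PowerShell on the WSUS server; the thumbprint it prints is the value to compare against the certificate you later see on the clients.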
Export the certificate from the WSUS server
- Run MMC in Administrator mode and click File > Add/Remove Snap-in….
- Click Certificates, then click Add >.
- Click the radio button Computer account, click Next, then click Finish.
- Click OK.
- Expand Certificates (Local Computer)\Trusted Root Certification Authorities and click Certificates.
- Right-click the certificate that matches the FQDN of this server and click All Tasks > Export…. Export only the public certificate (.cer), not the private key; the clients need only the public part to trust the server.
Import the certificate on domain and non-domain joined servers
- Copy the WSUS certificate to :
- In Run, open MMC as administrator.
- Click File → Add/Remove Snap-in.
- Click Certificates → Add.
- Choose ‘Computer account‘. Click Next.
- Leave the defaults under ‘Select Computer‘. Click Finish.
- Expand Certificates, expand Trusted Root Certification Authorities, right-click Certificates and choose All Tasks > Import.
- This brings up the Certificate Import Wizard. Click Next.
- Browse to Temporary Storage (D:) → RegistryKey, choose the certificate and click Next.
- Make sure you are placing the certificate in the correct certificate store (Trusted Root Certification Authorities for this step). Click Next.
- You will be given a summary. Click Finish.
- Wait for the message ‘The import was successful.’ and click OK.
- Repeat the same steps for Trusted Publishers.
- Finish by verifying that the WSUS self-signed certificate now appears both under Trusted Root Certification Authorities → Certificates and under Trusted Publishers → Certificates.
Client server registry changes (save as a .reg file and import, or set the values by hand):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableDualScan"=dword:00000001
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001
"ElevateNonAdmins"=dword:00000001
; or use your desired target group
"TargetGroup"="Unassigned Computers"
"TargetGroupEnabled"=dword:00000001
"WUServer"="https://wsuserver.contoso.com:8531"
"WUStatusServer"="https://wsuserver.contoso.com:8531"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AllowMUUpdateService"=dword:00000001
"AlwaysAutoRebootAtScheduledTime"=dword:00000001
"AlwaysAutoRebootAtScheduledTimeMinutes"=dword:0000003c
"AUOptions"=dword:00000004
"AUPowerManagement"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000001
"AutomaticMaintenanceEnabled"=dword:00000001
"DetectionFrequency"=dword:00000002
"DetectionFrequencyEnabled"=dword:00000001
"IncludeRecommendedUpdates"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001

The host name in WUServer and WUStatusServer must be the FQDN the certificate was issued to; with any other name the TLS check fails even though the certificate is trusted.
Modification of the HOSTS file (one entry per line, using the WSUS server's address):
172.x.x.x WSUSSERVER.contoso.com
172.x.x.x WSUSSERVER
- Test connectivity to the WSUS services by accessing https://WSUSSERVER.contoso.com:8531/SimpleAuthWebService/SimpleAuth.asmx from the client. A certificate warning at this point means the import into Trusted Root Certification Authorities did not take effect.
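The client-side steps above (certificate import, HOSTS entries, registry policy and the connectivity test) are combined in the following script. It is an added example, not code from the original article; it assumes the exported .cer file was copied to the constructed path in $CertPath, uses the article's placeholder address 172.x.x.x (which you must replace), and targets Windows 10 / Windows Server 2016 or later. It refuses to proceed if the certificate file is not issued to the expected FQDN, so a stray certificate cannot be trusted by accident.

```powershell
# Added example (not from the original article): configure a non-domain-joined client
# for the WSUS server. Assumptions: exported .cer at $CertPath, placeholder IP below,
# Windows 10 / Server 2016+.
#Requires -RunAsAdministrator

$WsusFqdn  = 'WSUSSERVER.contoso.com'       # must match the name the certificate was issued to
$WsusShort = 'WSUSSERVER'
$WsusIp    = '172.x.x.x'                    # placeholder from the article; replace with the real address
$CertPath  = 'D:\RegistryKey\wsus-server.cer'   # assumed location of the exported certificate
$WsusUrl   = "https://${WsusFqdn}:8531"
$Policy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 0. Sanity checks before changing anything: a real IP address and a certificate issued to the FQDN.
if (-not [System.Net.IPAddress]::TryParse($WsusIp, [ref]$null)) { throw 'Replace $WsusIp with the WSUS server address' }
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
if ($cert.Subject -notmatch [regex]::Escape($WsusFqdn)) {
    throw "Certificate subject '$($cert.Subject)' does not match $WsusFqdn; refusing to trust it"
}

# 1. Trust the WSUS certificate for TLS (Root) and for signed update content (TrustedPublisher).
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $CertPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# 2. Name resolution without DNS: append HOSTS entries only if they are not already present.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
$lines = Get-Content $hosts -ErrorAction SilentlyContinue
foreach ($name in $WsusFqdn, $WsusShort) {
    if (-not ($lines -match "^\s*\S+\s+$([regex]::Escape($name))\s*$")) {
        Add-Content -Path $hosts -Value "$WsusIp $name"
    }
}

# 3. Registry policy: the same values as the .reg listing in the article.
$au = Join-Path $Policy 'AU'
New-Item -Path $Policy, $au -Force | Out-Null
$wuValues = @{ DisableDualScan = 1; DoNotConnectToWindowsUpdateInternetLocations = 1
               ElevateNonAdmins = 1; TargetGroupEnabled = 1 }
foreach ($k in $wuValues.Keys) { Set-ItemProperty -Path $Policy -Name $k -Value $wuValues[$k] -Type DWord }
Set-ItemProperty -Path $Policy -Name TargetGroup    -Value 'Unassigned Computers' -Type String  # or your target group
Set-ItemProperty -Path $Policy -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $Policy -Name WUStatusServer -Value $WsusUrl -Type String
$auValues = @{ AllowMUUpdateService = 1; AlwaysAutoRebootAtScheduledTime = 1; AlwaysAutoRebootAtScheduledTimeMinutes = 60
               AUOptions = 4; AUPowerManagement = 1; AutoInstallMinorUpdates = 1; AutomaticMaintenanceEnabled = 1
               DetectionFrequency = 2; DetectionFrequencyEnabled = 1; IncludeRecommendedUpdates = 1
               ScheduledInstallDay = 0; ScheduledInstallTime = 3; UseWUServer = 1 }
foreach ($k in $auValues.Keys) { Set-ItemProperty -Path $au -Name $k -Value $auValues[$k] -Type DWord }

# 4. Connectivity: TCP reachability on 8531 first (firewall), then the SimpleAuth endpoint over TLS.
#    A certificate the client does not trust fails the second check, which is what step 1 prevents.
$tcp = Test-NetConnection -ComputerName $WsusFqdn -Port 8531 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP 8531 to $WsusFqdn is blocked; check the firewall rules" }
$resp = Invoke-WebRequest -Uri "$WsusUrl/SimpleAuthWebService/SimpleAuth.asmx" -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Unexpected HTTP status $($resp.StatusCode) from the WSUS server" }

# 5. Restart the update service and trigger a detection so the client reports in to WSUS.
Restart-Service wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
"Client configured for $WsusUrl"
```

The ordering matters: the certificate and HOSTS entries go in before the registry policy, so the first detection the Windows Update agent performs after the service restart already reaches the right server over a trusted TLS connection. Any throw before step 3 leaves the registry untouched, so a failed run does not point the client at an unreachable server.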
As a good practice, it is recommended to have a defined WSUS maintenance process scheduled in your environment.
Additional information can be found in this article by Mr. J.C. Hornbeck: The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance
If you run into any blocking issues with the procedure, do not hesitate to contact us.
Thank you,
Bogdan C.