Steps to connect a non-domain joined server to WSUS

The following article will guide you through all the needed steps to add a non-domain joined server or workstation to Windows Server Update Services (WSUS):

1. Server to server connectivity

1. Configure sever to server communication at the network level.
   Test the network communication using ping or telnet.
2. Configure firewall rules described in the following article: How to Configure a Firewall for Software Updates

2. Server to server connectivity

1. Connect to WSUS server
2. Access Internet Information Services (IIS) Manager
3. Click the server node in the Connections tree.
   Double-click Server Certificates.
   
4. Click Create Self-Signed Certificate….
   
5. Fill in the edit field Specify a friendly name for the certificate.
   Select the Web Hosting certificate store.
   Click OK.
6. Click WSUS Administration in the Connections tree.
7. Click Bindings… in the Actions column.
   
8. Click https 8531.
   Click Edit….
9. Select the SSL certificate you just created in the dropdown box.
   Click View….
10. Note the FQDN of the Issued to server.
    Click OK.
11. Enter FQDN hostname you remembered from the Certificate window.
    Click OK.
12. Expand WSUS Administration in the Connections tree.
    Click on ClientWebService.
    Double-click SSL Settings.
13. Click the checkbox Require SSL.
    Click Apply.
14. Repeat the last two steps for: DssAuthWebService, ServerSyncWebService, and SimpleAuthWebService.
    Close Internet Information Services (IIS) Manager.
    
15. Start a command prompt in Administrator mode.
    Change directory to C:\Program Files\Update Services\Tools.
    Run WsusUtil.exe configuressl .
    Make sure you get a similar URL response as shown.
    Close the command prompt.

3. Export the certificate from WSUS server

1. Run MMC in Administrator mode.
   Click File->Add/Remote Snap-in…
2. Click Certificates.
   Click Add >.
   
3. Click the radio button Computer account.
   Click Next.
4. Click Finish.
5. Click OK.
   
6. Expand the Certificates (Local Computer)\Trusted Root Certification Authorities and click on Certificates.
   Right-click on the certificate that matches the FQDN of this server.
   Click All Tasks > Export…

4. Import the certificate on domain and non-domain joined servers

1. Copy the WSUS certificate to :
   2. In Run open MMC as administrator:
      1. Click on File → Add/Remove Snap-in
         

• Certificates → click Add
  
• Choose ‘Computer account‘. Click Next.
  
• Leave defaults under ‘Select Computer‘. Click Finish.
  
• Expand Certificates. Expand Trusted Root Certification Authorities. Right click Certificates, then choose All Tasks > Import.
• This brings up the Certificate Import Wizard. Click Next.
  
• Browse in Temporary Storage (D:) → RegistryKey and choose the certificate, then click Next.
  
• Make sure you are placing the cert in the correct certificate store (Trusted Root Certification Authorities for this step). Click Next.
  
• You will be given a summary. Click Finish.
• Wait to receive the message stating ‘The import was successful.’ Click OK.
  
• Repeat the same steps for Trusted Publishers.
  
• Finish by verifying if the WSUS self-signed certificate appears now both under Trusted Root Certification Authorities → Certificates and Trusted Publishers → Certificates.

5. Client server RegistryKey changes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableDualScan"=dword:00000001
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001
"ElevateNonAdmins"=dword:00000001
"TargetGroup"="Unassigned Computers – <em>or use your desired target group</em>"
"TargetGroupEnabled"=dword:00000001
"WUServer"="<a href=\"https://wsuserver.contoso.com:8531\">https://wsuserver.contoso.com:8531</a>"
"WUStatusServer"="<a href=\"https://wsuserver.contoso.com:8531\">https://wsuserver.contoso.com:8531</a>"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AllowMUUpdateService"=dword:00000001
"AlwaysAutoRebootAtScheduledTime"=dword:00000001
"AlwaysAutoRebootAtScheduledTimeMinutes"=dword:0000003c
"AUOptions"=dword:00000004
"AUPowerManagement"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000001
"AutomaticMaintenanceEnabled"=dword:00000001
"DetectionFrequency"=dword:00000002
"DetectionFrequencyEnabled"=dword:00000001
"IncludeRecommendedUpdates"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001

6. Modification of HOST file :

172.x.x.x            WSUSSERVER.contoso.com
172.x.x.x            WSUSERVER

7. Test WSUS services the connectivity by accessing https://WSUSSERVER.contoso.com:8531/SimpleAuthWebService/SimpleAuth.asmx

As a good practice it is recommended to have a defined WSUS maintenance process scheduled in your environment.
Additional information can be found in this article by mr. J.C. Hornbeck: The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

In case you have any blockings with the procedure, do not hesitate to contact us.

Thank you,
Bogdan C.