How to Install Windows Server Update Services (WSUS) on Windows Server 2012

Installing WSUS on Windows Server 2012

Before we can start installing Windows Server Update Services (WSUS), we want to make sure we understand the requirements.

Requires one of the following databases:

  • Windows Internal Database (WID)
  • Microsoft SQL Server 2012
  • Microsoft SQL Server 2008 R2

Windows Server Update Services supports the following SQL Server editions:

  • Standard
  • Enterprise
  • Express

Can you install the WSUS role on a different server than the database server? Yes, but the following requirements must be met first.

1. The database server cannot be configured as a domain controller.

If WSUS is installed on a domain controller, this will cause database access issues due to how the database is configured. Installing WSUS on a domain controller can also cause problems upgrading or installing WSUS in the future.

2. The WSUS server cannot run Remote Desktop Services.

3. The database server must be in the same Active Directory domain as the WSUS Server

4. The WSUS server and the database server must be in the same time zone or be synchronized to the same Coordinated Universal Time source.


Now that we understand the requirements for Windows Server Update Services (WSUS), we can begin to install the role.


1. To install Windows Server Update Services (WSUS) on Windows Server 2012 R2, click on Server Manager, click on Manage, click Add Roles and Features, select Windows Server Update Services and click on Next.

2. The Features section is next. We do not have to do anything here. Click Next.

3. Choose WSUS Services and Database as these are the ones that are actually required. We will not select WID Database here. Click on Next.

4. Content Location Selection – WSUS downloads and stores license terms for specific software updates in the update content folder. During the update synchronization process, Configuration Manager looks for applicable license terms in the content folder. If it cannot find the license terms, it will not synchronize the update. Provide a folder path and click on Next.


5. Database Instance Selection – Specify the database server where you want to store the WSUS database. Click on Check connection; you should see the message Successfully connected to server. Click on Next.

*Note: if this doesn't work, make sure you have a SQL firewall rule in place on the database server.

netsh advfirewall firewall add rule name=SQLPort dir=in protocol=tcp action=allow localport=1433 remoteip=localsubnet profile=DOMAIN


6. The Web Server Role page will only appear if you don't have the role installed. If you don't have it installed, the wizard will install it for you. Click on Next.


7. IIS Role Services section appears. We do not need to do anything with this yet. Click on Next.


8. Click on Install. For security reasons, you should not install it on a Domain Controller, as we went over at the start of this post.
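The requirement checks and wizard steps above can also be scripted. The following is an added example, not part of the original post: it verifies requirements 1 to 4 and SQL reachability, then installs the same role services. The server name SQL01 and the folder D:\WSUS are placeholder values, and the remote query assumes WinRM is enabled on the database server.

```powershell
#Requires -Version 3.0
# Added example: pre-flight checks for the requirements above, then the role install.
$SqlServer  = 'SQL01'      # placeholder: database server name
$ContentDir = 'D:\WSUS'    # placeholder: content folder from step 4

$wsus = Get-CimInstance Win32_ComputerSystem
$db   = Get-CimInstance Win32_ComputerSystem -ComputerName $SqlServer

# Can this server reach SQL on TCP 1433? (TcpClient also works on Server 2012.)
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($SqlServer, 1433); $sqlReachable = $tcp.Connected }
catch   { $sqlReachable = $false }
finally { $tcp.Close() }

# DomainRole 4 and 5 are backup and primary domain controllers.
$checks = [ordered]@{
    'WSUS server is not a domain controller'        = $wsus.DomainRole -lt 4
    'Database server is not a domain controller'    = $db.DomainRole -lt 4
    'WSUS server has no Remote Desktop Services'    = @(Get-WindowsFeature RDS-* | Where-Object Installed).Count -eq 0
    'Both servers are in the same AD domain'        = $wsus.Domain -eq $db.Domain
    # Compares UTC offsets only; a shared UTC time source also satisfies requirement 4.
    'Both servers use the same time zone offset'    = $wsus.CurrentTimeZone -eq $db.CurrentTimeZone
    'SQL port 1433 is reachable (firewall rule)'    = $sqlReachable
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
if ($checks.Values -contains $false) {
    throw 'Pre-flight checks failed; fix them before installing WSUS.'
}

# Steps 1-3: WSUS Services plus the Database role service (not WID).
Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools

# Steps 4-5: set the content folder and the database instance.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall `
    "SQL_INSTANCE_NAME=$SqlServer" "CONTENT_DIR=$ContentDir"
```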


Now we have installed WSUS. Follow this link to find out how to configure it.


PowerShell: Lock User Accounts inside an OU

I am currently working on a PowerShell script that will tell you what accounts are locked out and the OU they are in. You can now check this out here.

I have a script that will lock user accounts inside an OU. This is good for testing the above program.

#Requires -Version 3.0
#Requires -Modules ActiveDirectory, GroupPolicy
# Read the lockout threshold (LockoutBadCount) from the Default Domain Policy; do nothing if none is set.
if ($LockoutBadCount = ((([xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)).GPO.Computer.ExtensionData.Extension.Account |
            Where-Object name -eq LockoutBadCount).SettingNumber)) {
    # Deliberately wrong password used for the failed logon attempts.
    $Password = ConvertTo-SecureString 'NotMyPassword' -AsPlainText -Force
    Get-ADUser -Filter * -SearchBase "OU=Test,DC=IT,DC=com" -Properties SamAccountName, UserPrincipalName, LockedOut |
        ForEach-Object {
            # One failed remote logon per iteration, up to the lockout threshold.
            for ($i = 1; $i -le $LockoutBadCount; $i++) {
                Invoke-Command -ComputerName hyperv { Get-Process } -Credential (New-Object System.Management.Automation.PSCredential ($($_.UserPrincipalName), $Password)) -ErrorAction SilentlyContinue
            }
            # Report the resulting lockout state of the account.
            Write-Output "$($_.SamAccountName) has been locked out: $((Get-ADUser -Identity $_.SamAccountName -Properties LockedOut).LockedOut)"
        }
}