Windows Server Core (on Windows Server 2019) is a great way to reduce the performance and security footprint of your servers. The operating system itself is minimalist and provides no GUI except for a command prompt, and some basic windows and tools.
All administration on Server Core must be performed via the command prompt, powershell, or remote administration tools (such as Server Manager, or the new Windows Admin Center.
Server Core provides a fantastic foundation for Windows Server Roles (roles that are integrated in the operating system), and can be installed with ease, managed remotely, and managed easily. It’s also nice too because you can allocate less CPU and RAM to virtual machines running Windows Server Core.
Getting started may be a bit tricky as you might need to learn and verse yourself with some commands, powershell, and remote management kung-fu, but overtime it’s easy!
Why WSUS?
I think I can speak for most admins out there when I say that a WSUS deployment typically consists of a single VM, with the WSUS, IIS, and WID roles installed.
WSUS is usually CPU and RAM intensive (when doing synchronizations), requires disk space, and doesn’t do much else. Because of the spikes, we usually keep this VM separate and don’t mix it with other LoBs or roles, with the exception of perhaps a file server.
Whether or not your VM runs WSUS alone, or also as a file server, since both of these roles are “Windows Roles and Features”, they are perfect to deploy on a Windows Server Core install.
There should be little administrative requirement on the WSUS server, other than re-indexing scripts, and cleanup scripts which can easily be ran from the command prompt, and the occasional Windows Update that will be installed.
Because you don’t require any 3rd party software, management consoles, or GUI related elements, it’s perfect for Server Core. By skipping on the GUI and applications, you’ll be able to allocate that memory, for WSUS/IIS itself.
How to Install and Configure WSUS on Windows Server Core
- Install Windows Server 2019 – Server Core
- Configure Network, Join to Domain, Update, etc.
- Open “powershell” (by typing powershell) and Install the WSUS Role with the following command:
Install-WindowsFeature UpdateServices -Restart
- Exit powershell with “exit” and run the post installation task command in command prompt to configure WSUS:
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
- AT THIS POINT DO NOT CONTINUE CONFIGURING WSUS AS YOU MUST APPLY A MEMORY FIX TO IIS.
- Enable Remote IIS Management to manage and modify IIS config (to apply the memory fix below), as provided here: https://www.stephenwagner.com/2019/05/14/manage-remotely-iis-on-windows-server-2019-server-core/
- Apply “Private Memory Limit (KB)” fix as provided here: https://www.stephenwagner.com/2019/05/14/wsus-iis-memory-issue-error-connection-error/
- Install the “Windows Server Update Services” mmc applet which is included in the Windows 10 RSAT tools. Instructions to install the RSAT are provided here: https://www.stephenwagner.com/2018/10/05/windows-10-1809-october-update-rsat/
- Open the WSUS MMC on a server or workstation on the network and connect it to the WSUS instance on your Server Core install.
- Run through the wizard as you would normally and perform an synchronization.
- Modify your GPO to point your servers and workstations towards your WSUS server.
- Enable Windows Update “Features on Demand” and “Turn Windows features on or off” via GPO as provided here:
https://www.stephenwagner.com/2018/10/08/enable-windows-update-features-on-demand-and-turn-windows-features-on-or-off-in-wsus-environments/ - Install the “sqlcmd” command so you can regularly run the WSUS re-index script, as provided here: https://www.stephenwagner.com/2019/05/14/run-wsus-cleanup-index-script-windows-server-core-without-sql-management-studio/
You’re done!
Don’t forget to regularly re-index your WSUS database and perform the routine maintenance!
Tips n Tricks
- Need to view, modify, cut/paste, or delete files and folders? Open up notepad from the command prompt to get a simple GUI where you can do this.
- CTRL + SHIFT + ESC will open a Task Manager to monitor the Server Core install
- You can use “Server Manager” remotely to manage the Server Core install after you’ve enabled it inside of “sconfig”.
[…] For instructions on installing WSUS on Server Core, please click here: https://www.stephenwagner.com/2019/05/15/guide-using-installing-wsus-windows-server-core-2019/ […]
hi when i tey to do the 4th setp
“C:\Program Files\Update Services\Tools\wsusutil.exe” postinstall CONTENT_DIR=C:\WSUS
i get the following error aill you advice
PS C:\Windows\system32> “C:\Program Files\Update Services\Tools\wsusutil.exe” postinstall CONTENT_DIR=C:\WSUS
At line:1 char:55
+ … Program Files\Update Services\Tools\wsusutil.exe” postinstall CONTENT …
+ ~~~~~~~~~~~
Unexpected token ‘postinstall’ in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
PS C:\Windows\system32>
Hi, Stephen.
I used your instructions but used PowerShell from a remote machine. It may help if you have to do it again in the future. 🙂
$WsusServer = “WsusGui”
# Install the WSUS role on the target WSUS server
Install-WindowsFeature -ComputerName $WsusServer -Name UpdateServices -IncludeManagementTools -Restart
# Create the directory for WSUS
Invoke-Command -ComputerName $WsusServer -ScriptBlock { New-Item -Name WSUS -Type Directory -Path C:\ -Force | Out-Null }
# Run the post installation task command to configure WSUS
Invoke-Command -ComputerName $WsusServer -ScriptBlock { Start-Process -FilePath “C:\Program Files\Update Services\Tools\wsusutil.exe” -ArgumentList “postinstall CONTENT_DIR=C:\WSUS” -Wait -NoNewWindow }
# Enable remote IIS management
Install-WindowsFeature -ComputerName $WsusServer -Name Web-Mgmt-Service
# Create a firewall exception (if needed) by running the following command in PowerShell
# !!! Also try this? New-NetFirewallRule -CimSession $WsusServer -Name “IISRemote management” -DisplayName “IISRemote management” -Description “IISRemote management” -Enabled True -Profile Domain -Action Allow -Direction Inbound -Service “WMSVC”
Invoke-Command -ComputerName $WsusServer -ScriptBlock { Start-Process -FilePath C:\Windows\system32\netsh.exe -ArgumentList ‘advfirewall firewall add rule name=”IIS Remote Management” dir=in action=allow service=WMSVC’ }
# Enable remote IIS management in the registry
Invoke-Command -ComputerName $WsusServer -ScriptBlock { New-Item -Path “HKLM:\SOFTWARE\Microsoft\WebManagement\Server” -Name Favorites -ItemType Directory -Force | Out-Null }
Invoke-Command -ComputerName $WsusServer -ScriptBlock { New-ItemProperty -Path “HKLM:\SOFTWARE\Microsoft\WebManagement\Server” -Name “EnableRemoteManagement” -PropertyType DWord -Value “00000001” -Force }
# Configure the Service WMSVC to start automatically and start the service
Get-Service -ComputerName $WsusServer -Name WMSVC | Set-Service -StartupType Automatic
Invoke-Command -ComputerName $WsusServer -ScriptBlock { Start-Service -Name WMSVC }
# Set the Private Memory Limit (KB) for the WSUS Application Pool to 0 (zero) and reset IIS
Invoke-Command -ComputerName $WsusServer -ScriptBlock { Set-WebConfiguration “/system.applicationHost/applicationPools/add[@name=’WsusPool’]/recycling/periodicRestart/@privateMemory” -Value 0 }
Invoke-Command -ComputerName $WsusServer -ScriptBlock { iisreset }
After step 6, I cannot connect using IIS Manager as I continually get “The underlying connection was closed. An unexpected error occurred on a send”
Running [net.servicepointmanager]::securityprotocol on both 2019 server core and my window 10 build 1809 show “Tls, Tls11, Tls12”
This is all well and good but it must be noted that using this with WID means that you also cannot run the WSUS reports section. Because the WSUS MMC is not on Server Core 2019 and WID can only be accessed on the local machine, this simply won’t function.
Hi James,
That’s not correct. Using WSUS on Server Core requires you use the MMC for WSUS on another system. Reporting works just fine.
I use the WSUS MMC on my Windows 10 workstation to manage WSUS on my Server Core instance, and regularly run reports.
Stephen
@Stephen hmm, is there any components required besides the RSAT?
Yes, you’ll need to install the Report viewer runtime. There’s a link for it when you try to open a report if you don’t have it installed.
Make sure you install the applicable version (year), if using the wrong version (year), the reports won’t function.
Hey Stephen,
Thanks for your reply.
You were correct, the right runtime needs to be setup.
For those who would like to know – to setup reporting for Server 2019 + WSUS WID, I used Microsoft Report Viewer 2012 Runtime:
https://www.microsoft.com/en-au/download/details.aspx?id=35747
Which has a pre-requisite of Microsoft System CLR Types for SQL Server 2012 (x64). (link in the “Install Instructions section):
https://www.microsoft.com/en-au/download/confirmation.aspx?id=29065
Hi Stephen,
Nice how-to article (and linked articles), thanks!
You don’t really need to set up Remote IIS Management just to modify the Wsuspool application pool’s “Private Memory Limit”. Use PowerShell instead, for example using the webadministration module:
Set-WebConfiguration "/system.applicationHost/applicationPools/add[@name='WsusPool']/recycling/periodicRestart/@privateMemory" -Value 0
Installing SqlCmd is easy peasy as well:
1. download your architecture version (x86, x64) from https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
2. Make sure Microsoft Visual C++ Redistributable for Visual Studio 2017/2019 is installed: https://visualstudio.microsoft.com/downloads/
3. Install Microsoft ODBC Driver 17 for SQL Server: https://www.microsoft.com/en-us/download/details.aspx?id=56567
4. msiexec /i C:\Users\janreilink\Downloads\MsSqlCmdLnUtils.msi
Now you can use &’C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE’
I need to enable SSL and Code Signing for WSUS. How do I do that in Core?
Hello,
It is possible to run locally the PS command on a local server?
I have the Server 2019 with GUI licensed on a domain, and I wanted to have this server to download all updates for the network computers and servers.
Hi Mario,
I’m not sure I understand what you’re asking.
My question is about setting up a 2019 server with a GUI and the PS command window… Is this setup good for it?
Also I have another question… I need and extra server to run the database SQL Server. What is the best scenario for a network of 2000-2500 devices? Using the WID or a separated SQL server database?
Hi Mario,
What PS command are you asking about? I’m still not understanding what you’re asking.
As for SQL. It would probably help if you used SQL in a deployment that large.
Cheers,
Stephen
Hello Sir!
I am wondering if you could help with a WSUS installation problem I’m having on Server 2019. It happens no matter how I try to install WSUS: GUI or Core. I have tried installing WSUS on a standalone installation (not joined to domain) and also domain joined. These are always brand new fresh installations. I’ve tried each combination above with NOT running windows update after the initial OS installation and also making the OS fully up-to-date. The result is always the same :
Install-WindowsFeature : The request to add or remove features on the specified server failed.
The operation cannot be completed, because the server that you specified requires a restart.
I’ve looked at the google…. nothing has helped. My last hope is :
https://docs.microsoft.com/en-US/troubleshoot/windows-server/deployment/error-install-windows-internal-database
But, when I try to add to the default GPO, NT SERVICE\MSSQL$MICROSOFT##WID to log on as a service, it says that NT SERVICE\MSSQL$MICROSOFT##WID doesn’t exist, and it won’t let me add it.
Any words of wisdom? Thanks for your time !! I’ve been working on this on and off for weeks now!
Hi Cameron,
I’m not sure what’s causing it, but check out this post: https://www.stephenwagner.com/2021/05/12/exchange-cu-pending-reboot-previous-installation/
The post is for exchange, but similar issue. The resolution in the post may help you.
Also, if you didn’t install WID, then account you referenced won’t exist. Also I’m not sure what you’re trying to do with logon as a service, as this post doesn’t instruct you to do that.
Cheers
Stephen
Thank you. I went down the path of Windows admin instead of Unix so I wouldn’t have to memorize a bunch of commands. Never would have guessed Server Core.