Posts tagged WSUS

WSUS – Configure SSL with external name.

Installing and configuring WSUS is a task I have done time and time again, but only a few of those installations have involved configuring SSL for WSUS. I was given a task to set up WSUS for multiple customers within our datacenter and outside our datacenter, so using a certificate and SSL was needed. After following Microsoft’s article on Securing WSUS with SSL and adding the appropriate DNS records, I fired up the WSUS management console and could not connect to the server on port 443 as configured in IIS.

The server responded to ping using the FQDN I had assigned to it, so no problem there. It just didn’t seem to accept the FQDN, so I remembered a registry setting I used during migrations to provide aliases to servers. The registry value should be located here; if it is not there, just create it.

HKLM\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0

Name: BackConnectionHostNames

Type: REG_MULTI_SZ

Value(s): Add the FQDN you want it to listen to, e.g. server.domain.com, one line for each entry if you wish to have more than one.

After adding the FQDN and performing an IISRESET from an elevated command prompt I could establish a connection to the WSUS server using the FQDN and desired port.
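The same registry change can be scripted. The following is an added example, not code from the original post: the function name Add-BackConnectionHostName is hypothetical, and it merges new names into the existing REG_MULTI_SZ list instead of overwriting it, so aliases already registered on the server are kept.

```powershell
#Requires -RunAsAdministrator
# Added example: append host names to BackConnectionHostNames without
# overwriting entries that are already present.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only accept dotted DNS names (letters, digits, hyphens).
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$')]
        [string[]]$HostName
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name = 'BackConnectionHostNames'

    # Read the current list; the value may not exist yet, so drop empty results.
    $current = @((Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name |
        Where-Object { $_ })

    # Sort-Object -Unique compares case-insensitively, so re-running the
    # script with the same name does not create duplicate lines.
    $merged = @($current + $HostName | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($key, "Set $name to: $($merged -join ', ')")) {
        # -Force creates the value or replaces it; MultiString = REG_MULTI_SZ.
        New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
            -Value $merged -Force | Out-Null
    }

    # Return the resulting list so it can be reviewed or logged.
    $merged
}

# 'server.domain.com' is the sample name from the post; use the FQDN on the certificate.
Add-BackConnectionHostName -HostName 'server.domain.com'

# Restart IIS so the new name takes effect, as the post does with IISRESET.
iisreset
```

Running the function with -WhatIf shows the list that would be written without changing the registry.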


Manage test and production groups in WSUS from powershell with PoshWSUS

I have always found the WSUS interface lacking in functionality for handling multiple server groups with test and production environments, and this is where PoshWSUS comes in really handy.

I will show you the basics of how to manage test and production groups and verify patch assignment.

You can find the PoshWSUS module here

Loading the module and connecting to your WSUS server

Select the group for your test environment that already has the latest patches assigned and deployed, and where patch functionality is verified

Get all the patches from your test environment and assign them to your production group

When the script is done running you will have an output list of all the patches assigned to the production group.

Let's verify that the production environment has the same patches applied as the test environment, and list missing patches if any are found

If no patches are returned, then the patches assigned to your test environment now match those assigned to your production environment


How to fully automate installation of Microsoft Forefront Security for SCCM with WSUS update in powershell

I made a script that automates the installation of Microsoft Forefront Security, adds the computer name to the AD group for Forefront, and then updates the WSUS server with the computer name and assigns it to the right groups. There are ways to automatically assign clients to the right WSUS server through WSUS itself, and then this installation script might come in handy.

Files placed on the installation package:

  • install.ps1
  • Forefront Client Security installation package
  • password.txt

Files placed on the WSUS server directory C:ScriptWsus:

  • wsus.ps1
  • addtowsus.ps1

For this to work we need to execute commands on remote servers such as the DC and the WSUS server, and therefore PSRemoting must be enabled on these servers.

Enabling PSRemoting does the following:

  • Starts the WinRM service.
  • Sets the startup type on the WinRM service to Automatic.
  • Creates a listener to accept requests on any IP address.
  • Enables a firewall exception for WS-Management communications.


WSUS – Force the client to register itself

I was working on an installation script for Forefront Client Security and needed the computer to show up in the WSUS server immediately, so that the script could assign the computer to different groups, and I found a command to do just that.

wuauclt /resetauthorization /detectnow

Computer is now registered in WSUS and shows up immediately.
