Automating a Disconnected WSUS
Welcome to Part 1 of setting up Windows Server Update Services (WSUS) for environments without internet connectivity. Today we focus on deploying an internet-connected WSUS server (the Exporter) from a Windows Server 2022 AMI with AWS CloudFormation. The Exporter downloads updates that are later exported to a second WSUS server (the Importer) that lives on an internet-disconnected network.
The Objective
The goal is to automate the download of Microsoft's monthly updates on the Exporter and to keep the EC2 instance running only while that work is in progress. The Exporter connects to the internet to synchronize and download updates, which we later transfer to the disconnected Importer on physical media.
Step 1: Define the CloudFormation Template
We begin by defining our AWS CloudFormation template. This YAML template provisions a Windows Server 2022 instance and installs the WSUS role on first boot through UserData.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy Windows Server 2022 with WSUS Role
Resources:
  WSUSInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.large
      ImageId: ami-12345678 # Example AMI ID for Windows Server 2022; replace with one valid in your region
      KeyName: your-key-pair
      # Security group *names* only work in the default VPC; in any other VPC set
      # SubnetId and use SecurityGroupIds instead.
      SecurityGroups: [your-security-group]
      UserData:
        Fn::Base64: |
          <powershell>
          # Runs once at first boot via EC2Launch. Installs the WSUS role (with the
          # Windows Internal Database) and the management tools; post-install
          # configuration still has to be done afterwards (Step 3).
          Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
          </powershell>
Outputs:
  InstanceId:
    Description: The Instance ID of the WSUS Server
    Value: !Ref WSUSInstance
```
Explanation:
- InstanceType: `t2.large` is chosen for demonstration; adjust it to your needs.
- ImageId: Replace `ami-12345678` with the actual AMI ID for Windows Server 2022 in your AWS region. Hardcoded AMI IDs go stale; a template parameter of type `AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>` that defaults to the public parameter `/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base` resolves the current image at deploy time.
- KeyName and SecurityGroups: The key pair decrypts the Administrator password. The security group should allow outbound HTTP and HTTPS (TCP 80/443) so WSUS can reach Microsoft Update, and inbound RDP (TCP 3389) only from known addresses; better still, attach an instance profile with the `AmazonSSMManagedInstanceCore` policy and manage the server through Session Manager without opening RDP at all.
- UserData: PowerShell that installs the WSUS role on first boot. Installing the role is not the same as configuring it; the WSUS post-installation step runs in Step 3.
Step 2: Deploy the Template
Deploy the template via the AWS Management Console, the AWS CLI, or an SDK, into a subnet that has a route to the internet (the Exporter must reach Microsoft Update). Once the stack reaches CREATE_COMPLETE, read the Outputs section of your CloudFormation stack to obtain the Instance ID of your newly deployed WSUS server.
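The deployment from the command line, as an added example that is not part of the original post. It drives the AWS CLI from PowerShell, reads the `InstanceId` output the template declares, and shows the stop step that keeps the instance running only while it is needed. The file name `wsus-exporter.yaml` and the stack name `wsus-exporter` are assumptions.

```powershell
# Added example (not from the original post). Assumes the AWS CLI v2 is installed and
# credentials are configured, the template is saved as .\wsus-exporter.yaml and the
# stack is called wsus-exporter; both names are arbitrary.
$StackName = 'wsus-exporter'

# Create or update the stack. No --capabilities flag is needed: the template declares
# no IAM resources.
aws cloudformation deploy --template-file .\wsus-exporter.yaml --stack-name $StackName
if ($LASTEXITCODE -ne 0) { throw "Stack deployment failed (exit code $LASTEXITCODE)" }

# Read the InstanceId output from the stack rather than guessing it from the console.
$InstanceId = aws cloudformation describe-stacks --stack-name $StackName `
    --query "Stacks[0].Outputs[?OutputKey=='InstanceId'].OutputValue" --output text
if (-not $InstanceId) { throw "Stack $StackName has no InstanceId output" }
"Exporter instance: $InstanceId"

# After a monthly download/export cycle has finished, stop (do not terminate) the instance:
# the WSUS database and downloaded content stay on its EBS root volume, and a stopped
# instance is neither billed for compute nor reachable from the internet.
aws ec2 stop-instances --instance-ids $InstanceId | Out-Null
aws ec2 wait instance-stopped --instance-ids $InstanceId
"Exporter $InstanceId is stopped; start it with 'aws ec2 start-instances' before the next cycle."
```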
Step 3: Initial Configuration
Once deployed, connect to the server (RDP, or a Session Manager session if you attached an instance profile with the `AmazonSSMManagedInstanceCore` policy) to perform the initial WSUS setup. The role installed from UserData is not usable yet: the WSUS post-installation step must run first to create the database (the Windows Internal Database by default) and the content directory. Then select the products, classifications and languages your environment needs, configure the server to store update files locally rather than on Microsoft Update (the Importer has no way to fetch them), and run a first synchronization. Be deliberate with the selection: everything synchronized here is what you will later carry across on physical media.
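The initial configuration as one script, added here as an example and not code from the original post. It runs the post-install, points the server at Microsoft Update, forces update files to be stored locally, narrows the subscription, and synchronizes twice (once to refresh the catalog, once to download). The content directory `D:\WSUS`, the product list and the classification list are assumptions; change them to match your environment.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the Exporter.
# Assumptions: the UpdateServices role is installed with the Windows Internal Database,
# content is stored under D:\WSUS, and only English updates for the products and
# classifications below are wanted. All three are placeholders for your own choices.
$ContentDir            = 'D:\WSUS'
$WantedProducts        = @('Windows Server 2022')
$WantedClassifications = @('Critical Updates', 'Security Updates', 'Update Rollups', 'Updates')

function Wait-WsusSynchronization {
    # Blocks until the running synchronization finishes and returns its result
    # (Succeeded, Failed, Canceled, ...). Polling is the only interface the API offers.
    param([Parameter(Mandatory)] $Subscription, [int] $PollSeconds = 30)
    do { Start-Sleep -Seconds $PollSeconds } while ($Subscription.GetSynchronizationStatus() -ne 'NotProcessing')
    return $Subscription.GetLastSynchronizationInfo().Result
}

# 1. Post-installation. Install-WindowsFeature only lays down the binaries; this creates the
#    database and content directory, the same task Server Manager offers as "post-deployment".
New-Item -ItemType Directory -Path $ContentDir -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "WsusUtil postinstall failed (exit code $LASTEXITCODE)" }

# 2. Upstream is Microsoft Update; the Exporter is in turn the upstream for the Importer.
Set-WsusServerSynchronization -SyncFromMicrosoftUpdate

# 3. Keep update files on this server. The Importer has no route to Microsoft, so anything
#    left "hosted on Microsoft Update" would arrive as metadata without content.
$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()
$config.HostBinariesOnMicrosoftUpdate  = $false
$config.DownloadUpdateBinariesAsNeeded = $false  # download at sync time; $true would download only on approval
$config.DownloadExpressPackages        = $false  # express files multiply the size of the export
$config.AllUpdateLanguagesEnabled      = $false
$languages = New-Object System.Collections.Specialized.StringCollection
$languages.Add('en') | Out-Null
$config.SetEnabledUpdateLanguages($languages)
$config.Save()

# 4. First synchronization: refreshes the product and classification catalog, so select
#    products only after it has completed.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()
$result = Wait-WsusSynchronization -Subscription $subscription
if ($result -ne 'Succeeded') { throw "Catalog synchronization ended with result: $result" }

# 5. Narrow the subscription. Everything not listed is disabled explicitly, because the
#    defaults enable products you will otherwise carry across on physical media for nothing.
Get-WsusProduct | Where-Object { $_.Product.Title -in $WantedProducts }    | Set-WsusProduct
Get-WsusProduct | Where-Object { $_.Product.Title -notin $WantedProducts } | Set-WsusProduct -Disable
Get-WsusClassification | Where-Object { $_.Classification.Title -in $WantedClassifications }    | Set-WsusClassification
Get-WsusClassification | Where-Object { $_.Classification.Title -notin $WantedClassifications } | Set-WsusClassification -Disable

# 6. Full synchronization: downloads the metadata and, with the settings above, the files.
$subscription.StartSynchronization()
$result = Wait-WsusSynchronization -Subscription $subscription
if ($result -ne 'Succeeded') { throw "Update synchronization ended with result: $result" }

# Report the content size so you can size the media for the transfer to the Importer.
$bytes = (Get-ChildItem -Path $ContentDir -Recurse -File | Measure-Object -Property Length -Sum).Sum
"Synchronization succeeded; {0:N1} GB of update content under {1}" -f ($bytes / 1GB), $ContentDir
```

The `DownloadUpdateBinariesAsNeeded` setting is the one to think about: with `$false` every matching update is downloaded at sync time, which is simplest for an export but costs disk; with `$true` (the default) files arrive only for updates you approve, so you would have to approve on the Exporter before each export. The Importer must use the same products, classifications and languages, otherwise the metadata you import will reference content it never receives.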
Conclusion
You now have an internet-connected WSUS server that synchronizes with Microsoft Update and keeps the update files locally, ready to be exported. In Part 2, we'll cover how to export these updates to S3 using a simple PowerShell script.