Simplified guide to install and configure WSUS | Configuration Manager ManishBangia (2024)

In this post I will walk through how to install and configure WSUS on Windows Server 2022. Windows Server Update Services (WSUS) allows administrators to deploy Microsoft product updates. WSUS administrators manage updates by manually approving the ones that are required, which gives full control over what is deployed and what is not.

Table Of Contents

  1. Benefits of using WSUS
  2. Supported Database for WSUS Server
  3. Install WSUS Server Role
  4. Configure WSUS
    • Configure network connections for WSUS
      • Configure Firewall rules for WSUS
      • Configure Proxy server settings for WSUS
      • Configure Client computers to access WSUS Server
    • Configure WSUS Configuration Wizard
    • Configure Group Policy for WSUS
      • Configure Automatic Updates
      • Specify intranet Microsoft update service location
      • Specify deadlines for automatic updates and restarts
      • Automatic Updates detection frequency
    • Initiate scanning at client side
  5. Verify list of required updates on WSUS Server
  6. Create Server-side targeting
  7. Approve and deploy updates using WSUS
  8. WSUS Reports to check Status

In this step-by-step guide to installing and configuring WSUS, I will start from scratch with the installation and initial configuration, then move on to the other settings and policies required to implement WSUS. I will also demonstrate deploying a few patches to a Windows 10 device and show the results in the built-in WSUS reports.

Benefits of using WSUS

The Windows Server Update Services role can be installed on any Windows Server operating system through the “Windows Server Update Services” server role. The benefits of using the WSUS server role in your environment are:

  • Centralised management of updates

The WSUS console is a one-stop shop for viewing all updates and upgrades, and a single place from which they can be controlled easily.

  • Reporting

WSUS reporting provides in-depth analysis of devices by update status, such as:

Computers with errors
Computers needing updates
Computers installed/not applicable
Computers with no status

  • WSUS is free

WSUS comes as part of the Windows Server roles, so you don’t have to pay for the service, unlike SCCM / Configuration Manager or Intune, where you pay a licensing cost for the subscription.

  • Bandwidth

One of the major benefits of using WSUS is saving bandwidth. Only the WSUS server downloads updates from the Microsoft Update website and stores them locally. Devices get their updates from the WSUS server and never reach Microsoft Update if the policies are configured properly, which I will show you momentarily.

  • Testing – phased rollout

WSUS servers can be used to test patches on a few devices first and check the results before rolling them out to all devices in your environment.

  • Usage of WSUS Upstream server

You can have multiple WSUS servers located in different regions. One WSUS server can be configured to get its update information from another WSUS server through the Upstream Server setting.

Supported Database for WSUS Server

The following databases are supported for use with WSUS:

  1. Full SQL – A full-fledged SQL Server database, which is a paid version.
  2. SQL Express – A light version of SQL Server which can be installed for free.
  3. WID – Also known as Windows Internal Database, which gets installed automatically as part of the WSUS configuration. This is the most recommended database option for a WSUS installation.

Install WSUS Server Role

WSUS role can be deployed on any Windows Server Operating System. I will be proceeding the installation of Windows Server 2022 server on . It is recommended to have 2 different partitions:

  • C drive: for Operating System
  • D drive: d:\WSUS for downloading the patches from Microsoft

The server name is WSUS01 which is a member server joined to a domain.

Log in to the server and launch Server Manager (Windows + R, then type “servermanager”).

Click on Manage > Add Roles and Features.

On the Before you begin page, click Next.

On the Installation Type page, choose Role-based or feature-based installation and click Next.

On the Server Selection page, choose Select a server from the server pool, make sure your server is selected, and click Next.

On the Server Roles page, select the Windows Server Update Services role and click Next.

WSUS requires some additional components, which are selected automatically. Click on Add Features; the following components will be selected:

  • .NET Framework 4.8 Features
    • ASP.NET 4.8
    • WCF Services
      • HTTP Activation
  • Remote Server Administration Tools
    • Role Administration Tools
      • Windows Server Update Services Tools
        • API and PowerShell cmdlets
        • [Tools] User Interface Management Console
  • Web Server (IIS)
    • Management Tools
      • IIS 6 Management Compatibility
        • IIS 6 Metabase Compatibility
      • [Tools] IIS Management Console
    • Web Server
      • Application Development
        • ASP.NET 4.8
        • ISAPI Extensions
        • ISAPI Filters
        • .NET Extensibility 4.8
      • Common HTTP Features
        • Default Document
        • Static Content
      • Performance
        • Dynamic Content Compression
      • Security
        • Request Filtering
        • Windows Authentication
  • Windows Internal Database
  • Windows Process Activation Service
    • Configuration APIs
    • Process Model

Once the Windows Server Update Services role has been selected, click Next.

On the Features page, keep the defaults, as the required options were already selected on the Server Roles page, and click Next.

On the WSUS page, click Next.

On the Role Services page, we will go with the default options:

  • WID Connectivity (Required): This is the Windows Internal Database, which will be installed to serve the update information.
  • WSUS Services (Required): This installs the various services used by WSUS.
  • SQL Server Connectivity: We are not going to select this option, as we are relying solely on the WID database. Select it if you are planning to use SQL Express or the full SQL Server version.

Windows Internal Database (WID) components will be created under c:\Windows\WID\Data with the names SUSDB.mdf and SUSDB_log.ldf, along with other supporting files.

On the Content page, provide the path where updates will be stored:
D:\WSUS

Providing the path makes sure that updates are downloaded from Microsoft Update to the d:\WSUS location when we approve them. Patches are not downloaded until the updates are approved.

On the Web Server Role (IIS) page, click Next.
The Web Server role, i.e. IIS, is the backbone for processing all requests from the clients to the WSUS Server.

On the Role Services page, we will go with the default options, as Web Server and the other options were already selected when we selected the Windows Server Update Services role. Click Next.

On the Confirmation page, verify the settings and click on Install to start the installation of the WSUS Server.

Allow a couple of minutes for the selected roles and features to be installed for WSUS.

Once the installation is done, you will see the message Configuration required. Installation succeeded.

We are done with the installation, but the configuration of the WSUS Server is still pending.

Configure WSUS

Our installation of the Windows Server Update Services (WSUS) server role is done. Now we need to configure it. Several configurations are required on the WSUS Server side, the network side and the client side, the last of these in the form of Group Policy settings.

Configure network connections for WSUS

If the WSUS Server has no internet connectivity, it can still be used to download patches from another WSUS server which has internet connectivity. This can be done with the upstream server configuration, or by exporting the updates from one server and importing them into another WSUS Server.

Configure Firewall rules for WSUS

WSUS Server uses ports 80 and 443 with HTTP and HTTPS protocols to download the updates from Microsoft update. Make sure to have outbound access to ports 80 and 443 for following Microsoft links:

  • http://windowsupdate.microsoft.com
  • http://*.windowsupdate.microsoft.com
  • https://*.windowsupdate.microsoft.com
  • http://*.update.microsoft.com
  • https://*.update.microsoft.com
  • http://*.windowsupdate.com
  • http://download.windowsupdate.com
  • https://download.microsoft.com
  • http://*.download.windowsupdate.com
  • http://wustat.windows.com
  • http://ntservicepack.microsoft.com
  • http://go.microsoft.com
  • http://dl.delivery.mp.microsoft.com
  • https://dl.delivery.mp.microsoft.com

Configure Proxy server settings for WSUS

If proxy servers are used in the environment, we need to configure them to allow the HTTP and HTTPS protocol channels. We can use a separate proxy server for each protocol channel if we want.

To configure the proxy server, open a command prompt, navigate to C:\Program Files\Update Services\Tools and run the command:

WsusUtil.exe ConfigureSSLproxy <proxy_server> <proxy_port> -enable

Where proxy_server is the proxy server name
and proxy_port is the port number, such as 80, 443 etc.

Configure Client computers to access WSUS Server

To get client computers connected to the WSUS Server, make sure to have outbound access to the two default ports which the WSUS Server uses, i.e. ports 8530 and 8531.

Configure WSUS Configuration Wizard

Navigate to Server Manager > Tools > Windows Server Update Services.

You will get the Complete WSUS Installation prompt, which asks you to confirm that you want to store updates locally in the content directory path we selected during the WSUS installation. Click on Run.

Once done, you will see 2 folders created under the content directory path of the WSUS Server:

UpdateServicesPackages
WSUSContent

You will be presented with the Windows Server Update Services Configuration Wizard. On the Before You Begin page, click Next.

On the Microsoft Update Improvement Program page, uncheck the box if you don’t want to join the Microsoft Update Improvement Program.

On the Choose Upstream Server page, go with the option Synchronize from Microsoft Update. The other option, “Synchronize from another Windows Server Update Services server”, is for when you would like to get updates from another server rather than from Microsoft Update.

On the Specify Proxy Server page, you can specify the proxy details. As this is my lab with no proxy configured, I clicked on Next.

On the Download update information from Microsoft Update page, click on Start Connecting to check and verify the connection.

This process may take quite a while to verify and connect online. Once done, you can click on Next.

On the Choose Languages page, you have the option to download updates in multiple languages. I am going with the default language, i.e. English, by selecting Download updates only in these languages > English. Click Next.

On the Choose Products page, select only those products for which you want to deploy patches. I have selected “Windows 10, version 1903 and later”. Click Next.

On the Choose Classifications page, we have several options to select:

  • Critical Updates – A broadly released fix for a specific problem addressing a critical, non-security-related bug.
  • Definition Updates – Used to detect objects with specific attributes.
  • Driver Sets – A package of software modules that is designed to support the hardware of a specific model of computing device.
  • Drivers – A software component necessary to control or regulate another device.
  • Feature Packs – New product functionality that is first distributed outside the context of a product release, and usually included in the next full product release.
  • Security Updates – A broadly released fix for a product-specific security-related vulnerability.
  • Service Packs – A tested, cumulative set of all hotfixes, security updates, critical updates and updates, as well as additional fixes for problems found internally since the release of the product.
  • Tools – A utility or feature that aids in accomplishing a task or set of tasks.
  • Update Rollups – A tested, cumulative set of hotfixes, security updates, critical updates, and updates packaged together for easy deployment.
  • Updates – A broadly released fix for a specific problem addressing a noncritical, non-security-related bug.
  • Upgrades – A new product release bringing a device to the next version, containing bug fixes, design changes and new features. This is also known as a Feature Update.

On the Configure Sync Schedule page, you can select either Synchronize manually or Synchronize automatically, which runs at the specified time on a recurring basis. I have gone with the Synchronize manually option. Click Next.

On the Finished page, select Begin initial synchronization to start the process and click on Next.

The process will launch the Update Services console. Expand it and select the server name. In the right pane we can see the Synchronization Status; it will take a while, as this is the very first sync.

Connection information for WSUS, along with the port and the Server version 10.0.20348.143, can also be verified.

Once the synchronization is completed, verify it under Synchronizations.

If you want to change the Products and Classifications which we selected previously, navigate to Options and make the appropriate adjustments there.
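
The role installation and the configuration wizard above, scripted with the UpdateServices PowerShell module, as an added example that is not part of the original post. The content path, language and product are the ones chosen above; the two classifications are an assumption, since the post does not say which ones were ticked.

```powershell
# Added example: scripted equivalent of the Add Roles wizard and the WSUS Configuration Wizard.
# Run in an elevated PowerShell session on the WSUS server.

$ContentDir      = 'D:\WSUS'                               # content path from the Content page
$Product         = 'Windows 10, version 1903 and later'    # product selected in the wizard
$Classifications = 'Critical Updates', 'Security Updates'  # assumption: not stated in the post

# 1. Install the role with its defaults (WID database, WSUS services) and the management tools.
$feature = Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
if (-not $feature.Success) { throw 'WSUS role installation failed.' }

# 2. Post-install step (the "Complete WSUS Installation" prompt): bind the content directory.
New-Item -ItemType Directory -Path $ContentDir -Force | Out-Null
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
& $wsusUtil postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "WsusUtil postinstall exited with code $LASTEXITCODE." }

# 3. Upstream server: synchronize from Microsoft Update, English updates only.
$wsus = Get-WsusServer
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU | Out-Null

$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# 4. A category-only sync fetches the product and classification lists
#    (the wizard's "Start Connecting" step). Poll until it has finished.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
do {
    Start-Sleep -Seconds 15
} while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# 5. Disable everything, then enable only the chosen product and classifications.
Get-WsusProduct -UpdateServer $wsus | Set-WsusProduct -Disable
$selected = Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -eq $Product }
if (-not $selected) { throw "Product '$Product' was not found in the synchronized catalog." }
$selected | Set-WsusProduct

Get-WsusClassification -UpdateServer $wsus | Set-WsusClassification -Disable
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in $Classifications } |
    Set-WsusClassification

# 6. Manual sync schedule, then start the initial synchronization.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $false
$subscription.Save()
$subscription.StartSynchronization()
```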

We can now see the available updates, which are categorized as:

  • All Updates
  • Critical Updates
  • Security Updates
  • WSUS Updates

There are 598 updates available (which are not yet downloaded); however, none of them is applicable to any device yet.

The reason is that devices are not yet using the WSUS server to get patches. Let’s do that.

Configure Group Policy for WSUS

We need to point the clients / endpoints to WSUS to get their updates. This can be done through Group Policy. Navigate to the domain controller and launch Group Policy Management (gpmc.msc).

Create a new Group Policy and edit it.

Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Configure Automatic Updates

This setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage End user experience.

Enable the Configure Automatic Updates option. The following options are available under Configure automatic updating:

2 – Notify for download and auto install
3 – Auto download and notify for install
4 – Auto download and schedule the install
5 – Allow local admin to choose setting
7 – Auto Download, Notify to install, Notify to Restart

We can choose to install updates during a maintenance window, scheduled for a specific date and time.

We can also force patches to be evaluated every week, in the first week of the month and so on.

Many combinations can be specified, depending on the organization's needs.

Specify intranet Microsoft update service location

This is the setting which will point the Clients to use WSUS server rather than going to Microsoft Update directly.

This setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service.

Set the intranet update service for detecting updates: http://WSUS01.MANBAN.COM:8530
Set the intranet statistics server: http://WSUS01.MANBAN.COM:8530

Specify deadlines for automatic updates and restarts

This setting provides extra control over restarting the PC, as a deadline and a grace period can be specified. The deadline is when the updates are going to install. The grace period provides additional days to restart the device once the deadline has passed.

This is an optional but very useful setting. This policy overrides the Configure Automatic Updates setting, so see which policy suits you better.

This setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage End user experience

Enable the option for specifying deadlines. You can specify the Deadline and Grace period separately for Quality Updates and Feature Updates.

Automatic Updates detection frequency

This setting controls how frequently the client checks the WSUS server for updates. The client uses the Windows Update agent to contact the WSUS server every 22 hours. With this setting you can specify an interval ranging from 1 to 22 hours.

This setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

Initiate scanning at client side

Our Group Policy is ready. Once the client receives the GPO (you can force it by running gpupdate /force), verify that the policy is applied correctly by launching rsop.msc from the Run dialog (Windows + R).

We can see policy applied correctly.
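
An added example (not from the original post) that checks on a client the registry values these policy settings write, as a scripted alternative to reading rsop.msc. It also reports a WSUS URL that is not HTTPS, which is the case for the http://WSUS01.MANBAN.COM:8530 address used in this guide; the AUOptions and DetectionFrequency values in the constructed sample are assumptions.

```powershell
# Added example: audit the Windows Update policy values a client received from the GPO.
# The value names are the standard ones written by the Windows Update policy settings.

function Get-WsusClientPolicy {
    # Merge the WindowsUpdate policy key and its AU subkey into one hashtable.
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = @{}
    foreach ($key in $base, "$base\AU") {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $policy[$_.Name] = $_.Value }
        }
    }
    $policy
}

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [hashtable] $Policy,
        [Parameter(Mandatory)] [string] $ExpectedHost
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Without UseWUServer = 1 the client ignores the intranet update service location.
    if ($Policy['UseWUServer'] -ne 1) {
        $findings.Add('UseWUServer is not 1, so the client does not use the WSUS server.')
    }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $uri = $null
        if (-not [uri]::TryCreate([string]$Policy[$name], [UriKind]::Absolute, [ref]$uri)) {
            $findings.Add("$name is missing or is not an absolute URL.")
            continue
        }
        if ($uri.Host -ne $ExpectedHost) {
            $findings.Add("$name points at '$($uri.Host)', expected '$ExpectedHost'.")
        }
        if ($uri.Scheme -ne 'https') {
            $findings.Add("$name uses $($uri.Scheme) on port $($uri.Port), so update metadata is not protected by TLS.")
        }
    }

    # The option numbers listed under "Configure automatic updating".
    if ($Policy.ContainsKey('AUOptions') -and ($Policy['AUOptions'] -notin 2, 3, 4, 5, 7)) {
        $findings.Add("AUOptions has the unexpected value $($Policy['AUOptions']).")
    }

    # Detection frequency is only honoured when enabled, and must be 1 to 22 hours.
    if ($Policy['DetectionFrequencyEnabled'] -eq 1) {
        $hours = $Policy['DetectionFrequency']
        if ($hours -lt 1 -or $hours -gt 22) {
            $findings.Add("DetectionFrequency '$hours' is outside the 1 to 22 hour range.")
        }
    }

    $findings.ToArray()
}

# Constructed sample: the values a client would hold after applying this guide's GPO.
$sample = @{
    UseWUServer               = 1
    WUServer                  = 'http://WSUS01.MANBAN.COM:8530'
    WUStatusServer            = 'http://WSUS01.MANBAN.COM:8530'
    AUOptions                 = 4     # assumed choice
    DetectionFrequencyEnabled = 1
    DetectionFrequency        = 22    # assumed choice
}
Test-WsusClientPolicy -Policy $sample -ExpectedHost 'WSUS01.MANBAN.COM'

# On a live client:
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedHost 'WSUS01.MANBAN.COM'
```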

The client will scan within the next 22 hours and report back to the WSUS Server which patches are required.

You can force this immediately by running the following 2 commands in a command prompt:

Wuauclt /detectnow : To detect the required updates

Wuauclt /reportnow : To report the results back to the WSUS Server

Verify list of required updates on WSUS Server

It will take a couple of minutes for clients to report back with the required patches after we run the wuauclt commands manually.

Log in to the WSUS Server. Under Update Services > WSUS01 > Updates, we can see All Updates showing that 13 updates are required, where it previously showed 0.

To drill down further, click on Computers. We can see the Computers needing updates count is 1. This is our Windows 10 device, which has reported the updates required for that specific device.

We can also see this device listed under Unassigned Computers, which means updates are required but are not yet assigned to it.

Double-click it to see the list of required updates. You might see the error “Feature Unavailable” because Microsoft Report Viewer 2012 Redistributable and Microsoft System CLR Types for SQL Server 2012 are not installed. Install both of these components.

When we double-click the device this time, we can see the report listing all required updates, in the Not approved and Not installed state.

Create Server-side targeting

We will now set up server-side targeting, which means creating a group and adding 1 device to it. This makes it easy to create multiple groups and approve / target updates based on our requirements.

Navigate to Update Services > WSUS01 > Computers > All Computers, right-click and select Add Computer Group, and provide an appropriate name such as PilotDevice.

The group is now created under All Computers. Select the device, right-click and select Change Membership. Select PilotDevice to add the Windows 10 device to this specific group.

Approve and deploy updates using WSUS

We have the required updates, and the group is created. Let’s approve the required updates for the device. Navigate to Updates > All Updates. This lists all required updates with the Status showing as Needed. We can change the filters to see installed, failed or needed, no status etc.

Select all updates, right-click and Approve the updates.

You will be prompted to select a Computer Group; the options include All Computers and Unassigned Computers. Select the PilotDevice computer group which we created previously.

Select Approved for Install for the PilotDevice computer group.

Click on OK. The updates will download under d:\WSUS\WsusContent.

On the Windows 10 device, either wait for the next detection cycle, i.e. 22 hours, or run “wuauclt /detectnow” & “wuauclt /reportnow”.

We can see the patch installation has started; this can be verified by going to Start > Settings > Update & security.

Once the patch is installed, you will see a Windows toast notification in the taskbar saying “Your organization requires your device to restart in 7 days”.
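
The server-side targeting and approval steps above, scripted with the UpdateServices PowerShell module, as an added example that is not part of the original post. The computer name is a placeholder, and skipping superseded updates is an addition to the post's "select all updates" step.

```powershell
#requires -Modules UpdateServices
# Added example: create the pilot group, add one device, approve its needed updates for that group only.

function Approve-NeededUpdatesForGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # name as shown in the WSUS console
        [string] $GroupName = 'PilotDevice'              # group name used in this guide
    )

    $wsus = Get-WsusServer   # the local WSUS server

    # Create the computer group only if it does not exist yet.
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group -and $PSCmdlet.ShouldProcess($GroupName, 'Create computer group')) {
        $null = $wsus.CreateComputerTargetGroup($GroupName)
    }

    # Get-WsusComputer emits a plain string when nothing matches, so keep real objects only.
    $computers = @(Get-WsusComputer -UpdateServer $wsus -NameIncludes $ComputerName |
        Where-Object { $_ -isnot [string] })
    if ($computers.Count -ne 1) {
        throw "Expected exactly one computer matching '$ComputerName', found $($computers.Count)."
    }
    if ($PSCmdlet.ShouldProcess($ComputerName, "Add to group $GroupName")) {
        $computers | Add-WsusComputer -TargetGroupName $GroupName
    }

    # Updates that are needed and not yet approved; superseded ones are skipped.
    $updates = @(Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Needed |
        Where-Object { -not $_.Update.IsSuperseded })

    # Approve for the pilot group only, never for All Computers.
    foreach ($update in $updates) {
        if ($PSCmdlet.ShouldProcess($update.Update.Title, "Approve for install to $GroupName")) {
            Approve-WsusUpdate -Update $update -Action Install -TargetGroupName $GroupName
        }
    }

    # Return the titles that were considered, for the change record.
    $updates | ForEach-Object { $_.Update.Title }
}

# Dry run first; 'WIN10-PILOT' is a placeholder computer name.
# Approve-NeededUpdatesForGroup -ComputerName 'WIN10-PILOT' -WhatIf
```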

WSUS Reports to check Status

There are numerous reports available for WSUS installation status. Navigate to Update Services > Reports, where we have Update Reports and Computer Reports.

Update Reports

  • Update Status Summary
  • Update Detailed Status
  • Update Tabular Status
  • Update Tabular Status for Approved Updates

Computer Reports

  • Computer Status Summary
  • Computer Detailed Status
  • Computer Tabular Status
  • Computer Tabular Status for Approved Updates

Let’s explore the Computer Report – Computer Detailed Status. Click on it to launch the report viewer.

Select “Include Computers from these groups” as PilotDevice

Include Computers that have a status of: any

Click on Run Report.

We will be able to see the Update Detailed Status Report for a specific device with Approval and Status.

In the same way we can explore many other reports to get insight into patching status.

Frequently asked questions

How to check health of WSUS Server

One of the main concerns with a WSUS Server is that it should be up and running and in a healthy state. Open a command prompt and navigate to c:\Program Files\Update Services\Tools. Run the command:

Wsusutil checkhealth

This will generate event log entries. Open Event Viewer and navigate to Windows Logs > Application. You will see the result “WSUS is working correctly” if the WSUS health is OK.

How to migrate database from WID to SQL

The Windows Internal Database can be migrated to SQL. For this you need to:

  • Stop the update services (stop-service WsusService)
  • Stop the IIS Admin service (stop-service IISADMIN)
  • Detach SUSDB and attach it in SQL Server

How to move WSUS Content to new location

Use the following command if you want to move the WSUS content to a new location:

Wsusutil movecontent e:\NewFolder c:\movecontentlog.log -skipcopy

What to do when WSUS content is deleted or missing / corrupted

Use the following command if WSUS content is deleted, missing or corrupted:

Wsusutil reset

This will check the metadata rows in the database and, if content is missing or corrupted, will download the content again.

How to take backup of WSUS

  1. Detach SUSDB and copy it to a safe location.
  2. Copy the content from d:\wsus, the location which is used to store the WSUS content.

Important Links

Get started with Windows Server Update Services (WSUS) | Microsoft Docs

Deploy Windows Server Update Services | Microsoft Docs

Configure WSUS | Microsoft Docs
