Uncontrolled Windows updates cause downtime, compatibility breaks, and security gaps. Windows Server Update Services (WSUS) gives you centralised control: you decide which updates are approved, when they install, and which machines receive them. This guide covers a complete WSUS deployment from installation to client configuration.
Why Use WSUS?
Without WSUS, every Windows machine in your organisation downloads updates directly from Microsoft Update servers — consuming internet bandwidth and providing no admin visibility or control. WSUS downloads updates once to your server, distributes them internally, and gives you an approval workflow so you can test patches before they reach production systems.
Prerequisites
- Windows Server 2019 or 2022/2025 with at least 10 GB free on the system drive and a separate volume for the WSUS content store (plan for 30-100 GB depending on products synchronised)
- SQL Server or Windows Internal Database (WID) — WID is sufficient for most environments under 500 clients
- Outbound access on port 443 to windowsupdate.microsoft.com and related Microsoft endpoints
Installing WSUS
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
After installation, run the post-installation configuration to specify the content store location:
& "C:\Program Files\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=D:\WSUS
Replace D:\WSUS with your chosen content directory on a volume with sufficient space.
Initial WSUS Configuration
Open Windows Server Update Services from Server Manager > Tools. The configuration wizard launches on first open:
- Upstream server: Synchronise from Microsoft Update (or from an upstream WSUS if you have a hierarchy)
- Proxy settings: Configure if your environment routes traffic through a proxy
- Languages: Select only the languages you need — English only significantly reduces storage requirements
- Products: Choose the Windows and Office versions in your environment. Avoid selecting products you don't use — each one adds gigabytes of downloads
- Classifications: At minimum select Critical Updates, Security Updates, and Service Packs. Add Definition Updates only if you don't have a dedicated antivirus update mechanism
- Sync schedule: Set daily automatic synchronisation, e.g., 03:00 when network load is low
Computer Groups
WSUS uses computer groups to target updates. Create groups that mirror your testing workflow:
- Test-Machines — a handful of non-critical machines that receive updates first
- Servers — production servers with a longer approval delay
- Workstations — end-user machines
- Unassigned — the default group; clients land here until explicitly moved
In the WSUS console, expand Computers > All Computers and right-click to add groups. Move clients between groups via right-click > Change Membership.
Approving Updates
Updates do not install until approved. In the WSUS console, navigate to Updates > All Updates and filter by Approval: Unapproved and Status: Needed. Select critical security updates, right-click, choose Approve, and select which computer group receives them.
A common approval workflow: approve for Test-Machines immediately after Patch Tuesday. Wait one week. If no issues, approve for Workstations. Wait another week. Approve for Servers during a maintenance window.
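The staged workflow above can be scripted with the UpdateServices module that ships with the WSUS role. The script below is an added example, not part of this guide's original text; the server name, port, group name and delay are assumptions passed as parameters, and it approves only Security and Critical updates that clients still report as Needed, skipping anything newer than the ring's delay or already superseded.

```powershell
# Added example: stage WSUS approvals per ring. Run on the WSUS server or a
# host with the console tools. Assumed values: hostname, port, group, delay.
param(
    [string]$WsusServer  = 'wsus-server',    # assumed WSUS hostname
    [int]$Port           = 8530,             # use 8531 with -UseSsl
    [switch]$UseSsl,
    [string]$TargetGroup = 'Test-Machines',  # first ring in the workflow
    [int]$MinAgeDays     = 0,                # 7 for Workstations, 14 for Servers
    [switch]$DryRun                          # report without approving
)

Import-Module UpdateServices
$wsus = Get-WsusServer -Name $WsusServer -PortNumber $Port -UseSsl:$UseSsl

# Candidate set: unapproved Security and Critical updates some client needs.
$candidates = foreach ($class in 'Security', 'Critical') {
    Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved `
        -Classification $class -Status Needed
}

$cutoff   = (Get-Date).AddDays(-$MinAgeDays)
$approved = 0
foreach ($u in $candidates) {
    $meta = $u.Update   # underlying IUpdate object with metadata
    # Enforce the ring delay: skip updates that arrived after the cutoff.
    if ($meta.ArrivalDate -gt $cutoff) { continue }
    # Superseded updates should be declined by cleanup, not approved.
    if ($meta.IsSuperseded) { continue }
    Approve-WsusUpdate -Update $u -Action Install `
        -TargetGroupName $TargetGroup -WhatIf:$DryRun
    $approved++
    Write-Host ("Approved '{0}' for {1}" -f $meta.Title, $TargetGroup)
}
Write-Host "$approved update(s) approved for $TargetGroup"
```

Run it with -DryRun first to see which updates would be approved for the ring; a scheduled task per ring (Test-Machines at delay 0, Workstations at 7, Servers at 14) reproduces the weekly cadence described above.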
Configuring Clients via Group Policy
Point client machines at your WSUS server using GPO. In GPMC, create a GPO linked to your domain or relevant OU and navigate to:
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Configure these settings:
- Specify intranet Microsoft update service location: http://wsus-server:8530 (HTTP) or https://wsus-server:8531 (HTTPS)
- Configure Automatic Updates: Set to option 4 (Auto download and schedule install) with your preferred install day and time
- Enable client-side targeting: Enabled, with the group name matching your WSUS computer group
After applying the GPO, force an update on a client to verify it registers:
gpupdate /force
wuauclt /detectnow /reportnow
# On Windows 10/11:
UsoClient StartScan
Maintenance and Cleanup
WSUS databases grow large over time. Run the Server Cleanup Wizard monthly: in the WSUS console, click Options > Server Cleanup Wizard and select all cleanup options including declined updates and superseded updates. For large environments, run the cleanup via PowerShell instead, as the wizard can time out:
Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
Schedule this as a monthly Task Scheduler job to keep your WSUS database healthy and your disk usage under control.