Windows Server Update Services (WSUS) downloads updates from Microsoft and stores them locally on the WSUS server. This decreases data transfer over the WAN link for multiple servers, because each server no longer needs to download essential Windows updates itself. It also lets administrators approve or decline updates (i.e., control how updates are installed).
Why deploy WSUS?
Deploying Windows Server Update Services (WSUS) in an organization offers several significant benefits:
- WSUS provides a centralized location for managing and distributing Windows updates. Instead of relying on GPO or individual computers to fetch updates from the internet, WSUS allows administrators to control and distribute updates within the network.
- WSUS reduces internet bandwidth consumption by downloading updates once and then distributing them internally. This is particularly beneficial for organizations with limited bandwidth or remote locations with slow internet connections.
- Keeping Windows systems up to date is essential for security. WSUS ensures that all computers within the organization are patched with the latest security updates and patches, reducing vulnerabilities and the risk of cyberattacks.
- WSUS allows administrators to control which updates are deployed in the organization. Before deploying updates, administrators can test them on a small group of computers to ensure they don’t cause any compatibility issues.
- You can create target groups within WSUS to manage updates differently for various parts of the organization. For example, you might have different groups for servers and workstations, each with its own update approval process.
- WSUS provides detailed reporting and monitoring tools to track update status and compliance across the network. This information is valuable for ensuring that all systems are up to date.
- In some industries, compliance regulations require organizations to maintain up-to-date software. WSUS helps in maintaining compliance with such regulations.
- In some cases, organizations may need to delay or block certain updates that could cause issues with specific software or hardware configurations. WSUS gives administrators this level of control.
Prerequisites for setting up Windows Server Update Services (WSUS)
Here are the prerequisites:
- .NET Framework 4.5
- Windows Server 2012 R2 (using Windows Internal Database [WID])
- IIS 6.0 or greater (with components such as ASP.NET, Windows Authentication, dynamic content compression, etc.)
- System partition and WSUS partition must be NTFS
- Cannot be installed on a compressed drive
- Requires 1 GB free on the system partition
- 2 GB free for WID (WSUS database)
- At least 20 GB free for updates (30 GB recommended by Microsoft)
Setting up a WSUS
Step 1: Below are the steps to have WSUS installed and configured for Windows Update via GPO:
- Click on Server Manager
- Click on Add roles and features (the Add Roles and Features Wizard opens up)
- Select Next and select the Installation Type
- Click on Next, select Web Server (IIS) and Windows Server Update Services, and click on Add Features
- Click on Next until you get to the role services option as shown below.
- The first two are selected by default. Since I will be using Windows Internal Database for WSUS, I am fine with this.
- On the content role service option, enter the path you wish WSUS to download updates to (if you have an external drive, you can use that)
Click on Install
On the confirmation page, click on Install as shown below
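The same installation can be scripted. The following is an added example, not part of the original article: it checks the prerequisites listed above before installing the role with the default WID database. The content path `D:\WSUS` is a placeholder, and the script assumes WID lives on the system volume (its default location), so it asks for 1 GB + 2 GB free there.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): pre-flight checks for the
# prerequisites listed above, then the role install with the default WID database.
param([string]$ContentDir = 'D:\WSUS')    # placeholder content path, adjust

$problems = @()

# Content volume: must be NTFS with at least 20 GB free for updates.
$letter  = (Split-Path -Path $ContentDir -Qualifier).TrimEnd(':')
$content = Get-Volume -DriveLetter $letter
if ($content.FileSystem -ne 'NTFS') {
    $problems += "Content volume ${letter}: is $($content.FileSystem), NTFS is required"
}
if ($content.SizeRemaining -lt 20GB) {
    $problems += "Content volume ${letter}: has less than 20 GB free"
}

# WSUS cannot store content on a compressed drive or folder.
$toCheck = @("${letter}:\", $ContentDir) | Where-Object { Test-Path -Path $_ }
foreach ($path in $toCheck) {
    $attrs = (Get-Item -Path $path -Force).Attributes
    if ($attrs -band [System.IO.FileAttributes]::Compressed) {
        $problems += "$path is NTFS-compressed"
    }
}

# System volume: 1 GB for the role plus 2 GB for WID (created under %windir%\WID).
$system = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
if ($system.FileSystem -ne 'NTFS') { $problems += 'System volume is not NTFS' }
if ($system.SizeRemaining -lt 3GB) { $problems += 'System volume has less than 3 GB free' }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisites not met; WSUS was not installed.'
}

# Install the WSUS role (WID is the default database) and the management console.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Create the content directory and run the post-install configuration against it.
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall "CONTENT_DIR=$ContentDir"
```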
Configuring Windows Server Update Services
When this completes, you can open Windows Server Update Services in several ways:
- Navigate to Tools and select Windows Server Update Services
- Click on Windows, then Administrative Tools and then on Windows Server Update Services.
- Lastly, click on the WSUS server in Server Manager as shown below, right-click on the server name and select Windows Server Update Services
The Update Services page will open up as shown below. Configure the Options settings according to your needs (work through each option, read and configure). I will point out any important information as the task progresses.
Also, on the synchronisation service option window, ensure you synchronise your WSUS server to get updates from Microsoft by selecting Synchronise Now.
After this has completed, it should look like the screen below.
The updates section of Update Services will be populated as well. Note: This takes a long time when run for the first time.
Note: To be able to view the reports, you will need to install the Microsoft Report Viewer.
Note: If the WSUS console was not closed during the installation, you cannot view any generated report even though the installation succeeded. In that case, close the WSUS window, then uninstall and reinstall.
Step 2: You can either use the local group policy or set the registry key to point clients to the WSUS server for Windows updates
Using the local group policy
Set up the group policy object to allow clients to contact the WSUS server for updates
– From the MMC, open the local computer policy
– Run gpedit.msc
– Open Computer Configuration
– Administrative Templates
– Windows Components and
– Click on Windows Update
We have to configure these options:
1. Specify the Microsoft Update Service Location (double-click to open this up) by entering the IP address followed by the port, or specify the FQDN.
2. Enable Configure Automatic Updates and select the third option, Auto download and notify for install.
After completing this, run gpupdate /force to apply the group policy immediately.
Configuring Update Service
Note: This ensures you are able to create a group for administrative purposes. This allows updates to be tested on some groups before deploying (rolling) them to production servers.
Now, in the Local Group Policy, enable it and enter the name created above for the xxxx-Group
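To confirm that a client actually received these settings after gpupdate /force, you can read the policy values back from the registry. This is an added example, not part of the original article. It assumes the group step above refers to the client-side targeting policy (which writes `TargetGroup` and `TargetGroupEnabled`), and it also flags a WSUS URL that is not HTTPS, since the client then fetches update metadata without TLS.

```powershell
# Added example (not from the original article): audit the Windows Update
# policy values a client holds after "gpupdate /force".
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$state = [ordered]@{
    WUServer           = Get-PolicyValue $wu 'WUServer'            # update service location
    WUStatusServer     = Get-PolicyValue $wu 'WUStatusServer'      # reporting server
    TargetGroupEnabled = Get-PolicyValue $wu 'TargetGroupEnabled'  # client-side targeting
    TargetGroup        = Get-PolicyValue $wu 'TargetGroup'
    UseWUServer        = Get-PolicyValue $au 'UseWUServer'
    AUOptions          = Get-PolicyValue $au 'AUOptions'           # 3 = auto download, notify for install
}

$findings = @()
if (-not $state.WUServer) {
    $findings += 'WUServer is not set: the client is not pointed at a WSUS server'
} elseif ($state.WUServer -notmatch '^https://') {
    $findings += "WUServer '$($state.WUServer)' is not an https:// URL"
}
if ($state.WUServer -ne $state.WUStatusServer) {
    $findings += 'WUStatusServer differs from WUServer: the client reports elsewhere'
}
if ($state.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the WUServer value is ignored'
}
if ($state.AUOptions -ne 3) {
    $findings += "AUOptions is '$($state.AUOptions)', expected 3 (auto download and notify for install)"
}
if ($state.TargetGroupEnabled -ne 1 -or -not $state.TargetGroup) {
    $findings += 'Client-side targeting is off or no group name is set'
}

[pscustomobject]$state | Format-List
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Client policy matches the settings described above.'
}
```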
Configuring Options: I went for this option because my server will be getting Windows updates via GPO
Like I said, just go through it and personalize it (the options are straightforward)
FAQ on WSUS
WSUS operates via a client-server architecture. The key components include the WSUS server, which stores and manages updates, and client computers within the network. The clients are configured to periodically contact the WSUS server to check for available updates. Administrators configure update approvals, which determine which updates are distributed to clients.
Yes, you can pause Windows updates on Windows 10 and Windows 11. This can provide some flexibility if you need to temporarily postpone updates.
I hope you found this article on WSUS Setup: How to configure Windows Server Update Services useful. If you have any questions, please let me know in the comment section.