Windows Server 3d ago 5 views 5 min read

How to configure Windows Server Update Services (WSUS) for enterprise patching

Deploy WSUS to centralize patch management for your domain. Follow these steps to install the role, configure synchronization, and set up reporting for enterprise environments.

R
Roy S
Updated 4h ago
Sponsored

Cloud VPS — scale in minutes

Instantly deploy SSD cloud VPS with guaranteed resources, snapshots and per-hour billing. Pay only for what you use.

This guide walks you through installing and configuring Windows Server Update Services (WSUS) on a fresh Windows Server 2022 instance. You will deploy the server role, configure synchronization with Microsoft Update, and set up Group Policy to direct clients to your local WSUS server. These steps apply to Windows Server 2022 Datacenter or Standard editions with the latest cumulative updates installed.

Prerequisites

  • Windows Server 2022 (Standard or Datacenter) with a static IP address.
  • Administrative access to the server via Remote Desktop or local console.
  • Active Directory Domain Services (AD DS) installed and joined to your domain.
  • At least 20 GB of free disk space on the C: drive for the WSUS database.
  • Stable internet connection to download updates from Microsoft.
  • Windows Server Update Services (WSUS) is not already installed on the server.

Step 1: Install the WSUS Server Role

Open Server Manager and launch the "Add Roles and Features" wizard. Select the "Add roles and features" option and click Next until you reach the "Server Roles" page. Check the box for "Updates Services" and click Next. On the "Features" page, ensure "Management Tools" and "Management Tools - RSAT" are selected. Click Next, then select "Role-based or feature-based installation." Choose the target server and click Next. On the "WSUS Server" page, select "WSUS Server" and click Next. Read the license terms and click Next, then click Install. Wait for the installation to complete and click Finish.

Server Manager > Manage > Add roles and features > Select "Updates Services" > Install

Step 2: Configure WSUS Synchronization

Launch the "WSUS Console" from the Start menu or Server Manager tools. Right-click "Computer" in the console tree and select "Properties." In the "General" tab, ensure "This computer is a member of a WSUS server group" is checked and click Next. On the "Synchronization Options" page, select "Synchronize all updates" or choose specific product and classification filters. Set the "Synchronization schedule" to "Synchronize every 24 hours" to keep your database current. Click Next, then click "Synchronize now" to download available updates from Microsoft Update. Wait for the progress bar to reach 100% before proceeding.

WSUS Console > Right-click "Computer" > Properties > Synchronize now > Wait for completion

Step 3: Configure Group Policy for Client Updates

Open Group Policy Management Console (GPMC) on a domain controller or use the Local Group Policy Editor (gpedit.msc) on the WSUS server. Navigate to "Computer Configuration" > "Administrative Templates" > "Windows Components" > "Windows Update." Double-click "Specify intranet Microsoft update service location." Set this option to "Enabled" and enter the WSUS server URL (e.g., http://wsus-server:8530) in both the "Set the intranet update service for detection and download" and "Set the intranet statistics server" fields. Click Apply and OK. Create a new Group Policy Object (GPO) linked to your organizational unit (OU) containing client computers. Edit the GPO and apply the same settings to ensure all clients use your WSUS server for updates.

gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Enable "Specify intranet Microsoft update service location"

Step 4: Approve and Deploy Critical Updates

Return to the WSUS Console and expand "All Computers" in the left pane. Select a specific computer group (e.g., "Production Servers") and right-click to filter updates by "Approved" status. Review the list of available updates and select the ones you want to deploy. Right-click the selected updates and choose "Approve." Confirm the approval for the selected product and classification. Right-click "All Computers" again and select "Synchronize selected computers" to push the approved updates to the client machines. Monitor the synchronization progress in the console.

WSUS Console > Expand "All Computers" > Select "Production Servers" > Right-click updates > Approve > Synchronize selected computers

Step 5: Configure Reporting and Monitoring

Launch the WSUS Reporting tool from the Start menu or Server Manager. Open the "Reporting" tab and select "Create a new report." Choose a report type such as "Update Compliance" or "Failed Updates." Set the date range and filter by computer group or product. Click "Run" to generate the report. Export the report to CSV or PDF format for documentation. Schedule automated reports using Task Scheduler if needed. Review the reports regularly to ensure compliance with your patch management policy.

WSUS Reporting Tool > Create a new report > Select "Update Compliance" > Run > Export to CSV

Verify the installation

Open Command Prompt as Administrator and run the following command to check the WSUS service status:

sc query wsus

You should see "STATE: 4 RUNNING" in the output. Next, verify that clients are receiving updates from your WSUS server by checking the Windows Update settings on a client machine. Open "Settings" > "Update & Security" > "Windows Update" and ensure "Active Hours" and "Pause downloads" are configured as needed. Run "wuauclt /detectnow /reportnow" on a client to force an immediate check for updates. Review the event logs on the WSUS server under "Windows Logs" > "Application" for any WSUS-related errors.

Troubleshooting

If clients do not receive updates from WSUS, check the Group Policy settings on the client machine. Run "gpupdate /force" in Command Prompt to refresh policies. Ensure the WSUS server is accessible from the client network by pinging the server IP and testing the WSUS URL in a browser. Check the WSUS service status using "sc query wsus" and restart the service if necessary with "net stop wsus" followed by "net start wsus." Review the WSUS event logs for error codes like 0x8024402F, which indicates a synchronization failure. If synchronization fails, check your internet connection and ensure the WSUS server can reach Microsoft Update servers. Use the "Synchronize now" option in the WSUS Console to re-download updates after resolving connectivity issues. For persistent issues, reset the WSUS database by stopping the service, deleting the contents of the WSUS database directory, and restarting the service. Always back up the database before performing destructive operations.

Sponsored

Linux Dedicated Server

Rock-solid Linux dedicated servers with root access, KVM-IPMI and fully managed options. CentOS, Ubuntu, Debian, Rocky and AlmaLinux.
Tags: Windows ServerWSUSPatchingEnterprise
0
Was this helpful?

Related tutorials

Windows Server
How to set up Windows Server Core for headless administration

Configure a fresh Windows Server Core installation for remote management via PowerShell Remoting and WinRM. Th…

14
Windows Server
How to build a Failover Cluster with Windows Server 2022

Configure a highly available Windows Server Failover Cluster (WSFC) using the Failover Cluster Manager to prot…

12
Windows Server
How to install the Hyper-V role on Windows Server

This guide walks you through installing the Hyper-V role on Windows Server 2022 using Server Manager or PowerS…

10

Comments 0

Login to leave a comment.

No comments yet — be the first to share your thoughts.