How to configure Windows Server Update Services (WSUS) for enterprise updates
Deploy WSUS to manage updates for your entire domain. Install the role, configure synchronization, set approval rules, and redirect clients to the internal server.
This guide walks you through installing and configuring Windows Server Update Services (WSUS) to manage patches for your organization. These steps target Windows Server 2022 and Windows Server 2019, using the latest available WSUS 6.2.2.1. You will install the role, configure synchronization, set up approval rules, and redirect client computers to the internal server.
Prerequisites
- Windows Server 2022 or 2019 with at least 50 GB free disk space.
- Active Directory Domain Services (AD DS) installed and a domain-joined server.
- Administrative privileges (Domain Admin or local Administrator).
- Internet connectivity for downloading updates from Microsoft Update.
- Group Policy Editor installed (gpedit.msc) or ability to run PowerShell.
Step 1: Install the WSUS Role
Open Server Manager and select Manage, then Add Roles and Features. On the Select Server Roles page, check Add features and click Next. On the Select Server Features page, click Next without changing anything.
On the Add Roles and Features Wizard page, expand Server Roles, then select Windows Server Update Services. Expand the role and check all sub-options including .NET Framework 3.5.1 and the WSUS Administration Tools. Click Next through the remaining pages, then click Install.
Role Installation Progress...
Installing Windows Server Update Services...
Role Installation completed successfully.
Once the wizard finishes, restart the server if prompted. This ensures all services start correctly.
Step 2: Configure WSUS Console Settings
Open Server Manager and navigate to Tools, then Windows Server Update Services. Log in with your domain credentials. On the home page, click Options in the left navigation pane. In the Options window, select My Computer and click Edit.
On the General tab, set the Update Source to Microsoft Update. Click the My Computer tab and enter the name of your WSUS server. Select the option to allow administrators to approve updates. Click OK to save changes.
WSUS Options Configuration:
Update Source: Microsoft Update
Server Name: WSUS01
Allow Admin Approval: Yes
Next, click the Approvals tab. Select the option to allow administrators to approve updates. Click OK to confirm.
Step 3: Synchronize Updates from Microsoft
Click Synchronize in the left navigation pane. In the Synchronize window, select the checkboxes for Update Classes you want to sync, such as Critical Updates, Security Updates, and Driver Updates. Leave the default settings for the rest unless you have specific requirements.
Click the Synchronize button to start the process. Wait for the progress bar to complete. This may take several minutes depending on your internet connection speed.
Synchronizing Updates...
Progress: 0% -> 100%
Total Updates Found: 1,245
Updates Approved: 0
Review the list of updates and approve them manually or use a rule-based approach. Click OK when synchronization completes.
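Steps 1 to 3 can also be scripted, which makes the server build repeatable and reviewable. The following is an added example, not part of the original guide; the content directory D:\WSUS and the Pilot computer group are hypothetical names chosen for illustration.

```powershell
# Added example: scripted equivalent of Steps 1-3. Run elevated on the WSUS server.
# Assumptions (not from the guide): content directory D:\WSUS, target group 'Pilot'.
$ContentDir = 'D:\WSUS'
$PilotGroup = 'Pilot'

# Step 1: install the role (Windows Internal Database by default) plus console and cmdlets.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Post-install task: creates the database and the content store.
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"

# Step 2: bind to the local server and use Microsoft Update as the update source.
$wsus = Get-WsusServer
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU

# Helper: block until the running synchronization has finished.
function Wait-WsusSync($Subscription) {
    while ($Subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
        Start-Sleep -Seconds 15
    }
}

# Step 3a: a category-only sync first, so the product/classification lists are current.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
Wait-WsusSync $subscription

# Step 3b: enable the classifications to sync. Titles must match what
# Get-WsusClassification lists on your server; add others the same way.
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Security Updates' } |
    Set-WsusClassification

# Step 3c: full synchronization of update metadata.
$subscription.StartSynchronization()
Wait-WsusSync $subscription

# Approval: stage to a pilot group rather than approving for every computer at once.
if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $PilotGroup)) {
    $wsus.CreateComputerTargetGroup($PilotGroup) | Out-Null
}
# Empty until clients have reported in; re-run after Step 4 is in place.
$needed = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
    -Approval Unapproved -Status FailedOrNeeded
$needed | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup
"Approved $(@($needed).Count) security update(s) for '$PilotGroup'"
```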
Step 4: Configure Group Policy for Client Redirection
Open Group Policy Management Console (GPMC) and create a new GPO linked to your domain or organizational unit. Edit the GPO and navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Update.
Enable Configure Automatic Updates and set it to Auto download and schedule the install. Enable Specify intranet Microsoft update service location and enter the URL of your WSUS server, such as http://WSUS01:8530.
Scope the GPO so that it applies to all computers in the domain. Close the Group Policy Management Editor, then run gpupdate /force on client machines to apply the changes immediately.
gpupdate /force
Verify that client computers are now pointing to your WSUS server by checking the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU for the WSUS server URL.
Verify the installation
Open a command prompt on a client machine and run the following command to confirm it is using your WSUS server:
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s
Check the Windows Update history on a client machine to ensure it is downloading updates from your WSUS server. Open Settings, Update & Security, and view the Update History. Ensure the source shows your WSUS server name.
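The client-side checks above can be collected into one repeatable audit. This is an added example, not part of the original guide; the function name Test-WsusClientPolicy is hypothetical, and the expected URL defaults to the one used in Step 4.

```powershell
# Added example: audits the Windows Update policy values written by the Step 4 GPO.
# Run in PowerShell on a client after gpupdate /force.
function Test-WsusClientPolicy {
    param([string]$ExpectedServer = 'http://WSUS01:8530')   # URL from Step 4

    # WUServer/WUStatusServer sit in the WindowsUpdate key; UseWUServer/AUOptions in \AU.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $findings = @()
    $reachable = $false
    if (-not $wu.WUServer) {
        $findings += 'WUServer is not set: the GPO has not applied to this machine'
    } else {
        if ($wu.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
        }
        if ($wu.WUStatusServer -ne $wu.WUServer) {
            $findings += 'WUStatusServer differs from WUServer: reporting goes elsewhere'
        }
        if ($wu.WUServer -like 'http://*') {
            # WSUS also supports TLS (default port 8531); plain HTTP leaves
            # update metadata unprotected in transit on the internal network.
            $findings += 'WUServer uses plain HTTP: consider the HTTPS listener'
        }
        # Confirm the client can actually reach the configured host and port.
        $uri = [uri]$wu.WUServer
        $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $reachable) { $findings += "Cannot connect to $($uri.Host):$($uri.Port)" }
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1: the client ignores WUServer'
    }
    if ($au.AUOptions -ne 4) {
        $findings += "AU\AUOptions is '$($au.AUOptions)', expected 4 (auto download and schedule the install)"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        WUServer  = $wu.WUServer
        Reachable = $reachable
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-WsusClientPolicy | Format-List
```

With the guide's http://WSUS01:8530 URL, the result is reported as non-compliant because of the plain-HTTP finding; pass the HTTPS URL as -ExpectedServer once the server has a certificate bound.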
Troubleshooting
Error: "WSUS Console will not start"
Cause: The WSUS service is not running or the database is corrupted.
Fix: Open Services.msc, locate Windows Server Update Services, and set the startup type to Automatic. Restart the service. If the database is corrupted, run the WSUS repair tool or restore from a backup.
Error: "Updates fail to synchronize"
Cause: Firewall blocks port 8530 or internet connection is unstable.
Fix: Ensure port 8530 is open on the WSUS server and firewall. Check internet connectivity and try synchronizing again.
Error: "Clients do not receive updates"
Cause: Group Policy has not been applied or the WSUS server URL is incorrect.
Fix: Run gpupdate /force on clients and verify the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU contains the correct WSUS server URL.
Error: "Database is full"
Cause: The WSUS database has reached its storage limit.
Fix: Use the WSUS Cleanup tool to remove obsolete updates and free up space. Alternatively, expand the database storage on the server.