WSUS server on Windows Server (2016/2019/2022)

blog.payperitem.com,

1. Prerequisites

  • Windows Server machine (2016 or newer)
  • Static IP address
  • Sufficient disk space (minimum 20GB, ideally more if storing updates locally)
  • .NET Framework 4.5 or higher

📦 2. Install WSUS Role

Via Server Manager

  1. Open Server Manager → click Add roles and features.
  2. Choose Role-based or feature-based installation.
  3. Select the server.
  4. Under Server Roles, check Windows Server Update Services.
  5. It will prompt to install IIS (required) – accept it.
  6. In WSUS options:
    • Select WSUS Services
    • Choose a local path for the update storage (e.g., D:\WSUS)
  7. Finish installation, then click Launch Post-Installation Tasks when prompted.

🛠️ 3. Configure WSUS

Initial Configuration Wizard

  1. Open WSUS Console (Server Manager → Tools → Windows Server Update Services).
  2. Follow the configuration wizard:
    • Choose Upstream Server (usually Microsoft, or another WSUS).
    • Select whether to use a proxy.
    • Choose product categories (e.g., Windows 10, Office).
    • Choose classifications (e.g., Security Updates, Critical Updates).
    • Set sync schedule (manual or automatic).
    • Start initial sync (can take hours).

📂 4. Configure Update Storage (Optional)

If you chose to store updates locally:

  • Ensure that WSUSContent folder is on a fast disk.
  • Regularly clean unneeded updates via PowerShell or WSUS Cleanup Wizard.

🧠 5. Configure Group Policy (Clients)

To point clients to your WSUS server:

Create or Edit a GPO

  1. Open Group Policy Management Console (GPMC).
  2. Edit or create a GPO linked to the appropriate OU.
  3. Go to: pgsqlCopyEditComputer Configuration → Policies → Administrative Templates → Windows Components → Windows Update

Set These Policies:

  • Specify intranet Microsoft update service location:
    • http://your-wsus-server:8530
  • Enable client-side targeting(optional):
    • Lets clients assign themselves to WSUS computer groups.
  • Automatic Updates:
    • Set schedule and behavior (e.g., auto-install at 3am).

🔁 6. Sync and Approve Updates

  • In the WSUS Console:
    • Manually synchronize.
    • Go to Updates → All Updates, then Approve relevant updates.
    • Check Reports to see client status and compliance.

🧽 7. Regular Maintenance

  • Run WSUS Cleanup Wizard monthly:
    • Remove obsolete updates, unneeded computers, expired updates.
  • Optionally script cleanups:
powershell

Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -CleanupObsoleteComputers -CleanupExpiredUpdates

✅ WSUS Ports to Allow (Firewall)

  • TCP 8530 (HTTP) – default for WSUS
  • TCP 8531 (HTTPS) – if using SSL
  • TCP 80/443 – if not using custom ports

Active Directory Networking Security Windows

Related Posts