In this post I will cover the steps to install and configure WSUS (Windows Server Update Services) on Windows Server 2019. This guide should help you if you decide to install and configure WSUS from scratch.
In the past I have published several posts on WSUS. That includes installing WSUS and configuring WSUS. In addition to that I also published a post on WSUS troubleshooting. Since then I have been using Configuration Manager and never bothered to focus on WSUS.
A few days ago a colleague of mine contacted me and asked if I could publish a post on setting up WSUS on Windows Server 2019. The company where he works uses only WSUS to deploy updates to computers, so he was looking for a guide that could help him set up and configure WSUS from scratch.
So I decided to publish this guide, which is exclusively for admins who wish to install and configure WSUS to manage updates in their setup. I will also cover some WSUS basics, which answer basic questions about WSUS and its importance.
It has been quite a long time since I actually configured anything in WSUS. That’s because the moment you start using SCCM to deploy updates, you forget about the WSUS console.
I have chosen Windows Server 2019 to install and configure WSUS. After Server 2012 R2, I believe Server 2019 is a stable release. I hate Windows Server 2016 because I have spent a lot of time troubleshooting Windows Update issues. For me the most important complaint is that updates just don’t install properly on Server 2016.
What are Windows Updates
Let’s start with some basics. When you install an operating system or image a machine, you always ensure it is patched with latest updates. Not just operating system but almost every software that we use needs to be constantly updated.
Windows updates are released to fix bugs, fix security issues in the OS and add new features to the operating system. Windows updates rely on the Windows Update service, which is set to start automatically by default.
The Windows Update service downloads and installs recommended and important updates automatically.
Microsoft updates can be classified into the following categories:
- Critical Updates
- Security Updates
- Definition Updates
- Drivers
- Update Rollups
- Service Packs
- Tools
- Feature Packs
- Updates
If you have migrated from Windows 7 to Windows 10, you will notice a lot of new options under Windows Update. You get some cool options such as pausing updates for 7 days and changing the active hours for installing updates. In addition to that, there are many useful options under Advanced Options. When you get time, go ahead and explore all of them.
Introduction to Windows Server Update Services
Windows Server Update Services (WSUS) enables the administrators to deploy the latest Microsoft product updates. WSUS is a Windows Server server role and when you install it, you can efficiently manage and deploy the updates.
One of the most important tasks of system administrators is to keep client and server computers updated with the latest software patches and security updates. Without WSUS it would be really hard to manage update deployment.
When you have a single WSUS server in your setup, the updates are downloaded directly from Microsoft Update. However, if you install multiple WSUS servers, you can configure a WSUS server to act as an update source, which is also known as an upstream server.
Rather than letting multiple computers download updates directly from internet, you can setup WSUS server and point the clients to download all the updates from a WSUS server. With this you save your Internet bandwidth and also speed up the Windows update process.
I can talk a lot about WSUS but let’s get started with installing WSUS.
WSUS Lab Setup
First of all, let me cover the WSUS lab setup. I believe the best way to master WSUS is to install and configure it in your test or lab setup first. You can then start working on it and try several things.
I have created some virtual machines in my lab. Let me give you a list of machines and the OS info.
| Server Name | Operating System | Roles |
|---|---|---|
| CORPAD.PRAJWAL.LOCAL | Windows Server 2019 Datacenter | Active Directory, DNS, DHCP |
| CORPWSUS.PRAJWAL.LOCAL | Windows Server 2019 Datacenter | WSUS |
| CORPWIN10ENT.PRAJWAL.LOCAL | Windows 10 Enterprise | None |
| CORPWIN10PRO.PRAJWAL.LOCAL | Windows 10 Pro | None |
And if I had to show my setup in the form of a network diagram, this is how it’s going to look.
WSUS System Requirements
When you have decided to implement WSUS in your setup, you must first look into the WSUS requirements. To plan your WSUS deployment I recommend reading this article from Microsoft. It covers WSUS requirements, deployment scenarios, performance considerations, etc.
This post covers the procedure to install Windows Server Update Services using Windows Internal Database (WID).
WSUS Firewall Ports / Exceptions
When you set up a WSUS server, it is important that the server can connect to Microsoft Update to download updates. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates.
To obtain updates from Microsoft Update, the WSUS server uses port 443 for the HTTPS protocol. You must allow Internet access from WSUS to the following list of URLs:
- http://windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
- http://download.windowsupdate.com
- https://download.microsoft.com
- http://*.download.windowsupdate.com
- http://wustat.windows.com
- http://ntservicepack.microsoft.com
- http://go.microsoft.com
- http://dl.delivery.mp.microsoft.com
- https://dl.delivery.mp.microsoft.com
Install WSUS Role on Windows Server 2019
The steps to install the Windows Server Update Services (WSUS) role on Windows Server 2019 are:
- Log on to the Windows 2019 server on which you plan to install the WSUS server role using an account that is a member of the Local Administrators group.
- In Server Manager, click Manage and click Add Roles and Features.
- On the Before you begin page, click Next.
- On the Select installation type page, select the Role-based or feature-based installation option. Click Next.
- On the Server Selection page, verify the server name and click Next.
Server Roles – Windows Server Update Services
On the Server roles page, select the role “Windows Server Update Services”. You should see the Add features that are required for Windows Server Update Services box. Click Add Features, and then click Next.
On the Select features page, leave the options to default and click Next.
On the Windows Server Update Services page, click Next.
WSUS Database Type – Role Services
You must select role services / Database type to install for Windows Server Update services. Select WID Connectivity and WSUS Services. Click Next.
WSUS Content Location
Specify a content location to store the updates. I would recommend storing the updates on another drive and not on your C: drive. This folder can grow large over time and you don’t want it to reside on the C: drive. Hence choose either a separate drive or store the updates on a remote server.
Click Next.
On the Web Server Role (IIS) page, click Next.
The role services required for the web server (IIS) are selected automatically. Do not change anything here and click Next.
A final confirmation before you install WSUS. Review the settings and click Install.
Once WSUS installation is complete, click Launch Post-Installation tasks.
Wait for the message Configuration successfully completed. Click Close.
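The same installation can be scripted. The following PowerShell is an added example, not part of the original post: it installs the WSUS role with the Windows Internal Database and then runs the post-installation task. The content path D:\WSUS is an assumption; use the non-system location you chose above.

```powershell
#Requires -RunAsAdministrator
# Added example. D:\WSUS is an assumed content location, not a value from the post.
$ContentDir = 'D:\WSUS'

# Refuse to place update content on the system drive, as recommended above.
$contentDrive = Split-Path -Path $ContentDir -Qualifier
if ($contentDrive -eq $env:SystemDrive) {
    throw "Content location $ContentDir is on the system drive; choose another volume."
}
if (-not (Test-Path -Path $ContentDir)) {
    New-Item -Path $ContentDir -ItemType Directory | Out-Null
}

# Installing UpdateServices without naming sub-features selects
# WSUS Services and WID Connectivity, plus the required IIS role services.
$result = Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
if (-not $result.Success) {
    throw "WSUS role installation failed (exit code: $($result.ExitCode))."
}

# Equivalent of "Launch Post-Installation tasks" in Server Manager.
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusUtil postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall failed with exit code $LASTEXITCODE."
}

# Show which WSUS role services ended up installed.
Get-WindowsFeature -Name UpdateServices* |
    Where-Object Installed |
    Select-Object Name, InstallState
```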
Configure Windows Server Update Services (WSUS)
After you install WSUS, you can configure the WSUS server using WSUS Server configuration wizard. This is a one time configuration where you will configure some important WSUS options.
If you don’t see a WSUS Server configuration wizard or if you have skipped it by mistake, don’t worry. You can launch it by opening the WSUS Console > Options > WSUS Server Configuration wizard.
Note – Before you start to configure WSUS, some important points.
- Ensure the server firewall allows the clients to access the WSUS server. If the clients have issues connecting to WSUS server, updates won’t be downloaded from server.
- WSUS downloads the updates from the upstream server, which is Microsoft Update in our case. So ensure the firewall allows the WSUS server to connect to Microsoft Update.
- In case there is a proxy server in your setup, you must enter the credentials for proxy server while configuring WSUS. Have them handy as they are required.
On the Before you begin page, click Next.
Click Next.
Choose WSUS Upstream Server
This is an important section where you select the upstream server. You get two options.
- Synchronize from Microsoft Update – Selecting this option will download the updates from Microsoft update.
- Synchronize from another Windows Server Update Services server – Select this option if you want this WSUS server to download updates from an already existing WSUS server. You must specify the server name and port number (8530 by default). If you select the option to use SSL during update synchronization, ensure that the upstream WSUS server is also configured to support SSL.
Since this will be my only WSUS server, I will select Synchronize from Microsoft Update. Click Next.
Proxy Server
Specify Proxy server information if you have got one. If this option is selected, ensure you specify proxy server name and port number. In addition to that specify the credentials to connect to the proxy server. If you want to enable basic authentication for the user connecting to the proxy server, click Allow basic authentication (password in clear text).
Click Next.
On the Connect to Upstream Server page, click Start Connecting button.
Once it is complete, click Next.
Choose Languages for Updates
On the Choose Languages page, you have the option to select the languages for updates. If you choose to download updates in all languages, you will find updates in all languages in the WSUS console.
However if you choose to get updates only for specific languages, select Download updates only in these languages. Select the languages for which you want updates.
Click Next.
Choose Products
This is the page where you select the products for which you want the updates. A product is a specific edition of an operating system or application.
From the list of products you can select individual products or product families for which you want your server to synchronize updates. In this case I am going to select Windows Server 2019 and Windows 10 1903 as products.
Click Next.
Choose Update Classifications
In the beginning of the post I have listed the types of updates. On the Choose Classifications page, select the required classifications. I have selected Critical Updates, Security Updates and Update Rollups.
Click Next.
Configure WSUS Synchronization Schedule
You must decide how you want to perform the WSUS sync. The Set Sync Schedule page lets you select whether to perform synchronization manually or automatically.
If you choose Synchronize manually, you must manually start the synchronization process from the WSUS Administration Console. With this option selected, you have to manually perform the sync every time. Therefore do not select this option if you are setting up the WSUS in production.
If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. You can set the time of First synchronization. Then set the number of synchronizations per day. From the drop-down you can choose the value between 1-24.
Click Next.
Click Begin initial synchronization. Click Next.
Finally on the last page, click Finish. This completes the steps to configure WSUS.
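The wizard choices above can also be applied from PowerShell with the UpdateServices module. This is an added example, not the author's own script: the language code, the product title patterns and the 01:00 sync time are assumptions, so list the real titles with Get-WsusProduct before relying on the patterns.

```powershell
# Added example; run in an elevated session on the WSUS server after the role is installed.
$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()

# Upstream server: synchronize from Microsoft Update (single WSUS server, no proxy).
Set-WsusServerSynchronization -SyncFromMU | Out-Null

# Languages: English only (assumption; the post does not name the language chosen).
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# A category-only sync fetches the product and classification lists from upstream.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 10
}

# Products: disable everything, then enable only the two families used in the post.
# The wildcard patterns are assumptions about how the titles appear in the list.
$productPatterns = 'Windows Server 2019', 'Windows 10*1903*'
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object {
    $title = $_.Product.Title
    $productPatterns | Where-Object { $title -like $_ }
} | Set-WsusProduct

# Classifications: Critical Updates, Security Updates and Update Rollups only.
$wanted = 'Critical Updates', 'Security Updates', 'Update Rollups'
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $wanted } |
    Set-WsusClassification

# Schedule: synchronize automatically once a day; the time of day is stored in UTC.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 1
$subscription.NumberOfSynchronizationsPerDay = 1
$subscription.Save()

# Equivalent of "Begin initial synchronization".
$subscription.StartSynchronization()
```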
Configure Group Policy Settings for WSUS
After you install and configure WSUS, the next important task is to configure group policy settings for automatic updates. The new clients still don’t know about the new WSUS server that you just set up. Using group policy you can point your client machines to the new WSUS server.
In an Active Directory environment, you can use Group Policy to specify the WSUS server. The group policy settings will be used to obtain automatic updates from Windows Server Update Services (WSUS).
You can create the group policy and apply it at domain level. Or you can create and apply the GPO to a specific OU (containing your computers).
While there are many Windows Update policy settings, I am going to configure a few of them. For a list of all Windows Update policy settings, read this article from Microsoft.
Configure Automatic Updates WSUS
To configure Automatic Updates group policy settings for WSUS
- Open the Group Policy Management console, and open an existing GPO or create a new one.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
- Double-click Configure Automatic Updates and set it to Enabled.
Under Configure automatic updating, select the desired option. Under Schedule install day, select the day when you want the updates to be installed. Set the scheduled install time.
If you select Auto download and schedule the install, you get some options to limit the updating frequency. Once you have configured the settings, click Apply and OK.
Specify Intranet Microsoft Update Service Location
The next setting that you should configure is Specify intranet Microsoft update service location. The idea behind this is to ensure the client computers contact the specified intranet server instead of downloading updates from the internet. Unless you configure this policy setting, the client computers won’t know about the intranet server.
To enable the policy, click Enabled. Specify the intranet update service and intranet statistics server. Click Apply and OK.
On the client computer, check the resultant set of policy to confirm if the WSUS GPO is applied.
You can also verify the intranet update service location on client computers using registry. On the client computer, open Registry Editor and go to HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
Check the values of WUServer and WUStatusServer and confirm that they match the ones you supplied in the WSUS GPO.
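The registry check above can be scripted and run on each client. This is an added example, not part of the original post: the expected URL is an assumption built from the lab server name and the default port 8530, and the script also reads UseWUServer under the AU subkey, the value that tells the client to use the intranet server at all.

```powershell
# Added example. $ExpectedServer is an assumption (lab server name + default port 8530);
# replace it with the URL you entered in the WSUS GPO.
$ExpectedServer = 'http://CORPWSUS.PRAJWAL.LOCAL:8530'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing, i.e. the policy has not applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$values = [ordered]@{
    WUServer       = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer    = Get-PolicyValue $auKey 'UseWUServer'
}

$findings = @()
foreach ($name in 'WUServer', 'WUStatusServer') {
    $url = $values[$name]
    if (-not $url) {
        $findings += "$name is not set: the WSUS GPO has not reached this client."
        continue
    }
    if ($url.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
        $findings += "$name is '$url', expected '$ExpectedServer'."
    }
    if ($url -like 'http://*') {
        $findings += "$name uses plain HTTP; the client-to-WSUS connection is not encrypted."
    }
}
# Without UseWUServer = 1 the client ignores WUServer and keeps using Microsoft Update.
if ($values.UseWUServer -ne 1) {
    $findings += 'AU\UseWUServer is not 1: the intranet server is not in use.'
}

[pscustomobject]$values | Format-List
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'WSUS client policy matches the expected server.'
}
```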
Configure WSUS computer groups
By creating computer groups you can first test and target updates to specific computers. When you open WSUS console, you will find two default computer groups – All computers and Unassigned computers.
You can create custom computer groups to manage updates in your organization. As per Microsoft you must create at least one computer group in the WSUS console. Test updates before you deploy them to other computers in your organization.
To create a new computer group in WSUS console
In the WSUS Administration Console, under Update Services, expand the WSUS server. Expand Computers, right-click All Computers, and then click Add Computer Group.
In the Add Computer Group dialog box, specify the name of the new group, and then click Add.
Click All Computers and you should see list of computers. Select the computers, right click and click Change Membership.
On the Set Computer Group Membership box, select the new group that you just created. Click OK.
Click the new group and you should find those computers.
Approve and Deploy Updates in WSUS
Once you have a test computer group created, your next task is to deploy the updates to the test group. To do so you must first approve and deploy WSUS updates.
To approve the updates in WSUS
- Launch the WSUS Administration Console, click Updates > All Updates.
- In the All Updates section, select the updates that you want to approve for installation in your test computer group.
- Right-click the updates and click Approve.
In the Approve Updates dialog box, select your test group, and then click the down arrow. Click Approved for Install. You can also set a deadline to install the updates. Click OK.
The Approval Progress window appears, which shows the progress of the tasks that affect update approval. When the approval process is complete, click Close.
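The group creation and approval steps can be scripted so that updates are approved for the test group only. This is an added example, not the author's own script: the group name and computer name prefix come from the lab in this post, and the choice to approve unapproved security updates that clients report as needed is an assumption.

```powershell
# Added example; run in an elevated session on the WSUS server.
# Assumes server-side targeting (group membership is assigned in WSUS, not by GPO).
$GroupName  = 'Windows 10'    # test computer group used in this post
$NamePrefix = 'CORPWIN10'     # matches CORPWIN10ENT and CORPWIN10PRO in the lab
$wsus = Get-WsusServer

# Create the computer group only if it does not exist yet.
$group = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $GroupName
if (-not $group) {
    $group = $wsus.CreateComputerTargetGroup($GroupName)
}

# Move the lab clients into the group. Get-WsusComputer emits a plain string
# when nothing matches, so strings are filtered out before piping on.
$computers = Get-WsusComputer -UpdateServer $wsus -NameIncludes $NamePrefix |
    Where-Object { $_ -isnot [string] }
if (-not $computers) {
    throw "No computers matching '$NamePrefix' have reported to this WSUS server yet."
}
$computers | Add-WsusComputer -TargetGroupName $GroupName

# Select unapproved security updates that at least one client needs,
# and approve them for the test group only, not for All Computers.
$updates = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
    -Approval Unapproved -Status FailedOrNeeded
$updates | Approve-WsusUpdate -Action Install -TargetGroupName $GroupName

# Summary of what was approved, for the change record.
$updates | Select-Object @{ n = 'Title'; e = { $_.Update.Title } },
                         @{ n = 'ApprovedFor'; e = { $GroupName } }
```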
Configure Auto Approval Rules in WSUS
If you don’t want to manually approve the updates you can configure auto approval rule in Windows Server Update Services.
To configure Automatic Approvals in WSUS
- Launch WSUS Administration Console, expand the WSUS server, and then click Options.
- In Options, click Automatic Approvals.
- You should find the default automatic approval rule and if you wish you can edit it and use it.
- To create a new approval rule, click New Rule.
Check the box When an update is in a specific classification. Select the classifications. You can also approve the update for specific computer groups. I am going to select Windows 10 as that is my test computer group. Finally, you can set a deadline for the update approval and specify the auto approval rule name.
After you configure the rule, click OK.
On the Automatic Approvals window, you can find the rule that you just created. If you wish to run this rule, click Run Rule.
WSUS Reports
The last section that I want to cover is the WSUS reports. Clicking Reports in the WSUS console shows the list of reports. WSUS comes with several reports to help you find the update deployment status, sync reports and computer reports.
- Update Reports – Includes Updates status summary, detailed and tabular status, tabular status for Approved Updates.
- Computer Reports – Computer Status Summary, Detailed Status, Tabular Status and Computer tabular Status for approved updates.
- Synchronization Reports – Shows the results of last synchronization.
This completes the steps to install and configure WSUS. I am sure this guide will help you to set up WSUS in your lab setup. If you have any questions related to WSUS, do let me know in the comments section.