Complete Guide to Install and Configure WSUS on Windows Server 2019

In this post I will cover the steps to install and configure WSUS (Windows Server Update Services) on Windows Server 2019. This guide should help you if you decide to install and configure WSUS from scratch.

In the past I have published several posts on WSUS. That includes installing WSUS and configuring WSUS. In addition to that I also published a post on WSUS troubleshooting. Since then I have been using Configuration Manager and never bothered to focus on WSUS.

Few days ago a colleague on mine contacted me and asked if I can publish a post on setting up WSUS on Windows Server 2019. The company where he works uses only WSUS to deploy the updates to computers. So he was looking for a guide that can help him setup and configure WSUS from scratch.

So I decided to publish this guide that is exclusively for admins who wish to install and configure WSUS to manage updates in their setup. I will also cover some WSUS basics which answers basic questions and the importance of WSUS.

It been quite a long time that I have actually configured anything in WSUS. That’s because the moment you start using SCCM to deploy updates, you forget about the WSUS console.

I have chosen Windows Server 2019 to install and configure WSUS. After Server 2012 R2 I believe Server 2019 is a stable release. I hate Windows Server 2016 because I have spent lot of time in troubleshooting windows update issues. For me the most important complain is that updates just don’t install properly on Server 2016.

What are Windows Updates

Let’s start with some basics. When you install an operating system or image a machine, you always ensure it is patched with latest updates. Not just operating system but almost every software that we use needs to be constantly updated.

Windows updates are released to fix bugs, fix security issues in OS and to add new features to operating system. The Windows Updates rely on Windows Update service which is set to start automatically by default.

Windows Update service downloads and installs recommended and important updates automatically.

Microsoft updates can be classified into following categories :-

  1. Critical Updates
  2. Security Updates
  3. Definition Updates
  4. Drivers
  5. Update Rollups
  6. Service Packs
  7. Tools
  8. Feature Packs
  9. Updates

If you have migrated from Windows 7 to Windows 10, you will notice lot of new options under Windows Update. You get some cool options such as pause the updates for 7 days, change active hours for installing updates. In addition to that there are many useful options under Advanced Options. When you get time, go ahead and explore all of them.

Introduction to Windows Server Update Services

Windows Server Update Services (WSUS) enables the administrators to deploy the latest Microsoft product updates. WSUS is a Windows Server server role and when you install it, you can efficiently manage and deploy the updates.

One of the most important task of system administrators is to keep client and server computers updated with the latest software patches and security updates. Without WSUS it would be really hard to manage the updates deployment.

When you have a single WSUS server in your setup, the updates are downloaded directly from Microsoft Update. However if you install multiple WSUS server, you can configure WSUS server to act as an update source which is also known as an upstream server.

Rather than letting multiple computers download updates directly from internet, you can setup WSUS server and point the clients to download all the updates from a WSUS server. With this you save your Internet bandwidth and also speed up the Windows update process.

I can talk a lot about WSUS but let’s get started with installing WSUS.

WSUS Lab Setup

First of all let me cover about WSUS lab setup. I believe the best way to master WSUS is to install and configure it in your test or lab setup first. You can then start working on it and try several things.

I have created some virtual machines in my lab. Let me give you a list of machines and the OS info.

Server Name Operating System Roles
CORPAD.PRAJWAL.LOCAL Windows Server 2019 Datacenter Active Directory, DNS, DHCP
CORPWSUS.PRAJWAL.LOCAL Windows Server 2019 Datacenter WSUS
CORPWIN10ENT.PRAJWAL.LOCAL Windows 10 Enterprise None


And if I had to show my setup in the form of a network diagram, this is how it’s going to look.

WSUS System Requirements

When you have decided to implement WSUS in your setup, you must first look into WSUS requirements. To plan your WSUS deployment I recommend reading this article from Microsoft. It covers all the information required to WSUS requirements, deployment scenarios, performance considerations etc.

This post covers the procedure to install Windows Server Update Services using Windows Internal Database (WID).

WSUS Firewall Ports / Exceptions

When you set up WSUS server, it is important that the server connects to Microsoft update to download updates. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates.

To obtain updates from Microsoft Update, the WSUS server uses port 443 for HTTPS protocol. You must allow Internet access from WSUS to the following list of URLs :-

  • http://*
  • https://*
  • http://*
  • https://*
  • http://*
  • http://*

Install WSUS Role on Windows Server 2019

The steps to install Windows Server Update Services (WSUS) Role on Windows Server 2019 include :-

  • Log on to the Windows 2019 server on which you plan to install the WSUS server role using an account that is a member of the Local Administrators group.
  • In Server Manager, click Manage and click add Roles and Features.
  • On the Before you begin page, click Next.
  • In the select installation type page, select Role-based or feature-based installation option. Click Next.
Install and configure WSUS
Select Role based or feature based installation

On the Server Selection page, verify the server name and click Next.

Install and configure WSUS
Select the server to install WSUS

Server Roles – Windows Server Update Services

On the Server roles page, select the role “Windows Server Update Services“. You should see Add features that are required for Windows Server Update Services box. Click Add Features, and then click Next.

Select Windows Server Update Services role
Select Windows Server Update Services role

On the Select features page, leave the options to default and click Next.

Windows Server Features

On the Windows Server Update Services page, click Next.

Install and configure WSUS

WSUS Database Type – Role Services

You must select role services / Database type to install for Windows Server Update services. Select WID Connectivity and WSUS Services. Click Next.

Select WID Connectivity and WSUS Services
Select WID Connectivity and WSUS Services

WSUS Content Location

Specify a content location to store the updates. I would recommend storing the updates on another drive and not on your C: drive. The size of this folder can grow eventually and you don’t want this folder to reside on C: drive. Hence choose either a separate drive or store the updates on remote server.

Click Next.

WSUS Content Location
WSUS Content Location

On the Web Server Role (IIS) page, click Next.

Web Server Role IIS

The role services to install web server (IIS) are select automatically. Do not change anything here and click Next.

WSUS Role Services

A final confirmation before you install WSUS. Review the settings and click Install.

Confirm Selections

Once WSUS installation is complete, click Launch Post-Installation tasks.

Launch WSUS Post Installation tasks
Launch WSUS Post Installation tasks

Wait for the message Configuration successfully completed. Click Close.

WSUS configuration completed successfully
WSUS configuration completed successfully

Configure Windows Server Update Services (WSUS)

After you install WSUS, you can configure the WSUS server using WSUS Server configuration wizard. This is a one time configuration where you will configure some important WSUS options.

If you don’t see a WSUS Server configuration wizard or if you have skipped it by mistake, don’t worry. You can launch it by opening the WSUS Console > Options > WSUS Server Configuration wizard.

Note – Before you start to configure WSUS, some important points.

  • Ensure the server firewall allows the clients to access the WSUS server. If the clients have issues connecting to WSUS server, updates won’t be downloaded from server.
  • The WSUS downloads the updates from upstream server which is Microsoft update in our case. So ensure the firewall allows the WSUS server to connect to Microsoft Update.
  • In case there is a proxy server in your setup, you must enter the credentials for proxy server while configuring WSUS. Have them handy as they are required.

On the Before you begin page, click Next.

Install and configure WSUS using WSUS Configuration Wizard
WSUS Configuration Wizard

Click Next.

Windows Server Update Services Configuration Wizard

Choose WSUS Upstream Server

This is an important section where you select the upstream server. You get two options.

  • Synchronize from Microsoft Update – Selecting this option will download the updates from Microsoft update.
  • Synchronize from another Windows Server Update Services server – Select this option if you want this WSUS server to download updates from already existing WSUS server. You must specify the server name and port number (8530) by default. If you are selecting the option to use SSL during updates synchronization, ensure that upstream WSUS server is also configured to support SSL.

Since this will be my only WSUS server, I will select Synchronize from Microsoft Update. Click Next.

Choose Upstream Server
Choose Upstream Server

Proxy Server

Specify Proxy server information if you have got one. If this option is selected, ensure you specify proxy server name and port number. In addition to that specify the credentials to connect to the proxy server. If you want to enable basic authentication for the user connecting to the proxy server, click Allow basic authentication (password in clear text).

Click Next.

Specify Proxy Server

On the Connect to Upstream Server page, click Start Connecting button.

Download Update Information from Windows Update
Download Update Information from Windows Update

Once it is complete, click Next.

Download Update Information from Windows Update

Choose Languages for Updates

On the Choose Languages page, you have the option to select the languages from updates. If you choose to download updates in all languages, you would find updates with all languages in the WSUS console.

However if you choose to get updates only for specific languages, select Download updates only in these languages. Select the languages for which you want updates.

Click Next.

Windows Updates Languages
Windows Updates Languages

Choose Products

This is the page where you select the products for which you want the updates. A product is a specific edition of an operating system or application.

From the list of products you can select individual products or product families for which you want your server to synchronize updates. In this case I am going to select Windows Server 2019 and Windows 10 1903 as products.

Click Next.

Select the Microsoft Products
Select the Microsoft Products

Choose Update Classifications

In the beginning of the post I have listed the types of updates. On the Choose Classifications page, select the required classifications. I have selected Critical Updates, Security Updates and Update Rollups.

Click Next.

WSUS Update Classifications
WSUS Update Classifications

Configure WSUS Synchronization Schedule

You must decide on how do you want to perform WSUS sync. The Set Sync Schedule page lets you select whether to perform synchronization manually or automatically.

If you choose Synchronize manually, you must manually start the synchronization process from the WSUS Administration Console. With this option selected, you have to manually perform the sync every time. Therefore do not select this option if you are setting up the WSUS in production.

If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. You can set the time of First synchronization. Then set the number of synchronizations per day. From the drop-down you can choose the value between 1-24.

Click Next.

Configure Windows Server Update Services Synchronization Schedule
Configure WSUS Synchronization Schedule

Click Begin initial synchronization. Click Next.

Begin Windows Server Update Services Initial synchronization
Begin WSUS Initial synchronization

Finally on the last page, click Finish. This completes the steps to configure WSUS.

Install Configure WSUS Complete

Configure Group Policy Settings for WSUS

After you install and configure WSUS, the next important task is to configure group policy settings for automatic updates. The new clients still don’t know about the new WSUS server that you just setup. Using group policy you can point your client machines to new WSUS server.

In an active directory environment, you can use Group Policy specify the WSUS server. The group policy settings will be used to obtain automatic updates from Windows Server Update Services (WSUS).

You can create the group policy and apply it at domain level. Or you can create and apply the GPO to a specific OU (containing your computers).

While there are many Windows Update policy settings, I am going to configure few of them. For a list of all windows update policy settings, read this article from Microsoft.

Configure Automatic Updates WSUS

To configure Automatic Updates group policy settings for WSUS

  • Open the Group Policy Management console, and open an existing GPO or create a new one.
  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
  • Double-click Configure Automatic Updates and set it to Enabled.

Under Configure automatic updating, select the desired option. Under Schedule install day, select the day when you want the updates to be installed. Set the scheduled install time.

Configure WSUS Automatic Updates
Configure WSUS Automatic Updates

In case you select Auto download and schedule the updates install, you get some options to limit updating frequency. If you have configured the settings, click Apply and OK.

Configure WSUS Automatic Updates
Configure WSUS Automatic Updates

Specify Intranet Microsoft Update Service Location

The next setting that you should configure is specify an intranet Microsoft update service location. The idea behind this is to ensure the client computers contact the specified intranet server instead of downloading updates from internet. Unless you configure this policy setting, the client computers wouldn’t know about the intranet server.

To enable the policy, click Enabled. Specify the intranet update service and intranet statistics server. Click Apply and OK.

Specify intranet Microsoft Update service location
Specify intranet Microsoft Update service location

On the client computer, check the resultant set of policy to confirm if the WSUS GPO is applied.

Check RSOP settings on client computersYou can also verify the intranet update service location on client computers using registry. On the client computer, open Registry Editor and go to HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

Check the values of WUServer and WUStatusServer and confirm if the values match the one that you supplied in WSUS GPO.

Verify intranet Microsoft Update service location
Verify intranet Microsoft Update service location


Configure WSUS computer groups

By creating computer groups you can first test and target updates to specific computers. When you open WSUS console, you will find two default computer groups – All computers and Unassigned computers.

You can create custom computer groups to manage updates in your organization. As per Microsoft you must create at least one computer group in the WSUS console. Test updates before you deploy them to other computers in your organization.

To create a new computer group in WSUS console

In the WSUS Administration Console, under Update Services, expand the WSUS server. Expand computers, right-click All computers, and then click Add computer Group.

In the add computer Group dialog box, specify the name of the new group, and then click Add.

Add WSUS Computer group
Add new computer group

Click All Computers and you should see list of computers. Select the computers, right click and click Change Membership.

Configure WSUS computer groups
Change the computer membership

On the Set Computer Group Membership box, select the new group that you just created. Click OK.

Select target computer group
Select target computer group

Click the new group and you should find those computers.

Configure WSUS computer groups

Approve and Deploy Updates in WSUS

Once you have a test computer group created, your next task to deploy the updates to the test group. To do so you must first approve and deploy WSUS updates.

To approve the updates in WSUS

  • Launch the WSUS Administration Console, click Updates > All Updates.
  • In the All Updates section, select the updates that you want to approve for installation in your test computer group.
  • Right-click the updates and click Approve.

Approve and Deploy Updates in WSUS

Most of all in the Approve Updates dialog box, select your test group, and then click down arrow. Click Approved for Install. You an also set a deadline to install the updates. Click OK.

Approve and Deploy Updates in WSUS

The Approval Progress window appears, which shows the progress of the tasks that affect update approval. When the approval process is complete, click Close.

Approve and Deploy Updates in WSUS

Configure Auto Approval Rules in WSUS

If you don’t want to manually approve the updates you can configure auto approval rule in Windows Server Update Services.

To configure Automatic Approvals in WSUS

  • Launch WSUS Administration Console, expand the WSUS server, and then click Options.
  • In Options, click Automatic Approvals.
  • You should find the default automatic approval rule and if you wish you can edit it and use it.
  • To create a new approval rule, click New Rule.

Configure Auto Approval Rules in WSUS

Check the box When an update is in a specific classification. Select the classifications. You can also approve the update for computers groups. I am going to select Windows 10 as that is my test computer group. Finally you can set a deadline for the update approval and specify auto approval rule name.

After you configure the rule, click OK.

Configure Auto Approval Rules in WSUS

On the Automatic Approvals window, you can find the rule that you just created. If you wish to run this rule, click Run Rule.

Configure Auto Approval Rules in WSUS

WSUS Reports

The last section that I want to cover is the WSUS reports. Clicking Reports in the WSUS console shows the list of reports. WSUS comes with several reports to help you find the updates deployment status, sync reports and computers reports.

  • Update Reports – Includes Updates status summary, detailed and tabular status, tabular status for Approved Updates.
  • Computer Reports – Computer Status Summary, Detailed Status, Tabular Status and Computer tabular Status for approved updates.
  • Synchronization Reports – Shows the results of last synchronization.

WSUS reportsThis completes the steps to install and configure WSUS. I am sure this guide will help you to setup WSUS in your lab setup. If you have any questions related to WSUS, do let me know in comments section.

Related Posts
Oldest Most Voted
Inline Feedbacks
View all comments
Blakely Loftus

Hi there – great article. You mentioned issues installing & configuring WSUS on Windows Server 2016. That is the OS we run on our server. The Server was bought from Dell in 2018. I am nervous doing an upgrade to MS Server 2019 only to install and configure WSUS for my convenience. (It is a pain having to update 11 PCs on in our office on the domain and make sure they are all patched). The server runs smoothly and has software critical to our business (our EMR). I am looking for an easier solution and I believe we ran… Read more »

Satish Verma

Cheers, You have great Knowledge Base Creating skills. Keep going.


Hi, great help, but i upgraded my domain to windows 2019 and i can’t see the options to schedule the updates monthly, could someone please help?


Hi Prajwal, excellent documentation as always. I’ve installed Windows 2019 and enabled the WSUS role, no proxy in my test environment, but when I try a manual “Import Updates” from the Microsoft Catalog Server, I search for KB890830, add to my basket and the download. The download fails with; “Some updates could not be imported. If you cancelled the process, try again to import the updates. If an error occurred, click Failed in the progress column next to each update to see how to solve the problem.” When you open the Fail Button Contents, you get the error message [Error… Read more »

Last edited 1 month ago by AndyB_UK

Update: From our investigation so far we have demonstrated if WSUS 2019 / 2016 is installed on a Windows 10 Hyper-V environment we can observer this problem, however in the same Hyper-V environment with WSUS on Windows 2012 WSUS works correctly, if WSUS 2016 is installed on a physical server, Manual Import of Updates work correctly, testing continuing.

Yonathan Tewolde

It is a wonderful detailed and very helpful article . Thank you very much


Hi Prajwal, This was a very detailed document, thank you! We have a WSUS server setup, but for some reason my Windows 10 computers don’t auto install. I have one computer I’m testing with and I’ve restarted it multiple times. I’ve also left it on all weekend to see if it would do it over night. Nothing is working. I can see in the registry that it’s pointing to the right server. I can see on the server that the updates that are waiting are approved for install so I’m not sure why it’s not working. Can you help me… Read more »



Can I have a WSUS server for a closed environment that is not connected to the internet?


Justin Dobson

Yes, you would need one that is connected to the internet as well though. Here is a link to microsofts instructions on how to perform this action.


Hi Prajwal
thanks for sharing this information. I am learning MCSA2019. I have a question, I installed WSUS on windows server but I cant launch it to complete configuration.
It has joint to Active Directory and they have ping of each other. firewall, date and time is right. but the launch of WSUS fails.
pls let me know where I am going wrong.

Adnan Bhatti

Hi Prajwal, I have a question, in production is it good idea to install the WSUS role on SCCM primary site? if not can you share a post where you have installed WSUS ,SCCM primary site and SQL server on three different servers. I have configured the same lab but WSUS is not working. I went through your post and did all but nothing worked out. Thanks Adnan


Hi Prajwal, thank you for the article….
Any ideas why GPO not applying to Windows 10 – I have my computers in the correct OU ect…..

“Open the Group Policy Management console, and open an existing GPO or create a new one.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
Double-click Configure Automatic Updates and set it to Enabled”

Steve Wright

Great Detail. I looked to rerun the configuration wizard at WSUS Console > Options > WSUS Server Configuration wizard but the only thing I see there is “Disk Cleanup”. Running this did not result in the configuration wizard option being available. I am also running Server 2019. Do you know if there is another way to launch the configuration wizard?


What a wonderfully detailed and concise article. Thank you very much.


Very helpful article.

Sam VicTrack

Awesome article!!!!!!!!!!!!!!!!

Jun Fababeir

great post. many thanks


Very good post!!!!
works fine.
Thank You.


The WSUS administration console was unable to connect to the WSUS Server via the remote API. Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service. The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\. System.IO.IOException — The handshake failed due to an unexpected packet format. Source System Stack Trace: at System.Net.Security.SslState.StartReadFrame(Byte[] buffer,… Read more »


Hi I am getting
error:connection error Please reset node


please make a video of it and also specify what to do if computers do not apper in computer group

Zoltan Gal

Great post, thank You


Here’s one thing that can’t be overstated enough, and perhaps the article could be amended to make a strong point: When you configure the policy and specify the WSUS server name, *make sure you provide the port as well* (…:8530). I’ve been running WSUS (on 2008 R2) for over a decade, and the policy has successfully been in use since then, just by providing the name (http://mywsusserver). I’ve spent days trying to figure out what the problem was. When I saw your screenshot, I decided to add the port number (even though I haven’t changed it from the default, which… Read more »


Thanks a lot for the post

Rakesh K

Thanks a lot for the post Iam setuping now the WSUS .If any information i will get back to you


MY WSUS is showing connection type Non-SSL during Synchronization. I want it to be SSL. Can anyone please guide me.


Thanks for the post. I have WSUS working on a fresh install of 2019 Server and machines migrated and are updating. However the report viewer is not available. What things did you install (and in what order) to get that working?


When you click on report viewer it will give you a link to Click on to download report viewer. If you receive an error explaining you need frame work 2.0 you need to install it by adding to roles and features and select frame work 3.5. You will more then likely get do you need to specify an alternate source path that is highlighted in yellow at the top of the page. In that case select the specify an alternate source path link and point to your 2019 OS sources folder.


I had to first install the SQLSysClrTypes then the report viewer. Weird that we have to install 2012 Server programs, but it’s working. Thanks.

Amit Patel

do you also have some troubleshooting guides?
I followed your guide, but I can’t see any computers or updates in WSUS.


You should add that information to the tutorial, also please add how to get the URL for the Local Intranet site.

Hishan Malluwa Wadu

Thank you for the post.

Thomas Lee

Sadly, wsus is not usable with Powershell 7. It uses methods, this the windows compatibility workaround is not usable. And the module uses SOAP which is not supported in .NET core.

Billy Bob Thornton

Why are you referencing something that has nothing to do with it?


Great post..


Hi Prajwal, window 10 machines were connected with wsus and getting update regular but now machine are out of network and unable to get update directly from internet and showing error computer is managed by organization. In current situation what policy should be applied on domain controller for wsus so that remote machine can get directly from internet as wsus


Remove those computers from the group policy. you can create a SG and add into exclusion.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More