This article provides a detailed guide on installing and configuring a Windows Server Update Services (WSUS) server on Windows Server 2019, 2016, and 2012 R2. WSUS enables centralized management of updates for Microsoft products, such as Windows, Office, SQL Server, Exchange, and others. We will cover the installation, configuration, and performance optimization steps for WSUS.


How WSUS Works

The WSUS server is a dedicated role in Windows Server that performs the following functions:

– Periodic synchronization with Microsoft Update servers to retrieve new updates.

– The administrator selects and approves updates for installation on workstations and servers.

– WSUS clients download and install updates based on policies configured by the administrator.

Installing the WSUS Role on Windows Server

Starting with Windows Server 2008, WSUS is a separate role that can be installed via the Server Manager console or PowerShell.

Installation via Server Manager

1. Open the Server Manager console.

2. Select the Windows Server Update Services role. The system will automatically include the necessary IIS web server components.

In the WSUS component selection window, choose WSUS Services. Then, select the database WSUS will use:

Windows Internal Database (WID) — a built-in Windows database. This is the recommended option, especially for large infrastructures.

Microsoft SQL Server — for using a local or remote SQL Server database. This requires the SQL Server Connectivity option.

Important: SQL Server for WSUS cannot be installed on an Active Directory domain controller, and WSUS should not run on a server with the Remote Desktop Services role.

The WID database is named SUSDB.mdf by default and is stored in the %windir%\wid\data directory.

To administer it, use the connection string \\.\pipe\MICROSOFT##WID\tsql\query in SQL Server Management Studio.

If you want to store update files locally on the WSUS server, enable the option Store updates in the following locations and specify the directory path. This can be a folder on a local drive (preferably a separate physical or logical volume) or a network share (UNC path). Updates are downloaded to the specified directory only after approval by the WSUS administrator.

The size of the WSUS database depends heavily on the number of products and Windows OS versions you plan to update. In large organizations, the size of update files on the WSUS server can reach hundreds of gigabytes. If disk space is limited, disable this option. In this case, WSUS clients will download approved updates directly from the internet (a viable option for smaller networks).

Installation via PowerShell

To install the WSUS server with WID, run the following command:

Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI -IncludeManagementTools

Initial Configuration of the WSUS Server on Windows Server

After installing the WSUS role, perform the initial configuration via Post-Deployment Configuration => Launch Post-Installation tasks in Server Manager.

Main Configuration Steps

1. Launch the initial configuration wizard.

2. Choose whether the WSUS server will synchronize with Microsoft Update or an upstream WSUS server.

3. Specify proxy settings if a proxy server is used for internet access.

4. Verify connectivity to the upstream update server (or Microsoft Update). Click Start Connecting.

5. Select the languages and products for which WSUS will download updates.

Choose Microsoft products relevant to your infrastructure. For example, if Windows 7 is no longer used, disable updates for that OS version.

Be sure to include the following common classifications:

Developer Tools, Runtimes, and Redistributables — for updating Visual C++ Runtime libraries.

Windows Dictionary Updates in the Windows category.

Windows Server Manager – Windows Server Update Services (WSUS) Dynamic Installer.

For update types, we recommend enabling the following classifications:

Critical Updates

Security Updates

Service Packs

Updates

Update Rollups

Set the synchronization schedule. It’s optimal to configure automatic daily synchronization during off-hours to avoid network congestion during working hours.

The initial synchronization of the WSUS server with the upstream update server may take several days, depending on the number of products selected earlier. After the wizard completes, the WSUS console will launch.
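
The classification, product and schedule choices made in the wizard can also be applied and audited from PowerShell with the UpdateServices module. The script below is an added example, not part of the original article; the 02:00 synchronization time is an assumption, and the product list is only populated after the first synchronization.

```powershell
# Added example: apply the wizard choices described above from PowerShell.
# Run in an elevated session on the WSUS server after the post-installation tasks.
$wsus = Get-WsusServer   # connects to the local WSUS server

# Update classifications recommended in the article
$wanted = 'Critical Updates', 'Security Updates', 'Service Packs',
          'Updates', 'Update Rollups'

# Enable the recommended classifications and disable everything else,
# so the server does not download update types nobody reviews.
Get-WsusClassification -UpdateServer $wsus | ForEach-Object {
    if ($wanted -contains $_.Classification.Title) {
        $_ | Set-WsusClassification
    } else {
        $_ | Set-WsusClassification -Disable
    }
}

# Disable a product that is no longer in use (the article's Windows 7 example).
# Exact title match avoids touching other products whose names contain "Windows 7".
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -eq 'Windows 7' } |
    Set-WsusProduct -Disable

# Daily automatic synchronization during off-hours.
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2  # assumed 02:00; the API treats this as UTC
$sub.NumberOfSynchronizationsPerDay    = 1
$sub.Save()

# Audit: list what the subscription will actually download.
$sub.GetUpdateClassifications() | Select-Object Title
$sub.GetUpdateCategories()      | Select-Object Title, Type
```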

The WSUS console consists of several sections:

Updates – Available updates on the WSUS server (manage update approvals and assignments here).

Computers – Create WSUS client groups (computers and servers).

Downstream Servers – Configure whether updates are retrieved from Microsoft Update or an upstream WSUS server.

Synchronizations – Update synchronization schedule.

Reports – WSUS reports.

Options – WSUS server settings.

Clients can now receive updates by connecting to the WSUS server on port 8530 (in Windows Server 2003 and 2008, port 80 was used by default). Verify that this port is open on the WSUS server:

Test-NetConnection -ComputerName wsussrv1 -Port 8530

If the port is closed, create an appropriate rule in Windows Defender Firewall.
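
A firewall rule for this port should be limited to the networks where WSUS clients actually live rather than opened to any source. The following is an added example, not part of the original article; the rule name and the 10.0.0.0/8 client range are assumptions to replace with your own values.

```powershell
# Added example: check the WSUS listener and open TCP 8530 only to client subnets.
# Run in an elevated session on the WSUS server.
$port         = 8530
$clientRanges = '10.0.0.0/8'   # assumption: internal client address space

# 1. Confirm IIS is listening before touching the firewall.
$listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if (-not $listening) {
    Write-Warning "Nothing is listening on TCP $port; check the WSUS site in IIS first."
}

# 2. Look for an enabled inbound allow rule that already covers the port.
$existing = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
    }

# 3. Create a scoped rule only if none exists.
if ($existing) {
    $existing | Select-Object DisplayName, Profile, Enabled
} else {
    New-NetFirewallRule -DisplayName 'WSUS clients (TCP 8530)' `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $clientRanges -Profile Domain -Action Allow
}

# 4. Show the source addresses each matching rule accepts, to spot rules open to "Any".
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
```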

Installing the WSUS Administration Console on Windows 10/11

The WSUS server is administered with the Windows Server Update Services console (wsus.msc), which is available both locally on the server and remotely via Remote Server Administration Tools (RSAT) on workstations running Windows 10 or 11.

Installing RSAT for WSUS

To install the WSUS console on Windows 10/11, run the following PowerShell command:

Add-WindowsCapability -Online -Name Rsat.WSUS.Tools~~~~0.0.1.0

To install the WSUS console on a server, use:

Install-WindowsFeature -Name UpdateServices-Ui

After installation, two local groups are created:

WSUS Administrators — for users with full WSUS management access.

WSUS Reporters — for users with access to reports.

To generate WSUS reports, you need to install:

Microsoft System CLR Types for SQL Server 2012

Microsoft Report Viewer 2012 Runtime

If these components are not installed, generating any WSUS report will result in the error:

“The Microsoft Report Viewer 2012 Redistributable is required for this feature. Please close the console before installing this package.”

Optimizing WSUS Performance

For optimal WSUS performance, we recommend the following:

1. A minimum of 4 GB of RAM and 2 CPU cores.

2. For a large number of clients (1500+), additional resources may be needed to avoid performance errors such as 0x80244022 or Event ID 7053.

To address this issue, add more RAM to the server and optimize IIS pool settings using the following commands:

Import-Module WebAdministration

Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name queueLength -Value 2500

Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name cpu.resetInterval -Value "00.00:15:00"

Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name recycling.periodicRestart.privateMemory -Value 0

Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name failure.loadBalancerCapabilities -Value "TcpLevel"

Enable automatic approval for Microsoft antivirus updates. Otherwise, WSUS may slow down significantly and consume all available RAM.

Antivirus exclusions:

Add the following folders to antivirus exclusions to avoid impacting WSUS performance:

\WSUS\WSUSContent

%windir%\wid\data

\SoftwareDistribution\Download

These steps will enhance WSUS performance and ensure timely updates for clients.

By following these instructions, you can install and configure a WSUS server on Windows Server, enabling centralized update management and optimizing its performance in your infrastructure.
