Tutorial: Install and Configure WSUS on Windows Server 2022/2019 | Ranjan.info

You can use a Windows Server Update Services (WSUS) update server to deploy Microsoft product updates (Windows, Office, SQL Server, Exchange, etc.) to computers and servers on the company’s local network. In this article, we will walk you through how to install and configure a WSUS update server on Windows Server 2022/2019/2016 or 2012 R2.

How does WSUS work?

WSUS Server is implemented as a separate Windows Server role. In general terms, the WSUS service can be described as follows:

  • After installation, the WSUS server is scheduled to synchronize with Microsoft Update servers over the Internet and download new updates for selected products;
  • The WSUS administrator chooses which updates to install on the company’s workstations and servers and approves their installation;
  • WSUS clients (computers) on the local network download and install updates from your update server according to the configured update policies.

How to Install the WSUS Role on Windows Server 2022/2019/2016/2012 R2?

Starting with Windows Server 2008, WSUS is a separate role that can be installed using the Server Manager console or PowerShell.

If you are deploying a new WSUS server, we recommend that you install it on the latest release of Windows Server 2022 (installation is possible on Windows Server Core).

To install WSUS, open the Server Manager console and check the Windows Server Update Services role (the system will automatically select and offer to install the necessary IIS web server components).

In the next window, select which WSUS role services you want to install. Be sure to check the WSUS Services option. The next two options depend on which SQL database you plan to use for WSUS.

Server settings, update metadata, and WSUS client information are stored in a SQL Server database. As a WSUS database you can use:

  • Windows Internal Database (WID) – the built-in Windows database (the WID Connectivity option). It is a recommended and practical option even for large infrastructures;
  • A separate Microsoft SQL Server database deployed on a local or remote server. You can use MS SQL Enterprise, Standard (licensing required), or the free Express Edition. This is the SQL Server Connectivity option.

The Windows Internal Database (WID) is recommended if:

  • You do not have unused MS SQL Server licenses;
  • You are not planning to use WSUS load balancing (NLB WSUS);
  • You are deploying downstream (child) WSUS servers (for example, in branch offices). In this case, it is recommended to use the built-in WSUS database on the secondary server.

In the free SQL Server Express Edition, the maximum database size is limited to 10 GB. The Windows Internal Database is limited to 524 GB. For example, in my infrastructure, the size of the WSUS database was about 7 GB for 3000 clients.

If you install the WSUS role and MS SQL database on different servers, there are some limitations:

  • SQL Server with WSUS database cannot be an Active Directory domain controller;
  • The WSUS server cannot be deployed on a host with the Remote Desktop Services role.

The default WID database is called SUSDB.mdf and is stored in the folder %windir%\wid\data. This database only supports Windows Authentication (not SQL authentication). The internal (WID) database instance for WSUS is called Server_name\Microsoft##WID.

The WSUS WID database can be administered through SQL Server Management Studio (SSMS) if you specify the following connection string: \\.\pipe\MICROSOFT##WID\tsql\query

If you want to store update files locally on the WSUS server, enable the option Store updates in the following location and specify the directory path. This can be a folder on a local disk (a separate physical or logical volume is recommended), or a network location (UNC path). Updates are downloaded to the specified directory only after they are approved by the WSUS administrator.

The size of the WSUS database is highly dependent on the number of Microsoft products and the number of Windows versions you plan to update. In a large organization, the size of the update files on WSUS servers can reach hundreds of GB.

If you do not have enough disk space to store the update files, disable this option. In this case, WSUS clients will download the approved update files from the Internet (a viable option for smaller networks).

You can also set up a WSUS server with an internal database (WID) using the following PowerShell command:

Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI -IncludeManagementTools

Initial WSUS configuration on Windows Server

After installing the WSUS role, you need to complete its initial configuration. Open Server Manager and choose Post-Deployment Configuration -> Launch Post-Installation Task.

You can use the WsusUtil.exe console tool to manage WSUS from the command prompt. For example, to change the path to the WSUS Update Files directory, run:

CD "C:\Program Files\Update Services\Tools"
WsusUtil.exe PostInstall CONTENT_DIR=D:\WSUS

Or, for example, you can switch your WSUS to an external SQL Server database:

wsusutil.exe postinstall SQL_INSTANCE_NAME="MUN-SQL1\WSUSDB" CONTENT_DIR=D:\WSUS_Content

Then open the Windows Server Update Services console. The WSUS Update Server Initial Configuration Wizard starts.

Specify whether the WSUS server will download updates directly from the Microsoft Update site (Sync with Microsoft Update) or get them from an upstream WSUS server (Synchronize with another Windows Update service server). Downstream WSUS servers are usually deployed on remote sites with a large number of clients (300+) to reduce the load on the WAN link.

On Windows 10 and 11, you can use Delivery Optimization to reduce the bandwidth usage of update traffic on your communication channels.

If you access the Internet through a proxy server, you must specify the proxy server’s address and port, as well as authentication credentials.

Next, check the connection to the upstream update server (or Windows Update). Click Start Connecting.

You will then need to select the product languages for which WSUS will download updates. We choose English (the list of languages can be changed later from the WSUS console).

Then specify the list of products for which WSUS should download updates. Select only those Microsoft products that are used in your environment. For example, if you’re sure there are no Windows 7 or Windows 8 computers left on your network, don’t select these options. This will significantly save space on the WSUS server drive.

Be sure to include the following general items in the WSUS product selection:

  • Developer Tools, Runtime and Redistributable – used to update the Visual C++ runtime libraries;
  • Windows Dictionary Updates in the Windows category;
  • Windows Server Manager – Windows Server Update Services (WSUS) Dynamic Installer.

On the Classification page, you must specify the types of updates to be deployed through WSUS. It is recommended to select: Critical Updates, Definition Updates, Security Updates, Service Packs, Update Rollups and Updates.

Windows 10 build upgrades (21H2, 20H2, 1909, etc.) are included in the Upgrades class in the WSUS console.

Configure your update synchronization schedule. It is recommended to use automatic daily synchronization of the WSUS server with the Microsoft Update servers. WSUS synchronization should run at night, so as not to load the Internet channel during business hours.

The initial synchronization of the WSUS server with the upstream update server may take several days, depending on the number of products you selected earlier and your ISP.

Once the wizard is done, the WSUS console will start.
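The same wizard choices (upstream source, language, products, classifications, nightly schedule) can also be scripted with the UpdateServices PowerShell module. This is an added example, not part of the original article; the product list in $Products is a constructed sample and should be replaced with the products in your environment.

```powershell
# Added example: scripted equivalent of the configuration wizard choices.
# Run in an elevated PowerShell session on the WSUS server after the PostInstall task.
$Products = @('Windows Server 2019', 'Windows Server 2016')   # constructed sample list
$Classes  = @('Critical Updates', 'Definition Updates', 'Security Updates',
              'Service Packs', 'Update Rollups', 'Updates')

$wsus = Get-WsusServer                                  # local WSUS server
Set-WsusServerSynchronization -SyncFromMU | Out-Null    # upstream = Microsoft Update

# Languages: English only, as chosen in the wizard
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# The first pass downloads only the product/classification catalog
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 15
}

# Deselect everything, then enable only the requested products and classes
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -in $Products } | Set-WsusProduct
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $Classes } |
    Set-WsusClassification

# Daily automatic sync at night; the time of day is interpreted as UTC
$sub = $wsus.GetSubscription()          # re-read after the selection changes
$sub.SynchronizeAutomatically = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 1
$sub.NumberOfSynchronizationsPerDay = 1
$sub.Save()

# Start the (long) initial synchronization and show its state
$sub.StartSynchronization()
$sub.GetSynchronizationStatus()
```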

The WSUS console tree has several sections:

  • Updates – updates available on the WSUS server (here you can manage update approvals and assign them for installation);
  • Computers – here you can manage WSUS client groups (Computer, Server, Test, and Production groups, etc.);
  • Downstream Servers – allows you to configure whether you receive updates from Windows Update or from an upstream WSUS server;
  • Synchronizations – the update synchronization schedule;
  • Reports – various WSUS reports;
  • Options – WSUS configuration settings.

Further steps for configuring WSUS (approving WSUS updates, creating and configuring update groups for computers and servers) are described in separate posts.

Clients can now receive updates by connecting to the WSUS server on port 8530 (in Windows Server 2003 and 2008, port 80 is used by default). Check that this port is open on the WSUS host:

Test-NetConnection -ComputerName yourwsushost1 -Port 8530

You can use a secure SSL connection on port 8531. To do this, you need to bind a certificate to the WSUS Administration website in IIS.

If the port is closed, create an allow rule in Windows Defender Firewall.
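One way to create that rule while keeping the exposure narrow, as an added example that is not from the original article: it opens 8531 only if the WSUS Administration site actually has an HTTPS binding, and limits the rule to client subnets. The subnet, the rule name and the use of the Domain firewall profile (a domain-joined server) are assumptions.

```powershell
# Added example; run elevated on the WSUS server.
Import-Module WebAdministration
$ClientSubnets = @('10.0.0.0/8')                 # hypothetical internal client range
$RuleName      = 'WSUS client access (example)'  # hypothetical rule name

# Always allow HTTP 8530; add 8531 only when the site has an HTTPS binding on it
$ports = @(8530)
$https = Get-WebBinding -Name 'WSUS Administration' -Protocol https
if ($https | Where-Object { $_.bindingInformation -like '*:8531:*' }) {
    $ports += 8531
} else {
    Write-Warning 'No HTTPS binding on 8531 for the WSUS Administration site; 8531 stays closed.'
}

# Confirm IIS is listening before opening anything
foreach ($p in $ports) {
    $listener = Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue
    if (-not $listener) {
        Write-Warning "Nothing is listening on TCP $p; check the WSUS Administration site in IIS."
    }
}

# Create (or refresh) one inbound allow rule limited to the client subnets
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $ports -RemoteAddress $ClientSubnets `
    -Profile Domain | Out-Null

# Show the ports and source addresses the rule ended up with
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```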

How to Install WSUS Management Console on Windows 10 and 11?

The Windows Server Update Services console (wsus.msc) is used to manage WSUS. You can manage WSUS hosts using a local console or from a remote computer over the network.

The WSUS Administration Console for Windows 10 or 11 is installed from the Remote Server Administration Tools (RSAT). To install the Rsat.WSUS.Tools component, run the following PowerShell command:

Add-WindowsCapability -Online -Name Rsat.WSUS.Tools~~~~0.0.1.0

If you want to install WSUS Console on Windows Server, use the command:

Install-WindowsFeature -Name UpdateServices-Ui

When you install WSUS on a Windows Server, two additional local groups are created. You can use them to give users access to the WSUS Management Console.

  • WSUS Administrators
  • WSUS Reporters

To view updates and reports about clients on WSUS, you must install:

  • Microsoft System CLR Types for SQL Server 2012 (SQLSysClrTypes.msi);
  • Microsoft Report Viewer 2012 Runtime (ReportViewer.msi).

To view the various update reports in the WSUS console, you must install the optional Microsoft Report Viewer 2008 SP1 Redistributable (or higher) components on your server.

If these components are not installed, when generating any WSUS report, an error will appear:

The Microsoft Report Viewer 2012 Redistributable is required for this feature. Please close the console before installing this package.

Optimizing WSUS Performance

This section describes some tips for optimizing the performance of WSUS Update Server in a real-world environment.

  • For WSUS to function properly, the update host must have at least 4 GB of RAM and 2 CPUs free;
  • With a large number of WSUS clients (more than 1500), you may experience significant performance degradation of the IIS WsusPool application pool that distributes updates to clients. Error 0x80244022 may appear on clients, or the WSUS console may crash on startup with Error: Unexpected error and Event ID 7053 in Event Viewer (The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, ...). To resolve this issue, add more RAM to your WSUS host and optimize the IIS pool settings. Use these PowerShell commands:
    Import-Module WebAdministration
    Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name queueLength -Value 2500
    Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name cpu.resetInterval -Value "00.00:15:00"
    Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name recycling.periodicRestart.privateMemory -Value 0
    Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name failure.loadBalancerCapabilities -Value "TcpLevel"
  • Enable automatic approval for Microsoft Antivirus signature/definition updates. Otherwise, WSUS can slow down significantly and consume all available RAM.

Antivirus scanning can negatively affect WSUS performance. With the built-in Microsoft Defender Antivirus in Windows Server, it is recommended to exclude the following folders from real-time protection:

  • \WSUS\WSUSContent;
  • %windir%\wid\data;
  • \SoftwareDistribution\Downloads.
