- WSUS allows you to control and distribute updates to Windows from a single server
- Its implementation requires a correct installation of the role and proper configuration of the firewall and the clients
- Using GPOs you can automate the update process on all computers in the domain.
- Using SSL and certificates improves the security of WSUS connections
Correctly configuring WSUS (Windows Server Update Services) is key to maintaining a secure and efficient work environment in companies that run Windows systems. This service centralizes the management of operating system security and feature updates, reducing network traffic and giving the administrator more control over the device fleet.
Throughout this complete guide we will review all the steps you must follow to install and configure WSUS from scratch. It covers everything from server preparation to the GPO configuration that client computers need, including network settings, ports, proxy usage, and the deployment of SSL certificates to improve security.
Installing the WSUS role on the server
The first step to get started with WSUS is to install the corresponding role on the server you will use as the update center. This server must be up to date, have its network roles correctly configured, and preferably be a member of the Active Directory domain.
From Server Manager, open Add roles and features. In the wizard that opens, select Role-based or feature-based installation and choose the destination server. Then check the box Windows Server Update Services.
The wizard will also ask you to add several required features. Confirm the default suggestions. Under Content location, specify a local path where WSUS will store downloaded updates. This folder should be on a drive with sufficient free space (at least 40 GB, preferably more than 150 GB if you will be managing many computers).
Next, you'll go through the installation of IIS (Internet Information Services), which is required for the WSUS web environment to function. Don't change its settings unless you have a custom setup. Finally, review your selections, click Install and wait for the process to finish.
Once the installation is complete, launch the post-installation tasks from the progress window. This prepares the environment so that the initial configuration can be started from the WSUS management console.
Initial WSUS Configuration
After installing the role, the next step is to open the WSUS Initial Configuration Wizard. This wizard guides the administrator through defining where updates will be retrieved from, which languages, products, and classifications will be downloaded, and how synchronization will be performed.
When you start it, review the introduction and, if you wish, choose to participate in the Microsoft Update Improvement Program. Then, you will have to choose between sync from Microsoft Update or from another WSUS server. This second option is useful in large environments with multiple sites and intermediate servers.
If your corporate network uses a proxy to access the internet, configuring this option is mandatory. Specify the proxy host and port (80 by default), and enter credentials if necessary. WSUS supports Basic Authentication and Integrated Windows Authentication.
After connecting to the update source, choose the languages you want to include. Reducing the number of languages saves space and speeds up synchronization. Then select the products from Microsoft that you want to keep up to date: this could be Windows 10, Windows Server 2019, Office, etc.
In the next step, mark the update classifications that WSUS will manage. Typically you would select critical updates, security definitions, and software enhancements.
Finally, you can choose whether to sync manually or automatically. If you choose to automate it, define how many times a day and at what time the syncs will occur. You can sync up to 24 times a day.
At the end, you can start initial synchronization directly from the wizard. This step will download the initial metadata and prepare the server for operation.
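The role installation and the initial configuration steps above, done from PowerShell instead of the wizards, as an added example that is not part of the original article. The content folder D:\WSUS, the proxy host and port, and the product and classification names are assumed placeholders; run it on the future WSUS server as an administrator.

```powershell
# Assumptions (placeholders, not from the article): content folder D:\WSUS,
# proxy proxy.corp.example:8080, products/classifications as listed below.
Import-Module ServerManager
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Same as the post-installation tasks step: sets the content location
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=D:\WSUS

Import-Module UpdateServices
$wsus = Get-WsusServer            # local server, port 8530
$cfg  = $wsus.GetConfiguration()

# Update source and proxy (proxy lines only needed if the network requires one)
$cfg.SyncFromMicrosoftUpdate = $true
$cfg.UseProxy        = $true
$cfg.ProxyName       = 'proxy.corp.example'
$cfg.ProxyServerPort = 8080

# Fewer languages means less disk usage and faster synchronization
$cfg.AllUpdateLanguagesEnabled = $false
$cfg.SetEnabledUpdateLanguages([string[]]@('en'))
$cfg.Save()

# Products and classifications are only known after a first category-only sync
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 15 }

$products = @('Windows 10', 'Windows Server 2019')
Get-WsusProduct | Where-Object { $_.Product.Title -in $products } | Set-WsusProduct

$classes = @('Critical Updates', 'Security Updates', 'Definition Updates')
Get-WsusClassification | Where-Object { $_.Classification.Title -in $classes } | Set-WsusClassification

# Automatic sync twice a day starting at 02:00, then kick off the initial sync
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2
$sub.NumberOfSynchronizationsPerDay    = 2
$sub.Save()
$sub.StartSynchronization()
```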
Network configuration, ports and external access
For WSUS to work properly with both the update source and the client computers, it is imperative to open the necessary ports in the various firewalls and routers that may sit between the devices.
To connect to Microsoft Update, the WSUS server needs outbound access on ports 80 (HTTP) and 443 (HTTPS). If your organization uses strict outbound rules, be sure to allow access to domains such as:
- windowsupdate.microsoft.com
- *.update.microsoft.com
- download.microsoft.com
- *.delivery.mp.microsoft.com
If you have multiple WSUS servers and you are setting up a hierarchical chain, the downstream servers must be able to reach the upstream server on ports 8530 (HTTP) and 8531 (HTTPS).
Client computers also communicate with the WSUS server on these same ports. Make sure the server's firewall allows the incoming connections and that there are no restrictions at the local network level, since connection problems on clients are often caused by blocked ports rather than by the update settings themselves.
If the company uses an outbound proxy server, it must support HTTP and HTTPS and have the appropriate permissions to handle WSUS traffic. You can use a single proxy or two separate ones per protocol.
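The firewall rules and reachability checks for the ports described in this section, as an added example that is not part of the original article. The server name wsus.corp.example is an assumed placeholder; the inbound rules are created on the WSUS server, and the two test functions can be run on the server and on a client or downstream server respectively.

```powershell
# Assumed placeholder: WSUS server name wsus.corp.example.
# --- On the WSUS server: allow client and downstream-server traffic (idempotent) ---
foreach ($rule in @(@{ Name = 'WSUS HTTP 8530';  Port = 8530 },
                    @{ Name = 'WSUS HTTPS 8531'; Port = 8531 })) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Port -Action Allow -Profile Domain | Out-Null
    }
}

# --- Outbound reachability to Microsoft Update (run on the WSUS server) ---
# Wildcard entries in the allow-list cannot be probed directly, so the concrete
# hosts are tested. Test-NetConnection does not use the proxy: if the server can
# only go out through a proxy, expect closed ports here and test the proxy instead.
function Test-WsusOutbound {
    foreach ($endpoint in 'windowsupdate.microsoft.com', 'download.microsoft.com') {
        foreach ($port in 80, 443) {
            $r = Test-NetConnection -ComputerName $endpoint -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $endpoint; Port = $port; Open = $r.TcpTestSucceeded }
        }
    }
}

# --- From a client or downstream server: can it reach WSUS on both ports? ---
function Test-WsusInbound {
    param([string]$Server = 'wsus.corp.example')
    foreach ($port in 8530, 8531) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $Server; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

Test-WsusOutbound | Format-Table
Test-WsusInbound  | Format-Table
```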
Implement security with certificates and SSL
WSUS allows you to protect communications through the SSL protocol (HTTPS), which encrypts traffic to prevent attacks and information leaks. To enable it, you need to issue a valid certificate from an internal or external CA (Certification Authority).
Once you have the certificate, you must bind it in the IIS web service on the WSUS server. Require SSL only on the virtual directories that need it, so that the rest keep working:
- SimpleAuthWebService
- DSSAuthWebService
- ServerSyncWebService
- APIremoting30
- ClientWebService
Folders containing downloadable content (such as updates or reports) do not require SSL. It's also essential to set the HTTPS port number to 8531 and the HTTP port number to 8530, or use adjacent port pairs if you choose to customize them.
After applying the changes in IIS, open a Command Prompt as administrator and run the command:
wsusutil configuressl NOMBRE_SERVIDOR
This step completes the secure configuration of the WSUS server. Remember to also import the certificate on all client computers as a trusted root authority to avoid SSL trust errors.
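The IIS binding, the per-directory SSL requirement and the wsusutil step described above, scripted as an added example that is not part of the original article. It assumes a server FQDN of wsus.corp.example (placeholder) and that a certificate for that name, issued by the internal CA, is already in the machine's personal store; the final function checks that clients will get a trusted HTTPS answer.

```powershell
# Assumed placeholders: FQDN wsus.corp.example; certificate already in LocalMachine\My.
Import-Module WebAdministration
$fqdn = 'wsus.corp.example'
$site = 'WSUS Administration'     # the IIS site the WSUS role creates

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fqdn in LocalMachine\My" }

# HTTPS binding on 8531; HTTP stays on 8530 (the adjacent pair WSUS expects)
if (-not (Get-WebBinding -Name $site -Protocol https -Port 8531)) {
    New-WebBinding -Name $site -Protocol https -Port 8531
}
(Get-WebBinding -Name $site -Protocol https -Port 8531).AddSslCertificate($cert.Thumbprint, 'my')

# Require SSL only on the five virtual directories listed in the text;
# Content (update files) and the reporting directory keep plain HTTP.
foreach ($vdir in 'SimpleAuthWebService', 'DSSAuthWebService', 'ServerSyncWebService',
                  'ApiRemoting30', 'ClientWebService') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$vdir" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Tell WSUS itself to use HTTPS (the wsusutil command from the text)
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $fqdn

# Verification: the client endpoint must answer over HTTPS with a trusted chain.
# An untrusted CA, a name mismatch or a missing binding all surface as $false here.
function Test-WsusSsl {
    param([string]$Server = $fqdn)
    try {
        $r = Invoke-WebRequest -Uri "https://${Server}:8531/ClientWebService/client.asmx" -UseBasicParsing
        return ($r.StatusCode -eq 200)
    } catch { return $false }
}
Test-WsusSsl
```

Run Test-WsusSsl from a client as well: it only returns true once the CA certificate has been imported into that client's trusted root store.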
Creating and Managing WSUS Computer Groups
WSUS allows you to classify client devices into custom groups to control which updates each set of machines receives. By default there are two groups: All Computers and Unassigned Computers.
From the WSUS console you can create new groups (e.g., "Servers", "Office A", etc.) and assign each computer according to organizational criteria. This segmentation makes it possible to approve updates in phases and avoid errors in mass deployments.
You can also choose between two assignment methods:
- Server side: manually from the WSUS console.
- Client side: using group policies that, when applied, automatically place each computer in the corresponding group.
Configure clients to receive updates from WSUS
By default, Windows computers download their updates from the Internet through the Windows Update service. To redirect their requests to the WSUS server, the appropriate GPOs must be configured.
If you have an Active Directory environment, this task is very simple. Simply create a new GPO (it's recommended that it be dedicated to WSUS) and edit it from the Policy Editor. Navigate to:
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Within that path, enable the following policies:
- Configure automatic updates: Enables download and installation based on the desired option (e.g., automatic at scheduled time).
- Specify the location of the Microsoft Update service on the intranet: Enter the URL or IP of the WSUS server, adding port 8530 if you are using HTTP, or 8531 if you are using HTTPS.
- Enable client-side targeting: asks for the name of the WSUS group the computer belongs to (it must exactly match the name configured in the WSUS console).
Apply the GPO to the corresponding OU. Run gpupdate /force to apply the changes immediately, or restart the client computers. Then run wuauclt /detectnow to force detection of updates.
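The three policies above, created and linked from PowerShell as an added example that is not part of the original article. It shows the registry values each policy actually writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the GPO name, WSUS URL, OU and group name "Pilot" are assumed placeholders, and the script runs on a domain controller or a host with the GroupPolicy RSAT module.

```powershell
# Assumed placeholders: GPO "WSUS Clients", https://wsus.corp.example:8531,
# OU=Workstations,DC=corp,DC=example, WSUS group "Pilot".
Import-Module GroupPolicy
$gpoName = 'WSUS Clients'
$wsusUrl = 'https://wsus.corp.example:8531'   # use http:// and 8530 when not using SSL
$ou      = 'OU=Workstations,DC=corp,DC=example'
$wuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }

# "Specify intranet Microsoft update service location": detection and status-report URLs
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUServer'       -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $wsusUrl | Out-Null

# "Enable client-side targeting": the group name must match the WSUS console exactly
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'TargetGroupEnabled' -Type DWord  -Value 1       | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'TargetGroup'        -Type String -Value 'Pilot' | Out-Null

# "Configure Automatic Updates": AUOptions 4 = auto download and schedule install (daily, 03:00)
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'UseWUServer'          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null

# Link the GPO to the OU unless it is already linked
if (-not ((Get-GPInheritance -Target $ou).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# On a client, after gpupdate /force: confirm the policy actually landed
function Get-WsusClientPolicy {
    $wu = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{ Server = $wu.WUServer; Group = $wu.TargetGroup
                       UseWUServer = $au.UseWUServer; AUOptions = $au.AUOptions }
}
```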
Checking status and managing updates
After about 20-30 minutes, client computers will begin to appear in the WSUS console. Those configured correctly will display their name, operating system, group, and update status.
From here you can approve or decline updates manually, view compliance statistics, export reports, or configure email notifications.
It's a good idea to establish an internal policy where certain machines (such as test servers or pilot PCs) receive updates before the rest, allowing for the detection of incompatibilities or errors before mass deployment.
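The computer groups from the earlier section and the phased approval policy described here, combined into one added example that is not part of the original article. It creates the groups that client-side targeting refers to, switches the server to client-side targeting, reports which clients have stopped checking in, and approves security updates for an assumed "Pilot" group first; all group names are placeholders and the script runs on the WSUS server.

```powershell
# Assumed placeholders: group names Pilot, Servers, Workstations. Run on the WSUS server.
Import-Module UpdateServices
$wsus = Get-WsusServer

# Create the groups the GPO's client-side targeting refers to (idempotent)
$existing = $wsus.GetComputerTargetGroups() | Select-Object -ExpandProperty Name
foreach ($g in 'Pilot', 'Servers', 'Workstations') {
    if ($g -notin $existing) { $wsus.CreateComputerTargetGroup($g) | Out-Null }
}

# Client-side targeting only takes effect once the server is switched to that mode
$cfg = $wsus.GetConfiguration()
$cfg.TargetingMode = 'Client'
$cfg.Save()

# Which clients have reported, and which have gone quiet (no report for > StaleDays)
function Get-WsusClientHealth {
    param([int]$StaleDays = 7)
    $limit = (Get-Date).AddDays(-$StaleDays)
    foreach ($c in $wsus.GetComputerTargets()) {
        [pscustomobject]@{
            Computer = $c.FullDomainName
            OS       = $c.OSDescription
            Group    = $c.RequestedTargetGroupName   # name the client asked for via GPO
            LastSeen = $c.LastReportedStatusTime
            Stale    = ($c.LastReportedStatusTime -lt $limit)
        }
    }
}

# Phased rollout: approve needed security updates for Pilot only; widen later
function Approve-PilotSecurityUpdates {
    Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'
}

# Failed installs in Pilot are the signal to hold the wider deployment
function Get-PilotFailures {
    Get-WsusComputer -ComputerTargetGroups 'Pilot' -ComputerUpdateStatus Failed |
        Select-Object FullDomainName, LastReportedStatusTime
}

Get-WsusClientHealth | Format-Table
```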
Deploying and configuring WSUS isn't overly complicated, but it does require careful attention to every detail: from installation, proxy configuration, language and product synchronization, security steps with SSL certificates, to the effective deployment of group policies. If everything is done correctly, WSUS will provide you with a much more controlled, secure, and efficient environment when it comes to updates.