Update Services-WSUS

Install and configure Windows Server Update Services (WSUS)

WSUS- Windows Server Update Services

Windows updates are released to fix bugs, fix security issues in OS and to add new features to operating system. The Windows Updates rely on Windows Update service which is set to start automatically by default.

install and configure WSUS (Windows Server Update Services) on Windows Server 2019.

Benefits of WSUS – Windows Update service downloads and installs recommended and important updates automatically.

Categories of updates:

  • Critical Updates
  • Security Updates
  • Drivers
  • Update Rollups
  • Service Packs
  • Tools
  • Feature Packs
  • Updates

Server Manager- Add Roles and Features

Select Role Based and features based installation

On the Server Selection page, verify the server name and click Next.

Server Roles – Windows Server Update Services

On the Server roles page, select the role Windows Server Update Services. You should see Add features that are required for Windows Server Update Services box. Click Add Features, and then click Next.


Or Including with IIS Server

Add features

Also select HTTP Activation

Click and next


Select WID Connectivity and WSUS Services. Click Next.

Create a patch folder

 The size of this folder can grow eventually and you don’t want this folder to reside on C: drive. Hence choose either a separate drive or store the updates on remote server.

OR Network folder


On the Connect to Upstream Server page, click Start Connecting button.

synchronization task is completed click Next

Choose Languages screen, click Download updates only in these languages. Check English and any other additional language you wish to download updates

On the Choose products screen, check all products you wish to update. Scroll down to the Windows section and uncheck it. Then check only the Windows versions you have in your environment. 

Choose Clarifications screen offers option to determine Windows update classifications you wish to download.

Set Sync Schedule screen configure to sync manually or automatically and Next.

If you choose Synchronize manually, you must manually start the synchronization process from the WSUS Administration Console. With this option selected, you have to manually perform the sync every time. Therefore do not select this option if you are setting up the WSUS in production.

It is recommended to set the automatic sync between the primary WSUS and WSUS Replica as frequently as possible (24 syncs a day), because in scenarios where a remediation plan was activated on endpoints that communicate with WSUS Replica (Downstream WSUS) the “execute patch installation for single computer” task will only work after the Primary and Replica WSUS sync successfully. 

If the sync has yet to occur, you will see either an exit code 341 or 342 for the “execute patch installation for single computer” task.

In order to change the sync schedule to be as frequently as possible, do the following on the WSUS replica.

  1. Go to Options
  2. Open Synchronization Schedule
  3. Make sure Synchronize automatically is enabled and set to 24 synchronizations per day.

Next Begin WSUS Initial synchronization

Finally on the last page, click Finish. This completes the steps to configure WSUS

So now,

Need to configure GPO

If you wanted to connect to specific need to install IIS (Internet Information Services).

Configure Group Policy Settings for WSUS

After you install and configure WSUS, the next important task is to configure group policy settings for automatic updates.

Open the Group Policy Management console, and open an existing GPO or create a new one.

WSUS – Create as per you, Group Policy

Once created Group policy click to edit once edited – you will redirect to GPO EDIT Windows

Edit GPO

Configure WSUS Automatic Updates

Go to

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

Double-click Configure Automatic Updates and set it to Enabled

Enable auto update

Intranet (Private Network).

You can design your private organization according to your need.

Locally connect to office devices environment, Like Computer, Server, Printer and etc. – office server which is only associated to only your office environment known as Intranet.

Mostly Intranet use for officially keep the data secure which is not connected to internet.

Specify Intranet Microsoft Update Service Location

The idea behind this is to ensure the client computers contact the specified intranet server instead of downloading updates from internet. Unless you configure this policy setting, the client computers

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

Double-click Specify Intranet Microsoft update service location and set it to Enabled

Specify intranet Microsoft Update service location

(in your Domain Controller your attached PC – Address will be appear here)

So my wsus pc url is : wsus.vre.local

Default port for wsus: 8530

Specify intranet Microsoft Update service location

On the client computer, check the resultant set of policy to confirm if the WSUS GPO is applied

To enable the policy, click Enabled. Specify the intranet update service and intranet statistics server. Click Apply and OK

How to Start, Stop and Restart Windows Server Update WSUS Services via PowerShell and CMD
Start the WSUS service
Start-Service wsusservice
Stop the WSUS service
Stop-Service wsusservice
view the status of the WSUS service
Get-Service wsusservice

The below commands are Command line syntax used to start, stop and restart WSUS service.
net stop wsusservice
net start wsusservice

Leave a Reply

Your email address will not be published. Required fields are marked *