How to Setup, Manage, and Maintain WSUS: Part 1 – Choosing your Server OS

Last updated 2022.10.22 | Published on 2018.05.23 | Guides, WSUS

In this 8-part series, we will go over a good strategy for setting up Windows Server Update Services (WSUS) and managing it using test groups, approval processing, and more. Sometimes WSUS may also be referred to as Windows Update Server (WUS) or Software Update Point (SUP), and in Microsoft Configuration Manager (ConfigMgr/SCCM) it is known as a Software Distribution Point. We will touch on group policy, using inheritance and scoping permissions to create a highly flexible, yet simple design for any AD architecture. We will also go over what modifications to make to the default WSUS Console so that your views mean more and give you more visibility into your environment. Finally, we will wrap up with the required maintenance for WSUS and how you can use WSUS Automated Maintenance to help automate what you need to do. You can use the menus on the left to jump to a specific part and navigate the series. Let’s start!

Choosing your Server OS

Server 2008 & Server 2008 R2

  • Server 2008 & Server 2008 R2 are no longer supported by Microsoft as of 2020.01.14 and should NOT be a consideration for deployment.
  • Server 2008 and Server 2008 R2 CANNOT handle upgrades to Windows 10/11 from Windows 7 or 8, and cannot handle upgrades to Windows 10/11 from Windows 10 (eg, 1511 to 1607 or 1703 or 1709 or 1803 or 1809 or 1903 or 1909 or 2004 or 20H2 or 21H1 or 21H2 or 22H2), which is also known as Windows as a Service (WaaS).
  • Server 2008+ can supply updates (not upgrades) to Windows 10 devices to keep them updated with the current cumulative updates.

Server 2012 & Server 2012R2

  • Server 2012 or higher is required to perform upgrades to Windows 10/11 devices.
  • Server 2012 does not have the ‘out of the box’ servicing options for Windows 10/11; they were added afterwards. The latest CU DOES have the ‘out of the box’ servicing options.
  • If Server 2012 contains KB3159706 which was installed BEFORE the latest CU, you will need to perform manual steps to allow Windows 10/11 servicing and upgrades.
  • Server 2012 & Server 2012R2 will be supported until 2023.10.10.

Server 2016

  • Out of the box support for Windows 10/11 Servicing
  • Server 2016 should be considered your THIRD option for your WSUS server deployment.

Server 2019

  • Out of the box support for Windows 10/11 Servicing
  • If possible, Server 2019 should be considered your SECOND option for your WSUS server deployment.

Server 2022

  • Out of the box support for Windows 10/11 Servicing
  • If possible, Server 2022 should be considered your FIRST option for your WSUS server deployment.

Deploy Updates (Push System) vs Handle Updates (Pull System)

WSUS is a repository for updates and associated files. It is not a true deployment tool. The Windows Update Agent (WUA) on each of the client systems is responsible for doing all the work, including checking in with the WSUS server and asking whether there are any updates applicable to it. If there are updates available, the WUA will download them, install them, initiate the restart, communicate back to WSUS, and report that the update(s) have been installed. The Windows Update Agent is controlled with policies set through GPO (most common), Intune, Local Group Policy, or registry edits.

Microsoft Endpoint Manager Configuration Manager (MECM/SCCM/ConfigMgr) is a true deployment tool with an agent on each system. MECM uses WSUS in the background to populate updates available for MECM to push to clients and install. Because MECM uses WSUS in the background, you must also make sure you’re performing the required maintenance for WSUS, not just doing the maintenance for MECM.

Take note of all your client systems but plan for Windows 10 and Windows 11.

Whatever client systems you have, make a mental note of them, but plan your WSUS around Windows 10 and Windows 11. One very good thing that comes out of this is the switch to Windows as a Service (WaaS), where you get free upgrades to the latest revision of Windows 10 and Windows 11 for the life of your device.

What does ‘life of your device’ mean?

It includes your motherboard. If you have a catastrophic failure and need to replace your motherboard, you’ll have to buy a new license of Windows. If it is covered by warranty, the manufacturer will provide you a new motherboard with a valid license of Windows embedded in the hardware.

It includes hardware requirements. For example, if you’re using Windows 10 on a 32-bit Generation 1 netbook with 1GB of RAM, you may have realized that there’s an end of life due to the minimum requirement going up to 2GB.

As we have seen with Windows 11, new hardware requirements were put in place such that if your computer has a 7th Generation Intel processor or AMD equivalent generation, the life of the device is the end of support for Windows 10 which is Oct 14, 2025.

If you have a device that had an 8th generation processor, your system would be compatible with upgrading to Windows 11, assuming it meets the other hardware requirements (TPM 2.0, 4GB RAM or more, etc.) and would continue to be supported on Windows 11.

WSUS Setup on Server 2012 & Higher

The setup for WSUS on Server 2012 or higher (2012, 2012R2, 2016, 2019, 2022) is the same. First you will need to add the role to the server through Server Manager. You can choose to use the Windows Internal Database (good for small to large deployments) or decide to use a Remote SQL server (Express, Standard or Enterprise) if you are going to run a load balancing or high availability service. Most large organizations should use a distributed model for WSUS with a single master upstream server and multiple replica downstream servers based on location, bandwidth, or operational boundaries.

You can install WSUS using PowerShell (run in elevated mode [Run as administrator]) instead of using Server Manager. This way you can script out the entire process if you’re deploying multiple servers.

Install WSUS with WID & UI MMC Console:
    Install-WindowsFeature -Name UpdateServices, UpdateServices-UI
Install WSUS with SQL Connectivity & UI MMC Console:
    Install-WindowsFeature -Name UpdateServices-DB, UpdateServices-UI

Don’t forget that after you install WSUS, you need to run the PostInstall steps:

  1. For the Windows Internal Database:
    & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=C:\WSUS
  2. For any other SQL Database location:
    & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall SQL_INSTANCE_NAME="HOSTNAME" CONTENT_DIR=C:\WSUS
    or
    & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall SQL_INSTANCE_NAME="HOSTNAME\INSTANCE" CONTENT_DIR=C:\WSUS

DO NOT HAVE A TRAILING BACKSLASH [\] on the CONTENT_DIR folder or you will encounter errors. The folder does not have to exist prior to running the command. Also, refrain from using a root drive (D:), as the permissions of root drives are different from what is required for WSUS to run, so you will end up having issues. Instead, use a folder off the root drive (eg. C:\WSUS or D:\WSUS).
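The role install and postinstall above, wrapped with the two CONTENT_DIR guards just described. This is an added example, not the guide’s own script; the default path C:\WSUS and the parameter names are assumptions, and it is meant to be run from an elevated PowerShell prompt on Server 2012 or higher.

```powershell
# Added example (not from the original guide): unattended WSUS role install plus postinstall.
# Assumed defaults: C:\WSUS for content, Windows Internal Database unless an instance is given.
param(
    [string]$ContentDir  = 'C:\WSUS',   # assumed default; adjust to your drive layout
    [string]$SqlInstance = ''           # '' = WID; 'HOSTNAME' or 'HOSTNAME\INSTANCE' for SQL Server
)

# Guard 1: strip a trailing backslash, which makes WsusUtil postinstall fail.
$ContentDir = $ContentDir.TrimEnd('\')

# Guard 2: refuse a bare drive root (e.g. D:), whose ACLs differ from what WSUS needs.
if ($ContentDir -match '^[A-Za-z]:$') {
    throw "CONTENT_DIR must be a folder off the root, e.g. $ContentDir\WSUS, not a drive root."
}

# Feature set: UpdateServices = WID back end, UpdateServices-DB = SQL Server connectivity.
$features = if ($SqlInstance) { 'UpdateServices-DB', 'UpdateServices-UI' } else { 'UpdateServices', 'UpdateServices-UI' }

$result = Install-WindowsFeature -Name $features
if (-not $result.Success) {
    throw "Install-WindowsFeature failed with exit code $($result.ExitCode)"
}

# Postinstall: build the argument list so each value stays glued to its name
# (a space after 'SQL_INSTANCE_NAME=' would be passed as a separate argument).
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
$postArgs = @('postinstall')
if ($SqlInstance) { $postArgs += "SQL_INSTANCE_NAME=$SqlInstance" }
$postArgs += "CONTENT_DIR=$ContentDir"

& $wsusUtil @postArgs
if ($LASTEXITCODE -ne 0) {
    throw "WsusUtil postinstall returned exit code $LASTEXITCODE"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required to finish the role install.'
}
```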

Windows Internal Database vs SQL Express Edition

The Windows Internal Database (WID) is SQL Express edition, just built into the operating system as a feature rather than installed separately. There is no benefit to installing a SQL Express instance locally on a system instead of using the WID. There is actually a detriment to installing SQL Express instead of using the WID: the SQL Express instance has a hard limit on database size while the WID does not. The trade-off of using the WID is that it can only be accessed from the server itself (only through Named Pipes, and not from a remote server via TCP/IP).

Some differences between Windows Internal Database (WID) and SQL Server Express:

Feature | WID | SQL Server Express
--- | --- | ---
Max. compute capacity (per instance) | 1 socket, multiple cores. Issues with configurations above 32 cores (KB3138455). Limited to 2 CPUs (1 by default, 2 by adding ‘-P2’ to the WID service) | Lesser of 1 socket / 4 cores
Max. database size | Drive space limit (default on OS partition, but can be moved) | 10GB
SQL Server Agent | No | No
Backup compression | Yes | No
Maximum memory | OS maximum | 1.4 GB
SQL authentication | No | Yes
Windows authentication | Yes | Yes


Run through the WSUS Configuration Wizard to get started.

  1. Microsoft update improvement program – It is up to you if you want to be part of it or not.
  2. Choose Upstream Server – Synchronize from Microsoft Update (If this is a downstream server, you can choose that here, but usually you will want to choose Microsoft Update)
  3. Specify Proxy Server – If you need it, set it up. Usually, this will stay not configured.
    Click Start Connecting
  4. Choose Languages – Select ONLY THE LANGUAGES for the operating systems you use.
  5. Choose Products – ONLY SELECT the products you currently have and want to update through WSUS. I recommend everything under “Developer Tools, Runtimes, and Redistributables” (starting in 2020, Microsoft began shipping Visual Studio updates through WSUS, and starting in 2021, all the .NET Core and .NET updates) and everything under “PowerShell”, as PowerShell 7.2 and later is now updatable through WSUS.
  6. Choose Classifications – Check all classifications.
    What about Drivers – most say not to include the Drivers classification?
    Include Drivers if you want the most control over which drivers get installed. If you want Microsoft Update to handle drivers, do not select Drivers; this will be mentioned again in Part 4. Most places on the internet tell you to exclude Drivers. The reason is that they do not have the power of WSUS Automated Maintenance (WAM). We have customers who have 300,000+ updates in their database metadata. Most installations would have trouble at this number of updates within the database, but when you are using WAM, your WSUS server will continue to work. As this is a new installation, after you WAM your server®, this list will be cut down immensely and it will be manageable, as only new driver updates will appear. Remember that driver approvals are 99% manual, as most driver versions do not supersede each other.
  7. Configure Sync Schedule – I recommend Synchronize Automatically, 4 times per day, at whatever start time you want. WSUS will automatically adjust the time when you click Finish to a random offset around the time you selected.
  8. Finished

PowerShell Example – Do not copy/paste this into a script. Instead run it line by line on the PowerShell console so that you can adjust based on your needs. If you need to deploy it to multiple systems, after confirming your commands, then you can take those and build it into a deployment script.

$WSUSConfig = (Get-WSUSServer).GetConfiguration()
Set-WsusServerSynchronization -SyncFromMU
# Set Update Languages to English and save configuration settings
$WSUSConfig.AllUpdateLanguagesEnabled = $false
$WSUSConfig.SetEnabledUpdateLanguages("en")
$WSUSConfig.Save()
$Subscription = (Get-WSUSServer).GetSubscription()
$Subscription.StartSynchronizationForCategoryOnly()
$Count=0
While ($Subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    if ($Count -eq 0) {
        Write-Output "Starting first synchronization to get available Products... This will take roughly 53-112 minutes to complete with 2GB RAM, and 8-25 Minutes with 4GB RAM."
    }
    elseif ($Count -eq 1) {
        Write-Output "$Count Minute Elapsed."
    }
    else {
        Write-Output "$Count Minutes Elapsed."
    }
    Start-Sleep -Seconds 60
    $Count++
}
# If you want everything including Drivers
Get-WsusClassification | Set-WsusClassification
# If you don’t want Drivers
Get-WsusClassification | Where-Object { $_.Classification.Title -notlike 'Driver*' } | Set-WsusClassification
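The wizard steps that the snippet above does not cover (proxy, products, and the sync schedule), done from PowerShell as an added example that is not the guide’s own code. It assumes the first category-only sync has finished; the product title patterns are assumptions to be checked against your own Get-WsusProduct output.

```powershell
# Added example (not from the original guide): wizard steps 3, 5 and 7 via the WSUS API.
$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()

# Step 3: no proxy, the usual case. Set UseProxy, ProxyName and ProxyServerPort if you need one.
$config.UseProxy = $false
$config.Save()

# Step 5: products. Title patterns are assumptions; run Get-WsusProduct and adjust them.
$wanted = @(
    'Windows 10*',
    'Windows 11*',
    'Developer Tools, Runtimes, and Redistributables*',
    'PowerShell*'
)
Get-WsusProduct | Where-Object {
    $title = $_.Product.Title                      # capture before the inner pipeline rebinds $_
    [bool]($wanted | Where-Object { $title -like $_ })
} | Set-WsusProduct

# Step 7: synchronize automatically, 4 times per day, starting at 03:00.
# WSUS applies its own random offset after Save(), so re-read the property to see the real time.
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.NumberOfSynchronizationsPerDay    = 4
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::FromHours(3)
$sub.Save()

# Review what was selected before kicking off the first full sync.
$sub.GetUpdateCategories() | Select-Object Title | Sort-Object Title
"Sync time of day as stored by WSUS: $($sub.SynchronizeAutomaticallyTimeOfDay)"
```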

Now that the WSUS server has been configured and is starting the first sync, check for updates from Microsoft using Microsoft Update on the server and install all updates that it finds, rebooting when necessary and re-checking for updates to make sure you’re fully updated.

Note: If you are using Server 2012 or Server 2012 R2, along your update path you may or may not have heard about the dreaded KB3159706. While Microsoft has not officially superseded this update, from the feedback we have seen in the communities, the patches and fixes that this KB comes with have been included in the latest cumulative update for Server 2012 and Server 2012 R2. According to the KB article, you now only need to run a single command ["C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing]. If KB3159706 still applies to you and is installed, you will have to perform manual steps explained later in this series.

Open the WSUS Console and head to Options. Click on E-Mail Notifications and set up your recipients with daily status reports, then set up the Email Server tab with your mail server info. Click OK.

For the average install, click on Update Files and Languages and make sure that “Download express installation files” is NOT checked. This ‘option’ will eat up space, and its description is a misnomer. It is not a ‘stub vs. full’ download of the update, where a stub installation requires an internet connection and downloads what’s needed. It is essentially a revision control system for each file. A better description of what it does comes from:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc708456(v=ws.10)#using-express-installation-files

“When you distribute updates by using this method, it requires an initial investment in bandwidth. Express installation files are larger than the updates they are meant to distribute. This is because the express installation file must contain all the possible variations of each file it is meant to update.”

Express installation files have their place: when you have hundreds of servers to deliver updates to, install, and reboot in a short amount of time, express installation files work well, as they send only the deltas to the requesting server. They will, however, require 3-5 times the space on your server.

Click OK to close this window.

PowerShell Example – Do not copy/paste this into a script. Instead run it line by line on the PowerShell console so that you can adjust based on your needs. If you need to deploy it to multiple systems, after confirming your commands, then you can take those and build it into a deployment script.

# Set all WsusClassifications including Drivers
Get-WsusClassification | Set-WsusClassification
# Get all WsusProduct listings so you can decide what you want to select
Get-WsusProduct
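The two Options-page settings from this section (E-Mail Notifications and leaving express installation files off), done through the WSUS API as an added example that is not the guide’s own code. The SMTP host, sender and recipient addresses are placeholders to replace with your mail server details.

```powershell
# Added example (not from the original guide): Options > Update Files and Languages,
# and Options > E-Mail Notifications, set from PowerShell.
$wsus = Get-WsusServer

# "Download express installation files" unchecked: avoids the 3-5x content disk cost.
$config = $wsus.GetConfiguration()
$config.DownloadExpressPackages = $false
$config.Save()

# E-Mail Notifications: a daily status report to the admin mailbox.
$mail = $wsus.GetEmailNotificationConfiguration()
$mail.SendStatusNotification      = $true
$mail.StatusNotificationFrequency = 'Daily'            # string is converted to the WSUS enum
$mail.StatusNotificationTimeOfDay = [TimeSpan]::FromHours(6)
$mail.StatusNotificationRecipients.Clear()
$mail.StatusNotificationRecipients.Add('wsus-admins@example.com')   # placeholder recipient

# Email Server tab (placeholders: replace with your relay, port and sender).
$mail.SmtpHostName       = 'smtp.example.com'
$mail.SmtpPort           = 25
$mail.SenderEmailAddress = 'wsus@example.com'
$mail.SenderDisplayName  = 'WSUS'
$mail.Save()

# Same as the console's Test button: confirms the relay accepts mail from this server.
$mail.SendTestEmail()
```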

Reset Windows Update GPO Settings

If you want to Reset the Windows Update GPO Settings because you are moving away from WSUS, or you need to for troubleshooting purposes (sometimes corruption in the registry permissions prevent expected changes from happening), the easiest way to do this is to remove...