With the Windows Server Update Services (WSUS) update server, you can deploy your own centralized update system for Microsoft products (Windows operating systems, Office, SQL Server, Exchange, etc.) on computers and servers in the company's local network. In this article, we'll look at how to install and configure a WSUS update server on Windows Server 2019/2016/2012R2.
Contents:
- Installing the WSUS Role on Windows Server
- Initial Configuration of the WSUS Update Server on Windows Server
- Installing the WSUS Administration Console on Windows 10/11
- Optimizing WSUS Performance
How does WSUS work?
The WSUS server is implemented as a separate Windows Server role. In general terms, the WSUS service can be described as follows:
- After installation, the WSUS server synchronizes on a schedule with the Microsoft Update servers on the Internet and downloads new updates for the selected products;
- The WSUS administrator chooses which updates to install on the company's workstations and servers and approves their installation;
- WSUS clients on the local network download and install updates from your update server according to the configured policies.
Installing the WSUS Role on Windows Server
Starting with Windows Server 2008, the WSUS service is a separate role that can be installed through the Server Manager console or with PowerShell.
If you are deploying a new WSUS server, it is recommended to install it on the latest release, Windows Server 2022 (installation on Windows Server Core is possible).
To install WSUS, open the Server Manager console and check the Windows Server Update Services role (the system will automatically select and offer to install the required IIS web server components).
In the next window, choose which WSUS components to install. Be sure to check the WSUS Services option. The next two options depend on which database you plan to use for WSUS.
Server settings, update metadata and WSUS client information are stored in a SQL Server database. As the WSUS database you can use:
- Windows Internal Database (WID) – the built-in Windows database, the WID Connectivity option (this is the recommended option and it works even for large infrastructures);
- A separate Microsoft SQL Server database deployed on a local or remote server. You can use the MS SQL Enterprise or Standard editions (which require licensing) or the free Express edition. This is the SQL Server Connectivity option.
The Windows Internal Database is recommended if:
- You have no MS SQL Server licenses;
- You do not plan to use WSUS load balancing (NLB WSUS);
- You are deploying a child WSUS server (for example, in branch offices). In this case, it is recommended to use the built-in WSUS database on the secondary servers.
In the free SQL Server Express Edition, the maximum database size is limited to 10 GB. The Windows Internal Database limit is 524 GB. For example, in my infrastructure the WSUS database for 3000 clients was about 7 GB.
When the WSUS role and MS SQL Server are installed on different servers, there are a number of limitations:
- The SQL server with the WSUS database cannot be an Active Directory domain controller;
- The WSUS server cannot be deployed on a host with the Remote Desktop Services role.
The WID database is called SUSDB.mdf by default and is stored in the %windir%\wid\data\ directory. This database supports only Windows authentication (not SQL authentication). The internal (WID) database instance for WSUS is called server_name\Microsoft##WID.
The WID database can be administered through SQL Server Management Studio (SSMS) if you specify the following in the connection string: \\.\pipe\MICROSOFT##WID\tsql\query
If you want to store update files locally on the WSUS server, enable the option Store updates in the following locations and specify the directory path. This can be a folder on a local disk (a separate physical or logical volume is recommended) or a network directory (UNC path). Updates are downloaded to the specified directory only after they have been approved by the WSUS administrator.
The size of the WSUS database depends heavily on the number of products and Windows versions you plan to update. In a large organization, the size of the update files on the WSUS server can reach hundreds of GB.
If you do not have enough disk space to store update files, disable this option. In this case, WSUS clients will receive approved update files from the Internet (a perfectly workable option for small networks).
You can also install a WSUS server with the internal WID database using the Install-WindowsFeature PowerShell cmdlet:
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI -IncludeManagementTools
Initial Configuration of the WSUS Update Server on Windows Server
After the WSUS role installation finishes, you need to perform its initial configuration. Open Server Manager and select Post-Deployment Configuration -> Launch Post-Installation tasks.
To manage WSUS from the command line, you can use the WsusUtil.exe console utility. For example, to specify the path to the directory with the WSUS update files, run:
CD "C:\Program Files\Update Services\Tools"
WsusUtil.exe PostInstall CONTENT_DIR=E:\WSUS
Or, for example, you can reconfigure your WSUS to use an external SQL Server database:
wsusutil.exe postinstall SQL_INSTANCE_NAME="SQLSRV1\SQLINSTANCEWSUS" CONTENT_DIR=E:\WSUS_Content
Then open the Windows Server Update Services console. The WSUS update server initial configuration wizard will start.
Specify whether the WSUS server will download updates directly from the Microsoft Update site (Synchronize from Microsoft Update) or should receive them from an upstream WSUS server (Synchronize from another Windows Update Services server). Child WSUS servers are usually deployed at remote sites with a large number of clients (300+) to reduce the load on the WAN link.
If your network uses a proxy server for Internet access, next specify the proxy server address and port, and the login/password for authentication.
Check the connection to the upstream update server (or Windows Update). Click the Start Connecting button.
Select the product languages for which WSUS will receive updates. We will select English and Russian (the list of languages can be changed later from the WSUS console).
Then select the products for which WSUS should download updates. Select only those Microsoft products that are used in your corporate network. For example, if you are sure that there are no computers with Windows 7 or Windows 8 left in your network, do not select these options.
Be sure to include the following general sections in the classifications:
- Developer Tools, Runtimes, and Redistributable, for updating the Visual C++ Runtime libraries
- Windows Dictionary Updates in the Windows category
- Windows Server Manager – Windows Server Update Services (WSUS) Dynamic Installer
On the Classification Page, specify the types of updates that will be distributed through WSUS. It is recommended to select: Critical Updates, Definition Updates, Security Packs, Service Packs, Update Rollups, Updates.
Windows 10 edition (build) upgrades (21H2, 20H2, 1909, etc.) belong to the Upgrades class in the WSUS console.
Configure the update synchronization schedule. In most cases, it is recommended to use automatic daily synchronization of the WSUS server with the Microsoft Update servers. It is recommended to run the synchronization at night so as not to load the Internet link during working hours.
The initial synchronization of the WSUS server with the upstream update server may take several days (depending on the number of products you selected earlier).
After the wizard finishes, the WSUS console will start.
The WSUS console consists of several sections:
- Updates – the updates available on the WSUS server (here you can manage update approvals and assign updates for installation)
- Computers – here you can create groups of WSUS clients (computers and servers)
- Downstream Servers – lets you configure whether you will receive updates from Windows Update or from an upstream WSUS server
- Synchronizations – the update synchronization schedule
- Reports – WSUS reports
- Options – WSUS server settings
Clients can now receive updates by connecting to the WSUS server on port 8530 (in Windows Server 2003 and 2008, port 80 is used by default). Check that this port is open on the update server:
Test-NetConnection -ComputerName wsussrv1 -Port 8530
You can use a secure SSL connection on port 8531. To do this, you need to bind a certificate in IIS.
If the port is closed, create the corresponding rule in Windows Defender Firewall.
Installing the WSUS Administration Console on Windows 10/11
The Windows Server Update Services console (wsus.msc) is used to administer the WSUS update server. You can manage WSUS servers both from the local console and over the network from a remote computer.
The WSUS administration console for desktop computers running Windows 10 or 11 is part of RSAT. To install the Rsat.WSUS.Tools component, run the following PowerShell command:
Add-WindowsCapability -Online -Name Rsat.WSUS.Tools~~~~0.0.1.0
If you want to install the WSUS console on Windows Server, run the command:
Install-WindowsFeature -Name UpdateServices-Ui
When WSUS is installed on Windows Server, two additional local groups are created. You can use them to grant users access to the WSUS management console.
- WSUS Administrators
- WSUS Reporters
To view reports on installed updates and clients in WSUS, you need to install:
- Microsoft System CLR Types for SQL Server 2012 (SQLSysClrTypes.msi);
- Microsoft Report Viewer 2012 Runtime (ReportViewer.msi).
If these components are not installed, the following error appears when generating any WSUS report:
The Microsoft Report Viewer 2012 Redistributable is required for this feature. Please close the console before installing this package.
Optimizing WSUS Performance
In this section, we describe several tips for optimizing the performance of a WSUS update server in real-world conditions.
- For WSUS to work normally, the update server must have at least 4 GB of free RAM and 2 CPUs;
- With a large number of WSUS clients (more than 1500), you may see a significant drop in the performance of the WsusPool IIS pool, which distributes updates to clients. Error 0x80244022 may appear on clients, or the WSUS console may crash on startup with Error: Unexpected Error + Event ID 7053 in Event Viewer (The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists). To resolve the problem, add RAM to the server and optimize the IIS pool settings according to the recommendations in the article. Use the following commands:
Import-Module WebAdministration
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name queueLength -Value 2500
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name cpu.resetInterval -Value "00.00:15:00"
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name recycling.periodicRestart.privateMemory -Value 0
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name failure.loadBalancerCapabilities -Value "TcpLevel"
- Enable automatic approval for Microsoft antivirus updates. Otherwise, WSUS will slow down significantly and consume all available RAM.
Antivirus scans can negatively affect WSUS performance. In the built-in Microsoft Defender antivirus on Windows Server, it is recommended to exclude the following folders from the scan scope:
- \WSUS\WSUSContent;
- %windir%\wid\data;
- \SoftwareDistribution\Download.
In this guide, we will demonstrate the steps to install WSUS console on Windows Server and Windows 11. There are several ways to install the WSUS admin console, including Server Manager, Windows PowerShell, and optional features.
Organizations often use WSUS as the primary solution to help keep up with and manage the frequent release of security updates, software upgrades, and service packs. WSUS plays an important role in distributing updates to your devices. For example, the software update point integrates with WSUS to provide software updates to Configuration Manager clients.
When you install the WSUS role on a Windows Server, the WSUS console is automatically installed. However, there are different procedures to follow if you want to manually install the WSUS console on Windows Server or Windows 11.
The most recent Microsoft product updates can be deployed by administrators using Windows Server Update Services (WSUS). Installing WSUS in your setup will allow you to efficiently manage and distribute updates.
What is WSUS Admin Console?
The WSUS administration console is a software or tool that allows you to connect to the WSUS Server and manage Windows updates. The WSUS admin console allows you to connect to a remote Windows Server Update Services server.
The Windows Server Update Services Tools can be installed on both Windows Server and Windows 11. By installing the WSUS administration console on a Windows 11 laptop, you can manage multiple WSUS servers without logging in to them.
Ways to Install WSUS Administration Console
There are three ways to install the WSUS administration console.
- Manually install the WSUS console using Server Manager
- Install WSUS admin console using PowerShell
- Install WSUS administration console on Windows 11 via optional features
On Windows Server, installing the WSUS admin console with PowerShell is quicker than with Server Manager. However, Server Manager is not available in Windows 11, and PowerShell is not supported for installing the WSUS console there. The only way is to do it via the optional features.
Method 1: Install WSUS Console on Windows Server
Let’s look at the steps to install the WSUS console on Windows Server. On Windows Server, launch the Server Manager. In the Server Manager window, under the Configure this local server heading, click Add roles and features.
Click Next on the page titled “Before you begin.” If you want to avoid seeing this window again, you can choose to skip this page by default.
Select the installation type as role-based or feature-based installation. Click Next.
Make sure the server you select to install the WSUS console is the correct one in the server selection window. Click Next.
You do not need to make any choices in the Select Server Roles window. Click Next.
You can enable the installation of the WSUS console in the Features window. Expand “Role Administration Tools” and select the Windows Server Update Services Tools. The API and PowerShell cmdlets and User Interface Management console are also selected. Click Next.
On the Confirmation window, click Specify an alternate source path. Enter the path of the SXS folder from the Windows Server installation media. Click Next.
The WSUS console is now installed, and the Results window displays the installation status. The Windows Server message “Feature installation succeeded” verifies the installation of the WSUS console.
Installing the WSUS console on a server doesn’t require restarting the computer. Close the Add roles and features wizard window.
Method 2: Install WSUS Admin Console using PowerShell
The steps below explain how to install the WSUS console on a Windows server using PowerShell.
- Launch the PowerShell as an administrator.
- Run the command Install-WindowsFeature -Name UpdateServices-Ui to install the WSUS console.
- Exit code success means the WSUS console has been installed successfully.
- You can now launch the Windows Server Update Services console and connect to the WSUS server.
Method 3: Install WSUS Console on Windows 11
On Windows 11, you can install the WSUS administration console using optional features. The optional feature “RSAT: Windows Server Update Services Tools” contains both graphical and PowerShell tools for managing WSUS.
Click Start and launch the Settings app. Go to System > Optional Features. Next to the option “Add an optional feature,” select View Features.
Windows 11 has several optional features that you can install. To make it easier, type “Windows Server Update Services” in the search box. From the search results, select the optional feature RSAT: Windows Server Update Services Tools. Click Next.
The RSAT: Windows Server Update Services Tools optional feature that you selected above is shown on the confirmation screen. Click on Install.
The RSAT: Windows Server Update Services Tools are now downloaded and installed on your Windows 11 PC. Installing this optional feature doesn’t require a reboot.
How to Launch the WSUS Administration Console
The steps to launch the WSUS administration console vary based on the operating system that you have installed it on.
- WSUS Server: On your WSUS server, click Start, point to All Programs, point to Administrative Tools, and then click Windows Server Update Services.
- Windows Server: Open the Server Manager on the WSUS server. Select Tools from the top menu, then select Windows Server Update Services. This will open the WSUS administration console.
- Windows 11: Click Start, type “WSUS” in the search box, and open the Windows Server Update Services console.
- Shortcut: You can use the following shortcut to directly open the WSUS console: C:\Program Files\Update Services\AdministrationSnapin\wsus.msc
You must be a member of the local administrators group or the WSUS administrators group on the server on which WSUS is installed to use the WSUS console.
How to Connect to WSUS Server
The WSUS Server can be accessed in two different ways.
- You can use the WSUS console to connect to a remote WSUS server
- Open the administration console from Microsoft Edge on any server or computer by going to http://WSUSServerName[:portnumber]/WSUSAdmin/.
Using the WSUS admin console is the simplest method to gain access to the WSUS server. Launch the WSUS console, right-click Update Services and select Connect to Server.
In the Connect to Server window, specify the WSUS server to which you want to connect. If you have an existing WSUS server, enter the WSUS server name and port number.
If you wish to use SSL to communicate with the WSUS server, select the Use Secure Sockets Layer (SSL) to connect to this server check box. You may connect to as many servers as you need to manage through the console.
Go to the Start menu and navigate to Administration. The link called Microsoft Windows Server Update Services opens the WSUS web console.
What is the WSUS Administration Console?
When you install the WSUS role on a Windows server, the WSUS console is installed automatically. Windows Server Update Services (WSUS) enables administrators to deploy the latest updates to Microsoft products. WSUS is a Windows Server feature, and its installation enables you to efficiently manage and deploy updates.
How do I install the WSUS administration console?
Install the console
- Double-click the installation file (WSUSSetup-x86.exe or WSUSSetup-x64.exe).
- On the welcome page, click Next.
- On the installation mode selection page, select the Management console only check box, and then click Next.
- Please read the terms of the license agreement carefully.
How do I open the WSUS wizard?
In the left pane of Server Manager, select Panel > Tools > Windows Server Update Services. When the WSUS Installation Complete dialog appears, choose Run. In the WSUS Installation Complete dialog box, select Shut down when installation completes successfully. The WSUS configuration wizard opens.
How do you manage WSUS?
How to Approve and Deploy WSUS Updates
- In the WSUS Administration Console, click Updates.
- In the All updates section, click Updates required by computers.
- From the list of updates, select the updates that you want to approve for installation in the group of test computers.
- Right-click the selection, and then click Approve.
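The same approval step can be scripted with the UpdateServices PowerShell module. This is an added example, not code from the original page; the function name and the target group name `Test` are hypothetical, and the function is run with `-WhatIf` so that nothing is approved until the list has been reviewed.

```powershell
#Requires -RunAsAdministrator
# Added example: approve needed, not yet approved updates for one test group.
# Run on the WSUS server or on a computer with the WSUS tools installed.
Import-Module UpdateServices

function Approve-NeededUpdatesForGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TargetGroupName,    # hypothetical group name
        [ValidateSet('All', 'Critical', 'Security', 'WSUS')]
        [string] $Classification = 'Security'
    )

    $wsus = Get-WsusServer

    # Fail early if the computer group does not exist on this server.
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
    if (-not $group) {
        throw "Computer group '$TargetGroupName' was not found on the WSUS server."
    }

    # Updates that clients report as needed (or failed) and that nobody has approved yet.
    # Superseded updates are skipped so that only the newest revision is rolled out.
    $candidates = Get-WsusUpdate -UpdateServer $wsus -Classification $Classification `
                                 -Approval Unapproved -Status FailedOrNeeded |
                  Where-Object { -not $_.Update.IsSuperseded }

    foreach ($u in $candidates) {
        if ($PSCmdlet.ShouldProcess($u.Update.Title, "Approve for install to '$TargetGroupName'")) {
            Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $TargetGroupName
        }
    }

    # Return the titles that were (or, with -WhatIf, would be) approved.
    $candidates | ForEach-Object { $_.Update.Title }
}

# Dry run: list what would be approved for the test group.
Approve-NeededUpdatesForGroup -TargetGroupName 'Test' -WhatIf
```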
What is the role of the WSUS server?
Windows Server Update Services (WSUS), formerly known as Software Update Services (SUS), is a computer program and network service developed by Microsoft Corporation that enables administrators to manage the distribution of updates and hotfixes for Microsoft products to computers on a corporate environment.
How do I connect to the WSUS console?
To open the WSUS console: on your WSUS server, click Start, point to All Programs, Administrative Tools, and then click Microsoft Windows Server Update Services.
How do I install WSUS on Windows 2019?
How to: Install and Configure WSUS on Windows Server 2019
- Step 1: Add the WSUS role.
- Step 2: Add all required roles and components.
- Step 3: use Windows internal database.
- Step 4: choose the role services.
- Step 5: Specify the location of the update repository.
- Step 6: Complete the post-installation tasks.
How do I verify my WSUS configuration?
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. Right-click Specify the location of the Microsoft intranet update service. Take a look at the two fields that list the WSUS server and port.
Where is the WSUS server in the registry?
The registry entries for the WSUS server are located in the following subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate.
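The policy values under this subkey show whether a client reaches WSUS over plain HTTP (port 8530) or over SSL (port 8531), the two options described earlier on this page. The following audit is an added example, not code from the original page: the function names are hypothetical, `wsussrv1` is the sample server name used earlier on the page, and `wsussrv1.example.test` is a constructed host name.

```powershell
# Added example: audit the Windows Update client policy that points a computer at WSUS.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Read the policy values from the local registry (missing values come back as $null).
    $wu = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuPolicyKey\AU" -ErrorAction SilentlyContinue
    @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function Test-WsusClientPolicy {
    # Returns a list of findings; an empty result means nothing was flagged.
    param([Parameter(Mandatory)] [hashtable] $Policy)

    if ([string]::IsNullOrWhiteSpace($Policy.WUServer)) {
        return 'WUServer is not set: this computer is not pointed at a WSUS server.'
    }

    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the WUServer value is not used by the client.'
    }
    if ($Policy.WUStatusServer -ne $Policy.WUServer) {
        $findings += 'WUStatusServer differs from WUServer: the two values are expected to match.'
    }

    $uri = $null
    if (-not [uri]::TryCreate([string]$Policy.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings += "WUServer '$($Policy.WUServer)' is not a valid absolute URL."
        return $findings
    }

    switch ($uri.Scheme) {
        'http' {
            $findings += "WUServer uses plain HTTP (port $($uri.Port)): client-to-WSUS traffic " +
                         'is not protected by TLS. Bind a certificate in IIS and use port 8531.'
        }
        'https' {
            if ($uri.Port -ne 8531) {
                $findings += "WUServer uses HTTPS on port $($uri.Port), not the WSUS default 8531."
            }
        }
        default {
            $findings += "WUServer uses an unexpected scheme '$($uri.Scheme)'."
        }
    }
    $findings
}

# Constructed sample policies plus the policy of the computer the script runs on.
$samples = [ordered]@{
    'sample: HTTP on 8530' = @{ WUServer = 'http://wsussrv1:8530'; WUStatusServer = 'http://wsussrv1:8530'; UseWUServer = 1 }
    'sample: SSL on 8531'  = @{ WUServer = 'https://wsussrv1.example.test:8531'; WUStatusServer = 'https://wsussrv1.example.test:8531'; UseWUServer = 1 }
    'this computer'        = Get-WsusClientPolicy
}

foreach ($name in $samples.Keys) {
    $result = @(Test-WsusClientPolicy -Policy $samples[$name])
    if ($result.Count -eq 0) { $result = @('OK: WSUS policy is set and uses SSL on port 8531.') }
    $result | ForEach-Object { '{0,-22} {1}' -f $name, $_ }
}
```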
How do I run Windows Update Server?
How to configure Windows Server Update Services (WSUS)
- Choose WSUS Upstream Server. This is the important section where we choose the upstream server.
- Proxy server.
- Choose languages for updates.
- Choose products.
- Choose Update Classifications.
- Configure the WSUS sync schedule.
- WSUS CONSOLE.
- Create WSUS groups.
How do I update my WSUS server?
How to apply this update
- Start the process with WSUS 3.0 SP2 synchronized with Microsoft Update.
- Apply this update.
- Start a sync.
- Wait for the synchronization to be successful.
- Repeat steps 2 through 4 for each WSUS 3.0 SP2 server that will be synchronized with the server that you just upgraded.
After installing WSUS 3.0 on a server, you can manage WSUS 3.0 from any computer on your network, as long as the domain of that computer has a trust relationship with the domain of the server. You will need to perform a separate installation, from the same downloaded installation package, on every machine from which you want to run the WSUS 3.0 administration console.
To install the WSUS 3.0 administration console, use the same installation package you downloaded to install the WSUS server.
Note: The latest version of the WSUS setup executable is available on the WSUS Web site (http://go.microsoft.com/fwlink/?LinkId=74472).
The console-only installation process can be run from the setup UI or from the command line. For more information about command-line installation, see Appendix A: Unattended Installations later in this guide.
To install the WSUS 3.0 console only from the UI
- Double-click the installer file (WSUSSetup-x86.exe or WSUSSetup-x64.exe).
- On the Welcome page, click Next.
- On the Installation Mode Selection page, select the Administration Console only check box, and then click Next.
- Read the terms of the license agreement carefully. Click I accept the terms of the License Agreement, and then click Next.
- The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. Then click Finish.
To install the WSUS 3.0 console only from the command line
- Open a command window.
- Navigate to the directory in which you saved the installation executable. (This will be either WSUSSetup-x86.exe or WSUSSetup-x64.exe.)
- Type one of the following commands:
WSUSSetup-x86.exe CONSOLE_INSTALL=1 or WSUSSetup-x64.exe CONSOLE_INSTALL=1
- This will bring up the Welcome page of the installation UI. Click Next.
- Read the terms of the license agreement carefully. Click I accept the terms of the License Agreement, and then click Next.
- Wait for the installation process to finish, and then click Finish.
Access the WSUS administration console
You must be a member of the local Administrators group or the WSUS Administrators security group on the computer on which WSUS is installed in order to use all the features of the WSUS console. Members of the WSUS Reporters security group have read-only access to the console.
To open the WSUS administration console
- Click Start, point to Control Panel, point to Administrative Tools, and then click Microsoft Windows Server Update Services 3.0.
- If you are bringing up the remote console for the first time, you will see only Update Services in the left pane of the console.
- To connect to a WSUS server, in the Actions pane click Connect to Server.
- In the Connect To Server dialog box, type the name of the WSUS server and the port on which you would like to connect to it.
- If you wish to use SSL to communicate with the WSUS server, select the Use Secure Sockets Layer (SSL) to connect to this server check box.
- Click Connect to connect to the WSUS server.
- You may connect to as many servers as you need to manage through the console.
You can use the Windows Server Update Services (WSUS) update server to deploy Microsoft product updates (Windows, Office, SQL Server, Exchange, etc.) to computers and servers in the company’s local network. In this article, we’ll walk you through how to install and configure the WSUS update server on Windows Server 2022/2019/2016, or 2012 R2.
Contents:
- How to Install WSUS Role on Windows Server 2016/2016/2012R2?
- Initial WSUS Configuration on Windows Server
- How to Install WSUS Management Console on Windows 10 and 11?
- Optimizing WSUS Performance
How does WSUS work?
The WSUS server is implemented as a separate Windows Server role. In general terms, the WSUS service can be described as follows:
- After installation, the WSUS server is scheduled to synchronize with Microsoft Update servers on the Internet and download new updates for selected products;
- The WSUS administrator selects which updates to install on company workstations and servers and approves their installation;
- WSUS clients (computers) on the local network download and install updates from your update server according to configured update policies.
How to Install WSUS Role on Windows Server 2016/2016/2012R2?
Starting with Windows Server 2008, WSUS is a separate role that can be installed through the Server Management console or using PowerShell.
If you are deploying a new WSUS server, we recommend that you install it on the latest release of Windows Server 2022 (installation on Windows Server Core is possible).
To install WSUS, open the Server Manager console and check the Windows Server Update Services role (the system will automatically select and offer to install the necessary IIS web server components).
In the next window, choose which WSUS role services you want to install. Be sure to check the WSUS Services option. The next two options depend on which SQL database you plan to use for WSUS.
Server settings, update metadata, and WSUS client information are stored in a SQL Server database. As a WSUS database you can use:
- Windows Internal Database (WID) – built-in Windows database (WID Connectivity option). This is the recommended and workable option even for large infrastructures;
- A separate Microsoft SQL Server database is deployed on a local or remote server. You can use MS SQL Enterprise, Standard (licensing required), or the free Express edition. This is the SQL Server Connectivity option.
The Windows Internal Database (WID) is recommended if:
- You don’t have unused MS SQL Server licenses;
- You are not planning to use WSUS load balancing (NLB WSUS)
- When deploying a downstream (child) WSUS server (for example, in branch offices). In this case, it is recommended to use the built-in WSUS database on secondary servers.
In the free SQL Server Express Edition, the maximum database size is limited to 10 GB. The Windows Internal Database is limited to 524 GB. For example, in my infrastructure, the size of the WSUS database for 3000 clients was about 7GB.
If you install the WSUS role and the MS SQL database on different servers, there are some limitations:
- SQL Server with WSUS database cannot be an Active Directory domain controller;
- The WSUS server cannot be deployed on a host with the Remote Desktop Services role.
The default WID database is called SUSDB.mdf and is stored in the folder %windir%\wid\data. This database supports only Windows authentication (not SQL). The internal (WID) database instance for WSUS is called server_name\Microsoft##WID.
The WSUS WID database can be administered through SQL Server Management Studio (SSMS) if you specify the following connection string: \\.\pipe\MICROSOFT##WID\tsql\query
If you want to store update files locally on the WSUS server, enable the option Store updates in the following locations and specify the directory path. This can be a folder on a local disk (a separate physical or logical volume is recommended), or a network location (UNC path). Updates are downloaded to the specified directory only after they have been approved by the WSUS administrator.
The size of the WSUS database is highly dependent on the number of Microsoft products and the Windows versions you plan to update. In a large organization, the size of update files on a WSUS server can reach hundreds of GB.
If you do not have enough disk space to store update files, disable this option. In this case, WSUS clients will receive approved update files from the Internet (a viable option for small networks).
You can also install a WSUS server with an internal database (WID) using the following PowerShell command:
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI -IncludeManagementTools
Initial WSUS Configuration on Windows Server
After you finish installing the WSUS role, you need to complete its initial configuration. Open Server Manager and select Post-Deployment Configuration -> Launch Post-Installation tasks.
You can use the WsusUtil.exe console tool to manage WSUS from the command prompt. For example, to change the path to the WSUS update files directory, run:
CD "C:\Program Files\Update Services\Tools"
WsusUtil.exe PostInstall CONTENT_DIR=D:\WSUS
Or, for example, you can switch your WSUS to an external SQL Server database:
wsusutil.exe postinstall SQL_INSTANCE_NAME="MUN-SQL1\WSUSDB" CONTENT_DIR=D:\WSUS_Content
Then open the Windows Server Update Services console. The WSUS Update Server Initial Configuration Wizard starts.
Specify whether the WSUS server will download updates from the Microsoft Update site directly (Synchronize from Microsoft Update) or if it should receive them from an upstream WSUS server (Synchronize from another Windows Update Services server). Downstream WSUS servers are usually deployed at remote sites with a large number of clients (300+) to reduce the load on the WAN link.
On Windows 10 and 11, you can use Delivery Optimization to reduce the bandwidth usage of update traffic on your communication channels.
If you access the Internet through a proxy server, you need to specify the address and port of the proxy server, as well as authentication credentials.
Next, check the connection to the upstream update server (or Windows Update). Click Start Connecting.
Then you need to select the product languages for which WSUS will download updates. We select English (the list of languages can be changed later from the WSUS console).
Then specify the list of products for which the WSUS should download updates. Select only those Microsoft products that are used in your environment. For example, if you are sure that there are no Windows 7 or Windows 8 computers left on your network, don’t select these options. This will significantly save space on the WSUS server drive.
Be sure to include the following general sections in the WSUS classification:
- Developer Tools, Runtimes, and Redistributable — used to update Visual C++ Runtime libraries;
- Windows Dictionary Updates in the Windows category;
- Windows Server Manager – Windows Server Update Services (WSUS) Dynamic Installer.
On the Classification Page, you need to specify the types of updates to be deployed via WSUS. It is recommended to select: Critical Updates, Definition Updates, Security Packs, Service Packs, Update Rollups, and Updates.
The Windows 10 build upgrades (21H2, 20H2, 1909, etc.) in the WSUS console are included in the Upgrades class.
Configure your update synchronization schedule. It is recommended to use the automatic daily synchronization of the WSUS server with Microsoft Update servers. The WSUS synchronization should be performed at night, in order not to impact the Internet channel during business hours.
The initial synchronization of the WSUS server with the upstream update server may take up to several days, depending on the number of products you chose earlier and your ISP.
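The wizard steps above can also be scripted with the UpdateServices PowerShell module on the WSUS server. This is an added example, not part of the original article; the product titles are sample values, and the classification titles must match what Get-WsusClassification returns on your server.

```powershell
# Added example: scripted equivalent of the WSUS configuration wizard.
# Run in an elevated PowerShell session on the WSUS server.
$wsus = Get-WsusServer                      # local WSUS server object
Set-WsusServerSynchronization -SyncFromMU   # synchronize directly from Microsoft Update

# Languages: download updates for English only
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# The product and classification lists are empty until the first
# category-only synchronization has finished, so wait for it.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 15
}

# Products: clear everything, then enable only what the environment uses.
# Sample titles; list the real ones with: (Get-WsusProduct).Product.Title
$wantedProducts = 'Windows Server 2019', 'Windows 10, version 1903 and later'
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct |
    Where-Object { $_.Product.Title -in $wantedProducts } |
    Set-WsusProduct

# Classifications: titles as shown by (Get-WsusClassification).Classification.Title
$wantedClasses = 'Critical Updates', 'Definition Updates', 'Security Updates',
                 'Service Packs', 'Update Rollups', 'Updates'
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $wantedClasses } |
    Set-WsusClassification

# Schedule: one automatic synchronization per day at 01:00
# (the API interprets this TimeSpan as UTC, so adjust it to fall at night locally)
$subscription = $wsus.GetSubscription()     # re-read after the category changes
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 1
$subscription.NumberOfSynchronizationsPerDay = 1
$subscription.Save()
$subscription.StartSynchronization()        # start the initial full synchronization
```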
After the wizard is done, the WSUS console will start.
There are several sections in the WSUS console tree:
- Updates – available updates on the WSUS server (here you can manage the update approvals and assign them for installation);
- Computers – here you can manage WSUS client groups (computers, servers, test, and production groups, etc.);
- Downstream Servers – allows you to configure whether the server receives updates from Windows Update or from an upstream WSUS server;
- Synchronizations – update synchronization schedule;
- Reports – different WSUS reports;
- Options – WSUS configuration settings.
Clients can now receive updates by connecting to the WSUS server on port 8530 (in Windows Server 2003 and 2008, port 80 is used by default). Check that this port is open on the WSUS host:
Test-NetConnection -ComputerName yourwsushost1 -Port 8530
You can use a secure SSL connection on port 8531. To do this, you need to bind a certificate to the WSUS Administration website in IIS.
If the port is closed, create an allow rule in Windows Defender Firewall.
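The server-side checks described above (IIS bindings for ports 8530 and 8531, certificate on the HTTPS binding, firewall allow rule) can be run as one script. This is an added example, not part of the original article; the function names, the firewall rule name and the default remote address scope are assumptions made for the illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the WSUS host.
Import-Module WebAdministration

function Get-WsusBindingStatus {
    # Bindings of the IIS site named in the text ("WSUS Administration")
    $bindings = Get-WebBinding -Name 'WSUS Administration'
    foreach ($port in 8530, 8531) {
        $binding = $bindings |
            Where-Object { $_.bindingInformation -like "*:${port}:*" }
        [pscustomobject]@{
            Port        = $port
            HasBinding  = [bool]$binding
            Protocol    = $binding.protocol
            # Only an https binding with a bound certificate has a thumbprint
            Certificate = $binding.certificateHash
        }
    }
}

function Enable-WsusFirewallRule {
    param(
        # Constructed rule name for this example
        [string]$DisplayName = 'WSUS clients (TCP 8530, 8531)',
        # Narrow this to the client subnets (CIDR) where possible
        [string[]]$RemoteAddress = 'Any'
    )
    # Create the allow rule only if a rule with this name does not exist yet
    if (-not (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
            -Protocol TCP -LocalPort 8530, 8531 `
            -RemoteAddress $RemoteAddress -Action Allow | Out-Null
    }
}

$status = Get-WsusBindingStatus
$status | Format-Table -AutoSize

# An https binding on 8531 without a certificate cannot serve clients over SSL
$ssl = $status | Where-Object Port -eq 8531
if ($ssl.HasBinding -and -not $ssl.Certificate) {
    Write-Warning 'Port 8531 is bound in IIS but no certificate is assigned.'
}
Enable-WsusFirewallRule
```

A loopback test on the server does not pass through the inbound firewall rules, so run the Test-NetConnection check from a client computer.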
How to Install WSUS Management Console on Windows 10 and 11?
You use the Windows Server Update Services console (wsus.msc) to manage WSUS. You can manage WSUS hosts either using the local console or over the network from a remote computer.
The WSUS Administration Console for Windows 10 or 11 is installed from the Remote Server Administration Tools (RSAT). To install the Rsat.WSUS.Tools component, run the following PowerShell command:
Add-WindowsCapability -Online -Name Rsat.WSUS.Tools~~~~0.0.1.0
If you want to install the WSUS console on Windows Server, use the command:
Install-WindowsFeature -Name UpdateServices-Ui
When you install WSUS on Windows Server, two additional local groups are created. You can use them to grant users access to the WSUS management console.
- WSUS Administrators
- WSUS Reporters
To view reports about updates and clients on WSUS, you must install:
- Microsoft System CLR Types for SQL Server 2012 (SQLSysClrTypes.msi);
- Microsoft Report Viewer 2012 Runtime (ReportViewer.msi).
To view different update reports in the WSUS console, you must install the optional Microsoft Report Viewer 2008 SP1 Redistributable (or higher) components on your server.
If these components are not installed, then when generating any WSUS report, an error will appear:
The Microsoft Report Viewer 2012 Redistributable is required for this feature. Please close the console before installing this package.
Optimizing WSUS Performance
This section describes a few tips for optimizing the performance of the WSUS Update Server in a real-world environment.
- For WSUS to work properly, the update host must have at least 4 GB of RAM and 2 CPUs free;
- With a large number of WSUS clients (more than 1500), you may experience significant performance degradation of the IIS WsusPool pool that distributes updates to clients. Error 0x80244022 may appear on clients, or the WSUS console may crash on startup with the error "Error: Unexpected Error" and Event ID 7053 in the Event Viewer (The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists). To resolve this issue, you need to add more RAM to your WSUS host and optimize your IIS pool settings as recommended in the article. Use these PowerShell commands:
Import-Module WebAdministration
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name queueLength -Value 2500
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name cpu.resetInterval -Value "00.00:15:00"
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name recycling.periodicRestart.privateMemory -Value 0
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name failure.loadBalancerCapabilities -Value "TcpLevel"
- Enable automatic approval for Microsoft antivirus signature/definition updates. Otherwise, WSUS can slow down significantly and consume all available RAM.
Antivirus checks can negatively impact WSUS performance. In the built-in Microsoft Defender Antivirus in Windows Server, it is recommended to exclude the following folders from the Real-time protection scope:
- \WSUS\WSUSContent;
- %windir%\wid\data;
- \SoftwareDistribution\Download.
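One way to apply these exclusions with the Defender cmdlets is shown below. This is an added example, not part of the original article: the content directory is read from the WSUS setup registry key, and placing the SoftwareDistribution folder under %windir% is an assumption for a default installation.

```powershell
# Added example. Run in an elevated PowerShell session on the WSUS host.
# ContentDir is the update files directory chosen during WSUS setup.
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'

$paths = @(
    (Join-Path $setup.ContentDir 'WSUSContent'),
    (Join-Path $env:windir 'wid\data'),
    # Assumption: default Windows Update download cache location
    (Join-Path $env:windir 'SoftwareDistribution\Download')
)

# Current exclusions, so that repeated runs do not add duplicates
$existing = @((Get-MpPreference).ExclusionPath)

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Do not exclude folders that do not exist on this host
        Write-Warning "Skipping missing folder: $path"
        continue
    }
    if ($existing -notcontains $path) {
        Add-MpPreference -ExclusionPath $path
    }
}

# Review the resulting list; keep it limited to these folders
(Get-MpPreference).ExclusionPath
```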
Stay tuned!