How to Configure Windows Server Update Services (WSUS)

After the WSUS installation, we can configure the Windows Server Update Services WSUS server through WSUS Server configuration wizard. This is a one-time configuration where we will configure some important WSUS options.

Configure Windows Server Update Services

1- Select Tools and then select WSUS Server Configuration wizard.

Note – Before you begin the configuration of WSUS, some important points.

Make sure the server firewall allows the clients to access the WSUS server. If clients have issues connecting to WSUS server, updates wouldn’t be downloaded from server.
The WSUS downloads the updates from upstream server which is Microsoft update in our case. So please ensure that the firewall allows the WSUS server to connect to Microsoft Update.
In case if there is a proxy server in your organization, you should type the credentials for proxy server while configuring WSUS.

2- Click Next.

3- Click Next.

Choose WSUS Upstream Server

This is the important section where we select the upstream server. You get two options.

Synchronize from Microsoft Update – After Selecting this option will download the updates from Microsoft update.
Synchronize from another Windows Server Update Services server – Select this option if you want this WSUS server to download updates from already existing WSUS server. We should specify the server name & the port number (8530) by default. If you want to select the option to use SSL during updates synchronization, make sure that upstream WSUS server is also configured to support SSL.

4- This is the only WSUS server; I will choose Synchronize from Microsoft Update and then click Next.

Proxy Server

5- Specify Proxy server information if you have one, and then click Next.

6- Select the Start Connecting button.

Download Update Information from Windows Update

7- Once completed, click next.

Choose Languages for Updates

8- Select Download updates only in these language options. Select the languages for which you want updates ,and then click next.

Choose Products

9- This is the window where we can select the products for which we want the updates. From the list of products, we can select individual products or product families for which we want our server to synchronize updates. In my case, I will select Windows Server 2019 and Windows 10 1903. Click Next.

Choose Update Classifications

10- Select the required classifications. I will select Critical Updates, Security Updates, and Update Rollups. Click Next.

Configure WSUS Synchronization Schedule

11- We should decide on how to perform WSUS sync. Select whether to perform synchronization manually or automatically. Click Next.

12- Select the checkbox. Begin initial synchronization and then click next.

13- Select Finish, this completes the steps to configure WSUS.

14- Here, you can see the synchronization status.

WSUS CONSOLE

15- The summary of updates.

16- We have not approved any updates yet, so select all updates.

windows server update services all updates

17- Under source, select any and then click refresh.

18- After hitting the Refresh button we will be able to see all updates.

19- Here in this list of all updates there is no way for me to kinda select update and say, deploy right now to machines that are not how WSUS works. What we need to do is approve the update by right-clicking the update and then select Approve.

20- We can’t see any computer/server listed here.

Create WSUS Groups

By default, there are 2 WSUS groups.

All Computers: this group registers computer accounts when they contact to the WSUS server and this group you should not populate manually
Unassigned computers: this group is not assigned to other groups by the WSUS Administrator.

1- Select options and then select Computers.

2- I will choose the second setting Use Group Policy or registry settings on computers.

3- To create a new group, right-click on All Computers and then select Add Computer Group.

4- I am going to create only one group Windows10 because I have only one Windows to test WSUS. You can create groups as per your requirements. You can type in whatever name you like and click Add.

5- Here you can see the group (Windows10)

WSUS Group Policy Management

It will give me the abilities to use group policy to assign the correct machines into this group. I am going to open GPO group policy management console in the domain controller and have a look at the different OU’s. I have moved one client machine with windows 10 in Windows10 OU.

1- Select Tools and then Group Policy Management.

2- Now we need to create a new GPO and then will link it to Windows10 OU. Right click on Windows10 OU and select Create a GPO in this domain…..

3- Type GPO name and click ok.

Here is the GPO, once it’s configured and attached, we need to edit the GPO so we can look at, first the specific group policy setting that we will go about configuring the client-side targeting here for WSUS.

4- Right-click on the GPO name and then select Edit.

5- Select Computer Configuration > Polices > Administrative Templates Policy > Windows Components.

6- Select Windows Update; on your right side, double click on Specify intranet Microsoft update service location policy.

7- Select enable, Here We will type WSUS server name and the port number (8530) that is used for the clients to attach. Click ok

intranet microsoft update services location

8- Double-click to open the Configure Automatic Updates policy.

9- Select enable, configure automatic update, schedule install day, and scroll down for more settings.

10- Configure the schedule options and then click ok.

11- Double-click on Enable client-side targeting policy.

12- Select enable, type group name and then click ok.

13- We need to run these 3 commands on client machines to update group policy.

gpupdate /force
wuauclt /resetauthorization /detectnow
wuauclt /reportnow

14- We can verify the intranet update service location on the client computers using the Windows registry. In the client computer, open Registry Editor and open “HKLMSOFTWAREPoliciesMicrosoftWindowsWindowsUpdate”.
Here you can confirm WSUS values (WUServer and WUStatusServer)

15- Now go back to WSUS server console and press refresh button I will be able to see machines attached to my WSUS server (Windows10).

16—Select All updates, under status, select failed or needed, right-click on the update you want to install, and select approve.

configure wsus update services all updates

17- Under computer group, right-click on your windows/server and then select approved for installation.

18- Click ok.

19- The updates will now be made available, and then next time that client hits that maintenance interval we’ve configured in group policy, it’ll go about downloading, installing, and perhaps rebooting the PC in order to support the installation of this Windows update.

windows server updates approval progress

Configure Auto Approval Rules in WSUS

If you don’t want to approve updates manually, we can configure the auto-approval rule in Windows Server Update Services.

To configure Automatic Approvals in WSUS

1- WSUS Administration Console, choose Options and then select Automatic Approvals.

2- Here you can find the default automatic approval rule and if you want it you can edit it and use it. Select New Rule to create a new approval rule.

3- Select when an update is in a specific classification checkbox. Select the classifications. You can also permit the update for computers groups. I am going to choose Windows 10 as that is my test PC group. Last you can set a deadline for the update approval & specify auto approval rule name.
After you configure the rule, click OK.