How To

Install WSUS on Windows Server 2025

Kibet John Updated Mar 22, 2026 · 9 min read

Windows Server Update Services (WSUS) is a server role that lets you centrally manage and distribute Windows updates across your network. Instead of each machine pulling updates independently from Microsoft Update, WSUS downloads patches once and distributes them to all clients – saving bandwidth, giving you control over which updates get deployed, and letting you enforce compliance across the organization.

Original content from computingforgeeks.com - post 72225

This guide walks through installing and configuring WSUS on Windows Server 2025, from role installation through client GPO configuration and ongoing maintenance. By the end, you will have a fully functional WSUS server managing updates for your domain-joined machines. For the official reference, see the Microsoft WSUS documentation.

Prerequisites

Before starting, make sure you have the following in place:

  • Windows Server 2025 installed and joined to your Active Directory domain
  • At least 10 GB of free disk space for the WSUS content store (more for large environments – 100 GB+ recommended)
  • Administrator access to the server
  • Internet access for downloading updates from Microsoft Update
  • Active Directory with Group Policy management for pushing WSUS settings to clients
  • Firewall rules allowing outbound HTTPS (TCP 443) to Microsoft Update servers and inbound TCP 8530/8531 from client machines

Step 1: Install the WSUS Role

You can install WSUS through Server Manager or PowerShell. Both methods accomplish the same thing – pick whichever you prefer.

Method 1: Server Manager

Open Server Manager and click Add Roles and Features. Walk through the wizard:

  • Select Role-based or feature-based installation
  • Choose your destination server from the server pool
  • Under Server Roles, check Windows Server Update Services
  • When prompted to add required features (IIS, .NET Framework, etc.), click Add Features
  • On the Role Services page, keep both WID Connectivity and WSUS Services checked. Uncheck SQL Server Connectivity unless you plan to use an external SQL Server instance
  • Click through to the confirmation page and click Install

The installation takes several minutes. When it finishes, do not close the wizard yet – you will see a post-installation task notification.

Method 2: PowerShell

Open an elevated PowerShell window and run the following command to install WSUS with the Windows Internal Database (WID):

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

The output confirms the installation was successful when you see Success as the exit code and True under the Success column:

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Windows Server Update Services, ...}

A restart is typically not required, but check the Restart Needed column to be sure.

Step 2: Configure WSUS Storage Location

Before WSUS can function, you need to specify where update files are stored on disk. Create a dedicated directory for WSUS content. A separate volume or partition is recommended for production environments so update files do not fill your system drive.

Create the content directory:

New-Item -Path "D:\WSUS" -ItemType Directory -Force

Now run the WSUS post-installation task to initialize the content directory and database:

& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS

The post-install process takes a minute or two. When finished, it confirms the configuration was completed:

Post install has successfully completed

If you used Server Manager, you can also trigger this from the notification flag in Server Manager by clicking Launch Post-Installation tasks. The PowerShell method above gives you explicit control over the content path.

Step 3: Run the WSUS Configuration Wizard

Open the WSUS management console. From Server Manager, go to Tools and select Windows Server Update Services. The first time you open the console, the configuration wizard launches automatically.

Walk through the wizard pages:

  • Microsoft Update Improvement Program – opt in or out based on your organization’s policy
  • Choose Upstream Server – select Synchronize from Microsoft Update unless this is a downstream WSUS server
  • Specify Proxy Server – configure your proxy if outbound internet access requires one. Skip if direct access works
  • Connect to Upstream Server – click Start Connecting. This downloads the list of available products and classifications from Microsoft. It takes several minutes depending on your internet speed
  • Choose Languages – select only the languages you need. English is the minimum for most environments. Fewer languages means less disk space and faster syncs

Do not start the initial synchronization from this wizard yet – configure products and classifications first (next step) so you only download what you actually need.

Step 4: Select Products and Classifications

Choosing the right products and update classifications prevents WSUS from downloading hundreds of gigabytes of patches you will never deploy. In the WSUS console, go to Options then Products and Classifications.

Products Tab

Check only the operating systems and applications in your environment. A typical selection includes:

  • Windows Server 2025
  • Windows Server 2022 (if you still run it)
  • Windows 11
  • Windows 10 (if still in your fleet)
  • Microsoft Defender Antivirus
  • Microsoft Edge
  • Microsoft 365 Apps (if using Click-to-Run Office)

Resist the urge to select everything. Each checked product adds to sync time and storage requirements.

Classifications Tab

Classifications control the type of updates WSUS downloads. Recommended selections:

  • Critical Updates – security and reliability fixes
  • Security Updates – patches for security vulnerabilities
  • Update Rollups – cumulative monthly rollups
  • Definition Updates – antivirus and antimalware signatures
  • Service Packs – major cumulative updates

Skip Drivers and Feature Packs unless you have a specific need – drivers alone can consume significant storage. Click OK to save your selections.

Step 5: Configure Automatic Approval Rules

Automatic approval rules save time by approving certain update types without manual intervention. In the WSUS console, go to Options then Automatic Approvals.

The default rule approves Definition Updates for all computers. This is a good starting point – you always want antivirus signatures deployed immediately. To create additional rules:

  • Click New Rule
  • Check When an update is in a specific classification
  • Click the blue any classification link and select Critical Updates and Security Updates
  • Under Step 2, choose which computer group to apply it to (start with a test group, not All Computers)
  • Name the rule something clear like “Auto-approve Security – Test Group”
  • Click OK and make sure the rule is enabled

For production environments, a staged approach works well: auto-approve for a test group first, then manually approve for production servers after a week of testing.

Step 6: Configure Client GPO for WSUS

Client machines need a Group Policy Object (GPO) telling them where to find your WSUS server. Open the Group Policy Management Console (gpmc.msc) on your domain controller and create a new GPO or edit an existing one linked to the OU containing your target machines.

Navigate to Computer Configuration then Policies then Administrative Templates then Windows Components then Windows Update. Configure these settings:

Specify Intranet Microsoft Update Service Location

Set this to Enabled and enter your WSUS server URL in both fields:

  • Set the intranet update service: http://wsus-server:8530
  • Set the intranet statistics server: http://wsus-server:8530

Replace wsus-server with your actual WSUS server hostname. Port 8530 is the default HTTP port. Use 8531 if you configured WSUS for HTTPS.

Configure Automatic Updates

Set this to Enabled and select one of these options:

  • 2 – Notify for download and auto install – user gets notified before download
  • 3 – Auto download and notify for install – downloads automatically, user approves install
  • 4 – Auto download and schedule the install – fully automatic, best for servers during maintenance windows

For servers, option 4 with a scheduled install time during a maintenance window works best. For workstations, option 3 gives users visibility without blocking patches.

Enable Client-Side Targeting (Optional)

If you want to assign machines to WSUS computer groups via GPO instead of manually in the WSUS console, enable Enable client-side targeting and set the target group name. This is especially useful in large environments where you manage group membership through Active Directory OUs.

After configuring the GPO, run the following on a client machine to force an immediate policy refresh:

gpupdate /force

Then trigger a Windows Update detection cycle so the client registers with WSUS:

wuauclt /detectnow /reportnow

Within a few minutes, the client should appear in the WSUS console under the appropriate computer group.

Step 7: Synchronize Updates

With products and classifications configured, it is time to run the first synchronization. In the WSUS console, go to Synchronizations and click Synchronize Now.

The initial sync downloads metadata for all updates matching your product and classification selections. Depending on how many products you selected, this can take anywhere from 15 minutes to several hours. Subsequent syncs are much faster since they only pull new changes.

To set up scheduled synchronization so WSUS stays current automatically, go to Options then Synchronization Schedule:

  • Select Synchronize automatically
  • Set the first synchronization time (pick off-peak hours like 02:00 AM)
  • Set synchronizations per day to 1 (once daily is sufficient for most environments)

You can also trigger synchronization from PowerShell if you prefer scripting your maintenance tasks:

$wsus = Get-WsusServer
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()

Check synchronization status with:

$subscription.GetSynchronizationProgress()

Step 8: Approve and Deploy Updates

Once synchronization completes, you will see updates listed in the WSUS console under Updates. By default, updates require manual approval before clients install them (unless caught by an automatic approval rule).

To approve updates manually:

  • Go to Updates then All Updates
  • Set the Approval filter to Unapproved and Status to Any, then click Refresh
  • Select the updates you want to deploy (hold Ctrl for multiple selections)
  • Right-click and select Approve
  • Choose the computer group and set the approval to Approved for Install
  • Click OK

Approved updates will be downloaded to your WSUS content store and distributed to clients at their next update check-in cycle. You can also approve from PowerShell for bulk operations:

Get-WsusUpdate -Classification Security | Approve-WsusUpdate -Action Install -TargetGroupName "Test Servers"

This approves all security updates for the “Test Servers” group in one command.

Step 9: Review Update Compliance

After approving and deploying updates, you need to track which machines are compliant. The WSUS console provides built-in reports for this. If you manage Windows firewall rules across your fleet, make sure reporting ports are open.

Go to Computers in the WSUS console and check the status columns:

  • Needed – updates approved but not yet installed
  • Failed – updates that failed to install (investigate these first)
  • Installed/Not Applicable – machines that are up to date

For more detailed reporting, go to Reports in the WSUS console:

  • Update Status Summary – shows compliance percentage across all computer groups
  • Computer Status Summary – shows per-machine compliance
  • Update Detailed Status – shows which specific updates are installed, needed, or failed per machine

You can also pull compliance data with PowerShell for custom reporting:

$wsus = Get-WsusServer
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$wsus.GetSummariesPerComputerTarget($updateScope, $computerScope)

Machines that show as Not yet reported either have not received the GPO yet or cannot reach the WSUS server. Check network connectivity and GPO application on those clients.

Step 10: WSUS Maintenance

WSUS requires regular maintenance to keep the database lean and the content store clean. Without it, the WSUS console becomes sluggish and synchronization slows down over time.

Server Cleanup Wizard

Run the cleanup wizard monthly. In the WSUS console, go to Options then Server Cleanup Wizard. Check all options:

  • Unused updates and update revisions – removes superseded updates that no computer needs
  • Computers not contacting the server – removes stale computer entries (machines decommissioned or rebuilt)
  • Unneeded update files – deletes downloaded update binaries that no longer match any approved update
  • Expired updates – removes updates Microsoft has marked as expired
  • Superseded updates – declines updates that have been replaced by newer ones

Click Next and let the wizard run. On a busy WSUS server, this can take 15-30 minutes.

You can also run the cleanup from PowerShell to automate it in a scheduled task:

Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

SUSDB Database Maintenance

The WSUS database (SUSDB) uses Windows Internal Database by default and benefits from periodic index re-indexing. Without this, queries slow down and the WSUS console becomes unresponsive.

Connect to the WID instance and run a re-index script. Open PowerShell and use sqlcmd to connect:

sqlcmd -S \\.\pipe\MICROSOFT##WID\tsql\query -i C:\wsus-reindex.sql

The re-index SQL script is available from Microsoft’s documentation. Save it as C:\wsus-reindex.sql and schedule it to run monthly alongside the cleanup wizard. The script rebuilds all indexes in the SUSDB database to keep query performance healthy.

For environments managing more than 500 clients, consider migrating SUSDB to a full SQL Server instance. This gives you better performance, proper backup tools, and the ability to run maintenance without affecting WSUS availability. See the WSUS deployment guide for SQL Server migration steps.

Conclusion

You now have a working WSUS server on Windows Server 2025 managing updates for your environment. The key to a well-run WSUS deployment is keeping product selections tight, running the cleanup wizard monthly, and monitoring compliance reports to catch machines that fall behind on patches.

For production hardening, configure WSUS to use HTTPS (port 8531) with a proper SSL certificate, set up remote desktop access for remote management, and implement a staged approval workflow – test group first, production servers after validation. If you manage IIS web servers, keep their update cycle separate from database and domain controller servers to avoid simultaneous reboots.

Kibet John

The power of technology can be blatantly perceived by everyone in the world today and its sway did not spare me. Kibet is a tech enthusiast, ComputingforGeeks writer, and an ardent lover of knowledge and new skills that make the world brighter. His interests lie in Storage systems, High Availability, Routing and Switching, Automation, Monitoring, and Arts.

Related Articles

Windows Introduction to Windows Active Directory Services – Part 1 Windows Fix Windows BSOD Issue caused by CrowdStrike Update Desktop Best PDF to Image Converter on Windows and Mac Windows Working with .NET as a PowerShell Developer

Leave a Comment

Press ESC to close