Deploy WSUS for Windows Update Management

By Admin · Mar 15, 2026 · Updated Apr 23, 2026

Windows Server Update Services (WSUS) gives you centralized control over Windows updates across your network. Instead of each server downloading updates directly from Microsoft, WSUS downloads updates once, lets you review and approve them, and distributes them to clients. This guide covers deploying WSUS on your Windows Server VPS.

Install WSUS

Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT -IncludeManagementTools

# Configure WSUS content directory
New-Item -ItemType Directory -Path "D:\WSUS" -Force
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS

# Verify service is running
Get-Service WsusService, W3SVC

Initial Configuration

# Connect to WSUS server
$wsus = Get-WsusServer -Name localhost -PortNumber 8530

# Configure upstream server (Microsoft Update)
Set-WsusServerSynchronization -SyncFromMU

# Select products to sync
# -TitleIncludes takes a single string, so query each title in turn
$products = "Windows Server 2022", "Windows Server 2025", "Microsoft Defender" |
    ForEach-Object { Get-WsusProduct -TitleIncludes $_ }
$products | Set-WsusProduct

# Select classifications
$classifications = Get-WsusClassification
$classifications | Where-Object {
    $_.Classification.Title -in @("Critical Updates", "Security Updates", "Definition Updates", "Update Rollups")
} | Set-WsusClassification

# Set sync schedule
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::new(3, 0, 0)  # 3 AM
$subscription.NumberOfSynchronizationsPerDay = 1
$subscription.Save()

# Start initial synchronization
$subscription.StartSynchronization()
Write-Host "Sync status: $($subscription.GetSynchronizationStatus())"

Configure Computer Groups

$wsus = Get-WsusServer
# Create computer groups for staged rollout
$wsus.CreateComputerTargetGroup("Test Servers")
$wsus.CreateComputerTargetGroup("Production Servers")
$wsus.CreateComputerTargetGroup("Domain Controllers")

# List groups
$wsus.GetComputerTargetGroups() | Select-Object Name, Id

Configure Clients via GPO

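# GPO settings for WSUS clients
# Computer Config > Admin Templates > Windows Components > Windows Update
# Requires the GroupPolicy module and an existing GPO named "WSUS Client Settings"

# Set WSUS server URL (8530 is the default HTTP port; once SSL is configured,
# use https:// and the HTTPS port, 8531 by default)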
Set-GPRegistryValue -Name "WSUS Client Settings" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
    -ValueName "WUServer" -Type String -Value "http://wsus.corp.example.com:8530"

Set-GPRegistryValue -Name "WSUS Client Settings" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
    -ValueName "WUStatusServer" -Type String -Value "http://wsus.corp.example.com:8530"

# Enable WSUS as update source
Set-GPRegistryValue -Name "WSUS Client Settings" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -ValueName "UseWUServer" -Type DWord -Value 1

# Auto-download and schedule install
Set-GPRegistryValue -Name "WSUS Client Settings" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -ValueName "AUOptions" -Type DWord -Value 4

# Schedule install day (0=every day, 1=Sunday, etc.)
Set-GPRegistryValue -Name "WSUS Client Settings" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -ValueName "ScheduledInstallDay" -Type DWord -Value 1

# Schedule install time (3 AM)
Set-GPRegistryValue -Name "WSUS Client Settings" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -ValueName "ScheduledInstallTime" -Type DWord -Value 3

# Enable target group via GPO
Set-GPRegistryValue -Name "WSUS Client Settings" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
    -ValueName "TargetGroupEnabled" -Type DWord -Value 1

Set-GPRegistryValue -Name "WSUS Client Settings" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
    -ValueName "TargetGroup" -Type String -Value "Production Servers"

Approve and Manage Updates

# Get unapproved updates (the title lives on the nested Update object)
$wsus = Get-WsusServer
Get-WsusUpdate -Approval Unapproved -Status Needed |
    Format-Table @{ Name = 'Title'; Expression = { $_.Update.Title } }, Classification, MsrcSeverity

# Approve critical updates for test group first
# -Classification accepts All, Critical, Security or WSUS
Get-WsusUpdate -Classification Critical -Approval Unapproved |
    Approve-WsusUpdate -Action Install -TargetGroupName "Test Servers"

# After testing, approve for production
# These updates are now approved for the test group, so filter on Approved, not Unapproved
Get-WsusUpdate -Classification Critical -Approval Approved |
    Approve-WsusUpdate -Action Install -TargetGroupName "Production Servers"

# Decline superseded updates
$wsus.GetUpdates() | Where-Object { $_.IsSuperseded -eq $true } | ForEach-Object {
    $_.Decline()
}

# WSUS maintenance — clean up
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles `
    -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

Reporting

# Computer compliance report
$wsus = Get-WsusServer
$wsus.GetComputerTargets() | ForEach-Object {
    # @() keeps .Count reliable when zero or one update matches
    $needed = @($_.GetUpdateInstallationInfoPerUpdate() | Where-Object { $_.UpdateInstallationState -eq "NotInstalled" }).Count
    [PSCustomObject]@{
        Computer = $_.FullDomainName
        Group = ($_.GetComputerTargetGroups() | Select-Object -First 1).Name
        NeededUpdates = $needed
        LastContact = $_.LastReportedStatusTime
    }
} | Sort-Object NeededUpdates -Descending | Format-Table

Best Practices

  • Use staged rollout: Approve for test servers first, production after validation
  • Run WSUS cleanup monthly to keep the database and content store manageable
  • Monitor client check-in: Alert if servers haven't contacted WSUS in over 7 days
  • Only sync needed products and classifications to save disk space
  • Schedule installs during maintenance windows to minimize disruption
  • Use SSL for WSUS connections in production environments
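
An added example, not part of the original article, for the check-in and SSL items above: Get-WsusStaleClient runs on the WSUS server and lists clients that have been silent for more than seven days, and Test-WsusClientPolicy runs on a client and flags a missing or non-HTTPS WUServer policy. The function names and the -MaxAgeDays parameter are illustrative, not part of the WSUS module.

```powershell
# Added example, not from the original article. Function names and
# -MaxAgeDays are illustrative.

# Run on the WSUS server: clients that have not reported status recently.
function Get-WsusStaleClient {
    param([int]$MaxAgeDays = 7)   # threshold from the Best Practices list

    $now    = (Get-Date).ToUniversalTime()   # WSUS API timestamps are UTC
    $cutoff = $now.AddDays(-$MaxAgeDays)
    (Get-WsusServer).GetComputerTargets() |
        Where-Object { $_.LastReportedStatusTime -lt $cutoff } |
        ForEach-Object {
            # A client that registered but never reported carries DateTime.MinValue.
            $never = $_.LastReportedStatusTime -eq [datetime]::MinValue
            [PSCustomObject]@{
                Computer      = $_.FullDomainName
                LastContact   = if ($never) { $null } else { $_.LastReportedStatusTime }
                DaysSilent    = if ($never) { $null } else { [int]($now - $_.LastReportedStatusTime).TotalDays }
                NeverReported = $never
            }
        }
}

# Run on a client: check the policy values written by the GPO in this guide.
function Test-WsusClientPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    $findings = @()

    if (-not $wu.WUServer) {
        $findings += 'WUServer is not set: the WSUS GPO has not applied'
    } else {
        if ($wu.WUServer -notmatch '^https://') {
            $findings += "WUServer is not HTTPS: $($wu.WUServer)"
        }
        if ($wu.WUServer -ne $wu.WUStatusServer) {
            $findings += 'WUServer and WUStatusServer differ'
        }
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores WUServer'
    }
    if ($wu.TargetGroupEnabled -eq 1 -and -not $wu.TargetGroup) {
        $findings += 'TargetGroupEnabled is 1 but TargetGroup is empty'
    }
    $findings   # no output means no findings
}
```

With the GPO exactly as written in this guide, Test-WsusClientPolicy reports the http:// URL; the finding clears once the server has SSL configured and the GPO points at the https:// address.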
