
Installing and Configuring Windows Server Update Services (WSUS)


Vusal Karimov

May 7, 2025

Windows Server Update Services, formerly known as Server Update Service, is a computer program and network service developed by Microsoft Corporation that enables administrators to manage the distribution of updates and fixes for Microsoft products to computers in a corporate environment.

Windows Server Update Services (WSUS) is a Windows Server role that can schedule, manage, and deploy updates, service packs, patches, and fixes for Windows servers, client operating systems (OS), and other Microsoft software. This approach makes better use of high-speed LAN connections and reduces overall Internet usage.

Prerequisites

  • Windows Server 2019
  • Administrator permissions on the server
  • Windows Server network connection

Configuration Steps

First, go to the “Server Manager” section on Windows Server, then in the top right corner click “Manage” and enter the “Add Roles and Features” section. Select Windows Server Update Services. When we install it, the system automatically installs “Web Server” as well. In the “Select Features” section, select “BITS” and install it.


After the WSUS Service is installed, we go to the “Tools” section and select WSUS Service to start the configuration. Here, it asks whether we want to participate in Microsoft's update improvement program. I uncheck the box because if it's enabled, data will be sent to Microsoft, which consumes additional resources. In the second screen, if we have another WSUS Server, we need to enter its name and port. If you have one, enter it; since I don't, I choose to get updates directly from Microsoft Update.


If our server requires a proxy server to access the upstream server, we can configure it. Since I don't have a proxy server, I click Next to continue. By clicking “Start Connecting”, we begin connecting to the Update service. After the connection is established, we click Next to proceed.


It asks which language the Update should be in; we select English and continue. In the next section, it asks which operating systems or software we want to download updates for. For now, I only select “Windows 11”.


It asks which updates we want to perform; this includes drivers, updates, upgrades, etc. We select the ones we need and continue. Next, we choose whether the updates will be manual or automatic. I selected automatic, to occur every evening at 9 PM. If there is someone who constantly monitors the WSUS server, this can be done manually.


We choose to perform the initial synchronization, and it tells us that it will start the synchronization of the selected services, products, etc. It shows us the necessary steps to fully configure the system.
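The installation and wizard choices above can also be scripted, which makes the server build repeatable and reviewable. The following is an added example, not the author's code; it assumes an elevated session on the WSUS server, a hypothetical content path `D:\WSUS`, and a sample classification list, since the article does not name the classifications selected.

```powershell
# Added example: scripted equivalent of the role installation and the configuration wizard.
$contentDir      = 'D:\WSUS'                                # hypothetical content path
$product         = 'Windows 11'                             # product chosen in the article
$classifications = 'Critical Updates', 'Security Updates'   # sample choice (assumption)

# WSUS role plus BITS; the Web Server (IIS) dependency is installed automatically
Install-WindowsFeature -Name UpdateServices, BITS -IncludeManagementTools
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$contentDir"

$wsus = Get-WsusServer
Set-WsusServerSynchronization -SyncFromMU       # no upstream WSUS server, sync from Microsoft Update

$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')         # English only
$config.Save()

# A category-only sync is required before products and classifications can be listed
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
do { Start-Sleep -Seconds 15 } while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')

# Subscribe to exactly the chosen product and classifications
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -eq $product } | Set-WsusProduct
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $classifications } |
    Set-WsusClassification

# Daily automatic sync at 21:00 local time (WSUS stores this time of day in UTC)
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically = $true
$sub.SynchronizeAutomaticallyTimeOfDay = [datetime]::Today.AddHours(21).ToUniversalTime().TimeOfDay
$sub.NumberOfSynchronizationsPerDay = 1
$sub.Save()
$sub.StartSynchronization()                     # initial synchronization
```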


We enter the WSUS Server panel and click the “Synchronize Now” button to synchronize our service with the selected updates. After the Synchronization is complete, we go to Users and Computers on our Domain server, create a new OU (Organizational Unit), and add the Client Users to that Group. Then, we go to Group Policy Management and create a Policy within the group we created, and click edit to make the changes.


From “Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update”, we go to the “Configure Automatic Updates” settings, enable it, and configure the options below. I choose option 4, auto updates, which means selecting “Schedule Automatic Download and Installation”, and setting the time for updates to be downloaded and installed every evening at 9 PM.


For the next configuration, we open the “Server Manager” on the WSUS Server and check the server name, which we see as “WSUS-Server.blueteam.local” (you will enter the name of your server). In the GPO, in the “Windows Update” section, we open “Specify intranet Microsoft update service location”, enable it, and enter the following WSUS Server and port in the fields. Then, on both operating systems, both client and server, we run the “gpupdate /force” command in PowerShell or CMD so that the GPO settings are applied.


Here, we enable this Policy to prohibit Client devices from updating through services like Windows Update, Microsoft Update, or Windows Store. This means that when this policy is active, devices in the domain will only receive updates from the update service we selected, i.e., from our WSUS Server. Then, we open PowerShell as an administrator on both the client and server devices and run the “gpupdate /force” command to apply all the policies.


On our Client system, we open PowerShell as an administrator and run the “rsop.msc” command, which opens the “Resultant Set of Policy” screen, where we can see which GPOs have been applied to the client. Then, let's check if the Client System can update itself. After checking, we see that the Client device does not have permission to update itself and can only update through the WSUS Service.
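The same check can be made from the registry, which is easier to run across many clients than opening rsop.msc on each one. This added example (not part of the original article) reads the values the Windows Update policies write on the client and compares them with the settings chosen above. It assumes the prohibiting policy is “Do not connect to any Windows Update Internet locations”, which the article does not name; `Get-PolicyValue` is a helper defined here.

```powershell
# Added example: confirm on a client that the WSUS GPO values reached the registry.
# Expected values are the article's (option 4, 21:00, WSUS-Server.blueteam.local).
$wuKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey        = Join-Path $wuKey 'AU'
$expectedHost = 'WSUS-Server.blueteam.local'    # replace with your WSUS server name

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing, i.e. the policy is not applied
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$checks = @(
    @{ Path = $auKey; Name = 'UseWUServer';          Expected = 1 }    # intranet location enabled
    @{ Path = $auKey; Name = 'AUOptions';            Expected = 4 }    # option 4
    @{ Path = $auKey; Name = 'ScheduledInstallTime'; Expected = 21 }   # 9 PM
    # Assumption: this is the value behind the "prohibit" policy described above
    @{ Path = $wuKey; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Expected = 1 }
)

$results = @(foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{ Setting = $c.Name; Expected = $c.Expected; Actual = $actual
                       Ok = ($actual -eq $c.Expected) }
})

# Both URL values must point at the WSUS server; the port is whatever the GPO specifies
foreach ($name in 'WUServer', 'WUStatusServer') {
    $url = [string](Get-PolicyValue -Path $wuKey -Name $name)
    $uri = $null
    $ok  = [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri) -and $uri.Host -eq $expectedHost
    $results += [pscustomobject]@{ Setting = $name; Expected = $expectedHost; Actual = $url; Ok = $ok }
    if ($ok -and $uri.Scheme -ne 'https') {
        Write-Warning "$name uses $($uri.Scheme); client-to-WSUS traffic is not protected by TLS"
    }
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'WSUS policy is not fully applied; rerun gpupdate /force and check rsop.msc'
}
```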


For testing, let's download updates from our WSUS Server to the Client devices. As we can see, our Client device has now received updates through WSUS.


Conclusion

In this article, I discussed how to install, set up, and operate the WSUS Server. Let's imagine a company with 100 devices. If all these devices try to update themselves at the same time, the network could crash, or even if it doesn't crash, it could become heavily overloaded. The WSUS Server downloads all the updates from the Microsoft Update Service and then sends the ready update packages to all devices without overloading the network.