Windows Server Update Services (WSUS)
What is Windows Server Update Services (WSUS)?
Windows Server Update Services (WSUS) is a Windows server role that can plan, manage and deploy updates, service packs, patches and hotfixes for Windows servers, client operating systems (OSes) and other Microsoft software. It lets system administrators control when and how systems install updates and provides a central point for clients to get updates. It's designed for small and medium-sized business use. There's typically no additional cost to add WSUS to a Windows network.
Installed on Microsoft Windows Server, WSUS is a simple tool system administrators use to manage Microsoft Windows updates. It's available for various versions of Windows Server and client OSes, such as Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, 2016, 2019 and Windows Server 2022. All supported Microsoft client OSes can use WSUS, including Windows 8.1, 10 and 11.
Practical applications and benefits of WSUS
WSUS lets an organization control when and how its Windows devices receive OS updates and patches. Practical applications and benefits of WSUS include the following:
- Automated updates. WSUS enables automatic updates within specific parameters. Without WSUS, clients install updates as soon as they're available from Microsoft. This can cause clients to be at different patch levels, or to install patches that break software or install during the middle of the workday, causing employee downtime.
- Testing and approval. Using WSUS gives system administrators time to test that the updates work with their network and don't introduce compatibility issues. It also lets them install the updates during a maintenance timeframe so that production work isn't affected. For example, an organization would want to avoid installing updates to the accounting department during tax preparation.
- Reporting and monitoring. WSUS provides reporting about Windows updates in an organization. System administrators can use this information to verify that all clients are installing security updates correctly and have the same updates applied. This ensures that the systems have the correct security patches, reducing overall network vulnerability.
- Centralized update management. Without WSUS, all clients go directly to Microsoft servers to download updates. In networks with many clients or with poor bandwidth, this could cause excessive internet use and affect productivity. With WSUS acting as a central point, the server downloads only one copy of the update from Microsoft and all clients can get the update from there. This approach makes better use of high-speed LAN connections and reduces overall internet usage. WSUS supports multiple languages and can selectively make the information for these languages available.
- Custom updates. WSUS enables administrators to organize updates into custom categories based on criteria such as importance, type or product.
- Bandwidth conservation. By downloading updates once to the WSUS server and then distributing them internally, for example, through a downstream server, organizations can conserve internet bandwidth. This is particularly useful for large organizations with many computers, where downloading updates individually could strain network resources.
- Compliance and security. WSUS helps organizations maintain compliance with security standards and regulations by ensuring that all systems are up to date with the latest security patches and fixes. This is crucial for protecting sensitive data and mitigating security risks.
WSUS database requirements
When planning to deploy WSUS, organizations should consider their hardware and database requirements, which are driven by the number of client computers being updated within the organization.
The various database requirements for a WSUS deployment include the following:
- Database software requirements. Microsoft SQL Server Express 2008 R2 has a database size constraint of 10 GB, which should typically meet the needs of WSUS. However, opting for this database instead of Windows Internal Database (WID) doesn't offer any significant benefits. A WID database has a minimum RAM requirement of 2 GB beyond the standard Windows Server system requirements.
- Database size and content. Updates consist of metadata that details the update's description and the files required to install the update. Update metadata is typically much smaller than the actual update and is stored in the WSUS database. However, the update files are stored on a local WSUS server or a Microsoft Update Web server.
- Minimum hardware requirements. Microsoft recommends a minimum of 2 GB of RAM and 40 GB of storage space for the WSUS server. However, enterprises commonly use a minimum of 64 GB of RAM and more than 1 TB of WSUS content.
- Additional hardware requirements. For WSUS, an extra 2 GB of RAM beyond the server's standard requirements and those of all other services or software is necessary. It's recommended to use a separate server, or a virtual machine dedicated to WSUS, along with an SQL or SQL Express instance for the database.
WSUS license and OS requirements
WSUS doesn't require an additional license for the server. Clients connecting to WSUS only require a Windows Server Client Access License (CAL). Because most organizations already purchase Windows Server and CALs, WSUS is typically no additional cost to them.
WSUS only supports Microsoft products, such as Windows and Microsoft Office updates. It doesn't allow admins to install new software or update other products, such as Google Chrome. It also doesn't support other OSes, such as macOS or Linux.
How to use WSUS
The following outlines the step-by-step process of how to use and configure WSUS:
Step 1: Installing WSUS
WSUS is installed on an upstream server as a server role using Microsoft Windows Server Manager. This server provides features to manage and distribute updates through a management console.
Once the role is activated, it's available for use. It has a few prerequisites, including .NET, Microsoft Report Viewer, Internet Information Services, and a database such as Windows Internal Database or SQL. All these prerequisites are freely available on Windows Server.
Depending on the size of the network, WSUS can be a single server or many servers working together. WSUS servers can get updated content and configurations from each other. This permits extremely large networks and different office locations to each have their own server. Organizations can also use WSUS disconnected from the internet. This way, high-security networks can receive regular patches without exposing the network to the internet.
Step 2: Client configuration
Just deploying a WSUS server to a network isn't enough; clients must be configured to connect to it instead of to Microsoft update. System admins often configure the client using Group Policy, but could also set it up through Microsoft System Center Configuration Manager (SCCM), mobile device management or manually with registry keys. The settings can be configured via Group Policy Objects if Active Directory is being used.
Admins can set how clients install updates, if they reboot after installation and notify users of the updates.
Step 3: Managing updates
The Windows Update Agent performs the actions on the client to install updates. It connects to the WSUS server and scans for needed updates and then downloads and installs them. The download uses Microsoft Windows Background Intelligent Transfer Service to optimize bandwidth use.
WSUS requires a few network ports to be open for operation. The server must be able to communicate out to the internet Windows update servers on ports 80 and 443 to receive the update packages. Clients connect to the WSUS server on ports 8530 and 8531 by default, though these can be changed.
Step 4: Testing and approving updates
After synchronization, admins should review the available updates in the WSUS console. They can approve updates for deployment to specific computer groups or all computers within the organization. It's recommended to test updates on a subset of machines before approving them for widespread deployment.
Step 5: Automating tasks
The WSUS Administration Console helps automate approvals using rules and admins can specify rules based on when a particular update becomes available, which products have updates available or when an update should be approved.
Windows PowerShell scripting can also be used to automate tasks such as approvals, cleanups, synchronization and update installation scheduling.
Step 6: Monitoring and reporting
Admins should use the WSUS console to monitor the update status of client machines, track failed installations and generate reports on updated compliance and deployment progress.
Step 7: Regular maintenance
Admins should regularly review and install the updates as they become available. Additionally, they should monitor the WSUS server performance and disk space usage. Regular database maintenance tasks should also be conducted to maintain optimal performance.
Can WSUS update third-party software?
WSUS can update third-party software. Through a procedure called local publishing, system admins can increase the usage of WSUS patching mechanisms to deliver fixes for third-party programs such as Java and Adobe Reader. This process involves using auxiliary management tools to publish update packages containing the binaries and their respective certificates to the WSUS server. Administrators can also use these technologies to push locally generated and tested software and custom upgrades to client computers.
Additionally, third-party software updates can be enabled using the Configuration Manager console and third-party update signing certificates can be automatically managed via WSUS.
It's important to understand that WSUS doesn't natively support third-party patch management, since Microsoft created it to distribute patches for Microsoft products. However, there are numerous benefits to using WSUS instead of alternative WSUS techniques for patch management when deploying third-party software and updates. For example, WSUS can distribute drivers and command-line executables natively without requiring users to have administrator capabilities.
WSUS and System Center Configuration Manager
WSUS and SCCM are both Microsoft tools used for managing updates within an organization, but they serve different purposes and have the following distinguishing features:
WSUS
- WSUS only manages updates and patches. It's specifically focused on managing and distributing updates for Microsoft products, primarily Windows OSes and Microsoft software.
- It provides a centralized platform for downloading, approving and deploying updates to Windows machines within an organization.
- WSUS is simpler to deploy and manage compared to SCCM. It's primarily focused on update management and is often used in conjunction with Group Policy for client configuration.
- WSUS is suitable for organizations mainly concerned with managing Windows updates without the need for advanced systems management capabilities.
- WSUS lacks the advanced features of SCCM. It provides basic reporting and monitoring capabilities but doesn't offer the same level of automation, customization and integration with other systems management functions.
- WSUS is available free of charge and is included as a feature in Windows Server OSes. There are no additional licensing costs associated with using WSUS.
SCCM
- SCCM can perform any role that WSUS does and much more. For example, it enables updates, patches, software installation, administration, configuration, endpoint protection and inventory management across a wide range of devices including laptops, desktops, servers and mobile devices.
- SCCM gives users enhanced control over patch deployment, report generation and management of Windows machines on their network.
- SCCM is a more complex and feature-rich tool compared to WSUS. It requires more planning, configuration and ongoing maintenance to deploy effectively. However, SCCM offers greater flexibility and scalability for managing diverse environments and complex deployments.
- SCCM offers a wide range of features beyond update management, including software distribution, patch management, compliance monitoring, endpoint protection, remote control and reporting.
- SCCM is part of the Microsoft System Center suite and is a paid product. It's available through various licensing options, including standalone licensing or as part of Microsoft 365 subscriptions. The cost of SCCM depends on the licensing model and the number of managed devices.
- SCCM relies on WSUS to check for and apply patches and it can be used to manage the WSUS server through the SCCM console.
Windows Server Update Services and Windows Update for Business
Windows Update for Business (WUfB) is a free and modern update system from Microsoft. In WUfB, the organization sets when and how clients apply updates, but the clients connect to Microsoft servers or use peer distribution to download updated content. This is different than in WSUS where clients connect to servers that the organization manages.
WUfB is easier to set up and manage than WSUS and provides benefits to remote workers, but it doesn't offer as much control of updates nor as much bandwidth savings as WSUS.
According to Microsoft, WUfB is available for the following versions of Windows 10 and Windows 11:
- Windows Pro, including Windows Pro for Workstations.
- Windows 10 Pro Education.
- Windows Enterprise, including Enterprise LTSC (Long-Term Servicing Channel), IoT Enterprise and IoT Enterprise LTSC.
Numerous options exist for organizations looking for comprehensive patch options. Explore top patch management software tools and find the right fit for your organizational needs.