How to Configure Windows Update and WSUS on Windows Server 2025
Keeping Windows Server 2025 systems patched is one of the most impactful things you can do to reduce your organization’s attack surface. A significant proportion of successful cyberattacks exploit vulnerabilities for which patches were available weeks or months before the breach. Windows Server 2025 offers multiple layers of update management: the built-in Windows Update client for direct Microsoft update delivery, the PSWindowsUpdate community PowerShell module for scripted update management, Group Policy-based update ring configuration, and Windows Server Update Services (WSUS) for fully centralized, network-efficient update distribution and approval workflow. Understanding how these layers interact — and how to configure each one — lets you build a patching strategy that balances speed, control, and bandwidth efficiency.
Prerequisites
- Windows Server 2025 (Standard or Datacenter edition)
- Administrator or Domain Administrator privileges
- Internet access on servers that pull directly from Microsoft Update
- For WSUS: a dedicated server with at least 40 GB of disk space for update files (more recommended for large environments), 4+ GB RAM, and SQL Server or Windows Internal Database (WID)
- PowerShell 5.1 or later; PowerShell 7.x for PSWindowsUpdate compatibility
- Group Policy Management Console (GPMC) for GPO-based configuration
Step 1: Reviewing and Configuring Windows Update via GUI
The Windows Update settings page in Windows Server 2025 provides a clean view of pending updates, installed update history, and active hours configuration. On servers, active hours are less critical than on workstations, but ensuring the update service is running and not blocked is a first-line check.
# Open Windows Update settings directly
Start-Process "ms-settings:windowsupdate"
# Check Windows Update service status
Get-Service -Name wuauserv | Select-Object Name, Status, StartType
# Force an immediate check for updates (triggers the built-in client)
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
# View update history via COM object
$UpdateSession = New-Object -ComObject Microsoft.Update.Session
$Searcher = $UpdateSession.CreateUpdateSearcher()
$HistoryCount = $Searcher.GetTotalHistoryCount()
$History = $Searcher.QueryHistory(0, [Math]::Min($HistoryCount, 50))
$History | Select-Object Title, Date, ResultCode | Format-Table -AutoSize
# ResultCode: 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed, 5 = Aborted
Step 2: Using the PSWindowsUpdate Module
The PSWindowsUpdate module by Michal Gajda is the most capable PowerShell interface for Windows Update management. It wraps the Windows Update Agent COM API to provide scriptable search, download, installation, and hiding of updates — all from the command line.
# Install PSWindowsUpdate from the PowerShell Gallery
Install-Module -Name PSWindowsUpdate -Scope AllUsers -Force -AllowClobber
Import-Module PSWindowsUpdate
# Search for available updates without installing
Get-WindowsUpdate -Verbose
# Search for specific update categories
Get-WindowsUpdate -Category "Security Updates" -Verbose
Get-WindowsUpdate -Category "Critical Updates","Security Updates" -Verbose
# Install all pending updates (will NOT reboot automatically by default)
Install-WindowsUpdate -AcceptAll -Verbose
# Install updates and auto-reboot if required
Install-WindowsUpdate -AcceptAll -AutoReboot -Verbose
# Install only Security Updates and Critical Updates
Install-WindowsUpdate -Category "Security Updates","Critical Updates" -AcceptAll -Verbose
# Install updates on remote servers using PSRemoting
# Invoke-WUJob creates a scheduled task on each target that runs the -Script string as SYSTEM;
# without -RunNow (or a -TriggerDate) the task is only registered, not started
Invoke-WUJob -ComputerName "WS2025-SVR01","WS2025-SVR02" `
-Script "Import-Module PSWindowsUpdate; Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File C:\PSWindowsUpdate.log" `
-Credential (Get-Credential) `
-RunNow -Confirm:$false `
-Verbose
# Hide a specific update (prevent it from being installed)
Hide-WindowsUpdate -Title "*Preview*" -Verbose
# Show all hidden updates
Get-WindowsUpdate -IsHidden
# Unhide a specific update
Show-WindowsUpdate -Title "2025-05 Preview of Monthly Rollup for Windows Server 2025"
Step 3: Configuring Update Rings via Group Policy
In enterprise environments, update rings (sometimes called update waves) control which servers receive updates first. Early rings act as canaries — if an update causes problems, you catch it before it affects production. Configure rings using Group Policy Objects linked to Organizational Units (OUs) containing server computer accounts.
# Open Group Policy Management Console
gpmc.msc
# Create and link a GPO for the "Pilot" ring — these servers get updates 0 days after release
# Navigate to: Computer Configuration > Administrative Templates >
# Windows Components > Windows Update > Windows Update for Business
# Key GPO settings to configure:
# 1. "Select when Preview Builds and Feature Updates are received"
# - Windows Update for Business readiness level: Semi-Annual Channel
# - Feature update deferral: Pilot=0 days, Early Production=30 days, Production=60 days
# 2. "Select when Quality Updates are received"
# - Quality update deferral: Pilot=0 days, Early Production=7 days, Production=14 days
# 3. "Configure Automatic Updates"
# - Set to: 4 - Auto download and schedule the install
# - Schedule time: 03:00 AM (minimize user impact)
# - Scheduled day: 0 - Every day
# Verify GPO application on a target server
gpresult /Scope Computer /R
gpresult /H "C:\GPReport.html"; Start-Process "C:\GPReport.html"
# Check the effective Windows Update registry keys set by GPO
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue
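Reading the two policy keys tells you what landed, but not whether it matches the ring the server is supposed to be in. The script below is an added example (not from the original article) that audits the registry values the GPO settings above write against a per-ring expectation table. The ring names, deferral numbers and schedule mirror the settings listed in this step; the `$RingExpectations` table and the ring membership passed on the command line are assumptions for illustration. It also checks the client-side targeting and WSUS server values that a WSUS-pointed client carries in the same key, so it covers the targeting GPO described later for the WSUS computer groups.

```powershell
# Added example (not part of the original article): audit the effective Windows Update
# policy on a server against the deferral/schedule values expected for its ring.
# Value names are the ones the listed GPO settings write under the WindowsUpdate policy key.
# The expectation table and the ring passed in are assumptions for illustration.

$RingExpectations = @{
    Pilot           = @{ QualityDefer = 0;  FeatureDefer = 0  }
    EarlyProduction = @{ QualityDefer = 7;  FeatureDefer = 30 }
    Production      = @{ QualityDefer = 14; FeatureDefer = 60 }
}

function Test-UpdateRingPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Pilot', 'EarlyProduction', 'Production')]
        [string]$Ring
    )
    $wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey   = Join-Path $wuKey 'AU'
    $wuProps = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $auProps = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $expect  = $RingExpectations[$Ring]

    # A missing NoAutoUpdate value means automatic updates are not disabled; treat it as 0.
    $noAutoUpdate = if ($null -eq $auProps.NoAutoUpdate) { 0 } else { $auProps.NoAutoUpdate }

    $checks = @(
        [PSCustomObject]@{ Setting = 'DeferQualityUpdatesPeriodInDays'; Expected = $expect.QualityDefer; Actual = $wuProps.DeferQualityUpdatesPeriodInDays }
        [PSCustomObject]@{ Setting = 'DeferFeatureUpdatesPeriodInDays'; Expected = $expect.FeatureDefer; Actual = $wuProps.DeferFeatureUpdatesPeriodInDays }
        [PSCustomObject]@{ Setting = 'AUOptions';            Expected = 4; Actual = $auProps.AUOptions }            # 4 = auto download and schedule install
        [PSCustomObject]@{ Setting = 'ScheduledInstallDay';  Expected = 0; Actual = $auProps.ScheduledInstallDay }  # 0 = every day
        [PSCustomObject]@{ Setting = 'ScheduledInstallTime'; Expected = 3; Actual = $auProps.ScheduledInstallTime } # 03:00
        [PSCustomObject]@{ Setting = 'NoAutoUpdate';         Expected = 0; Actual = $noAutoUpdate }
    )

    # If the client is pointed at WSUS, the intranet server should be reached over HTTPS:
    # over plain HTTP an on-path attacker can tamper with the update metadata the client trusts.
    if ($auProps.UseWUServer -eq 1) {
        $checks += [PSCustomObject]@{ Setting = 'WUServer (HTTPS)'; Expected = 'https://*'; Actual = $wuProps.WUServer }
    }
    # Client-side targeting: the group name must match the WSUS computer group for this ring.
    if ($wuProps.TargetGroupEnabled -eq 1) {
        $checks += [PSCustomObject]@{ Setting = 'TargetGroup'; Expected = $Ring; Actual = $wuProps.TargetGroup }
    }

    foreach ($c in $checks) {
        # String expectations are wildcard patterns; numeric ones must match exactly.
        $pass = if ($c.Expected -is [string]) { "$($c.Actual)" -like $c.Expected } else { $c.Actual -eq $c.Expected }
        $c | Add-Member -NotePropertyName Pass -NotePropertyValue $pass
    }
    return $checks
}

# Usage (run on the server being audited; the ring is an assumption):
Test-UpdateRingPolicy -Ring Production | Format-Table -AutoSize
```

A row with `Pass` false and an empty `Actual` usually means the GPO has not applied at all (check `gpresult` as above); a non-empty wrong value usually means a second GPO with higher precedence is overriding the ring GPO.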
Step 4: Installing the WSUS Role
WSUS (Windows Server Update Services) gives you full control over which updates are approved for deployment and lets you serve update files from your own network, dramatically reducing internet bandwidth consumption in environments with many servers.
# Install the WSUS role with the Windows Internal Database (WID) backend
# For larger environments (>500 computers), use a dedicated SQL Server instance instead
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools -Verbose
# Verify the role installed successfully
Get-WindowsFeature -Name UpdateServices* | Select-Object Name, Installed
# Create the directory for WSUS update files (use a volume with ample space)
New-Item -ItemType Directory -Path "D:\WSUS" -Force
# Run the WSUS post-installation configuration
# This configures the database connection and sets the content directory
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS
# Open the WSUS Administration Console
Start-Process "C:\Program Files\Update Services\AdministrationSnapin\wsus.msc"
Step 5: Initial WSUS Configuration
After installation, WSUS requires initial configuration through the Configuration Wizard or PowerShell. Key decisions include which product classifications to synchronize and whether to sync from Microsoft Update or a parent (upstream) WSUS server.
# Connect to the WSUS server object via PowerShell
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
$WsusServer = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("WS2025-WSUS01", $false, 8530)
# Configure synchronization source (Microsoft Update)
$WsusConfig = $WsusServer.GetConfiguration()
$WsusConfig.SyncFromMicrosoftUpdate = $true
$WsusConfig.Save()
# Configure products to synchronize — add only what you need to minimize disk usage
# Note: the product and classification lists are populated by synchronization, so run a
# first sync (or the Configuration Wizard) before filtering them here
$Subscription = $WsusServer.GetSubscription()
$AllCategories = $WsusServer.GetUpdateCategories()
# Enable specific products (SetUpdateCategories expects an UpdateCategoryCollection, not a bare object or array)
$ProductCollection = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
$AllCategories | Where-Object { $_.Title -like "*Windows Server 2025*" } | ForEach-Object { $ProductCollection.Add($_) | Out-Null }
$Subscription.SetUpdateCategories($ProductCollection)
# Configure update classifications to sync (likewise an UpdateClassificationCollection)
$AllClassifications = $WsusServer.GetUpdateClassifications()
$ClassificationCollection = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$AllClassifications | Where-Object { $_.Title -in "Security Updates","Critical Updates" } | ForEach-Object { $ClassificationCollection.Add($_) | Out-Null }
$Subscription.SetUpdateClassifications($ClassificationCollection)
$Subscription.SynchronizeAutomatically = $true
$Subscription.SynchronizeAutomaticallyTimeOfDay = (New-TimeSpan -Hours 1 -Minutes 0)
$Subscription.Save()
# Start the initial synchronization (this downloads update metadata — not update files yet)
$Subscription.StartSynchronization()
# Check sync status
$WsusServer.GetSubscription().GetSynchronizationStatus()
Step 6: Creating Computer Groups and Approving Updates
WSUS computer groups map to your update ring strategy. Create groups for Pilot, Early Production, and Production, then set targeting rules so servers automatically join the right group.
# Create computer groups via PowerShell
$WsusServer.CreateComputerTargetGroup("Pilot")
$WsusServer.CreateComputerTargetGroup("EarlyProduction")
$WsusServer.CreateComputerTargetGroup("Production")
# List all computer groups
$WsusServer.GetComputerTargetGroups() | Select-Object Name, Id
# Approve a specific update for the Pilot group
$Update = $WsusServer.SearchUpdates("KB5034441") | Select-Object -First 1
$PilotGroup = $WsusServer.GetComputerTargetGroups() | Where-Object { $_.Name -eq "Pilot" }
$Update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $PilotGroup)
# Approve all Security Updates for Production group (use cautiously — always test in Pilot first)
$AllUpdates = $WsusServer.GetUpdates() | Where-Object { $_.UpdateClassificationTitle -eq "Security Updates" -and $_.IsApproved -eq $false }
$ProductionGroup = $WsusServer.GetComputerTargetGroups() | Where-Object { $_.Name -eq "Production" }
foreach ($Update in $AllUpdates) {
$Update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $ProductionGroup)
}
# Configure client-side targeting via GPO to automatically assign servers to groups
# GPO path: Computer Configuration > Admin Templates > Windows Components >
# Windows Update > "Enable client-side targeting"
# Set: Group name matching your WSUS computer group name (e.g., "Pilot")
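The bulk approval loop above pushes every unapproved security update straight to Production, which defeats the point of having a Pilot ring. The following function is an added example (not from the original article) that implements the ring promotion the text recommends: it promotes an update from Pilot to Production only after the Pilot approval is older than a soak period and the Pilot group reports no failed installations for it. The group names, soak period and server name are assumptions; the API calls are the same `Microsoft.UpdateServices.Administration` objects used in this step.

```powershell
# Added example (not part of the original article): gated promotion of updates from the
# Pilot computer group to Production. Group names, soak period and server name are assumptions.

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null

function Invoke-StagedApproval {
    param(
        [string]$WsusServerName = "WS2025-WSUS01",
        [int]$Port = 8530,
        [string]$SourceGroup = "Pilot",
        [string]$TargetGroup = "Production",
        [int]$MinSoakDays = 7,
        [switch]$DryRun          # report decisions without approving anything
    )
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServerName, $false, $Port)
    $groups = $wsus.GetComputerTargetGroups()
    $src    = $groups | Where-Object { $_.Name -eq $SourceGroup }
    $dst    = $groups | Where-Object { $_.Name -eq $TargetGroup }
    if (-not $src -or -not $dst) { throw "Computer group '$SourceGroup' or '$TargetGroup' not found on $WsusServerName" }

    # Only updates whose latest revision carries an approval are candidates (they were approved for Pilot).
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
    $cutoff  = (Get-Date).AddDays(-$MinSoakDays)

    foreach ($u in $wsus.GetUpdates($scope)) {
        $approvals   = $u.GetUpdateApprovals()
        $srcApproval = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $src.Id -and $_.Action -eq $install } |
                       Sort-Object CreationDate | Select-Object -First 1
        $dstApproval = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $dst.Id }

        # Skip updates never approved for Pilot, or already decided (approved/declined) for Production.
        if (-not $srcApproval -or $dstApproval) { continue }

        if ($srcApproval.CreationDate -gt $cutoff) {
            [PSCustomObject]@{ Title = $u.Title; Decision = 'Wait'; Reason = "Pilot approval younger than $MinSoakDays days" }
            continue
        }
        # Installation summary scoped to the Pilot group only.
        $pilot = $u.GetUpdateInstallationSummary($src)
        if ($pilot.FailedCount -gt 0) {
            [PSCustomObject]@{ Title = $u.Title; Decision = 'Hold'; Reason = "$($pilot.FailedCount) failed install(s) in $SourceGroup" }
            continue
        }
        if (-not $DryRun) { $u.Approve($install, $dst) | Out-Null }
        [PSCustomObject]@{ Title = $u.Title; Decision = 'Promote'; Reason = "Clean in $SourceGroup since $($srcApproval.CreationDate.ToShortDateString())" }
    }
}

# Usage: review the decisions first, then run again without -DryRun to apply them.
Invoke-StagedApproval -DryRun | Format-Table -AutoSize
```

Run it on the schedule that matches your ring cadence (for example daily); because every promoted update is also reported, the output doubles as an audit trail of what moved into Production and why.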
Step 7: Configuring Downstream WSUS Servers and Reporting
Large organizations with multiple sites often deploy a hierarchy: one upstream WSUS server syncs from Microsoft, and downstream WSUS servers at branch locations sync from it — serving local clients without consuming WAN bandwidth for each update download.
# On the DOWNSTREAM WSUS server: configure it to sync from upstream
$DownstreamWsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("WS2025-WSUS02", $false, 8530)
$DownstreamConfig = $DownstreamWsus.GetConfiguration()
$DownstreamConfig.SyncFromMicrosoftUpdate = $false
$DownstreamConfig.UpstreamWsusServerName = "WS2025-WSUS01"
$DownstreamConfig.UpstreamWsusServerPort = 8530
$DownstreamConfig.IsReplicaServer = $false # false = autonomous; true = replica (inherits approvals)
$DownstreamConfig.Save()
# Generate WSUS summary report for compliance visibility
$Scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$Scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$Updates = $WsusServer.GetUpdates($Scope)
$ComplianceSummary = $Updates | ForEach-Object {
$Summary = $_.GetUpdateInstallationSummary()
[PSCustomObject]@{
Update = $_.Title
NotInstalled = $Summary.NotInstalledCount
Downloaded = $Summary.DownloadedCount
Installed = $Summary.InstalledCount
Failed = $Summary.FailedCount
}
}
$ComplianceSummary | Where-Object { $_.NotInstalled -gt 0 } | Sort-Object NotInstalled -Descending |
Format-Table -AutoSize
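The per-update summary above answers "which updates are missing somewhere", but not "which servers are behind", and a server that has stopped reporting to WSUS never shows up as non-compliant because it contributes no counts at all. The script below is an added example (not from the original article) that produces the per-computer view: it flags clients whose last status report is older than a threshold as stale, then classifies the rest by failed, missing and reboot-pending approved updates. The server name and the staleness threshold are assumptions.

```powershell
# Added example (not part of the original article): per-computer compliance and stale-client
# report from WSUS. Server name and the 14-day staleness threshold are assumptions.

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null

function Get-WsusClientCompliance {
    param(
        [string]$WsusServerName = "WS2025-WSUS01",
        [int]$Port = 8530,
        [int]$StaleAfterDays = 14
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServerName, $false, $Port)
    # WSUS stores report timestamps in UTC, so compare against a UTC cutoff.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

    foreach ($c in $wsus.GetComputerTargets()) {
        # Counts cover approved updates only, i.e. what this server should have installed by now.
        $s = $c.GetUpdateInstallationSummary()
        # First explicit group besides the built-in "All Computers" (ring membership).
        $ring = ($c.GetComputerTargetGroups() | Where-Object { $_.Name -ne 'All Computers' } | Select-Object -First 1).Name

        # Assign the most severe applicable state; later assignments override earlier ones.
        $state = 'Compliant'
        if ($s.InstalledPendingRebootCount -gt 0) { $state = 'RebootPending' }
        if ($s.NotInstalledCount -gt 0)           { $state = 'Missing' }
        if ($s.FailedCount -gt 0)                 { $state = 'Failed' }
        if ($c.LastReportedStatusTime -lt $cutoff) { $state = 'Stale' }   # no trustworthy data at all

        [PSCustomObject]@{
            Computer      = $c.FullDomainName
            Ring          = $ring
            LastReported  = $c.LastReportedStatusTime
            Missing       = $s.NotInstalledCount
            Failed        = $s.FailedCount
            RebootPending = $s.InstalledPendingRebootCount
            State         = $state
        }
    }
}

# Triage order: stale clients first (no telemetry), then failures, then missing updates.
$order = @('Stale', 'Failed', 'Missing', 'RebootPending', 'Compliant')
Get-WsusClientCompliance |
    Sort-Object @{ Expression = { $order.IndexOf($_.State) } }, Computer |
    Format-Table -AutoSize
```

A stale entry is worth treating as an incident in its own right: the Windows Update service on that server may be stopped, the client may be pointed at the wrong WSUS server by a conflicting GPO, or the server may be unreachable, and in each case it is silently missing patches.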
A well-designed update management strategy on Windows Server 2025 combines the automation of PSWindowsUpdate for script-driven patching, the governance of WSUS for approval workflow and bandwidth control, and the precision of Group Policy for ring-based deferral. Start with a small Pilot ring of non-critical servers, validate that updates install without regressions, then progressively approve them for larger rings over days or weeks. Pair this cadence with a defined maintenance window schedule and automated reboot policies, and you transform patching from a stressful manual event into a routine, low-risk operation that keeps your Windows Server 2025 fleet consistently protected against the latest threats.