How to Set Up Windows Server 2016 WSUS

Windows Server Update Services (WSUS) allows administrators to centrally manage the distribution of updates released through Microsoft Update to computers in a network. Instead of each computer individually downloading updates from Microsoft, they download from the WSUS server, saving bandwidth and enabling administrators to approve, decline, and schedule updates. This guide walks through installing and configuring WSUS on Windows Server 2016.

Prerequisites

  • Windows Server 2016 with at least 4 GB RAM and 40 GB of disk space for the WSUS content directory.
  • SQL Server (optional, for larger environments) or the built-in Windows Internal Database (WID).
  • Network access to Microsoft Update or an upstream WSUS server.
  • Group Policy capability to direct clients to the WSUS server.

Step 1: Install the WSUS Role

Install WSUS with the built-in Windows Internal Database and management tools:

Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT -IncludeManagementTools

For a SQL Server backend instead of WID:

Install-WindowsFeature -Name UpdateServices, UpdateServices-DB, UpdateServices-Services, UpdateServices-RSAT -IncludeManagementTools

Step 2: Run Post-Installation Configuration

Specify the content directory where updates will be stored:

& "C:\Program Files\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR="D:\WSUS"

For a SQL Server backend:

& "C:\Program Files\Update Services\Tools\WsusUtil.exe" postinstall SQL_INSTANCE_NAME="SQLSERVERWSUS" CONTENT_DIR="D:\WSUS"

Step 3: Configure WSUS Using PowerShell

Load the WSUS administration assembly and get a reference to the WSUS server object:

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("localhost", $false, 8530)

Configure synchronization from Microsoft Update:

$config = $wsus.GetConfiguration()
$config.SyncFromMicrosoftUpdate = $true
$config.Save()

Step 4: Configure Products and Classifications

Select which products to synchronize:

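# Collect every matching product first: the subscription call replaces the whole selection
$products = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
$wsus.GetUpdateCategories() | Where-Object {$_.Title -like "*Windows Server 2016*"} | ForEach-Object {
    [void]$products.Add($_)
}
$sub = $wsus.GetSubscription()
$sub.SetUpdateCategories($products)
$sub.Save()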

More practically, configure through the WSUS console wizard at: Start > Windows Server Update Services. The initial configuration wizard lets you select:

  • Upstream server (Microsoft Update or another WSUS)
  • Proxy settings
  • Languages (English only to minimize storage)
  • Products (Windows 10, Windows Server 2016, Office, etc.)
  • Update classifications (Critical, Security, Feature Packs, etc.)

Step 5: Run Initial Synchronization

$wsus.GetSubscription().StartSynchronization()
$wsus.GetSubscription().GetSynchronizationStatus()

Or use wsusutil to trigger a sync:

& "C:\Program Files\Update Services\Tools\WsusUtil.exe" listupdates
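
StartSynchronization returns immediately, so a status call made right after it only shows that the sync has started. The following added example (not part of the original guide) waits for the sync to finish and fails loudly if the result is not a success; it assumes the $wsus object from Step 3, and the function name and its parameters are hypothetical.

```powershell
# Added example: block until the WSUS synchronization finishes, then check its result.
function Wait-WsusSync {
    param(
        [Parameter(Mandatory)] $Server,     # the $wsus object from Step 3
        [int]$PollSeconds = 30,             # hypothetical defaults
        [int]$TimeoutMinutes = 240
    )
    $sub = $Server.GetSubscription()
    # Start a sync only if one is not already running
    if ($sub.GetSynchronizationStatus() -eq 'NotProcessing') {
        $sub.StartSynchronization()
    }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $p = $sub.GetSynchronizationProgress()
        Write-Host ("{0}: {1}/{2} items" -f $p.Phase, $p.ProcessedItems, $p.TotalItems)
        if ((Get-Date) -gt $deadline) {
            throw "Synchronization still running after $TimeoutMinutes minutes"
        }
    } while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')

    # A finished sync is not necessarily a successful one
    $last = $sub.GetLastSynchronizationInfo()
    if ($last.Result -ne 'Succeeded') {
        throw "Synchronization result: $($last.Result) ($($last.Error)) $($last.ErrorText)"
    }
    $last
}

Wait-WsusSync -Server $wsus | Format-List StartTime, EndTime, Result
```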

Step 6: Create Computer Groups

Organize computers into groups for staged rollout (e.g., Test, Pilot, Production):

$wsus.CreateComputerTargetGroup("TestServers")
$wsus.CreateComputerTargetGroup("ProductionServers")

Step 7: Configure Automatic Approvals

Create rules to automatically approve critical and security updates for the test group:

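$rule = $wsus.CreateInstallApprovalRule("Auto-Approve-Critical")
# The rule setters take typed collections, so build one for the classifications
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object {$_.Title -in "Critical Updates", "Security Updates"} |
    ForEach-Object { [void]$classes.Add($_) }
$rule.SetUpdateClassifications($classes)
# Limit the rule to the test group so nothing is auto-approved for production
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$wsus.GetComputerTargetGroups() | Where-Object {$_.Name -eq "TestServers"} | ForEach-Object { [void]$groups.Add($_) }
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()
$rule.ApplyRule()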
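
The staged rollout from Steps 6 and 7 still needs a promotion step from the test group to production. The following added example (not part of the original guide) approves an update for ProductionServers only after its TestServers approval has aged a set number of days with no failed installs; it assumes the $wsus object from Step 3 and the group names from Step 6, and the function name, $SoakDays and $ReportOnly are hypothetical.

```powershell
# Added example: promote soaked test approvals to the production group.
function Copy-WsusApprovalToProduction {
    param(
        [Parameter(Mandatory)] $Server,               # the $wsus object from Step 3
        [string]$TestGroup = "TestServers",           # group names from Step 6
        [string]$ProdGroup = "ProductionServers",
        [int]$SoakDays = 7,                           # hypothetical soak period
        [switch]$ReportOnly                           # list candidates, approve nothing
    )
    $allGroups = $Server.GetComputerTargetGroups()
    $test = $allGroups | Where-Object { $_.Name -eq $TestGroup }
    $prod = $allGroups | Where-Object { $_.Name -eq $ProdGroup }
    if (-not $test -or -not $prod) { throw "Both target groups must exist" }

    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    # WSUS API timestamps are UTC
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)

    foreach ($update in $Server.GetUpdates($scope)) {
        if ($update.IsDeclined -or $update.IsSuperseded) { continue }
        $inTest = $update.GetUpdateApprovals($test) | Where-Object { $_.Action -eq $install }
        $inProd = $update.GetUpdateApprovals($prod) | Where-Object { $_.Action -eq $install }
        if (-not $inTest -or $inProd) { continue }

        # Promote only once the newest test approval is older than the soak period
        $newest = ($inTest | Sort-Object CreationDate -Descending | Select-Object -First 1).CreationDate
        if ($newest -gt $cutoff) { continue }

        # Hold back anything that failed to install on a test machine
        if ($update.GetSummaryForComputerTargetGroup($test).FailedCount -gt 0) {
            "Held (failed in test): $($update.Title)"
            continue
        }
        if ($ReportOnly) {
            "Would approve: $($update.Title)"
        } else {
            [void]$update.Approve($install, $prod)
            "Approved: $($update.Title)"
        }
    }
}

Copy-WsusApprovalToProduction -Server $wsus -ReportOnly
```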

Step 8: Configure Clients via Group Policy

Direct Windows clients to the WSUS server using Group Policy. Navigate to:

Computer Configuration > Administrative Templates > Windows Components > Windows Update

Key settings to configure:

  • “Specify intranet Microsoft update service location” — set to http://wsus-server:8530
  • “Configure Automatic Updates” — set to option 4 (Auto download and schedule the install)
  • “Enable client-side targeting” — set the computer group name

Using PowerShell to set registry values directly:

$wsusKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# Creating the AU subkey with -Force also creates the parent key if it is missing
if (-not (Test-Path "$wsusKey\AU")) { New-Item -Path "$wsusKey\AU" -Force | Out-Null }
Set-ItemProperty -Path $wsusKey -Name "WUServer" -Value "http://wsus-server.corp.local:8530"
Set-ItemProperty -Path $wsusKey -Name "WUStatusServer" -Value "http://wsus-server.corp.local:8530"
Set-ItemProperty -Path "$wsusKey\AU" -Name "UseWUServer" -Value 1 -Type DWord
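
To confirm that a client actually received these settings, the following added example (not part of the original guide) reads the policy values back and lists every mismatch. It also reports the URL scheme, since WSUS can be served over HTTPS (port 8531 by default) instead of plain HTTP. The function name is hypothetical and the expected server URL and group name are the guide's sample values.

```powershell
# Added example: audit the Step 8 Windows Update policy values on a client.
function Test-WsusClientPolicy {
    param(
        # Assumed expected values, taken from the sample names used in this guide
        [string]$ExpectedServer = "http://wsus-server.corp.local:8530",
        [string]$ExpectedGroup  = "TestServers"
    )
    $wuKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $findings = @()
    if ($wu.WUServer -ne $ExpectedServer) {
        $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
    }
    if ($wu.WUStatusServer -ne $wu.WUServer) {
        $findings += "WUStatusServer differs from WUServer"
    }
    # Without UseWUServer = 1 the client ignores WUServer
    if ($au.UseWUServer -ne 1) { $findings += "AU\UseWUServer is not 1" }
    # 4 = auto download and schedule the install
    if ($au.AUOptions -ne 4) { $findings += "AU\AUOptions is '$($au.AUOptions)', expected 4" }
    # Client-side targeting needs both the enable switch and the group name
    if ($wu.TargetGroupEnabled -ne 1 -or $wu.TargetGroup -ne $ExpectedGroup) {
        $findings += "Client-side targeting is not set to '$ExpectedGroup'"
    }

    $uri = $wu.WUServer -as [uri]
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        WUServer  = $wu.WUServer
        Scheme    = if ($uri -and $uri.IsAbsoluteUri) { $uri.Scheme } else { $null }
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-WsusClientPolicy | Format-List
```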

Step 9: Run WSUS Server Cleanup

Regularly clean up the WSUS database to remove obsolete updates and free disk space:

$cleanup = $wsus.GetCleanupManager()
$cleanupScope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$cleanupScope.DeclineSupersededUpdates = $true
$cleanupScope.DeclineExpiredUpdates = $true
$cleanupScope.CleanupObsoleteUpdates = $true
$cleanupScope.CompressUpdates = $true
$cleanupScope.CleanupUnneededContentFiles = $true
$cleanupScope.CleanupLocalPublishedContentFiles = $true
$cleanup.PerformCleanup($cleanupScope)

Summary

WSUS on Windows Server 2016 provides centralized patch management, reducing bandwidth consumption and giving administrators control over which updates are deployed. By combining WSUS with Group Policy, staged computer groups, and regular cleanup maintenance, organizations can maintain up-to-date systems while minimizing risk from untested updates.