How to Set Up Windows Server 2016 Patch Management with WSUS

Windows Server Update Services (WSUS) is Microsoft’s free server role that enables administrators to manage the distribution of updates released through Microsoft Update to computers in a network. Rather than having each server and workstation download updates directly from Microsoft, WSUS downloads updates once and distributes them internally. This reduces internet bandwidth consumption, gives administrators control over which updates are deployed and when, and provides centralized reporting on patch compliance across the organization. This guide covers the complete setup and configuration of WSUS on Windows Server 2016 for managing patches across your environment.

Installing the WSUS Role

WSUS is installed as a Windows Server role. Before installing, decide where you want to store the update files. WSUS can store updates locally on the server (recommended for full control) or download them on demand from Microsoft. For most environments, local storage is preferred. Ensure you have sufficient disk space — a typical WSUS database can require 50 GB or more depending on the number of products and classifications synchronized.

Install the WSUS role using PowerShell from an elevated prompt. The following command installs the WSUS role together with the Windows Internal Database (WID); the update storage location (D:\WSUS in this guide) is set in the post-install step that follows:

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

After the role is installed, run the post-install configuration to set up the content directory and database. This step is required before WSUS will function:

& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR="D:\WSUS"

Initial WSUS Configuration

Open the WSUS Administration Console from Server Manager or by running wsus.msc from the Run dialog. The WSUS Configuration Wizard will launch automatically on first open. Work through the wizard to configure the upstream synchronization source. For internet-connected WSUS servers, choose “Synchronize from Microsoft Update.” For internal hierarchical WSUS deployments, you would point downstream servers to an upstream WSUS server.

Configure a proxy server if your network requires one for internet access. Specify the proxy server address and credentials if authentication is required.

Select the languages for which you want to download updates. Limiting languages to only those needed significantly reduces disk space usage and synchronization time. For most English-only environments, deselect all languages except English.

Select the products you want to manage updates for. At minimum, select Windows Server 2016. You can also include other Microsoft products such as Microsoft 365, SQL Server, and Exchange Server if you want WSUS to manage those updates as well.

Choose update classifications. Common selections include Critical Updates, Security Updates, Update Rollups, and Definition Updates. Service Packs and Feature Packs are optional depending on your update strategy.
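The wizard steps above (upstream source, proxy, languages, products and classifications) can also be scripted. The following is an added example, not code from the article, that does the same work through the WSUS administration API and the UpdateServices module on the WSUS server itself. The proxy host proxy.yourdomain.com:8080 is a placeholder, and the category-only synchronization is needed because the product and classification catalogue is empty until the server has contacted its upstream source once.

```powershell
# Added example: scripted equivalent of the WSUS Configuration Wizard.
# Assumes it runs on the WSUS server; proxy values are placeholders.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
Import-Module UpdateServices
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

# 1. Upstream source: Microsoft Update (a downstream server would point at an upstream WSUS instead)
$config.SyncFromMicrosoftUpdate = $true

# 2. Proxy, only if the network requires one (assumed placeholder values)
$useProxy = $false
if ($useProxy) {
    $config.UseProxy             = $true
    $config.ProxyName            = "proxy.yourdomain.com"
    $config.ProxyServerPort      = 8080
    $config.AnonymousProxyAccess = $true   # set $false and use ProxyUserName/SetProxyPassword() for authenticated proxies
}

# 3. Languages: English only, which keeps disk usage and sync time down
$config.AllUpdateLanguagesEnabled = $false
$languages = New-Object System.Collections.Specialized.StringCollection
[void]$languages.Add("en")
$config.SetEnabledUpdateLanguages($languages)
$config.Save()   # nothing above is persisted until Save() is called

# The product/classification catalogue is only populated after a category-only sync
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
while ($subscription.GetSynchronizationStatus() -ne [Microsoft.UpdateServices.Administration.SynchronizationStatus]::NotProcessing) {
    Start-Sleep -Seconds 10
}

# 4. Products: Windows Server 2016 only (add other products by title as needed)
Get-WsusProduct | Where-Object { $_.Product.Title -eq "Windows Server 2016" } | Set-WsusProduct

# 5. Classifications matching the selections discussed above
$wanted = @("Critical Updates", "Security Updates", "Update Rollups", "Definition Updates")
Get-WsusClassification | Where-Object { $_.Classification.Title -in $wanted } | Set-WsusClassification

# Report what the subscription now covers
"Products:        " + (($subscription.GetUpdateCategories()      | ForEach-Object Title) -join ", ")
"Classifications: " + (($subscription.GetUpdateClassifications() | ForEach-Object Title) -join ", ")
```

Run it once after the post-install step; it is safe to re-run because every call sets the desired state rather than toggling it. The category-only sync can take several minutes on first contact with Microsoft Update.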

Setting Up Synchronization Schedule

Configure WSUS to automatically synchronize with its upstream source on a regular schedule. In the WSUS console, click on Options in the left pane, then Synchronization Schedule. Choose “Synchronize automatically” and set the synchronization to occur daily, ideally during off-peak hours such as 2:00 AM. Configure it to synchronize once per day initially; you can increase this if you need faster access to newly released updates.

To configure synchronization via PowerShell:

# Load the WSUS administration assembly (present on the WSUS server)
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()
$config.SyncFromMicrosoftUpdate = $true
$config.Save()   # server configuration changes are discarded unless Save() is called
$schedule = $wsus.GetSubscription()
$schedule.SynchronizeAutomatically = $true
# The time of day is interpreted as UTC, not server local time
$schedule.SynchronizeAutomaticallyTimeOfDay = (New-TimeSpan -Hours 2)
$schedule.NumberOfSynchronizationsPerDay = 1
$schedule.Save()
# Start the first full synchronization immediately rather than waiting for the schedule
$wsus.GetSubscription().StartSynchronization()

Creating Computer Groups

WSUS computer groups allow you to target updates to specific sets of servers. Create groups that reflect your environment’s structure, such as production servers, test servers, and workstations. This allows you to deploy updates to test systems first, validate they do not cause issues, then approve them for production.

In the WSUS console, expand Computers, right-click “All Computers,” and select “Add Computer Group.” Create groups such as “Test Servers,” “Production Servers,” and “Domain Controllers.” Computers are assigned to groups either manually or automatically via Group Policy.

To assign computers to WSUS groups via Group Policy, create or edit a GPO applied to the target computers. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update. Enable “Enable client-side targeting” and specify the WSUS computer group name. Computers will automatically appear in the correct group in WSUS after the next update check.
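Creating the groups and wiring up client-side targeting can be scripted as well. The block below is an added example, not the article's code: it creates the three groups named above, switches the server to client-side targeting (the GPO setting "Enable client-side targeting" is ignored unless WSUS itself is set to use group policy or registry settings rather than the console for group membership), and builds one GPO for the Test Servers group carrying both the targeting values and the intranet update server values. The GPO name, the OU distinguished name and the WSUS URL are assumptions; the GroupPolicy module must be available on a domain-joined administrative host.

```powershell
# Added example: WSUS computer groups plus a GPO for client-side targeting.
# Group names follow the article; GPO name, OU and WSUS URL are placeholders.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Create the groups if they do not already exist (re-runnable)
$groupNames = @("Test Servers", "Production Servers", "Domain Controllers")
$existing   = $wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name }
foreach ($name in $groupNames) {
    if ($existing -contains $name) {
        Write-Host "Group already exists: $name"
    } else {
        [void]$wsus.CreateComputerTargetGroup($name)
        Write-Host "Created group: $name"
    }
}

# Client-side targeting only takes effect when the server is told to honour it
$config = $wsus.GetConfiguration()
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()

# GPO for the Test Servers group (assumed name and OU); one GPO per group is the usual layout
Import-Module GroupPolicy
$gpoName = "WSUS - Test Servers"
$wsusUrl = "http://wsus-server.yourdomain.com:8530"      # placeholder; use https://...:8531 with SSL
$targetOu = "OU=Test Servers,DC=yourdomain,DC=com"       # placeholder
if (-not (Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPO -Name $gpoName | Out-Null
}
$key = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# Client-side targeting: group name as it appears in the WSUS console
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "TargetGroupEnabled" -Type DWord  -Value 1              | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "TargetGroup"        -Type String -Value "Test Servers" | Out-Null
# Intranet update service and statistics server (the same values the later GPO section sets by hand)
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "WUServer"       -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "WUStatusServer" -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$key\AU" -ValueName "UseWUServer" -Type DWord -Value 1       | Out-Null
New-GPLink -Name $gpoName -Target $targetOu | Out-Null
Write-Host "Linked '$gpoName' to $targetOu"
```

Computers covered by the link show up under Test Servers after their next detection cycle. Repeat the GPO portion with a different group name and OU for Production Servers and Domain Controllers.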

Approving Updates

Updates must be approved in WSUS before they are distributed to client computers. Navigate to Updates in the WSUS console to see available updates. Filter by classification, product, and approval status to find updates you want to review. Right-click an update and select “Approve” to approve it for installation to selected computer groups.

The recommended approval workflow is to approve updates for the Test Servers group first. After verifying updates install correctly on test systems over a period of one to two weeks, approve the same updates for Production Servers. This staged deployment approach reduces the risk of problematic updates impacting critical production systems.

To automate update approvals using PowerShell for critical and security updates:

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$testGroup = $wsus.GetComputerTargetGroups() | Where-Object {$_.Name -eq "Test Servers"}
if (-not $testGroup) { throw "Computer group 'Test Servers' does not exist" }
# Unapproved Critical and Security updates; skip declined ones so this does not silently undo a decline
$updates = $wsus.GetUpdates() | Where-Object {$_.UpdateClassificationTitle -in @("Critical Updates","Security Updates") -and $_.IsApproved -eq $false -and $_.IsDeclined -eq $false}
foreach ($update in $updates) {
    # Approve() fails for updates whose licence agreement has not been accepted
    if ($update.RequiresLicenseAgreement) { $update.AcceptLicenseAgreement() }
    # Test group only; production is approved after the soak period
    [void]$update.Approve("Install", $testGroup)
    Write-Host "Approved: $($update.Title)"
}
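The second half of the staged workflow, promoting updates from Test Servers to Production Servers, can be automated on the same API. The following added example (not from the article) approves for production only those updates that have been approved for the test group for at least a soak period and that report no failed installations on any test machine. The 14-day soak period is an assumption matching the one-to-two-week window described above.

```powershell
# Added example: promote updates from "Test Servers" to "Production Servers"
# once they have soaked for $MinimumSoakDays with no failed installs on test systems.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$MinimumSoakDays = 14   # assumed soak period

$groups = $wsus.GetComputerTargetGroups()
$test = $groups | Where-Object { $_.Name -eq "Test Servers" }
$prod = $groups | Where-Object { $_.Name -eq "Production Servers" }
if (-not $test -or -not $prod) { throw "Both 'Test Servers' and 'Production Servers' groups must exist" }

$cutoff      = (Get-Date).AddDays(-$MinimumSoakDays)
$failedState = [Microsoft.UpdateServices.Administration.UpdateInstallationState]::Failed

foreach ($update in ($wsus.GetUpdates() | Where-Object { -not $_.IsDeclined })) {
    # Current "Install" approval for the test group, if any
    $testApproval = $update.GetUpdateApprovals($test) |
                    Where-Object { $_.Action -eq "Install" } | Select-Object -First 1
    if (-not $testApproval) { continue }                          # never approved for test
    if ($testApproval.CreationDate -gt $cutoff) { continue }      # still inside the soak period
    if ($update.GetUpdateApprovals($prod) | Where-Object { $_.Action -eq "Install" }) { continue }  # already in production

    # Any failed installation on a test machine blocks promotion
    $failures = @($update.GetUpdateInstallationInfoPerComputerTarget($test) |
                  Where-Object { $_.UpdateInstallationState -eq $failedState })
    if ($failures.Count -gt 0) {
        Write-Warning "Holding '$($update.Title)': $($failures.Count) failed install(s) on Test Servers"
        continue
    }

    if ($update.RequiresLicenseAgreement) { $update.AcceptLicenseAgreement() }
    [void]$update.Approve("Install", $prod)
    Write-Host "Promoted to production: $($update.Title)"
}
```

Scheduling this as a daily task on the WSUS server after the synchronization window gives a predictable promotion cadence, and the warnings it writes are the list of updates that need a human look before they reach production.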

Configuring Client Computers to Use WSUS

Configure Windows Server 2016 client computers to use the WSUS server via Group Policy. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update. Enable “Specify intranet Microsoft update service location” and set both the update service URL and the statistics server URL to your WSUS server address:

http://wsus-server.yourdomain.com:8530

Port 8530 is the default HTTP port for WSUS. If you configured WSUS with SSL, use port 8531 and the HTTPS URL. After applying the Group Policy, force a Group Policy update on client servers and then trigger a Windows Update check:

gpupdate /force
wuauclt.exe /detectnow
# Windows Server 2016 ignores wuauclt /detectnow; this triggers the detection cycle instead:
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Verify the client is connecting to WSUS by checking the WindowsUpdate.log file or reviewing computer status in the WSUS console. Properly configured WSUS patch management significantly improves your organization’s security posture and ensures consistent update deployment across all Windows Server 2016 systems.
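The client-side check described above can be made repeatable. The block below is an added example, not the article's code: run on a Windows Server 2016 client, it reads the effective Windows Update policy values from the registry, flags the common misconfigurations (UseWUServer not set, statistics server pointing elsewhere, targeting enabled without a group name), triggers a detection cycle, and decodes the update log. On Server 2016 the Windows Update client writes ETW traces rather than a plain-text WindowsUpdate.log, so Get-WindowsUpdateLog is used to produce a readable file. The expected server URL is the article's placeholder.

```powershell
# Added example: verify a Windows Server 2016 client's WSUS configuration.
# $ExpectedServer defaults to the article's placeholder URL.
function Test-WsusClientConfig {
    param([string]$ExpectedServer = "http://wsus-server.yourdomain.com:8530")

    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $wu = Get-ItemProperty -Path $policyKey      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

    $problems = @()
    if (-not $au -or $au.UseWUServer -ne 1) {
        $problems += "UseWUServer is not 1; the client will keep using Microsoft Update"
    }
    if (-not $wu -or -not $wu.WUServer) {
        $problems += "WUServer policy is not set"
    } elseif ($wu.WUServer -ne $ExpectedServer) {
        $problems += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
    }
    if ($wu -and $wu.WUStatusServer -ne $wu.WUServer) {
        $problems += "WUStatusServer differs from WUServer; status reports will go elsewhere"
    }
    if ($wu -and $wu.TargetGroupEnabled -eq 1 -and -not $wu.TargetGroup) {
        $problems += "Client-side targeting is enabled but TargetGroup is empty"
    }
    if ($wu -and $wu.WUServer -like "http://*") {
        Write-Warning "WSUS is reached over plain HTTP (8530); the SSL configuration on 8531 mentioned above is preferable"
    }

    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        TargetGroup    = $wu.TargetGroup
        Problems       = $problems
    }
}

$result = Test-WsusClientConfig
$result | Format-List
if ($result.Problems.Count -eq 0) {
    # wuauclt /detectnow is ignored on Server 2016; this COM call starts a scan against WSUS
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    # Decode the ETW traces into a readable log and show the lines that name the WSUS server and group
    $log = Join-Path $env:TEMP "WindowsUpdate.log"
    Get-WindowsUpdateLog -LogPath $log
    Select-String -Path $log -Pattern "WSUS server|Target group" | Select-Object -Last 10
}
```

Run it in an elevated PowerShell session after gpupdate; the Problems list is empty on a correctly configured client, and the log excerpt should name the WSUS server and, where client-side targeting is used, the expected group. Get-WindowsUpdateLog can take a minute or two on first use because it resolves symbols for the trace providers.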