Understanding Windows Update on Server 2022
Keeping Windows Server 2022 up to date is one of the most fundamental security and stability responsibilities of any system administrator. Microsoft releases cumulative updates for Windows Server 2022 on the second Tuesday of each month (Patch Tuesday), with additional out-of-band security updates released as needed for critical vulnerabilities.
Windows Server 2022 supports several update delivery mechanisms: direct Windows Update via Settings or GUI, the PSWindowsUpdate PowerShell module, Windows Server Update Services (WSUS) for centralised management, and Windows Update for Business (WUfB) for policy-driven management in Azure AD or domain environments.
Checking and Installing Updates via Settings
For interactive management on a single server, the Windows Update settings panel is the simplest interface. Open it with:
start ms-settings:windowsupdate
Or navigate to Settings > Windows Update. From here you can check for updates, view update history, configure active hours to prevent restarts during business hours, and access advanced options including optional updates and feature updates.
The legacy wuauclt switches still turn up in older runbooks, but on Server 2016 and later the Windows Update Agent ignores them, so on Server 2022 they are effectively no-ops:
wuauclt /detectnow
wuauclt /updatenow
On Server 2022 use UsoClient (the Update Session Orchestrator client) instead. It returns immediately with no console output, so confirm the outcome in Settings or with Get-WindowsUpdateLog:
UsoClient StartScan
UsoClient StartDownload
UsoClient StartInstall
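Because UsoClient reports nothing back, a practitioner usually wants a scriptable way to see what is actually pending without installing a third-party module. The following is an added example (not code from the original page) that queries the built-in Windows Update Agent COM API directly; the exit code makes it usable as a compliance probe from a scheduler or monitoring agent. It assumes an elevated session on the server itself.

```powershell
# Enumerate pending updates with the built-in Windows Update Agent COM API.
# Added example; no third-party module required.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# WUA search-criteria syntax: not installed, software (not driver), not hidden.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity                       # Critical / Important / Moderate / Low / blank
        Category = ($u.Categories | Select-Object -First 1 -ExpandProperty Name)
        SizeMB   = [math]::Round($u.MaxDownloadSize / 1MB, 1)
        Title    = $u.Title
    }
}

$pending | Sort-Object Severity, KB | Format-Table -AutoSize

# When the agent last scanned and last installed successfully, as the OS records it
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$au.Results | Select-Object LastSearchSuccessDate, LastInstallationSuccessDate

# Non-zero exit if any Critical/Important update is outstanding, so the script
# doubles as a pass/fail compliance check.
$missing = @($pending | Where-Object { $_.Severity -in 'Critical', 'Important' })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) Critical/Important update(s) pending"
    exit 1
}
```

The Search() call goes to whichever update source the client is configured for (Windows Update, or WSUS if the intranet policy is set), so the result reflects what the server would actually install, not what Microsoft has published.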
Managing Updates with PSWindowsUpdate
The PSWindowsUpdate module, published on the PowerShell Gallery, provides a command-line and scripting interface for Windows Update that is far more capable than wuauclt. It is a community-maintained module, not a Microsoft product, so treat it like any other third-party dependency: install it from the Gallery (PSGallery is untrusted by default, which is why -Force is needed to suppress the prompt), pin the version you tested, and review the code before rolling it out fleet-wide. Install it on Server 2022 from an elevated PowerShell session:
Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
Import-Module PSWindowsUpdate
If the server does not have internet access, download the module on a connected machine with Save-Module -Name PSWindowsUpdate -Path <folder> and copy the resulting PSWindowsUpdate folder to C:\Program Files\WindowsPowerShell\Modules on the server.
Check for available updates without installing them:
Get-WindowsUpdate
List all available updates including KB numbers, sizes, and categories:
Get-WindowsUpdate -MicrosoftUpdate | Select-Object Title, KB, Size, MsrcSeverity | Format-Table -AutoSize
Install all available updates and automatically reboot if required:
Install-WindowsUpdate -AcceptAll -AutoReboot
Install only security updates (no optional or driver updates):
Install-WindowsUpdate -Category "Security Updates" -AcceptAll -AutoReboot
Install a specific update by KB number:
Install-WindowsUpdate -KBArticleID KB5035857 -AcceptAll
Exclude a specific KB from installation (useful to defer a problematic update):
Install-WindowsUpdate -AcceptAll -NotKBArticleID KB5035857
Check update history (installed updates with dates):
Get-WUHistory | Select-Object -First 20 Title, Date, Result | Format-Table
Run updates remotely on another server using PSWindowsUpdate's built-in remoting support. Invoke-WUJob creates a scheduled task on the target that runs the script as SYSTEM, which sidesteps the Windows Update Agent's refusal to install updates from a remote (network logon) session. It needs WinRM access to the target and the module installed there, and -Script takes a string:
Invoke-WUJob -ComputerName SRV-WEB01 -Script "Import-Module PSWindowsUpdate; Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File 'C:\Logs\wu_$(Get-Date -Format yyyyMMdd).log'" -Confirm:$false -RunNow
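The cmdlets above all accept -ComputerName, which makes a fleet-wide compliance sweep a short script. The following is an added example (not from the original page) that reports pending updates, outstanding Critical/Important updates, reboot state and last install date for a list of servers. The server names and the output path are placeholders; it assumes WinRM is enabled and PSWindowsUpdate is installed on every target, and that Get-WURebootStatus -Silent returns a boolean as the module documents.

```powershell
# Patch-compliance sweep with PSWindowsUpdate. Added example; names are placeholders.
Import-Module PSWindowsUpdate
$servers = 'SRV-WEB01', 'SRV-DB01', 'SRV-APP01'

$report = foreach ($s in $servers) {
    try {
        $pending = @(Get-WindowsUpdate -ComputerName $s -MicrosoftUpdate -ErrorAction Stop)
        $reboot  = Get-WURebootStatus -ComputerName $s -Silent
        $last    = Get-WUHistory -ComputerName $s -Last 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server        = $s
            Pending       = $pending.Count
            CritImportant = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' }).Count
            RebootPending = [bool]$reboot
            LastInstall   = $last.Date
            Status        = 'OK'
        }
    } catch {
        # An unreachable host is a finding too; keep it in the report rather than dropping it.
        [pscustomobject]@{
            Server = $s; Pending = $null; CritImportant = $null
            RebootPending = $null; LastInstall = $null
            Status = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object CritImportant -Descending | Format-Table -AutoSize
$report | Export-Csv -Path "C:\Logs\patch-compliance-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Sorting by CritImportant puts the hosts missing security fixes at the top, and the ERROR rows tell you which machines the sweep could not assess, which in practice is where unpatched systems hide.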
Configuring Windows Update via Group Policy
Group Policy is the standard way to configure Windows Update settings across multiple servers in a domain environment. On a standalone server, you use the Local Group Policy Editor (gpedit.msc).
The Windows Update settings are at: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Key policies to configure:
Configure Automatic Updates — Controls whether Windows Update is automatic. Option 4 (Auto download and schedule the install) is the most common setting for servers. You specify the day and time for installation. This prevents updates from being applied at random times.
Specify intranet Microsoft update service location — Points the server at your WSUS server rather than Windows Update on the internet. Set both the intranet update service URL and the intranet statistics server to your WSUS server address (e.g., http://wsus-server:8530, or https://wsus-server:8531 once a certificate is bound in IIS on the WSUS server). Prefer HTTPS: the client trusts whatever this URL serves as its update source, and Microsoft recommends TLS for the WSUS connection precisely because plain-HTTP update metadata can be tampered with in transit.
Enable client-side targeting — Assigns this computer to a specific WSUS target group (e.g., “Production-Servers” or “Test-Group”). This determines which updates are approved for this machine in WSUS.
No auto-restart with logged on users for scheduled automatic update installations — Prevents automatic reboots when users are connected. Important for RDS or shared servers.
Automatic Updates detection frequency — Controls how often Windows Update checks for updates. The default is 22 hours with a random offset. In a WSUS environment, reducing this to 1 hour improves update compliance speed.
Apply the Group Policy after making changes:
gpupdate /force
Verify the applied settings by reading the registry keys that Group Policy writes:
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" | Format-List
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" | Format-List
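Those registry keys are also the right place to apply the same policies on a standalone server or in an image build, where no domain GPO reaches. The following is an added example (not from the original page) that sets every policy listed in this section directly under HKLM\SOFTWARE\Policies and then verifies that the client has switched to the WSUS source. The WSUS host name, port and target group name are placeholders.

```powershell
# Configure the WSUS client policies from this section via the Policies registry hive.
# Added example; wsus-server, 8531 and Production-Servers are placeholders.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"
New-Item -Path $AU -Force | Out-Null

# Specify intranet Microsoft update service location (HTTPS on 8531)
Set-ItemProperty $WU -Name WUServer       -Value 'https://wsus-server:8531' -Type String
Set-ItemProperty $WU -Name WUStatusServer -Value 'https://wsus-server:8531' -Type String
Set-ItemProperty $AU -Name UseWUServer    -Value 1 -Type DWord

# Enable client-side targeting
Set-ItemProperty $WU -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty $WU -Name TargetGroup        -Value 'Production-Servers' -Type String

# Configure Automatic Updates: option 4, install on Sunday at 03:00
Set-ItemProperty $AU -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty $AU -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty $AU -Name ScheduledInstallDay  -Value 1 -Type DWord   # 0 = every day, 1 = Sunday .. 7 = Saturday
Set-ItemProperty $AU -Name ScheduledInstallTime -Value 3 -Type DWord   # hour of day, 0-23

# No auto-restart with logged on users
Set-ItemProperty $AU -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Automatic Updates detection frequency: every 4 hours (policy range is 1-22)
Set-ItemProperty $AU -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty $AU -Name DetectionFrequency        -Value 4 -Type DWord

# Pick up the new policy and force a check-in with WSUS
Restart-Service wuauserv
UsoClient StartScan

# Verify: the values that landed, and whether the agent now treats WSUS as its source
Get-ItemProperty $WU | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty $AU | Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, DetectionFrequency
(New-Object -ComObject Microsoft.Update.ServiceManager).Services |
    Where-Object IsDefaultAUService | Select-Object Name, IsManaged
```

The last line should show a managed service named Windows Server Update Service; if it still reports Windows Update with IsManaged False, the agent has not picked up UseWUServer and nothing you approve in WSUS will reach this host.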
Setting Up a WSUS Server
Windows Server Update Services (WSUS) is a server role that allows you to download updates from Microsoft once and distribute them to all servers and workstations on your network. This reduces internet bandwidth consumption and gives administrators control over which updates are approved before deployment.
Install the WSUS role and management tools on a dedicated server (or your management server). WSUS requires a database — WID (Windows Internal Database) is sufficient for environments with fewer than 500 clients:
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT -IncludeManagementTools
After installation, run the post-install configuration to specify the content directory where updates will be stored. Choose a drive with sufficient space — a full WSUS content store for Windows Server and Windows 10/11 can easily exceed 100 GB:
& "C:\Program Files\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=D:\WSUS
If using SQL Server instead of WID, specify the SQL instance:
Install-WindowsFeature -Name UpdateServices, UpdateServices-DB, UpdateServices-Services, UpdateServices-RSAT -IncludeManagementTools
& "C:\Program Files\Update Services\Tools\WsusUtil.exe" postinstall SQL_INSTANCE_NAME=WSUS-SRV\SQLEXPRESS CONTENT_DIR=D:\WSUS
After postinstall completes, open the WSUS management console (from the same PowerShell session) to run the initial configuration wizard:
mmc "$env:ProgramFiles\Update Services\AdmConsole\wsus.msc"
In the wizard, you choose whether to synchronise from Microsoft Update or an upstream WSUS server, select products to synchronise (choose specific Windows Server versions rather than all products to limit storage), select update classifications (Critical Updates, Security Updates, Service Packs — avoid selecting all classifications initially), and set a synchronisation schedule.
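The wizard's choices are all exposed by the UpdateServices module that the role installs, so the same initial configuration can be scripted and reproduced on a rebuilt server. The following is an added example (not from the original page) that performs the wizard's steps in order. Product titles are the ones shown in the console (Microsoft lists Windows Server 2022 as "Microsoft Server operating system-21H2"), the classification names are standard, and the 02:00 schedule is a placeholder; it assumes WsusUtil postinstall has already completed on this server.

```powershell
# Script the WSUS initial-configuration wizard. Added example; run on the WSUS server.
Import-Module UpdateServices
$wsus = Get-WsusServer                 # local server, default port 8530
$sub  = $wsus.GetSubscription()

# Synchronise from Microsoft Update rather than an upstream WSUS server
Set-WsusServerSynchronization -SyncFromMU

# The product and classification lists are empty until a category-only sync has run
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 10 }

# Products: only the server versions actually in use, to keep the content store small
Get-WsusProduct |
    Where-Object { $_.Product.Title -in 'Microsoft Server operating system-21H2', 'Windows Server 2019' } |
    Set-WsusProduct

# Classifications: the security-relevant ones first; add more later if needed
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Security Updates', 'Update Rollups' } |
    Set-WsusClassification

# One automatic synchronisation per day at 02:00 (server local time, stored as UTC offset)
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2
$sub.NumberOfSynchronizationsPerDay    = 1
$sub.Save()

# Start the first full synchronisation now and report its state
$sub.StartSynchronization()
$sub.GetSynchronizationStatus()
```

Selecting products by exact title rather than wildcard matters here: a pattern like *Server* would also pull in SQL Server and Exchange catalogues and multiply the content store size.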
Approving Updates in WSUS
WSUS uses an approval workflow: updates are downloaded during synchronisation but are not installed on clients until they are explicitly approved. This is the central value of WSUS — you control exactly which updates reach production systems and when.
Create computer groups in the WSUS console to separate your fleet (for example: Test-Servers, Stage-Servers, Production-Servers). Approve updates for Test-Servers first, wait several days to verify stability, then approve for Production-Servers.
To approve an update for a specific computer group via PowerShell, use the WSUS API. Load the WSUS assembly first, then approve the security updates that are not yet approved, skipping anything already declined or superseded so you do not push obsolete packages to the test group:
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("localhost", $false, 8530)
$Group = $WSUS.GetComputerTargetGroups() | Where-Object { $_.Name -eq "Test-Servers" }
$Updates = @($WSUS.GetUpdates() | Where-Object { -not $_.IsApproved -and -not $_.IsDeclined -and -not $_.IsSuperseded -and $_.UpdateClassificationTitle -eq "Security Updates" })
foreach ($Update in $Updates) {
    # Approve for Install scoped to the one target group; other groups are untouched
    [void]$Update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $Group)
}
Write-Host "Approved $($Updates.Count) security updates for Test-Servers"
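The second half of the staged workflow, promoting to production only what has soaked in the test ring without failures, is where the approval API earns its keep. The following is an added example (not from the original page) that walks every approved update, checks how long it has been approved for Test-Servers and whether any test machine reports a failed install, and approves it for Production-Servers only when both conditions pass. Group names and the seven-day soak period are placeholders; it uses the same WSUS API as the block above and assumes the test group has reported in since the approval.

```powershell
# Promote soaked, failure-free updates from Test-Servers to Production-Servers.
# Added example; group names and $SoakDays are placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus     = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)
$test     = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Test-Servers' }
$prod     = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Production-Servers' }
$SoakDays = 7
$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Only look at updates that have an approval somewhere; cheaper than GetUpdates() with no scope
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$promoted = 0
$held     = @()
foreach ($u in $wsus.GetUpdates($scope)) {
    if ($u.IsDeclined -or $u.IsSuperseded) { continue }

    $testApproval = $u.GetUpdateApprovals($test) | Where-Object { $_.Action -eq $install } | Select-Object -First 1
    if (-not $testApproval) { continue }                                                   # never went to Test
    if ($u.GetUpdateApprovals($prod) | Where-Object { $_.Action -eq $install }) { continue } # already in Prod

    $age = (Get-Date) - $testApproval.CreationDate
    $sum = $u.GetSummaryForComputerTargetGroup($test)   # install results from the test ring

    # Hold if it has not soaked long enough, any test host failed, or no test host has installed it yet
    if ($age.TotalDays -lt $SoakDays -or $sum.FailedCount -gt 0 -or $sum.InstalledCount -eq 0) {
        $held += [pscustomobject]@{
            KB        = ($u.KnowledgebaseArticles -join ',')
            Days      = [int]$age.TotalDays
            Failed    = $sum.FailedCount
            Installed = $sum.InstalledCount
            Title     = $u.Title
        }
        continue
    }

    [void]$u.Approve($install, $prod)
    $promoted++
}

Write-Host "Promoted $promoted update(s) to Production-Servers"
if ($held) { Write-Host 'Held back:'; $held | Format-Table -AutoSize }
```

The InstalledCount check is the one people forget: an update that no test machine has installed yet (because the test ring has not checked in, or all of them report Not Applicable) has not been tested at all, and "zero failures" on its own would wave it through.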
WSUS Maintenance and Cleanup
Without regular maintenance, the WSUS database and content store grow very large and WSUS performance degrades. The WSUS Server Cleanup Wizard removes superseded updates, expired updates, and unnecessary files from the content directory.
Run the cleanup wizard from the WSUS console Actions panel, use the Invoke-WsusServerCleanup cmdlet from the UpdateServices module (which exposes the same switches), or automate it through the API as below:
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
$WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("localhost", $false, 8530)
$Cleanup = $WSUS.GetCleanupManager()
$Scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$Scope.DeclineSupersededUpdates = $true
$Scope.DeclineExpiredUpdates = $true
$Scope.CleanupObsoleteUpdates = $true
$Scope.CompressUpdates = $true
$Scope.CleanupObsoleteComputers = $true
$Scope.CleanupUnneededContentFiles = $true
$Results = $Cleanup.PerformCleanup($Scope)
Write-Host "Disk space freed: $([math]::Round($Results.DiskSpaceFreed / 1GB, 2)) GB"
Write-Host "Updates deleted: $($Results.UpdatesDeleted)"
You should also periodically re-index the WSUS database to maintain query performance. WID accepts connections only over its local named pipe and only from administrators, so run this elevated on the WSUS server itself; sqlcmd is not installed with the role and must be added (it ships with SQL Server Management Studio or the standalone SQL command-line tools):
sqlcmd -S \\.\pipe\MICROSOFT##WID\tsql\query -i C:\Scripts\WsusDBMaintenance.sql
The WsusDBMaintenance.sql script is available from Microsoft's documentation and performs index defragmentation and statistics updates on the SUSDB database.
Windows Update for Business Overview
Windows Update for Business (WUfB) is Microsoft's policy-driven approach to Windows Update that operates without requiring an on-premises WSUS server. It is configured through Group Policy or Microsoft Intune and defers updates by a specified number of days from the Patch Tuesday release date. Microsoft documents WUfB primarily for Windows 10 and 11 client editions; the policies below are honoured by the same update client on Server 2022, but verify the deferral behaviour on a test server before relying on it as your only control.
The key Group Policy settings for WUfB are located at Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.
Select when Quality Updates are received — Defers security and quality updates by up to 30 days. This gives you a window to evaluate updates before they reach production.
Select when Preview Builds and Feature Updates are received — Defers feature updates by up to 365 days. Windows Server 2022 is a Long-Term Servicing Channel release and does not receive in-place feature updates through Windows Update, so this policy matters mainly when the same GPO also covers Windows 10/11 clients.
Manage preview builds — Controls access to Windows Insider preview builds. Set this to disabled for production servers.
Configure a 7-day deferral for quality updates via registry (useful for scripted deployment):
$WUBPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
New-Item -Path $WUBPath -Force | Out-Null
Set-ItemProperty -Path $WUBPath -Name "DeferQualityUpdates" -Value 1 -Type DWORD
Set-ItemProperty -Path $WUBPath -Name "DeferQualityUpdatesPeriodInDays" -Value 7 -Type DWORD
Set-ItemProperty -Path $WUBPath -Name "DeferFeatureUpdates" -Value 1 -Type DWORD
Set-ItemProperty -Path $WUBPath -Name "DeferFeatureUpdatesPeriodInDays" -Value 180 -Type DWORD
Do not mix WUfB deferral policies with a WSUS configuration on the same host. When both Specify intranet Microsoft update service location and a deferral policy (or BranchReadinessLevel) are set, the client enters what Microsoft calls dual scan: it keeps WSUS for third-party and other updates but scans Windows Update directly for quality and feature updates, bypassing your WSUS approvals entirely. Where WSUS is the intended source, enable the policy Do not allow update deferral policies to cause scans against Windows Update (registry value DisableDualScan = 1 under the same WindowsUpdate key), or remove the deferral values altogether.
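The dual-scan condition is easy to create by accident (a WUfB GPO linked at a higher OU than the WSUS GPO is the usual cause) and it silently removes a host from your approval workflow, so it is worth checking for explicitly. The following is an added example (not from the original page) that reads the policy keys, flags the WSUS-plus-deferral combination without DisableDualScan, and pins the client back to WSUS. It only touches the client's own policy hive; the WSUS server is not involved.

```powershell
# Detect and remediate dual scan on a WSUS-managed host. Added example.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"
$p  = Get-ItemProperty -Path $WU -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $AU -ErrorAction SilentlyContinue

$usesWsus    = [bool]$p.WUServer -and $au.UseWUServer -eq 1
$hasDeferral = ($p.DeferQualityUpdates -eq 1) -or ($p.DeferFeatureUpdates -eq 1) -or [bool]$p.BranchReadinessLevel
$dualScanOff = $p.DisableDualScan -eq 1

if (-not $usesWsus) {
    Write-Host 'Host is not WSUS-managed; WUfB deferral policies apply directly and dual scan is not a concern.'
} elseif ($hasDeferral -and -not $dualScanOff) {
    Write-Warning "WSUS ($($p.WUServer)) plus WUfB deferral policies without DisableDualScan: quality/feature updates will come from Windows Update and bypass WSUS approvals."
    Set-ItemProperty -Path $WU -Name DisableDualScan -Value 1 -Type DWord
    Restart-Service wuauserv
    Write-Host 'DisableDualScan set; client pinned to WSUS.'
} else {
    Write-Host "WSUS-managed ($($p.WUServer)); no dual-scan exposure."
}
```

If a domain GPO is the source of the deferral values, the registry fix is only a stopgap until the next policy refresh; correct the GPO scope as well.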