How to Configure WSUS for Automated Patch Management on Windows Server 2022
Windows Server Update Services (WSUS) is Microsoft’s built-in solution for managing the distribution of updates released through Microsoft Update to computers in a corporate environment. Rather than allowing every workstation and server to pull updates independently from the internet, WSUS acts as a local update repository, letting administrators control which updates are approved, when they deploy, and to which groups of machines. This guide covers a complete WSUS deployment on Windows Server 2022, from role installation through ongoing maintenance.
Installing the WSUS Role
WSUS can be installed using either Server Manager or PowerShell. The PowerShell approach is preferred for repeatability. WSUS requires a content directory — a local folder where update files will be downloaded. Choose a volume with sufficient space; a typical enterprise environment requires 100–500 GB depending on product coverage. In this guide, the content directory is D:\WSUS.
Install the UpdateServices role along with the management console and the WID (Windows Internal Database) connectivity component:
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API -IncludeManagementTools -Restart
If you prefer an external SQL Server database instead of WID, replace UpdateServices-WidDB with UpdateServices-DB and specify the SQL instance during post-install configuration.
Post-Install Configuration with wsusutil.exe
After the role installs and the server restarts, you must run the WSUS post-install configuration tool before WSUS will function. This step creates the database schema and initializes the content folder:
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR="D:\WSUS"
If you are using a remote SQL Server, the syntax is:
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall SQL_INSTANCE_NAME="SQLSERVER\WSUS" CONTENT_DIR="D:\WSUS"
The tool will output progress messages. A successful run ends with “Post install has successfully completed.” Once complete, open the Windows Server Update Services console from Server Manager > Tools > Windows Server Update Services.
Initial WSUS Wizard: Connecting to Microsoft Update
On first launch the WSUS Configuration Wizard runs automatically. The key decisions are:
Upstream server: Choose “Synchronize from Microsoft Update” for a root WSUS server. For downstream servers in a hierarchy, choose “Synchronize from another Windows Server Update Services server” and specify the upstream WSUS hostname and port (default: 8530 for HTTP, 8531 for HTTPS).
Products and classifications: Select only what you need. Common selections include Windows Server 2022, Windows 10, Windows 11, Microsoft 365 Apps, and SQL Server. For classifications, typical choices are Critical Updates, Security Updates, Update Rollups, and Service Packs. Avoid selecting “Drivers” unless specifically needed, as this can consume enormous storage.
Sync schedule: Configure automatic daily synchronization. A scheduled sync at 2:00 AM is common practice.
You can also configure these settings in PowerShell after installation:
# Load the WSUS administration assembly
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
# Connect to the local WSUS server (plain HTTP on port 8530)
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)
# Configure upstream server (Microsoft Update)
$config = $wsus.GetConfiguration()
$config.SyncFromMicrosoftUpdate = $true
$config.Save()
# Add products to sync. SetUpdateCategories takes an UpdateCategoryCollection and replaces
# the current selection, so collect every matching product first and call it once.
# Note: in the catalog, Windows Server 2022 is titled "Microsoft Server operating system-21H2";
# adjust the pattern to the title you actually see.
$subscription = $wsus.GetSubscription()
$products = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
$wsus.GetUpdateCategories() | Where-Object { $_.Title -match "Windows Server 2022" } | ForEach-Object {
    [void]$products.Add($_)
}
$subscription.SetUpdateCategories($products)
$subscription.Save()
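The remaining wizard choices (classifications and the sync schedule) can be scripted the same way. The following is an added example, not code from the original guide: it assumes a local WSUS server on port 8530, uses the classification list and the 02:00 sync time recommended above, and then runs the first synchronization and reports how it ended. Note that SetUpdateClassifications replaces the current selection rather than adding to it.

```powershell
# Added example (not from the original guide): finish the wizard settings from PowerShell.
# Assumptions: local WSUS on port 8530, the guide's classification list and 02:00 sync time.
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)
$subscription = $wsus.GetSubscription()

# Classifications: the security-relevant set; Drivers is deliberately left out
$wanted = @('Critical Updates', 'Security Updates', 'Update Rollups', 'Service Packs')
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $wanted -contains $_.Title } |
    ForEach-Object { [void]$classes.Add($_) }
$subscription.SetUpdateClassifications($classes)   # replaces the current selection

# One automatic synchronization per day at 02:00 server local time
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::FromHours(2)
$subscription.NumberOfSynchronizationsPerDay = 1
$subscription.Save()

# Run the first synchronization now, wait for it to finish, and report the outcome
$subscription.StartSynchronization()
do {
    Start-Sleep -Seconds 30
    $status = $subscription.GetSynchronizationStatus()
} while ($status -ne [Microsoft.UpdateServices.Administration.SynchronizationStatus]::NotProcessing)

$last = $subscription.GetLastSynchronizationInfo()
"Sync result: $($last.Result) (started $($last.StartTime), ended $($last.EndTime))"
if ($last.Result -ne [Microsoft.UpdateServices.Administration.SynchronizationResult]::Succeeded) {
    # Dump the full synchronization record, including the error, for troubleshooting
    $last | Format-List *
}
```

Run this once in an elevated PowerShell session on the WSUS server after the product selection above; the first synchronization downloads the full metadata catalog and can take well over an hour, which is why the script polls rather than assuming completion.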
Creating Computer Groups
WSUS computer groups allow you to control which machines receive which updates. A typical structure includes groups for pilot testing, servers, and workstations. Create groups in the WSUS console under Computers > All Computers, right-click and select “Add Computer Group”, or use PowerShell:
# Create computer groups
$wsus.CreateComputerTargetGroup("Pilot")
$wsus.CreateComputerTargetGroup("Servers")
$wsus.CreateComputerTargetGroup("Workstations")
Computers can be assigned to groups manually in the WSUS console, or automatically via Group Policy using client-side targeting.
Targeting Computers via Group Policy
Group Policy is the standard method for pointing Windows clients and servers to WSUS. Create a new GPO and link it to the appropriate OU. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update and configure the following settings:
Specify intranet Microsoft update service location: Set both the update service URL and the statistics server URL to your WSUS server. Example: http://wsus.contoso.com:8530
Enable client-side targeting: Enter the computer group name (e.g., “Workstations”) that should receive this GPO.
Configure Automatic Updates: Set to option 4 (Auto download and schedule the install) with a scheduled time, such as 3:00 AM Wednesday.
The corresponding registry keys written by these GPO settings are found at HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:
WUServer = http://wsus.contoso.com:8530
WUStatusServer = http://wsus.contoso.com:8530
UseWUServer = 1
TargetGroup = Workstations
TargetGroupEnabled = 1
After applying the GPO, run gpupdate /force on a client and then wuauclt /detectnow /reportnow to trigger immediate check-in. The client should appear in the WSUS console within a few minutes.
Configuring Automatic Approvals
Manual approval of each update is impractical at scale. WSUS automatic approval rules let you define criteria for updates that should be approved without intervention. In the WSUS console, navigate to Options > Automatic Approvals.
A common rule: automatically approve Critical and Security updates for the “Pilot” group immediately, then approve for “Servers” and “Workstations” after a seven-day delay (giving time for pilot validation). Create this staged rollout by setting up multiple rules with different computer group targets and different approval deadlines.
Using PowerShell to create an automatic approval rule:
# Get the automatic approval rule collection
$approvalRules = $wsus.GetInstallApprovalRules()
# Create a new rule for Critical updates targeting Pilot group
$rule = $wsus.CreateInstallApprovalRule("AutoApprove-Critical-Pilot")
$rule.Enabled = $true
# Set classifications (Critical Updates)
$classifications = $wsus.GetUpdateClassifications()
$criticalClass = $classifications | Where-Object { $_.Title -eq "Critical Updates" }
$classCollection = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$classCollection.Add($criticalClass)
$rule.SetUpdateClassifications($classCollection)
# Set target group
$pilotGroup = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq "Pilot" }
$groupCollection = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$groupCollection.Add($pilotGroup)
$rule.SetComputerTargetGroups($groupCollection)
$rule.Save()
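Automatic approval rules fire when updates arrive; they do not wait for pilot results. The staged rollout described above (Pilot immediately, then Servers and Workstations after seven days) is therefore usually completed by a scheduled script that promotes approvals only once the pilot soak has passed cleanly. The following is an added example and not code from the original guide. It assumes the group names used in this guide, a local WSUS server on port 8530, a seven-day soak period (a chosen value), and uses the Pilot approval's CreationDate as the soak clock; a single failed installation in Pilot holds the update back until someone reviews it.

```powershell
# Added example (not from the original guide): promote updates from Pilot to production groups
# after a soak period. Assumptions: the guide's group names, local WSUS on 8530, a 7-day soak,
# and the Pilot approval's CreationDate as the soak clock.
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$soakDays = 7
$cutoff = (Get-Date).AddDays(-$soakDays)

$groups = $wsus.GetComputerTargetGroups()
$pilot = $groups | Where-Object { $_.Name -eq 'Pilot' }
$production = $groups | Where-Object { $_.Name -in @('Servers', 'Workstations') }

# Only updates whose latest revision is approved for at least one group are candidates
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$promoted = 0; $held = 0
foreach ($update in $wsus.GetUpdates($scope)) {
    $pilotApproval = $update.GetUpdateApprovals($pilot) |
        Where-Object { $_.Action -eq $install } | Select-Object -First 1
    if (-not $pilotApproval) { continue }                              # never went through Pilot
    if ($pilotApproval.CreationDate -gt $cutoff) { $held++; continue } # still soaking

    # Any failed install in Pilot blocks promotion until an administrator looks at it
    $summary = $update.GetSummary($pilot)
    if ($summary.FailedCount -gt 0) {
        Write-Warning "Holding '$($update.Title)': $($summary.FailedCount) failed in Pilot"
        $held++; continue
    }

    foreach ($group in $production) {
        $existing = $update.GetUpdateApprovals($group) | Where-Object { $_.Action -eq $install }
        if ($existing) { continue }                                    # already approved here
        if ($update.RequiresLicenseAgreement) { $update.AcceptLicenseAgreement() }
        [void]$update.Approve($install, $group)
        Write-Output "Approved '$($update.Title)' for $($group.Name)"
        $promoted++
    }
}
Write-Output "Promoted $promoted approvals; $held updates held back"
```

Schedule this daily on the WSUS server under an account that is a member of the WSUS Administrators group. The soak check is deliberately conservative: a held update is only logged, never declined, so the decision to skip a patch stays with a person.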
Declining Superseded Updates
Over time, WSUS accumulates superseded updates — older updates that have been replaced by newer ones. These should be declined to keep the database manageable and to improve synchronization performance. Run this PowerShell to decline all superseded updates:
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)
$superseded = $wsus.GetUpdates() | Where-Object {
$_.IsSuperseded -eq $true -and $_.IsDeclined -eq $false
}
Write-Host "Found $($superseded.Count) superseded updates to decline"
foreach ($update in $superseded) {
$update.Decline()
}
Write-Host "Done declining superseded updates"
WSUS Cleanup Wizard with PowerShell
The WSUS database grows over time with obsolete update metadata and downloaded content that is no longer needed. The Cleanup Wizard should be run monthly. Using Invoke-WsusServerCleanup from the UpdateServices PowerShell module is the scriptable approach:
# Import the module
Import-Module UpdateServices
# Run full cleanup
Invoke-WsusServerCleanup `
-CleanupObsoleteComputers `
-CleanupObsoleteUpdates `
-CleanupUnneededContentFiles `
-CompressUpdates `
-DeclineExpiredUpdates `
-DeclineSupersededUpdates
Write-Host "WSUS cleanup completed"
For large environments with many years of accumulated data, the cleanup may time out. In such cases, run it in stages: first decline superseded, then run Invoke-WsusServerCleanup -CleanupUnneededContentFiles, and finally the full cleanup.
WSUS also uses a SQL Server database (WID by default) that accumulates index fragmentation. It is good practice to run a database reindex periodically. Microsoft provides a script called WsusDBMaintenance.sql for this purpose, which can be run against the WID instance at \\.\pipe\MICROSOFT##WID\tsql\query.
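The staged cleanup and the WID reindex fit naturally into one scheduled maintenance script. The following is an added example, not code from the original guide: it runs each cleanup stage separately so that a timeout in one stage does not skip the others, logs the result of every stage, and finishes with the reindex over the WID named pipe. It assumes the UpdateServices module, that sqlcmd is installed on the server, and that WsusDBMaintenance.sql has been saved under C:\WSUS-Maint\ (a chosen path).

```powershell
# Added example (not from the original guide): monthly WSUS maintenance in stages.
# Assumptions: UpdateServices module present, sqlcmd installed, WsusDBMaintenance.sql saved
# to C:\WSUS-Maint\ (chosen path). Run elevated on the WSUS server.
Import-Module UpdateServices
$logDir = 'C:\WSUS-Maint\Logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$log = Join-Path $logDir ("cleanup-{0:yyyyMMdd}.log" -f (Get-Date))

function Invoke-Stage {
    # Runs one maintenance stage, records its duration and result, and never aborts the run
    param([string]$Name, [scriptblock]$Action)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $result = & $Action
        "$(Get-Date -Format s) OK   $Name ($([int]$sw.Elapsed.TotalSeconds)s): $result" |
            Tee-Object -FilePath $log -Append
    } catch {
        "$(Get-Date -Format s) FAIL $Name ($([int]$sw.Elapsed.TotalSeconds)s): $($_.Exception.Message)" |
            Tee-Object -FilePath $log -Append
    }
}

# Cheapest stages first, as the guide recommends for databases with years of history
Invoke-Stage 'Decline superseded' { Invoke-WsusServerCleanup -DeclineSupersededUpdates }
Invoke-Stage 'Decline expired'    { Invoke-WsusServerCleanup -DeclineExpiredUpdates }
Invoke-Stage 'Unneeded content'   { Invoke-WsusServerCleanup -CleanupUnneededContentFiles }
Invoke-Stage 'Obsolete updates'   { Invoke-WsusServerCleanup -CleanupObsoleteUpdates }
Invoke-Stage 'Obsolete computers' { Invoke-WsusServerCleanup -CleanupObsoleteComputers }
Invoke-Stage 'Compress updates'   { Invoke-WsusServerCleanup -CompressUpdates }

# Reindex the WID database with Microsoft's WsusDBMaintenance.sql over the local named pipe
Invoke-Stage 'WID reindex' {
    $out = & sqlcmd -S 'np:\\.\pipe\MICROSOFT##WID\tsql\query' -E -i 'C:\WSUS-Maint\WsusDBMaintenance.sql'
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd exited with code $LASTEXITCODE" }
    ($out | Out-String).Trim()
}
```

WID accepts connections only from local administrators over that pipe, so the script must run elevated on the WSUS server itself; the per-stage log gives you a baseline for how long each stage takes, which makes a sudden increase (for example after enabling a new product) easy to spot.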
Configuring WSUS in Downstream Mode
In large organizations with multiple sites, a WSUS hierarchy reduces internet bandwidth by having remote servers synchronize from a central upstream WSUS rather than from Microsoft. The downstream server is configured during the WSUS wizard as a replica or an autonomous server.
Replica mode: The downstream server mirrors all approvals from the upstream server. Administrators manage approvals only on the upstream server.
Autonomous mode: The downstream server imports update metadata from upstream but administrators make their own approval decisions locally.
Configure downstream mode with wsusutil:
# On the downstream server, run the post-install step once, exactly as on the upstream server
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR="D:\WSUS"
# Then in the WSUS console or via the API ($wsus is the connection object from the earlier snippet):
$config = $wsus.GetConfiguration()
$config.SyncFromMicrosoftUpdate = $false
$config.UpstreamWsusServerName = "wsus-central.contoso.com"
$config.UpstreamWsusServerPortNumber = 8530
$config.UpstreamWsusServerUseSsl = $false
$config.IsReplicaServer = $true # Set to $false for autonomous mode
$config.Save()
WSUS Reports and Monitoring
The WSUS console includes built-in reports for update status, computer status, and synchronization results. These reports require Microsoft Report Viewer to be installed on the console machine. For scripted monitoring, query update status via PowerShell:
# Get update compliance summary for a specific computer group
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq "Servers" }
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$updates = $wsus.GetUpdates($scope)
foreach ($update in $updates) {
$summary = $update.GetSummary($group)
if ($summary.NotInstalledCount -gt 0) {
Write-Output "$($update.Title): $($summary.NotInstalledCount) machines not installed"
}
}
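The per-update view above answers "which patches are missing"; operations teams usually also need the per-computer view, and in particular which machines have stopped reporting, because a silent client looks compliant in summary counts while it is actually unpatched. The following is an added example, not code from the original guide: it assumes a local WSUS server on port 8530, the "Servers" group from this guide, a 14-day staleness threshold and an output path (both chosen values), and it only counts approved updates so that a deliberately unapproved update is not reported as a gap.

```powershell
# Added example (not from the original guide): per-computer compliance plus stale-client detection.
# Assumptions: local WSUS on 8530, the guide's 'Servers' group, a 14-day staleness threshold
# and the CSV path (both chosen values).
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)
$staleDays = 14
$staleBefore = (Get-Date).AddDays(-$staleDays)
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Servers' }

# Count only approved updates; unapproved ones are a policy decision, not a missing patch
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$rows = foreach ($computer in $group.GetComputerTargets()) {
    $s = $computer.GetUpdateInstallationSummary($scope)
    [pscustomobject]@{
        Computer      = $computer.FullDomainName
        OS            = $computer.OSDescription
        LastReported  = $computer.LastReportedStatusTime
        # A client that has never reported has a minimum LastReportedStatusTime, so it is stale too
        Stale         = ($computer.LastReportedStatusTime -lt $staleBefore)
        Missing       = $s.NotInstalledCount + $s.DownloadedCount
        Failed        = $s.FailedCount
        PendingReboot = $s.InstalledPendingRebootCount
        Unknown       = $s.UnknownCount
    }
}

# Stale or failing machines first, then the ones with the most missing updates
$rows | Sort-Object Stale, Failed, Missing -Descending | Format-Table -AutoSize
$rows | Export-Csv -Path 'C:\WSUS-Maint\servers-compliance.csv' -NoTypeInformation

"Total: $($rows.Count)  Stale: $(($rows | Where-Object Stale).Count)  With failures: $(($rows | Where-Object { $_.Failed -gt 0 }).Count)"
```

A high Unknown count for a machine usually means it has not completed a detection cycle since it was added; treat it the same way as a stale client rather than as compliant.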
Troubleshooting Common WSUS Issues
If clients are not appearing in WSUS, verify the GPO is applied with gpresult /r and check the registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The Windows Update client log is at C:\Windows\WindowsUpdate.log (or use Get-WindowsUpdateLog on Windows 10/2016+ to decode the ETL logs).
If synchronization fails, check the WSUS application event log (Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient). Common issues include firewall rules blocking port 8530/8531 and SSL certificate problems if WSUS is configured for HTTPS.
To force a client to report immediately:
# Force detection and reporting on a client
wuauclt.exe /detectnow
wuauclt.exe /reportnow
# On Windows 10/Server 2016+ use UsoClient instead
UsoClient.exe StartScan
UsoClient.exe StartDownload
UsoClient.exe StartInstall
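Before forcing a scan it is worth confirming, on the client itself, that the policy values actually landed and that the server is reachable, since a forced scan against the wrong or unreachable URL produces nothing useful. The following is an added example, not code from the original guide: it reads the policy values, compares them with the WSUS URL used in this guide (the expected value is an assumption), tests the port, and only then triggers the scan and report. One detail to be aware of: WUServer, WUStatusServer, TargetGroup and TargetGroupEnabled live directly under the WindowsUpdate policy key, but UseWUServer is written to its AU subkey, so a check that reads all five values from the parent key will wrongly report UseWUServer as missing.

```powershell
# Added example (not from the original guide): client-side check of WSUS policy before a forced scan.
# Assumption: the expected WSUS URL below is the guide's example value; adjust to your server.
$expected = 'http://wsus.contoso.com:8530'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $policy 'AU'   # UseWUServer is stored in the AU subkey, not the parent key

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of an error when the value or key is missing
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
$checks = [ordered]@{
    WUServer           = Get-RegValue $policy 'WUServer'
    WUStatusServer     = Get-RegValue $policy 'WUStatusServer'
    TargetGroupEnabled = Get-RegValue $policy 'TargetGroupEnabled'
    TargetGroup        = Get-RegValue $policy 'TargetGroup'
    UseWUServer        = Get-RegValue $au 'UseWUServer'
}
$checks.GetEnumerator() | ForEach-Object { "{0,-20} {1}" -f $_.Key, $_.Value }

$problems = @()
if ($checks.WUServer -ne $expected) { $problems += "WUServer is '$($checks.WUServer)', expected '$expected'" }
if ($checks.UseWUServer -ne 1) { $problems += "UseWUServer is not 1; the client will ignore WUServer and use Microsoft Update" }
if ($checks.TargetGroupEnabled -eq 1 -and -not $checks.TargetGroup) { $problems += "TargetGroupEnabled is set but TargetGroup is empty" }
# Update metadata over plain HTTP has no transport protection; the guide lists 8531/HTTPS as the alternative
if ($checks.WUServer -like 'http://*') { $problems += "WSUS URL uses plain HTTP; consider HTTPS on port 8531" }

# Confirm the server answers on the configured port before blaming the client
if ($checks.WUServer) {
    $uri = [uri]$checks.WUServer
    if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
        $problems += "Cannot reach $($uri.Host) on port $($uri.Port) (firewall or DNS)"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    "Policy looks correct; forcing a scan and report"
    UsoClient.exe StartScan
    wuauclt.exe /reportnow
    # Decode the ETL logs into a readable file for review if the machine still does not show up
    Get-WindowsUpdateLog -LogPath "$env:TEMP\WindowsUpdate.log"
}
```

Run it in an elevated session on the client; the HTTP warning is intentionally non-fatal because the check is about whether the client can reach WSUS at all, but it is the finding most worth acting on once check-in works.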
WSUS remains one of the most cost-effective patch management tools for Windows-centric environments. Combined with automatic approvals, computer group targeting, and scheduled cleanup, it provides a robust foundation for keeping your Windows Server 2022 estate patched and secure with minimal manual effort.