How to Set Up Windows Server 2016 Windows Server Update Services

Windows Server Update Services (WSUS) allows organizations to centrally manage and distribute Microsoft updates to servers and workstations on the internal network. Instead of each machine downloading updates independently from Microsoft Update servers on the internet, WSUS acts as a local update repository that IT administrators can control. This reduces internet bandwidth consumption, provides granular approval control over which updates are deployed and when, and enables compliance reporting across the entire managed estate. This tutorial covers installing WSUS on Windows Server 2016, configuring synchronization, approving updates, creating computer groups, and configuring clients to use the internal WSUS server.

Prerequisites

You need a Windows Server 2016 server with at least 4 GB of RAM, a minimum of 40 GB of free disk space on the drive used to store the WSUS content repository (more is recommended for large environments), and outbound internet access to Microsoft Update servers on ports 80 and 443. The server should have a static IP address. You will also need an elevated PowerShell session or access to Server Manager.

Step 1: Install the WSUS Role

Install the WSUS role and management tools using PowerShell. Specify a dedicated content directory on a drive with sufficient free space. WSUS can use either Windows Internal Database (WID) or an existing SQL Server instance. This example uses WID, which is suitable for environments with up to 30,000 clients.

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Run the post-installation configuration script
& 'C:\Program Files\Update Services\Tools\wsusutil.exe' postinstall `
    CONTENT_DIR=D:\WSUS

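The postinstall step creates the WSUS database and initializes the content directory. This may take several minutes. After completion, check that the WSUS service (WsusService) is running and that the WsusPool IIS application pool is started.

Get-Service WSUSService
Start-Service WSUSService
# WsusPool is an IIS application pool, not a Windows service
Get-WebAppPoolState -Name WsusPool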

Step 2: Open the WSUS Console and Run the Configuration Wizard

Open the WSUS Administration Console from the Tools menu in Server Manager. The first launch triggers the WSUS Configuration Wizard. Work through the wizard to specify whether this server synchronizes from Microsoft Update directly or from an upstream WSUS server, to choose the products and update classifications to synchronize, and to set the synchronization schedule.

Alternatively, configure WSUS programmatically using the UpdateServices PowerShell module.

$wsus = Get-WsusServer -Name localhost -PortNumber 8530
$wsusConfig = $wsus.GetConfiguration()
$wsusConfig.SyncFromMicrosoftUpdate = $true
$wsusConfig.Save()

Step 3: Select Products and Classifications

Configure which Microsoft products and update classifications WSUS should synchronize. Limiting this selection reduces disk usage and synchronization time significantly.

$subscription = $wsus.GetSubscription()

# Set product categories (example: Windows Server 2016 only)
Get-WsusProduct | Where-Object { $_.Product.Title -like '*Server 2016*' } | Set-WsusProduct

# Set update classifications
Get-WsusClassification | Where-Object {
    $_.Classification.Title -in 'Critical Updates','Security Updates','Definition Updates'
} | Set-WsusClassification

$subscription.Save()

Step 4: Configure Synchronization Schedule

Set WSUS to synchronize automatically on a daily schedule so the local repository stays current without manual intervention.

$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::FromHours(2)  # 2:00 AM
$subscription.NumberOfSynchronizationsPerDay = 1
$subscription.Save()

# Trigger an immediate first synchronization
$subscription.StartSynchronization()

Step 5: Create Computer Groups

WSUS computer groups let you target specific updates to specific machines. A typical structure includes groups for Pilot, Production Servers, and Workstations. Create groups and assign computers to them for staged rollouts.

# Create computer groups
$wsus.CreateComputerTargetGroup('Pilot')
$wsus.CreateComputerTargetGroup('Production Servers')
$wsus.CreateComputerTargetGroup('Workstations')

# List existing computer groups
$wsus.GetComputerTargetGroups() | Select-Object Name, Id

Step 6: Configure Clients via Group Policy

Configure client machines to point to the WSUS server using Group Policy. Create a new GPO or edit an existing one targeting the organizational units containing the machines you want to manage.

Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update. Enable and configure the settings that correspond to the registry values written by the following script:

# Example: Configure via registry (for scripting or testing)
# These settings should normally be deployed via GPO

$wsusServer = 'http://wsus01.corp.local:8530'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Create the policy keys if they do not exist (Set-ItemProperty fails on a missing key)
foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

Set-ItemProperty -Path $wuKey -Name WUServer -Value $wsusServer
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $wsusServer
Set-ItemProperty -Path $auKey -Name UseWUServer -Value 1
Set-ItemProperty -Path $auKey -Name AUOptions -Value 4  # Auto download and schedule install

Restart-Service wuauserv
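
To confirm that a client actually picked up the Step 6 settings, the following added example (not part of the original tutorial) reads the same policy values back and reports each check. The function name and its parameter are assumptions, and the https check goes beyond the page's configuration, which uses plain HTTP on port 8530.

```powershell
# Added example, not from the original tutorial.
# Test-WsusClientPolicy and -ExpectedServer are hypothetical names.
function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)]
        [string]$ExpectedServer
    )

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    # A missing key yields $null here instead of a terminating error
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'WUServer matches expected server' = $wu.WUServer -eq $ExpectedServer
        'WUStatusServer equals WUServer'   = $wu.WUServer -and ($wu.WUStatusServer -eq $wu.WUServer)
        'UseWUServer is 1'                 = $au.UseWUServer -eq 1
        'AUOptions is 4'                   = $au.AUOptions -eq 4
        # Not configured by the tutorial: flags update traffic sent over plain HTTP
        'WUServer uses https'              = "$($wu.WUServer)" -like 'https://*'
    }

    # Emit one result object per check so the output can be filtered or exported
    foreach ($name in $checks.Keys) {
        [PSCustomObject]@{
            Computer = $env:COMPUTERNAME
            Check    = $name
            Passed   = [bool]$checks[$name]
        }
    }
}

Test-WsusClientPolicy -ExpectedServer 'http://wsus01.corp.local:8530' |
    Format-Table -AutoSize
```

With the URL from Step 6, the last check reports False because the client reaches WSUS over HTTP.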

Step 7: Approve Updates

After synchronization completes, review and approve updates for deployment to computer groups. You can approve updates through the WSUS console or via PowerShell.

# Get unapproved updates
$updates = $wsus.GetUpdates() | Where-Object {
    $_.IsApproved -eq $false -and $_.IsDeclined -eq $false
}

# Approve critical updates for the Pilot group
$pilotGroup = $wsus.GetComputerTargetGroups() | Where-Object Name -eq 'Pilot'
$critical = @($updates | Where-Object { $_.UpdateClassificationTitle -eq 'Critical Updates' })
$critical | ForEach-Object {
    $_.Approve('Install', $pilotGroup)
}

# Report only the updates that were actually approved
Write-Host "Approved $($critical.Count) updates for Pilot group"
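
The staged rollout that Steps 5 and 7 describe, as an added example that is not part of the original tutorial: it approves for 'Production Servers' only those updates whose Pilot approval is older than a soak period and that show no pilot failures. The function name, the seven-day default and the pass criteria are assumptions.

```powershell
# Added example, not from the original tutorial.
# Publish-PilotUpdates, -SoakDays and the pass criteria are hypothetical.
function Publish-PilotUpdates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$SoakDays = 7,
        [string]$From  = 'Pilot',
        [string]$To    = 'Production Servers'
    )

    $wsus   = Get-WsusServer -Name localhost -PortNumber 8530
    $groups = $wsus.GetComputerTargetGroups()
    $pilot  = $groups | Where-Object Name -eq $From
    $prod   = $groups | Where-Object Name -eq $To
    if (-not $pilot -or -not $prod) { throw "Group '$From' or '$To' not found" }

    # Assumption: approval timestamps are compared as UTC
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)

    foreach ($update in $wsus.GetUpdates()) {
        if ($update.IsDeclined -or $update.IsSuperseded) { continue }

        # Install approvals for the pilot group older than the soak period
        $soaked = @($update.GetUpdateApprovals($pilot) |
            Where-Object { $_.Action -eq 'Install' -and $_.CreationDate -le $cutoff })
        if ($soaked.Count -eq 0) { continue }

        # Skip updates that already carry an approval for the target group
        if (@($update.GetUpdateApprovals($prod)).Count -gt 0) { continue }

        # Require at least one pilot install and no pilot failures
        $summary = $update.GetSummaryForComputerTargetGroup($pilot)
        if ($summary.FailedCount -gt 0 -or $summary.InstalledCount -eq 0) { continue }

        if ($PSCmdlet.ShouldProcess($update.Title, "Approve for '$To'")) {
            $null = $update.Approve('Install', $prod)
        }
        [PSCustomObject]@{
            Title          = $update.Title
            PilotInstalled = $summary.InstalledCount
            PilotApproved  = $soaked[0].CreationDate
        }
    }
}

Publish-PilotUpdates -SoakDays 7 -WhatIf
```

Run it with -WhatIf first to list the candidates without approving anything.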

Step 8: Decline Unwanted Updates

Declining updates you do not need reduces clutter in the WSUS console and improves performance. Common candidates for declining include updates for products not in your environment, preview updates, and updates superseded by newer versions.

# Decline superseded updates
$wsus.GetUpdates() | Where-Object { $_.IsSuperseded -eq $true } | ForEach-Object {
    $_.Decline()
}

# Decline updates for a specific product you do not use
$wsus.GetUpdates() | Where-Object { $_.Title -like '*Silverlight*' } | ForEach-Object {
    $_.Decline()
}

Step 9: Run WSUS Cleanup

The WSUS database and content store grow over time. Run the WSUS Server Cleanup Wizard regularly to remove obsolete updates, expired updates, superseded updates, and unnecessary update files.

$cleanupManager = $wsus.GetCleanupManager()
$cleanupScope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$cleanupScope.DeclineSupersededUpdates = $true
$cleanupScope.DeclineExpiredUpdates = $true
$cleanupScope.CleanupObsoleteUpdates = $true
$cleanupScope.CompressUpdates = $true
$cleanupScope.CleanupObsoleteComputers = $true
$cleanupScope.CleanupUnneededContentFiles = $true

$result = $cleanupManager.PerformCleanup($cleanupScope)
Write-Host "Disk space freed: $([Math]::Round($result.DiskSpaceFreed / 1GB, 2)) GB"

Step 10: Generate Compliance Reports

WSUS provides built-in reports to track update compliance across your managed machines. Use the WSUS console Reports section or query compliance programmatically.

# Get update status summary for all computers
$wsus.GetComputerTargets() | ForEach-Object {
    $summary = $_.GetUpdateInstallationSummary()
    [PSCustomObject]@{
        Computer       = $_.FullDomainName
        Installed      = $summary.InstalledCount
        Needed         = $summary.NotInstalledCount
        Failed         = $summary.FailedCount
        'Pending Reboot' = $summary.InstalledPendingRebootCount
    }
} | Format-Table -AutoSize

Windows Server Update Services on Windows Server 2016 provides organizations with full control over their patching lifecycle. By following this guide you have installed WSUS, configured product and classification synchronization, created computer groups for staged rollouts, deployed client configuration through Group Policy, approved and declined updates, performed database cleanup, and generated compliance reports. Establish a regular patching cadence, test updates in a pilot group before broad deployment, and integrate WSUS cleanup into your monthly maintenance window to keep the service running efficiently for years to come.