What is Windows Server Update Services (WSUS)?
Windows Server Update Services (WSUS) is a Windows server role that can plan, manage and deploy updates, patches and hotfixes for Windows servers, client operating systems (OSes) and other Microsoft software. It allows system administrators to control when and how systems install updates and provides a central point for clients to get the updates. It is designed for small to medium-sized business (SMB) use. There is typically no additional cost to add WSUS to a Windows network.
Installed on Microsoft Windows Server, WSUS is a simple tool that system administrators use to manage Microsoft Windows updates. It is available for Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019 and will be part of Server 2022. All supported Microsoft client OSes can use WSUS, including Windows 8.1, 10 and 11.
WSUS allows an organization to control when and how Windows devices receive OS updates and patches. It also allows for automated updates within specific parameters. Without WSUS, clients install updates as soon as they are available from Microsoft. This can cause clients to be at different patch levels, to install patches that break software or to install updates in the middle of the workday, causing employee downtime.
Using WSUS gives system administrators time to test that the updates work with their network and allows them to install the updates during a maintenance time frame so that production work isn't affected. For example, an organization would want to avoid installing updates to the accounting department during tax preparation.
Windows Server Update Services provides reporting about Windows updates in an organization. System administrators can use this information to see that all clients are installing updates correctly and have the same updates applied. This ensures that the systems have the correct security patches, reducing overall network vulnerability.
Without WSUS, all clients go directly to Microsoft servers to download updates. In networks with many clients or with poor bandwidth, this could cause excessive internet use and affect productivity. With WSUS acting as a central point, the server downloads only one copy of the update from Microsoft and all clients can get the update from there. This approach makes better use of high-speed LAN connections and reduces overall internet usage. WSUS supports multiple languages and can selectively make the information for these languages available.
Windows Server Update Services does not require any additional license for the server. Clients connecting to WSUS only require a Windows Server Client Access License (CAL). Because most organizations already purchase Windows Server and CALs, WSUS is typically no additional cost to an organization.
WSUS only supports Microsoft products, such as Windows and Microsoft Office updates. It does not allow for installing new software or updating other products, such as Google Chrome. It also does not support other OSes such as macOS or Linux.
How to use WSUS
WSUS is installed on Windows Server as a server role using Microsoft Windows Server Manager. Once the role is activated, it is available for use. It has a few prerequisites, including .NET, Microsoft Report Viewer, Internet Information Services (IIS), and a database such as Windows Internal Database (WID) or SQL. All these prerequisites are freely available on Windows Server.
Depending on the size of the network, WSUS can be a single server or many working together. WSUS servers can get update content and configurations from each other. This allows for extremely large networks and for different office locations to each have their own server.
Organizations can also use WSUS disconnected from the internet. This way, high security networks can receive regular patches without exposing the network to the internet.
Just deploying a WSUS server to a network is not enough; clients must be configured to connect to it instead of to Microsoft Update. System admins often configure the client using Group Policy, but may also set it up through System Center Configuration Manager (SCCM), mobile device management (MDM) or manually with registry keys. Admins can set how clients install updates, whether they reboot after installation and how to notify users of the updates.
The Windows Update Agent (WUA) performs the actions on the client to install updates. It connects to the WSUS server and scans for needed updates and then downloads and installs them. The download uses Background Intelligent Transfer Service (BITS) to optimize bandwidth use.
WSUS requires a few network ports to be open for operation. The server must be able to reach the Windows Update servers on the internet on ports 80 and 443 to receive the update packages. Clients connect to the WSUS server on ports 8530 and 8531 by default, though these can be changed.
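As an added example (not part of the original article), the PowerShell below audits the client-side settings described above: it reads the Windows Update policy values that Group Policy writes to the registry and reports when the client is not pointed at WSUS or reaches it over plain HTTP (the default port 8530) instead of HTTPS (the default port 8531). The function names and the host name `wsus.example.internal` are hypothetical; `WUServer`, `WUStatusServer` and `UseWUServer` are the standard policy value names.

```powershell
# Added example: audit the WSUS client policy stored in the registry.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Read the policy values; a missing key yields $null fields, not an error.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer        # update source URL
        WUStatusServer = $wu.WUStatusServer  # reporting URL
        UseWUServer    = $au.UseWUServer     # 1 = use the WSUS server above
    }
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client scans Microsoft Update, not WSUS'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $Policy.$name
        if ([string]::IsNullOrWhiteSpace($value)) {
            $findings += "$name is not set"
            continue
        }
        $uri = $null
        if (-not [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "$name is not a valid URL: $value"
            continue
        }
        if ($uri.Scheme -ne 'https') {
            $findings += "$name uses $($uri.Scheme) on port $($uri.Port): traffic to WSUS is not protected by TLS"
        }
    }
    return ,$findings   # always an array, empty when the policy passes
}

# Constructed sample policy (hypothetical host) so the check can be tried anywhere.
$sample = [pscustomobject]@{
    WUServer       = 'http://wsus.example.internal:8530'
    WUStatusServer = 'http://wsus.example.internal:8530'
    UseWUServer    = 1
}
Test-WsusClientPolicy -Policy $sample

# On a managed client, audit the live settings instead:
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```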
WSUS and System Center Configuration Manager
Windows Server Update Services is a separate product from Microsoft System Center Configuration Manager. SCCM can perform any role that WSUS does and much more. WSUS only manages updates and patches, while SCCM allows for updates, patches, software installation, administration, configuration and inventory.
WSUS is included with Windows Server. SCCM is a separate paid product from Microsoft.
Windows Server Update Services and Windows Update for Business
Windows Update for Business (WUfB) is a modern update system from Microsoft. In WUfB, the organization sets when and how clients apply updates, but the clients connect to Microsoft servers or use peer distribution to download update content. This is different from WSUS, where clients connect to servers that the organization manages.
WUfB is easier to set up and manage than WSUS and provides benefits to remote workers, but it does not provide as much control of updates nor as much bandwidth savings as WSUS.