Windows Server Update Services (WSUS)

What is Windows Server Update Services (WSUS)?

Windows Server Update Services (WSUS) is a Windows server role that can plan, manage and deploy updates, patches and hotfixes for Windows servers, client operating systems (OSes) and other Microsoft software. It allows system administrators to control when and how systems install updates and provides a central point for clients to get the updates. It is designed for small to medium-sized business (SMB) use. There is typically no additional cost to add WSUS to a Windows network.

Installed on Microsoft Windows Server, WSUS is a simple tool that system administrators use to manage Microsoft Windows updates. It is available for Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019 and will be part of Server 2022. All supported Microsoft client OSes can use WSUS, including Windows 8.1, 10 and 11.

WSUS allows an organization to control when and how Windows devices receive OS updates and patches, and it allows for automated updates within parameters the administrator sets. Without WSUS, clients install updates as soon as they are available from Microsoft. This can leave clients at different patch levels, install patches that break software or install patches in the middle of the workday, causing employee downtime.

Using WSUS gives system administrators time to test that the updates work with their network and allows them to install the updates during a maintenance window so that production work isn't affected. For example, an organization would want to avoid installing updates in the accounting department during tax preparation.

Windows Server Update Services provides reporting about Windows updates in an organization. System administrators can use this information to see that all clients are installing updates correctly and have the same updates applied. This ensures that the systems have the correct security patches, reducing overall network vulnerability.

[Image: patch management cost-benefit analysis] WSUS provides system administrators with the ability to control and manage every facet of updating, patching and hotfixing Microsoft OS and software products.

Without WSUS, all clients go directly to Microsoft servers to download updates. In networks with many clients or with poor bandwidth, this can cause excessive internet use and affect productivity. With WSUS acting as a central point, the server downloads only one copy of each update from Microsoft and all clients get the update from there. This approach makes better use of high-speed LAN connections and reduces overall internet usage. WSUS supports multiple languages and can selectively make updates for those languages available.

Windows Server Update Services does not require any additional license for the server. Clients connecting to WSUS only require a Windows Server Client Access License (CAL). Because most organizations already purchase Windows Server and CALs, WSUS typically adds no cost for an organization.

WSUS only supports Microsoft products, such as Windows and Microsoft Office updates. It does not allow for installing new software or updating other products, such as Google Chrome. It also does not support other OSes such as macOS or Linux.

How to use WSUS

WSUS is installed on Windows Server as a server role using Microsoft Windows Server Manager. Once the role is installed and its post-installation step has run, it is available for use. It has a few prerequisites, including .NET, Microsoft Report Viewer, Internet Information Services (IIS) and a database such as the Windows Internal Database (WID) or SQL Server. All of these prerequisites are freely available on Windows Server.

Depending on the size of the network, WSUS can be a single server or many working together. WSUS servers can get update content and configurations from each other. This allows for extremely large networks and for different office locations to each have their own server.

Organizations can also use WSUS disconnected from the internet. This way, high-security networks can receive regular patches without exposing the network to the internet.

[Image: install WSUS management console with PowerShell] System administrators can install the WSUS management console using PowerShell.
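As an added example (not from the original article), the following PowerShell installs the WSUS role with the Windows Internal Database, runs the mandatory post-installation step, sets the server to synchronize from Microsoft Update and narrows the catalog to the products and classifications the network actually needs. It assumes `D:\WSUS` is a dedicated volume for update content (a placeholder path) and that the script runs elevated on the server.

```powershell
# Added example, not the article's own code. Assumed content path: D:\WSUS (placeholder).
$ContentDir = 'D:\WSUS'

# Role plus WID back end and the management tools (console and the UpdateServices module).
# On a separate admin host, only the console is needed: Install-WindowsFeature UpdateServices-RSAT
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services `
    -IncludeManagementTools

if (-not (Test-Path $ContentDir)) {
    New-Item -ItemType Directory -Path $ContentDir | Out-Null
}

# The role is not usable until wsusutil.exe postinstall creates the database and content store.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir

# Pull metadata from Microsoft Update. A downstream server in a multi-server layout would use
# -UssServerName <upstream> instead; a disconnected network uses wsusutil.exe export/import.
$wsus = Get-WsusServer
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU

# The first synchronization populates the product and classification catalog, so run it
# and wait for it to finish before choosing what to keep.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 30
}

# Keep only the products this network runs and the classifications that matter for security.
$products        = @('Windows 10', 'Windows 11', 'Windows Server 2019')
$classifications = @('Critical Updates', 'Security Updates', 'Definition Updates')

Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -in $products } |
    Set-WsusProduct
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in $classifications } |
    Set-WsusClassification

# Confirm the client-facing ports. 8530 (HTTP) is always present; 8531 (HTTPS) appears
# only after a certificate has been bound to the WSUS site in IIS.
Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

Rerun the product and classification selection after the first synchronization if a title in the lists is not yet in the catalog; an unknown title is simply skipped by the filter.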

Just deploying a WSUS server to a network is not enough; clients must be configured to connect to it instead of to Microsoft Update. System admins often configure the client using Group Policy, but may also set it up through System Center Configuration Manager (SCCM), mobile device management (MDM) or manually with registry keys. Admins can set how clients install updates, whether they reboot after installation and how to notify users of the updates.

The Windows Update Agent (WUA) performs the actions on the client to install updates. It connects to the WSUS server and scans for needed updates and then downloads and installs them. The download uses Background Intelligent Transfer Service (BITS) to optimize bandwidth use.

WSUS requires a few network ports to be open for operation. The server must be able to communicate out to Microsoft's Windows Update servers on the internet on ports 80 and 443 to receive the update packages. Clients connect to the WSUS server on ports 8530 (HTTP) and 8531 (HTTPS) by default, though these can be changed.
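The client-side configuration described in the two paragraphs above, as an added example that is not part of the original article: it writes the same policy registry values that the Group Policy settings write, points the Windows Update Agent at the internal server over the HTTPS port, checks that the port is reachable and then asks the agent to scan. It assumes the WSUS server is `https://wsus.corp.example:8531` (a placeholder name) and that the script runs elevated on the client.

```powershell
# Added example, not the article's own code. Placeholder WSUS URL; use the HTTPS port so
# update metadata and status reports are not exchanged in clear text.
$WsusUrl   = 'https://wsus.corp.example:8531'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

New-Item -Path $AuKey -Force | Out-Null

# Server the agent scans and downloads from, and the server that receives status reports.
Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $WsusUrl -Type String
# Without UseWUServer=1 the agent ignores WUServer and keeps using Microsoft Update.
Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 1 -Type DWord

# Automatic Updates behaviour: enabled, auto download and scheduled install,
# every day (0) at 03:00, and never reboot while a user is signed in.
Set-ItemProperty -Path $AuKey -Name NoAutoUpdate                  -Value 0 -Type DWord
Set-ItemProperty -Path $AuKey -Name AUOptions                     -Value 4 -Type DWord
Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay           -Value 0 -Type DWord
Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime          -Value 3 -Type DWord
Set-ItemProperty -Path $AuKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Verify the client can actually reach the WSUS port before relying on it.
$uri   = [Uri]$WsusUrl
$probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "WSUS server $($uri.Host) is not reachable on TCP port $($uri.Port)"
}

# Restart the agent so it re-reads policy, then request a detection cycle.
Restart-Service -Name wuauserv
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()

# Show what the agent is now configured to use.
Get-ItemProperty -Path $PolicyKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $AuKey     | Select-Object UseWUServer, AUOptions, ScheduledInstallTime
```

Where Group Policy manages these keys, the policy overwrites manual values at the next refresh, so use this only on machines outside the relevant Group Policy scope or to verify what the policy applied.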

[Image: connect WSUS to SCVMM for managing VMs] The dialog box system administrators use to link System Center Virtual Machine Manager (SCVMM), which manages virtual machines, to WSUS.

WSUS and System Center Configuration Manager

Windows Server Update Services is a separate product from Microsoft System Center Configuration Manager. SCCM can perform any role that WSUS does and much more. WSUS only manages updates and patches, while SCCM allows for updates, patches, software installation, administration, configuration and inventory.

WSUS is included with Windows Server. SCCM is a separate paid product from Microsoft.

Windows Server Update Services and Windows Update for Business

Windows Update for Business (WUfB) is a modern update system from Microsoft. In WUfB the organization sets when and how clients apply updates, but the clients connect to Microsoft servers or use peer distribution to download update content. This differs from WSUS, where clients connect to servers that the organization manages.

[Image: select when Windows preview builds and feature updates are received in WUfB] Defer deployment of, or set up a delay for, preview builds or major Windows releases to clients in Windows Update for Business.

WUfB is easier to set up and manage than WSUS and provides benefits to remote workers, but it does not provide as much control of updates nor as much bandwidth savings as WSUS.

This was last updated in May 2022
