WSUS is deprecated but still supported for production use on supported Windows Server releases. Microsoft is no longer adding new WSUS features, so new deployments should be evaluated against cloud-based alternatives – but the role remains valid for organizations that require on-premises update control, operate disconnected networks, or run Microsoft Configuration Manager.
A typical WSUS installation takes around 20 minutes on a healthy server. The configuration wizard usually takes another 10-15 minutes, excluding the initial synchronization, which can range from 30 minutes to several hours depending on product scope and internet speed.
The decisions that matter happen in the configuration wizard, not during role installation. Product and classification selection determines how much disk space you consume and how long that first sync takes. Getting it wrong does not break anything immediately – it creates a cleanup job six months later.
This guide covers WSUS installation on Windows Server 2016, 2019, 2022, and 2025 via both Server Manager and PowerShell – the post-install wizard, initial sync, and verification are also covered.
WSUS Installation Prerequisites
- Windows Server installed and domain-joined (workgroup acceptable for isolated deployments)
- No WSUS role currently present
- Local administrator access
- Outbound internet access on ports 80 and 443 for syncing from Microsoft Update
- A dedicated non-C: volume recommended for WSUS content storage
- 2 GB RAM dedicated to WSUS beyond what the OS needs
If you are adding WSUS as a downstream server syncing from an existing upstream, you need connectivity to that upstream on its configured WSUS HTTP/HTTPS ports, typically 8530/8531, instead of outbound internet access to Microsoft.
Microsoft lists a minimum 1.4 GHz x64 processor (2 GHz or faster recommended), an additional 2 GB of RAM beyond the OS and other workloads, at least 40 GB of available disk space recommended, and a 100 Mbps network adapter (1 Gbps recommended).
WID or SQL Server: The WSUS Installation Database Decision
Before starting the WSUS installation, decide which database backend to use. Migrating an existing WSUS deployment from WID to SQL Server is supported, but it is a manual migration rather than a wizard-driven process. Microsoft documents stopping IIS and WSUS, detaching SUSDB from WID, attaching it to SQL Server, updating permissions, and changing the WSUS database registry settings. Going the other direction – SQL to WID – is not supported.
WID (Windows Internal Database) is the default and the right choice for most deployments on Windows Server 2016 through 2022. It is built into Windows Server, requires no additional licensing, and installs automatically with the WSUS role.
WID is intended for local access only and does not expose a normal remote SQL endpoint. You can still connect to it locally with SSMS or sqlcmd using the named pipe \\.\pipe\Microsoft##WID\tsql\query. There is no enforced per-database size cap in WID – that limit belongs to SQL Server Express, not WID. WID is suitable for many single-server WSUS deployments, including environments with thousands of clients, provided that the server is correctly sized and maintained.
WID limitation that matters operationally: cannot be used for network load-balanced WSUS configurations.
Windows Server 2025 note: WID is itself deprecated in Server 2025 alongside WSUS. Deprecation does not mean WID is currently unsupported – both WSUS and WID remain available in Windows Server 2025 and are supported for production use – but Microsoft may remove deprecated components in a future release. For new Server 2025 installations, prefer SQL Server Express for small deployments; WID remains supported but deprecated.
SQL Server Express is free but enforces a hard 10 GB per-database limit. A busy SUSDB on a large deployment can exceed this – error 1827 when it does. SQL Server Express supports normal SSMS administration and can be configured for remote connections, but TCP/IP network access is disabled by default on a new Express installation. Enable TCP/IP, restart the SQL Server service, and configure the required static or dynamic port and firewall rules before using it as a remote WSUS database.
SQL Server Standard or Enterprise is required for NLB/high-availability WSUS deployment, when the SUSDB may exceed the SQL Express 10 GB database limit, when the organization already operates a managed SQL platform, or when SQL-level availability and backup requirements justify it.
| Scenario | Database choice |
|---|---|
| New deployment, Server 2016/2019/2022 | WID |
| New deployment, Server 2025 (small) | Prefer SQL Server Express; WID remains supported but deprecated |
| New deployment, Server 2025 (may grow beyond 10 GB) | SQL Server Standard or Enterprise |
| Need NLB/HA WSUS | SQL Server Standard or Enterprise |
| SUSDB may exceed 10 GB | SQL Server Standard or Enterprise |
| Existing WID deployment | Stay on WID unless you have a specific operational reason to migrate |
Storage Planning for WSUS Installation
Plan storage before the WSUS installation begins. Use a dedicated local NTFS volume where practical and avoid NTFS compression. WSUS can use a path on C:, but separating the content store simplifies capacity management, backup, migration, and recovery. If the folder is created or moved manually, verify that NETWORK SERVICE has the required permissions.
Microsoft’s documented minimums are 20 GB to store updates, 40 GB recommended. For Windows releases serviced through on-premises Unified Update Platform content, plan for roughly 10 GB of additional storage per Windows version and processor architecture – confirm which managed releases currently use UUP before applying that estimate to your full scope.
As a field estimate, a narrowly scoped and regularly maintained WSUS content store stays significantly smaller than a broadly configured or neglected one. Actual storage varies substantially with products, languages, architectures, approvals, driver content, express files, and cleanup frequency. Monitor the volume rather than treating a single size estimate as a design limit.
WSUS Installation: Role Setup via Server Manager and PowerShell
WSUS Installation via Server Manager
- Open Server Manager → Manage → Add Roles and Features
- Role-based installation on the local server
- Select Windows Server Update Services and accept the additional IIS features when prompted
- In role services, keep WSUS Services checked. For the database: keep WID Connectivity for WID, or uncheck it and check SQL Server Connectivity for SQL
- Set the content store location – enter the path to your dedicated volume, e.g.
D:\WSUS. Uncheck Store updates locally only when you intentionally want WSUS to synchronize metadata while clients download approved update binaries directly from Microsoft Update. Those clients must have the required internet access and policy configuration. - Install. When the installation completes, click Launch Post-Installation Tasks in the results pane and wait for “Configuration successfully completed”
Restart the server only if Server Manager reports that a restart is required.
WSUS Installation via PowerShell
WID backend (concise – official path):
Install-WindowsFeature -Name UpdateServices -IncludeManagementToolsWID backend (explicit components):
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI -IncludeManagementToolsSQL backend:
Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementToolsRun post-install after either path.
WID:
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=D:\WSUSSQL (local instance):
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall SQL_INSTANCE_NAME="SERVERNAME\INSTANCENAME" CONTENT_DIR=D:\WSUSDOMAIN\WSUSSERVER$) to access SUSDB. WSUS supports Windows authentication only. Enable TCP/IP for the SQL instance, configure a static port or SQL Browser as appropriate, and open the required firewall path. Note that Microsoft documents the connection between WSUS and a remote SQL database as not protected by TLS – keep this traffic on a trusted and controlled network segment.
Verify WSUS Installation
Get-WindowsFeature -Name *UpdateServices*All relevant features should show [X] (installed). Confirm WsusService is running:
Get-Service WsusServiceTune IIS After WSUS Installation, Before Clients Connect
Do this before the configuration wizard – it is part of completing the WSUS installation correctly. The default WsusPool settings cause problems under load and are documented by Microsoft.
Open IIS Manager → Application Pools → WsusPool → Advanced Settings:
| Setting | Recommended value | Why |
|---|---|---|
| Queue Length | 2000 | Default 1000 fills under scan storms, dropping connections |
| Idle Time-out (minutes) | 0 | Prevents pool shutdown between client scans |
| Ping Enabled | False | Prevents unnecessary pool recycling |
| Private Memory Limit (KB) | 0 (unlimited) | Default limit causes recycling and HTTP 503 errors under metadata cache load |
| Virtual Memory Limit (KB) | 0 (unlimited) | Same reason as Private Memory Limit |
| Regular Time Interval (minutes) | 0 | Disables periodic recycling that drops metadata cache |
Review these values against available RAM and client count for the specific deployment. Official reference: Microsoft WSUS best practices.
Ports and Firewall Rules for WSUS Installation
By default, the WSUS Administration website uses port 8530 for HTTP and 8531 for HTTPS. Custom ports are possible, so use the ports configured for your deployment.
- 8530 (HTTP): metadata sync and update payload downloads. Always required, even when SSL is configured.
- 8531 (HTTPS): encrypted metadata sync. Required if you configure SSL.
SSL in WSUS encrypts metadata only. Update payloads always transfer over HTTP and are protected by signed hash verification, not transport encryption.
| Component | Direction | Ports |
|---|---|---|
| Clients to WSUS server | Outbound from client | 8530 (always), 8531 (if SSL) |
| Downstream WSUS to upstream WSUS | Outbound from downstream | Upstream’s configured WSUS ports |
| Upstream WSUS to Microsoft Update | Outbound from WSUS server | 80 and 443 (no inbound needed) |
If your WSUS server is behind a firewall, confirm outbound 80/443 to Microsoft’s update endpoints is permitted. Refer to Microsoft’s current documentation for the required FQDNs rather than maintaining a static list.
SSL/TLS Configuration for WSUS Installation (Strongly Recommended for Production)
WSUS SSL/TLS encrypts metadata in transit – computer group membership, approval state, detection results. Payloads always go over HTTP regardless.
Certificate requirements: use a certificate whose SAN includes every hostname clients and administrators use to reach WSUS, including the FQDN and any required short name or DNS alias. The issuing CA must be trusted in the Local Computer certificate store on clients and downstream servers – not the user certificate store.
- Obtain and install the certificate in IIS (bind to the WSUS Administration site on port 8531)
- Keep the HTTP binding on 8530 – removing it breaks payload downloads
- In IIS, set Require SSL on these five virtual directories only:
ApiRemoting30,ClientWebService,DSSAuthWebService,ServerSyncWebService,SimpleAuthWebService - Run the following, passing the WSUS DNS name clients use in Group Policy. Do not pass a certificate thumbprint or display name:
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl wsus.yourdomain.com - Update client Group Policy to point to
https://wsus.yourdomain.com:8531
Common failure: the issuing CA is trusted only in the administrator’s Current User store. The administrator may see the certificate as trusted while the computer account, IIS, clients, or downstream servers do not. Verify the server certificate and CA chain in the Local Computer stores with certlm.msc.
Running the WSUS Installation Configuration Wizard
Open the WSUS console via Server Manager → Tools → Windows Server Update Services. The Post-Deployment Configuration Wizard launches on first open.
Upstream server:
- “Synchronize from Microsoft Update” – standalone server or top-level upstream
- “Synchronize from another Windows Server Update Services server” – downstream. Enter the upstream FQDN and port. Check “This is a replica of the upstream server” only for Replica mode (centralized administration, all approvals inherited from upstream)
Proxy: configure this page if the WSUS server must use a proxy to reach Microsoft Update. Supply credentials only when that proxy requires authentication.
Start Connecting: the wizard contacts Microsoft Update or the upstream server to retrieve the list of available products, classifications, and languages. This takes a few minutes.
Languages: select only what your environment requires. Always include English – updates are built on English base packages. Missing a required language means clients for that language will not see applicable updates.
Products: add only the operating systems you actually manage. Do not select the top-level Windows product family unless you intend to synchronize every product below it – select individual products. Product labels in the WSUS console can differ from the public Windows release name; select the product entry that explicitly applies to the managed release.
For a current SMB environment, this may include Windows 11 and Windows Server 2019, 2022, and 2025. Select Windows 10 only for devices still covered by an LTSC lifecycle, enrolled in Extended Security Updates, or intentionally retained as legacy systems. Windows 10 version 22H2 reached end of support on October 14, 2025.
Every enabled product increases the amount of metadata stored and processed by WSUS. Update payloads are downloaded separately according to the server’s local-storage and approval settings, so selecting a product does not immediately queue all of its update files.
Classifications – recommended starting baseline: Critical Updates, Security Updates, Updates. Add Definition Updates if you want WSUS to serve Windows Defender signature updates. These selections are a practical starting point, not a technical minimum for synchronization to succeed.
Sync schedule: configure automatic synchronization for an off-peak time, such as daily at 3:00 AM. On the final wizard page, select Begin initial synchronization if you want the first sync to start immediately; otherwise, start it later from the WSUS console.
Allow the initial synchronization to complete without restarting IIS, the WSUS service, or the server unless troubleshooting requires it. An interruption is recoverable, but it delays validation and can make the first-sync status harder to interpret. You can close the WSUS console – synchronization continues on the server.
Verifying a Successful WSUS Installation
After the first sync completes, check the Synchronizations view in the WSUS console. The most recent sync should show “Succeeded” with a count of updates found. Under Updates → All Updates, update metadata should be populated.
Server-side logs for sync failures:
- WSUS console → Synchronizations → open the failed synchronization entry for details
%ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log– the primary WSUS synchronization log- Event Viewer → Windows Logs → Application → Source: Windows Server Update Services
The WindowsUpdateClient/Operational log is a client-side log for diagnosing scan and download behavior on endpoints. It is not the primary log for server-side sync failures.
Verify WsusPool runtime state:
Import-Module WebAdministration
Get-WebAppPoolState -Name WsusPoolVerify the WSUS API responds:
Import-Module UpdateServices
Get-WsusServer -Name localhost -PortNumber 8530For SSL:
Get-WsusServer -Name wsus.yourdomain.com -PortNumber 8531 -UseSslConfirm clients can reach the WSUS server. Run from a client machine, not the WSUS server:
Test-NetConnection -ComputerName wsus.yourdomain.com -Port 8530For an SSL-enabled deployment, test both ports – 8531 carries the protected WSUS service traffic, while 8530 remains required for update content:
Test-NetConnection -ComputerName wsus.yourdomain.com -Port 8531If TcpTestSucceeded is False, verify DNS resolution, the configured WSUS port, IIS bindings, the WSUS Administration website state, WsusPool state, and network or host firewall rules.
Common WSUS Installation Failures
“The operation cannot be completed because the server requires a restart.” Reboot and retry. If the issue persists after a confirmed clean reboot, check event logs and servicing state before assuming a user-rights cause.
For a WID deployment, confirm that UpdateServices-WidDB is installed. For a SQL deployment, verify the exact server and instance name, SQL service state, enabled network protocol, SQL Browser or static port configuration, DNS resolution, firewall access, and the installed UpdateServices-DB role service. Then rerun WsusUtil.exe postinstall with the correct backend parameters.
HTTP.sys (System/PID 4) may hold the port from a previous WSUS install or another IIS site.
- Run
netstat -ano | findstr :8530to identify what is listening - If another process owns the port, stop it or reconfigure WSUS to use alternate ports
Common on upgraded servers. Verify the WSUS website exists in IIS, the Content and SelfUpdate virtual directories are configured, and required IIS components are present (Web-Net-Ext45, Web-Windows-Auth).
Confirm WsusService is running, WsusPool is started, and the console is connecting to the correct hostname and port. On a freshly installed server the console defaults to localhost.
Official Microsoft Sources
- Install the WSUS server role
- Configure WSUS
- Plan your WSUS deployment
- Migrate WSUS database from WID to SQL
- WSUS best practices and WsusPool settings
- Microsoft reversal of planned WSUS driver synchronization deprecation
- Features on Demand and language packs through WSUS
- Get-WebAppPoolState
- Default SQL Server network protocol configuration
WSUS on Windows Server
Installation & Configuration · Maintenance · Sync Failures · Content Download · Client Reporting · Console Recovery