How to Configure WSUS on Windows Server (2026)

WSUS (Windows Server Update Services) allows IT administrators to manage and approve Windows updates centrally, controlling exactly which updates are deployed to which machines and when. This guide covers how to install and configure WSUS on Windows Server 2019 and 2022 in 2026.

Prerequisites

• Windows Server 2019 or 2022
• At least 40GB free disk space for the WSUS content store (more for large environments)
• 4GB RAM minimum — 8GB recommended
• SQL Server or Windows Internal Database (WID) — WID is fine for most environments
• Outbound internet access to Microsoft Update servers

Step 1 — Install the WSUS Role

# Install WSUS with Windows Internal Database via PowerShell
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Verify installation
Get-WindowsFeature -Name UpdateServices

Step 2 — Run Post-Installation Configuration

# Run WSUS post-installation setup - specify your content store path
# This downloads the initial configuration files from Microsoft
& "C\:Program Files\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=D:WSUS

Step 3 — Configure WSUS via the Console

1. Open Windows Server Update Services from Server Manager → Tools
2. The WSUS Configuration Wizard will launch — click Next
3. Choose whether to sync from Microsoft Update or an upstream WSUS server
4. If using a proxy, configure proxy settings
5. Click Start Connecting — WSUS will contact Microsoft and download available product and classification data
6. Select which Products to update — at minimum select Windows 10, Windows 11 and Windows Server 2019/2022
7. Select which Classifications to sync — Critical Updates, Security Updates and Definition Updates are the minimum recommended
8. Set a Sync Schedule — daily at 3am is typical
9. Click Finish

Step 4 — Configure Clients via Group Policy

1. Open Group Policy Management Console
2. Create a new GPO linked to your domain or workstations OU
3. Navigate to Computer Configuration → Administrative Templates → Windows Components → Windows Update → Manage updates offered from Windows Server Update Service
4. Enable Specify intranet Microsoft update service location and set both URLs to your WSUS server: http://wsus-server:8530
5. Enable Configure Automatic Updates and set to 4 — Auto download and schedule the install
6. Set your preferred install day and time

Step 5 — Approve Updates

WSUS does not deploy updates automatically until you approve them. In the WSUS console go to Updates → All Updates, filter by Unapproved and approve Critical and Security updates for your computer groups. Create computer groups to stage deployments — for example approve to a Test group first, then All Computers after verification.

WSUS Maintenance — Keep It Healthy

# Run WSUS cleanup via PowerShell - run monthly
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$cleanupScope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$cleanupScope.DeclineSupersededUpdates = $true
$cleanupScope.DeclineExpiredUpdates = $true
$cleanupScope.CleanupObsoleteUpdates = $true
$cleanupScope.CompressUpdates = $true
$cleanupScope.CleanupObsoleteComputers = $true
$cleanupScope.CleanupUnneededContentFiles = $true
$cleanupManager = $wsus.GetCleanupManager()
$cleanupManager.PerformCleanup($cleanupScope)

Frequently Asked Questions

About The Author

Andrew Armstrong

Andrew Armstrong is a UK-based IT professional with 26+ years of hands-on experience in Windows, Windows Server, SCCM/ConfigMgr, Active Directory, PowerShell, and enterprise infrastructure. He founded TechyGeeksHome in 2010 and has published over 1,500 practical guides covering real-world IT problems and solutions. When not solving IT problems, Andrew develops free Windows utilities including Ultimate Settings Panel, which has been downloaded over 850,000 times.

See author's posts