Introduction to Windows Server Update Services (WSUS)

Before you start

Objectives: Learn what is WSUS server and why it is used.

Prerequisites: you have to know what are Windows updates.

Key terms: Windows Server Update Services, updates, Windows, WSUS, MBSA

 Managing Updates

Regardless of the size of our organization network, there is a need to manage and maintain operating system patches and updates. Update management can be done automatically or manually. It can also be done locally or trough the Microsoft update servers on the Internet.

As we know, updates can be managed on every Windows client using the Windows Update console. In home environments and in small organizations, we typically have our clients configured to automatically download and install updates from the Microsoft update servers on the Internet, as updates become available. In this case, each client independently downloads the same updates that other clients are downloading as well. The result of this is redundant traffic and bandwidth usage on the Internet connection. In addition, we have no control over what updates are downloaded and installed.

WSUS Server

We can save a significant amount of bandwidth and improve update management capabilities by deploying a centralized software update solution such as Windows Server Update Services (WSUS), System Center Essentials (SCE) or System Center Configuration Manager (SCCM). Mentioned software products function as a local Microsoft update server. Rather than each client downloads the same updates over the Internet connection, the local update server can download updates once to its local store, and then each client can retrieve the update from the local update server. This way we download updates only once.

System Center Essentials and System Center Configuration Manager build off of WSUS, which allows administrators to manage and maintain the local deployment of updates. The main disadvantages of relying on Microsoft update service on the Internet is updates are released according to Microsoft schedule. This prevents administrators from testing updates which could possibly case problems on a computer. If the computer is set to automatically install updates, this can sometimes lead to problems.

When we use a WSUS server,  we can manage when and which computers will install updates. This allows administrators to test updates and to control which clients will install them. WSUS also enables administrators to organize client computers into groups, which allows controlled deployment of updates. With this option we can deploy updates on some computers, but not others. WSUS also enables administrators to roll back or uninstall an update across all computers in the organization. We can also hide the update and in that way prevent it from being installed as well. We can also enforce the application of updates. We can manage computers on the WSUS server using groups. After creating the necessary groups we can configure clients to join a group either through Group Policies or by manually sign the computer the group in the WSUS console. Have in mind that the groups in WSUS are independent and not related to groups in Active Directory.

Group Policy and Updates

Windows Updates can be configured using Windows Update console or trough Group Policies. Settings in the Windows Update console focus on the using of Microsoft update server on the Internet. We can configure the same settings and much more in the Group Policy settings available under the Windows updates node, under Computer Configuration. Some of the more common group policy settings related to Windows updates are:

  • Configure automatic updates policy  – allows us to configure the update detection, download and installation settings. The setting in this policy are similar to those we can configure manually in the Windows Update console. This includes things such as the day and the time of day to check for updates or to automatically download updates and to notify us when they’re ready.
  • Specify update server location policy – enables us to specify the server name or address of an internal update server, such as our internal WSUS server. This policy is the only way we can configure Windows updates to use a different update server than the Microsoft update service on the Internet. It also allows us to configure the statistics server which clients use the report update installation information. Usually, the update server and the statistics server are on the same WSUS server.
  • Automatic updates detection frequency policy – allows us to configure how often Windows updates checks the local intranet update server for updates. This policy does not work if we configure our client to retrieve updates from the Windows update servers on the Internet.
  • No auto-restart policy – forces a client to wait until the currently logged on user logs off before restarting the computer, if the update requires a reboot. If this policy is left unconfigured, Windows update gives the logged on user a warning before restarting the computer to complete the update installation.
  • Enable client site targeting policy – can be used to configure which WSUS server group the computer should be placed in when it reports to the WSUS server. For this policy to work we also need to enable client site targeting on the WSUS server.

In addition to these common policies there are additional policies that can be used to manage Windows updates. These policies help administrators to manage the Windows update settings of a large or small group of Windows clients either through group policies and Active Directory, or trough local policies. By default, the Automatic Updates client communicates with the Microsoft Update server on the Internet for updates. When using WSUS, we have to configure the Automatic Updates client to get updates from our WSUS server.

How WSUS Works

The WSUS server scans the client computer for installed and needed updates the first time the computer contacts the WSUS server. After the administrator approves an update for client to install, the update is downloaded by the client the next time he contacts the WSUS server. The clients pull updates regardless of using the Windows update server on the Internet, or the local WSUS server. This means that we can’t push an update to the client unless they have contact to the WSUS server.

Microsoft Baseline Security Analyzer

In some situations, we might want to manually scan one or more computers on our network to determine if they are up-to-date and properly patched. The Microsoft Baseline Security Analyzer (MBSA) tool allows us to do just that. It can be downloaded for free from  We can use this tool on networks that do not have a WSUS server, to locate computers that are not up-to-date with security updates. It can also be used to scan for other security-related items in a network that has a WSUS server. So, we can use the MBSA tool to scan computers remotely instead of sitting behind each one and opening up the update history window in the Windows Update console. We can use the MBSA tool to check the computer for updates based on Microsoft update servers on the Internet, or scan a computer based on updates that are approved on a WSUS server.

In addition to report on installed or needed updates, the MBSA tool can be used to determine if there are problems with the computer security configuration, such as the presence of common vulnerabilities, use of weak passwords, guest account status, file-system type, file shares, and members of the Administrators group. We can use the MBSA tool to check for these issues on both client computers and servers in our environment. The benefit of being able to scan servers is that we can locate other vulnerabilities such as those that are present in IIS or Microsoft SQL servers.  We need administrative rights to perform MBSA scans.