Set up WSUS on Azure, AWS or Google GCP running on Windows Server 2022 or 2019. Windows Server Update Services (WSUS) lets admins deploy the latest Microsoft product updates to the computers and servers on your network, both in the cloud and on-premises. The WSUS server provides features you can use to manage and distribute updates through a management console. A WSUS server can also be the update source for other WSUS servers within your organization; the WSUS server that acts as an update source is called an upstream server. In any WSUS implementation, at least one WSUS server on your network must be able to connect to Microsoft Update to get available update information.
WSUS Cloud Solution
Use WSUS (Windows Server Update Services) in Azure, AWS or GCP to manage your server and computer updates both in the cloud and on-premises. It is a good fit whether you are a fully cloud organization or a hybrid one. Runs on Windows Server 2022 or 2019.
- Manage Microsoft product updates for Azure VMs, other cloud platforms and on-premises servers and computers.
- Choose what to synchronize by product or product family (for example, Windows Server 2019 or Microsoft Office).
- Choose what to synchronize by update classification (for example, Critical Updates or Drivers).
- Specify a schedule so synchronization starts automatically.
- Enforce a deadline on install or uninstall approvals.
- Create automatic approval rules for specific types of updates.
- Targeting lets administrators deploy updates to specific computers and groups of computers.
- Optional integration with Azure Update Management.
- WSUS can be scaled out with downstream (replica) servers to serve large numbers of clients.
- Stores its metadata in the Windows Internal Database (WID) by default; a full SQL Server instance can be used instead.
- Reporting on update status, compliance status, computer status, sync status and more.
Getting Started with WSUS Server
RDP into Cloud Windows Server
Once you’ve deployed WSUS on Windows Server, the first step is to RDP into the new instance after it has fully booted. The following links explain how to connect to the VM once deployment has finished:
- How to RDP to AWS Windows Instance
- How to RDP to Google GCP Windows Instance
- How to RDP to Azure Windows Virtual Machine
Once logged in, you’re now ready to start setting up WSUS according to your requirements:
Install WSUS / Configuration Steps
1.) Choose WSUS Updates Storage Location
From the desktop, launch “Windows Server Update Services”. A window opens asking where you would like to store the downloaded updates. You can store them locally on the WSUS server, for example in a folder such as C:\WSUS; pick a volume with enough free space, because the content store grows with every product and classification you enable.
Click Run. Once the post-installation tasks complete, click Close to launch the WSUS Administration Console and its configuration wizard.
2.) WSUS Prerequisites
Before you get started, make sure that:
- The WSUS server firewall is configured to allow clients to reach the server.
- This server can connect to its upstream server (such as Microsoft Update).
- You have credentials for any proxy server the WSUS server must go through, if needed.
Click Next to get started. On the Microsoft Update Improvement Program page, click Next.
3.) Choose WSUS Upstream Server
Choose the upstream server from which this WSUS server synchronizes updates. For example, you might have other WSUS servers in your network as part of a WSUS server hierarchy. If this is your only WSUS server, select Synchronize from Microsoft Update.
WSUS Firewall Rules - URLs to Whitelist on Your Firewall
If a corporate firewall is between WSUS and the internet, you might have to configure that firewall to ensure that WSUS can get updates. To get updates from Microsoft Update, the WSUS server uses ports 80 and 443 for the HTTP and HTTPS protocols. Although most corporate firewalls allow this type of traffic, some companies restrict internet access from the servers because of security policies. If your company restricts access, you’ll need to configure your firewall to allow your WSUS server to access Microsoft domains.
4.) Configure a Proxy Server
On the Specify Proxy Server page, enter the proxy name, port and credentials if this server reaches the internet through a proxy; otherwise leave the option unselected. On the Connect to Upstream Server page, press Start Connecting. The wizard downloads the product and classification catalog from the upstream server, which can take several minutes.
5.) Choose Language
On the next screen, select the languages in which to download updates and press Next. Fewer languages means a smaller content store.
6.) Select Products for Microsoft Updates
Select the products that you use within your corporation and these are the updates that your server will get from Microsoft.
7.) Choose Update Classifications
Next, select the update classifications you want to download, for example:
- Critical Updates
- Definition Updates
- Security Updates
8.) Configure Sync Schedule
Next, configure whether synchronization from Microsoft runs manually or automatically and, if automatically, the time of the first sync and the number of syncs per day.
9.) Begin Initial WSUS Synchronization
You’re now ready to start an initial synchronization from Microsoft Update to your WSUS server. You can start it now or leave it until later. Press Next to start the sync, and once it completes press Finish.
Note: If you have a firewall in your corporation that controls internet access for your servers, remember to whitelist the Microsoft Update URLs.
Here is a complete list of WSUS URLs to whitelist on your firewall
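The nine wizard steps above can also be scripted, which is useful when you rebuild the server or stand up a second one. The following is an added example using the UpdateServices PowerShell module and the WSUS administration API that ship with the role; it is not code from the original page. The content folder, proxy host, products, classifications and sync time are assumed values; change them to match your estate.

```powershell
# Added example: scripted equivalent of configuration steps 1-9.
# Assumed (hypothetical) values: content store C:\WSUS, optional proxy on port 8080,
# products Windows Server 2019 and 2022, three classifications, English only, daily sync at 02:00.
param(
    [string]$ContentDir = 'C:\WSUS',
    [string]$ProxyHost  = '',       # leave empty when no proxy is needed
    [int]   $ProxyPort  = 8080
)

# Step 1: the post-install task sets the update storage location. Skip this line if you
# already clicked Run in the first-launch dialog; it only needs to run once.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall "CONTENT_DIR=$ContentDir"

Import-Module UpdateServices
$wsus   = Get-WsusServer              # local server, default port 8530
$config = $wsus.GetConfiguration()

# Step 3: this is the only / top-level server, so synchronize from Microsoft Update
Set-WsusServerSynchronization -SyncFromMU

# Step 4: proxy, only when outbound 80/443 must go through one
if ($ProxyHost) {
    $config.UseProxy        = $true
    $config.ProxyName       = $ProxyHost
    $config.ProxyServerPort = $ProxyPort
}

# Step 5: download English updates only (keeps the content store small)
$langs = New-Object System.Collections.Specialized.StringCollection
$null  = $langs.Add('en')
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages($langs)
$config.Save()

# Step 6: products. Disable everything, then enable only what this estate runs.
# Windows Server 2022 is listed in the catalog as "Microsoft Server operating system-21H2".
# The full product list is only available after the first catalog sync; re-run this
# section if a title is missing.
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct |
    Where-Object { $_.Product.Title -in @('Windows Server 2019', 'Microsoft Server operating system-21H2') } |
    Set-WsusProduct

# Step 7: classifications
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in @('Critical Updates', 'Definition Updates', 'Security Updates') } |
    Set-WsusClassification

# Step 8: automatic sync once a day at 02:00 server time
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::FromHours(2)
$sub.NumberOfSynchronizationsPerDay    = 1
$sub.Save()

# Step 9: start the initial sync and wait for it (the first one can take an hour or more)
$sub.StartSynchronization()
do {
    Start-Sleep -Seconds 30
    $status = $sub.GetSynchronizationStatus()
} while ($status -ne 'NotProcessing')
$sub.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result
```

Run it in an elevated PowerShell session on the WSUS server. If the final `Result` is not `Succeeded`, check the proxy settings and the firewall rules for ports 80 and 443 first; those two account for most failed initial syncs.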
Using Windows Server Update Services (WSUS) Console
You’re now ready to start using the WSUS Administration Console. To open it, click Windows Server Update Services on the desktop, or:
- On your WSUS server, open Server Manager, click Tools, and then click Windows Server Update Services. (On older releases the console is under Start > All Programs > Administrative Tools.)
To learn about all the configuration options, refer to Microsoft documentation on using WSUS Console
Configure WSUS computer groups
You can create as many custom computer groups as you need to manage updates in your organization. As a best practice, create at least one computer group to test updates before you deploy them to other computers in your organization.
Refer to Microsoft documentation on best practices for setting up WSUS computer groups.
Approve and Deploy WSUS Updates
On the WSUS Administration Console, click Updates. In the right pane, an update status summary is displayed for All Updates, Critical Updates, Security Updates, and WSUS Updates.
In the All Updates section, click Updates needed by computers.
Follow the steps on approving and deploying updates from the following Microsoft documentation.
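The test group recommended above, together with an approval that targets only that group and carries a deadline, can be done from PowerShell instead of the console. The following is an added example and not code from the original page; the group names `Pilot` and `Production` and the host name `PILOT-SRV01` are assumed. It uses the WSUS API's `Approve` method because the `Approve-WsusUpdate` cmdlet has no deadline parameter.

```powershell
# Added example: create a Pilot and a Production computer group, approve pending
# security updates to Pilot only with a 7-day deadline, and report ring compliance.
# Assumed (hypothetical) names: groups 'Pilot' / 'Production', pilot host 'PILOT-SRV01'.
Import-Module UpdateServices
$wsus = Get-WsusServer

# Client-side targeting lets each machine's policy choose its group; the groups must still
# exist on the server first.
$config = $wsus.GetConfiguration()
$config.TargetingMode = 'Client'
$config.Save()

foreach ($name in 'Pilot', 'Production') {
    if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $name)) {
        $null = $wsus.CreateComputerTargetGroup($name)
    }
}

# Server-side alternative for a single known machine
Get-WsusComputer -NameIncludes 'PILOT-SRV01' | Add-WsusComputer -TargetGroupName 'Pilot'

# Approve every unapproved security update that at least one client still needs:
# install only, Pilot only, deadline in 7 days. Nothing is approved for Production here.
$pilot    = $wsus.GetComputerTargetGroups() | Where-Object Name -eq 'Pilot'
$deadline = (Get-Date).AddDays(7)
$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

$pending = Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded
foreach ($u in $pending) {
    # Leave updates with an unreviewed licence agreement for a human to approve
    if ($u.Update.RequiresLicenseAgreementAcceptance) { continue }
    $null = $u.Update.Approve($install, $pilot, $deadline)
    '{0}  {1}' -f $u.Update.Id.UpdateId, $u.Update.Title
}

# Ring compliance: which Pilot machines still need or have failed something
$pilot.GetComputerTargets() | ForEach-Object {
    $s = $_.GetUpdateInstallationSummary()
    [pscustomobject]@{
        Computer     = $_.FullDomainName
        NotInstalled = $s.NotInstalledCount
        Failed       = $s.FailedCount
        LastReport   = $_.LastReportedStatusTime
    }
} | Format-Table -AutoSize
```

Promote to Production only after the compliance table for Pilot shows no failures; the same loop with `$pilot` swapped for the Production group does that, and the deadline is what forces stragglers to install on schedule.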
Deploy WSUS Updates to Clients via GPO
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy.
Check the following Microsoft documentation on how to setup a GPO to deploy WSUS updates to your clients:
WSUS Firewall Ports / Rules
Configure your firewall to allow client computers to access your WSUS server. Clients need outbound access to two ports on the WSUS server: by default, 8530 for HTTP and 8531 for HTTPS. These are already enabled on the WSUS server image, but if other firewalls sit between clients and the server, check that both are allowed there too. Prefer pointing clients at the HTTPS port: with a plain http:// WSUS URL, anyone who can intercept traffic between a client and the server can tamper with what the client is told to install, so Microsoft recommends configuring WSUS for TLS and using https:// URLs in the client policy.
If you’re using a proxy server on your network, you must configure WSUS with the proxy server’s name and port number. WSUS itself uses ports 80 and 443 to communicate with Microsoft’s update servers, and these must be open on your firewall for WSUS to synchronize updates.
WSUS server must have outbound access to ports 80 and 443 on the following domains:
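The GPO section and the firewall section above fit together: the server must expose 8531 with a certificate before a GPO can safely point clients at an https:// URL. The following added example covers both sides; it is not code from the original page. The server name `wsus.corp.example`, the OU path, the GPO name and the `Pilot` group are assumed, and a certificate for the server name is assumed to be installed already in the machine store.

```powershell
# Added example: (a) server side - firewall rules, TLS on 8531 and the SSL-required WSUS
# virtual directories; (b) a GPO that sends clients to the HTTPS endpoint with client-side
# targeting; (c) a client-side check. Assumed (hypothetical) values below.
$Fqdn = 'wsus.corp.example'
$Ou   = 'OU=Servers,DC=corp,DC=example'

# ---- (a) On the WSUS server ----
Import-Module NetSecurity, WebAdministration

New-NetFirewallRule -DisplayName 'WSUS HTTP 8530'  -Direction Inbound -Protocol TCP -LocalPort 8530 -Action Allow
New-NetFirewallRule -DisplayName 'WSUS HTTPS 8531' -Direction Inbound -Protocol TCP -LocalPort 8531 -Action Allow

# The role install creates the 8531 binding without a certificate; attach one for the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "CN=$Fqdn*" | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn in the machine store" }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!8531' -Value $cert

# Require SSL on the virtual directories clients and downstream servers talk to
foreach ($vdir in 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService', 'ServerSyncWebService', 'SimpleAuthWebService') {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "WSUS Administration/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}
# Tell WSUS its client-facing URL is now https://<FQDN>:8531
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $Fqdn

# ---- (b) On a machine with the GroupPolicy RSAT module ----
Import-Module GroupPolicy
$GpoName = 'WSUS Clients'
$Wu      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$null = New-GPO -Name $GpoName
$null = New-GPLink -Name $GpoName -Target $Ou

# HTTPS endpoint for both update and status traffic (${Fqdn} avoids PowerShell reading "$Fqdn:" as a scope)
Set-GPRegistryValue -Name $GpoName -Key $Wu -ValueName 'WUServer'       -Type String -Value "https://${Fqdn}:8531"
Set-GPRegistryValue -Name $GpoName -Key $Wu -ValueName 'WUStatusServer' -Type String -Value "https://${Fqdn}:8531"
# Client-side targeting: machines under this OU land in the server's 'Pilot' group
Set-GPRegistryValue -Name $GpoName -Key $Wu -ValueName 'TargetGroupEnabled' -Type DWord -Value 1
Set-GPRegistryValue -Name $GpoName -Key $Wu -ValueName 'TargetGroup'        -Type String -Value 'Pilot'
# Do not accept intranet updates signed by anyone other than Microsoft
Set-GPRegistryValue -Name $GpoName -Key $Wu -ValueName 'AcceptTrustedPublisherCerts' -Type DWord -Value 0
# Automatic Updates: use the WSUS server, auto-download and schedule the install
Set-GPRegistryValue -Name $GpoName -Key "$Wu\AU" -ValueName 'UseWUServer'  -Type DWord -Value 1
Set-GPRegistryValue -Name $GpoName -Key "$Wu\AU" -ValueName 'NoAutoUpdate' -Type DWord -Value 0
Set-GPRegistryValue -Name $GpoName -Key "$Wu\AU" -ValueName 'AUOptions'    -Type DWord -Value 4

# ---- (c) On a client, after gpupdate /force ----
$p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if ($p.WUServer -notlike 'https://*') { Write-Warning "WSUS URL is not HTTPS: $($p.WUServer)" }
Test-NetConnection -ComputerName $Fqdn -Port 8531 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()   # force an immediate check-in
```

The order matters: run part (a) and confirm `Test-NetConnection` succeeds on 8531 from a client before linking the GPO, otherwise clients that receive the https:// URL early will fail to check in until the certificate binding is in place. Part (c) is the quickest way to confirm a client is reporting to the intended server and group.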