How to Set Up WSUS Server on Azure/AWS/GCP

Set up WSUS on Azure, AWS or Google GCP running on Windows Server 2022 or 2019. Windows Server Update Services (WSUS) lets admins deploy the latest Microsoft product updates to the computers and servers on their network, both in the cloud and on-premises. WSUS provides features for managing and distributing updates through a management console. A WSUS server can also be the update source for other WSUS servers within your organization; the WSUS server that acts as an update source is called an upstream server. In a WSUS implementation, at least one WSUS server on your network must be able to connect to Microsoft Update to get available update information.

WSUS Cloud Solution

WSUS Features

Use WSUS (Windows Server Update Services) in Azure, AWS or GCP to manage your server and computer updates both in the cloud and on-premises. It is a great solution whether you're a fully cloud organization or a hybrid one. Runs on Windows Server 2022 or 2019.

 

  • Manage Microsoft product updates for Azure VMs, other cloud platforms and on-premise servers and computers.
  • Product or product family (for example, Windows Server 2019 or Microsoft Office).
  • Update category (for example, Critical Updates, and Drivers).
  • Specify a schedule for synchronization to initiate automatically.
  • Enforce a deadline for install or remove (uninstall) update approvals.
  • Create an automatic approval action for specific types of updates.
  • Targeting enables administrators to deploy updates to specific computers and groups of computers.
  • Optional integration with Azure Update Management.
  • WSUS servers can be scaled out to handle any number of clients.
  • Runs on Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) database.
  • Advanced reporting on update status, compliance status, computer status, sync status and much more.

Getting Started with WSUS Server

RDP into Cloud Windows Server

Once you’ve deployed WSUS on Windows Server, the first step is to RDP into the new instance after it has fully booted up. The following links explain how to connect to the VM once it has finished being deployed:

 

 

Once logged in, you’re now ready to start setting up WSUS according to your requirements:

Install WSUS / Configuration Steps

1.) Choose WSUS Updates Storage Location

From the desktop, launch “Windows Server Update Services”. A window opens asking where you would like to store your updates. You can store them locally on your WSUS server; for example, create a local folder called C:\WSUS.

Click Run and, once it completes, click Close to launch the WSUS Administration Console.

2.) WSUS Prerequisites

Before you get started, check the following:

  1. Is the WSUS server firewall configured to allow clients to access the server?
  2. Can this server connect to the upstream server (such as Microsoft Update)?
  3. Do you have user credentials for any proxy servers you use, if needed?

Click Next to get started. On the Microsoft Update Improvement Program screen, click Next.

3.) Choose WSUS Upstream Server

You can choose the upstream server from which your WSUS server synchronizes updates. For example, you might have other WSUS servers in your network as part of a WSUS server hierarchy. If this is your only WSUS server, select Synchronize from Microsoft Update.

WSUS Firewall Rules - URLs to Whitelist on Your Firewall

If a corporate firewall is between WSUS and the internet, you might have to configure that firewall to ensure that WSUS can get updates. To get updates from Microsoft Update, the WSUS server uses ports 80 and 443 for the HTTP and HTTPS protocols. Although most corporate firewalls allow this type of traffic, some companies restrict internet access from the servers because of security policies. If your company restricts access, you’ll need to configure your firewall to allow your WSUS server to access Microsoft domains.

Here is a complete list of WSUS URLs to whitelist on your firewall

4.) Configure a Proxy Server

If you use a proxy server to connect to the internet, enter your proxy information; otherwise leave the defaults and click Next.

On the next screen you may be asked to start connecting. Click the Start Connecting button.

5.) Choose Language

On the next screen select your language and press Next.

6.) Select Products for Microsoft Updates

Select the products that you use within your corporation and these are the updates that your server will get from Microsoft.

7.) Choose Update Classifications

Next, select the update classifications you want to download. For example:

 

  • Critical Updates
  • Definition Updates
  • Security Updates
  • Upgrades
  • etc

8.) Configure Sync Schedule

Next, configure how you want to schedule your update synchronization from Microsoft.

9.) Begin Initial WSUS Synchronization

You’re now ready to start an initial synchronization from Microsoft Update to your WSUS server. You can start now or leave it until later. Press Next to start the sync. Once complete, press Finish.

 

Note: If you have a firewall in your corporation that controls internet access for your servers, remember to whitelist the Microsoft Update URLs.

 

Here is a complete list of WSUS URLs to whitelist on your firewall
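The wizard steps above can also be scripted with the UpdateServices PowerShell module that ships with the WSUS role. The script below is an added example, not part of the original guide; the content folder, language, product title, classification selection and sync time are assumptions to replace with your own choices, and it assumes no proxy is needed (step 4).

```powershell
# Added example: scripted equivalent of wizard steps 1-9 (run elevated on the WSUS server).
# Assumed values: C:\WSUS, English only, 'Windows Server 2019', one sync per day at 00:00 UTC.
Import-Module UpdateServices

# Step 1: set the update storage location (WSUS post-install task).
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS

$wsus = Get-WsusServer   # local WSUS server

# Step 3: synchronize directly from Microsoft Update (no upstream WSUS server).
Set-WsusServerSynchronization -SyncFromMU | Out-Null

# Step 5: download updates for the selected language only.
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# The product and classification lists are empty until a category sync has run.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
do { Start-Sleep -Seconds 10 }
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# Step 6: enable only the products you actually run.
$products = @('Windows Server 2019')
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -in $products } | Set-WsusProduct

# Step 7: enable only the classifications you want to download.
$classes = @('Critical Updates', 'Definition Updates', 'Security Updates', 'Upgrades')
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $classes } | Set-WsusClassification

# Step 8: automatic synchronization once a day (time of day is in UTC).
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 0
$subscription.NumberOfSynchronizationsPerDay = 1
$subscription.Save()

# Step 9: start the initial full synchronization.
$subscription.StartSynchronization()
```

Limiting products and classifications to what you run keeps the initial synchronization and the content folder small.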

Using Windows Server Update Services (WSUS) Console

You’re now ready to start using the WSUS admin console. To access the console, click Windows Server Update Services on the desktop, or:

 

  • On your WSUS server, click Start, point to All Programs, point to Administrative Tools, and then click Microsoft Windows Server Update Services.

WSUS Documentation

To learn about all the configuration options, refer to the Microsoft documentation on using the WSUS Console:

 

https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus

Configure WSUS computer groups

You can create as many custom computer groups as you need to manage updates in your organization. As a best practice, create at least one computer group to test updates before you deploy them to other computers in your organization.

 

Refer to Microsoft documentation on best practices for setting up WSUS computer groups.

Approve and Deploy WSUS Updates

On the WSUS Administration Console, click Updates. In the right pane, an update status summary is displayed for All Updates, Critical Updates, Security Updates, and WSUS Updates. 

 

In the All Updates section, click Updates needed by computers.

 

Follow the steps on approving and deploying updates from the following Microsoft documentation.

Deploy WSUS Updates to Clients via GPO

When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy.

 

Check the following Microsoft documentation on how to set up a GPO to deploy WSUS updates to your clients:

https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wsus
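Once the GPO is linked, you can confirm on a client that the policy has landed and that the WSUS port is reachable. The function below is an added example, not part of the original guide; it reads the registry values written by the "Specify intranet Microsoft update service location" policy and flags a client that is not using WSUS or that reaches it over plain HTTP (default port 8530) rather than HTTPS (default port 8531). The function name is hypothetical.

```powershell
# Added example: audit the WSUS client policy on this machine (run on a client).
function Get-WsusClientPolicy {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $findings  = @()
    $reachable = $null

    if (-not $wu.WUServer) {
        $findings += 'No WUServer value: the WSUS GPO has not applied to this client.'
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client still uses Microsoft Update directly.'
    }
    if ($wu.WUServer) {
        $uri = [uri]$wu.WUServer
        if ($uri.Scheme -ne 'https') {
            $findings += 'WUServer uses HTTP: update metadata is not protected in transit.'
        }
        # TCP check against the host and port taken from the policy itself.
        $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        PortReachable  = $reachable
        Findings       = $findings
    }
}

Get-WsusClientPolicy | Format-List
```

Run `gpupdate /force` first if the GPO was linked only recently.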

WSUS Firewall Ports / Rules

Configure your firewall to allow client computers to access your WSUS server. The client computer must have outbound access to two ports on the WSUS server. By default, these are ports 8530 and 8531. These are already enabled on your WSUS server, but if you’re using other firewalls in your corporation it’s good to check that these ports are whitelisted there as well.

 

If you’re using a proxy server on your network, you must configure WSUS with the proxy server’s name and port number. WSUS uses port 80 and port 443 to communicate with Microsoft’s update servers. These ports must be open on your firewall to allow WSUS to synchronize updates.

WSUS server must have outbound access to ports 80 and 443 on the following domains:

 

  • http://windowsupdate.microsoft.com
  • http://*.windowsupdate.microsoft.com
  • https://*.windowsupdate.microsoft.com
  • http://*.update.microsoft.com
  • https://*.update.microsoft.com
  • http://*.windowsupdate.com
  • http://download.windowsupdate.com
  • https://download.microsoft.com
  • http://*.download.windowsupdate.com
  • http://wustat.windows.com
  • http://ntservicepack.microsoft.com
  • http://go.microsoft.com
  • http://dl.delivery.mp.microsoft.com
  • https://dl.delivery.mp.microsoft.com
  • http://*.delivery.mp.microsoft.com
  • https://*.delivery.mp.microsoft.com
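To verify the outbound rules from the WSUS server itself, the added example below (not part of the original guide) runs a TCP test against each concrete host in the list above, taking the port from the URL scheme. Wildcard entries cannot be resolved, so they are reported for manual review in the firewall policy. The function name is hypothetical.

```powershell
# Added example: test outbound access from the WSUS server to the hosts listed above.
$wsusUrls = @(
    'http://windowsupdate.microsoft.com'
    'http://*.windowsupdate.microsoft.com'
    'https://*.windowsupdate.microsoft.com'
    'http://*.update.microsoft.com'
    'https://*.update.microsoft.com'
    'http://*.windowsupdate.com'
    'http://download.windowsupdate.com'
    'https://download.microsoft.com'
    'http://*.download.windowsupdate.com'
    'http://wustat.windows.com'
    'http://ntservicepack.microsoft.com'
    'http://go.microsoft.com'
    'http://dl.delivery.mp.microsoft.com'
    'https://dl.delivery.mp.microsoft.com'
    'http://*.delivery.mp.microsoft.com'
    'https://*.delivery.mp.microsoft.com'
)

function Test-WsusEndpoint {
    param([Parameter(Mandatory)][string[]]$Url)

    foreach ($u in $Url) {
        if ($u -match '\*') {
            # A wildcard is a firewall rule pattern, not a host name that can be tested.
            [pscustomobject]@{ Url = $u; Port = $null; Reachable = $null
                               Note = 'wildcard: verify in the firewall policy' }
            continue
        }
        $uri = [uri]$u   # .Port defaults to 80 for http and 443 for https
        $ok = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Url = $u; Port = $uri.Port; Reachable = $ok; Note = '' }
    }
}

Test-WsusEndpoint -Url $wsusUrls | Format-Table -AutoSize
```

This is a direct TCP test, so hosts will show as unreachable on a server that only reaches the internet through a proxy.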

To set up AWS firewall rules refer to – AWS Security Groups

To set up Azure firewall rules refer to – Azure Network Security Groups

To set up Google GCP firewall rules refer to – Creating GCP Firewalls

WSUS Support

If you have any questions or need help getting your WSUS server up and running, reach out to us.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.
