WSUS: Best practice guide lines for WSUS installation, configuration and management

Windows Server Update Services (WSUS) is highly important services in a Microsoft infrastructure. WSUS provides automated delivery of service packs, hot fixes and update rollups to desktops and servers and keep them up to date. When you configure WSUS in an enterprise you have to consider maximum benefits you can get it from using minimum bandwidth and resources. However, you must provide WSUS server enough resources to run in optimum conditions and deliver up to the expectation over the years.

Capacity Planning

Capacity planning is the step 1 before deploying WSUS in an enterprise. There are number of factors you have to consider before deploying WSUS. The following hardware and database requirements are driven by the need of an organization.

  1. Number of clients and servers
  2. Frequency of update delivery
  3. Single server or multiple server deployment

Minimum requirements:

  1. CPU – Minimum 1 GHz, 1.5 GHz or faster is recommended
  2. RAM – Minimum 1 GB, 2 GB or more is recommended
  3. Both the system partition and the partition on which you install WSUS 3.0 SP2 must be formatted with the NTFS file system
  4. Minimum 1 GB of free space on the system partition
  5. Minimum 2 GB of free space on the volume on which database files will be stored
  6. Minimum 20 GB of free space on the volume on which content is stored, 30 GB is recommended
  7. Notice that WSUS 3.0 SP2 cannot be installed on compressed drives.
  8. Database – internal or SQL Express

But with this minimum hardware, WSUS server will not perform well when content and Data base log start growing. Recommended Systems that supports up to 25k clients:

  1. CPU- Intel Core 2 or Quad or Xeon
  2. RAM – 4GB
  3. Disk – at least 50 GB or more free space in Systems partition and 150GB or more disk space for WSUS content in separate partitions or DFS.
  4. Database – SQL Remote database or local SQL Express 2005 or later
  5. Windows Server 2003 (x64 or X86) or Windows Server 2008
  6. un-compressed NTFS Partitions

Bandwidth Management

WSUS is a bandwidth hungry systems in whole infrastructure. The decisions you make about how to synchronize with Microsoft Update have a dramatic effect on the efficient use of bandwidth. Set Synchronization schedule and download option when update is approve. To do this log on to WSUS front end Server as an administrator.

Start menu>Administrative Tools>WSUS>Update Services>Options>Synchronization Schedule

►Set Synchronisation schedule on later at night when nobody is at work.

Start menu>Administrative Tools>WSUS>Update Services>Options>Update Files and Languages

►Set download files to this server only when update is approved

►Download update only in these languages (check preferred language)

In a chain of WSUS servers (head office and branch office deployment) , WSUS automatically sets all downstream servers to use the deferred download option that is selected on the highest upstream server—in other words, the server that is directly connected to Microsoft Update. I would recommend not to use express installation option because this will download larger files then preferred download.

 Update Delivery: To manage bandwidth of internal networks, it’s better to deliver update based on internal network uses i.e. set update time when there will be no bottle neck in internal infrastructure.

Firewall Management

You have to configure the firewall (ISA or Forfront) that is positioned between Front End WSUS and the Internet to allow WSUS traffic pass through. Because WSUS initiates and synchronize with Microsoft update using port 80 and 443. there is no need to configure Windows Firewall on the WSUS server or Windows client. Only you have to allow WSUS server connect the following websites .

  • http://*
  • https://*
  • http://*
  • https://*
  • http://*
  • http://*

    Group Policy Management

    Managing GPO for WSUS client is easy. But you must not modify Default Domain Controller GPOs to add WSUS settings. After you set up a client computer, it will take a few minutes before it appears on the Computers page in the WSUS console. For client computers configured with an Active Directory-based GPO, it will take about 20 minutes after Group Policy refreshes (that is, applies any new settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0–30 minutes. For Windows XP SP2 and Windows Server SP2, you don’t need load administrative template of windows update in GPO.

    To configure the behaviour of Automatic Updates

    1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

    2. In the details pane, click Configure Automatic Updates.

    3. Click Enabled and select one of the following options:

    • Set Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.

    4. Click OK.

    To redirect Automatic Updates to a WSUS server

    1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

    2. In the details pane, click Specify Intranet Microsoft update service location.

    3. Click Enabled and type the HTTP URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http//WSUS:8530 in both WSUS server stat server.

    4. Click OK.

    To reschedule Automatic Update scheduled installation

    1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

    2. In the details pane, click Reschedule Automatic Update scheduled installations, click Enabled, and type the number of minutes to wait.

    3. Click OK.

    Database Management

    I would prefer to install SQL Express version with Management studio Express because it free and serve my purpose. So no to Windows Internal Database (WID). SQL Express will deliver optimum performance. For large scale deployment you can create separate SQL database server and use remote database in all front end servers.  The WSUS database i.e. Server\SUSDB stores the following types of information:

    1. WSUS server configuration information
    2. Metadata that describes each update
    3. Information about client computers, updates, and client interaction with updates

    Set Proper security in SUSDB as shown below


    Backup SUSDB regularly to save all config and client info as shown below.


    Cleanup WSUS Server

    You have to clean up WSUS server on and off to remove expired updates, downloads and computers. you can freed up storage by running clean up wizard. To run clean up wizard, Log on the WSUS server. Go to Start menu>Administrative Tools>WSUS SP2>Update Services>Options>Server Clean Up Wizard>Check Specific Options you want>Next>Finish. 

    Management of WSUS server

    WSUS supports deployments in both central and distributed management models. Centre Management means Front End WSUS server placed in head office will manage everything including update approval, database and also facing proxy and windows update. Rest of WSUS servers are place in branches and replicating main WSUS server. Distributed WSUS means every WSUS server placed in branch and head office works independently.

    The WSUS 3.0 SP2 administration console installed in Admin PC can be used to manage any WSUS server or Front End WSUS server placed in head office. WSUS can be managed from one of the following supported operating systems: Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 SP2 or later, Windows Small Business Server 2008 or 2003, Windows Vista, or Windows XP SP3. Also prerequisite must be installed.

    1. Microsoft .NET Framework 2.0 or later
    2. Microsoft Management Console 3.0
    3. Microsoft Report Viewer Redistributable 2008

    To open the WSUS administration console

    1. Click Start, point to Control Panel, point to Administrative Tools, and then click Windows Server Update Services 3.0 Sp2.

    2. If you are bringing up the remote console for the first time, you will see only Update Services in the left pane of the console.

    3. To connect to a WSUS server, in the Actions pane click Connect to Server.

    4. In the Connect To Server dialog box, type the name of the WSUS server and the port 8530 on which you would like to connect to it.

    5. If you wish to use SSL to communicate with the WSUS server, select the Use Secure Sockets Layer (SSL) to connect to this server check box. In this case use port 8531.

    6. Click Connect to connect to the WSUS server.

    7. You may connect to as many servers as you need to manage through the console.

    Related References:

    Minimum Systems Requirement Guide 

    Prerequisite software

    Install and configure WSUS SP2— Step by Step

    IIS Planning

    Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

  • About Raihan Al-Beruni

    My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
    This entry was posted in Windows Server and tagged , . Bookmark the permalink.

    28 Responses to WSUS: Best practice guide lines for WSUS installation, configuration and management

    1. althaf says:

      could you please give details about MS SQL2005/2008 database backup and restoration procedure.

      I would really appreciate for your time in this regard.


      • Raihan says:

        Hi Althaf,
        Install MSSQL Management Studio in WSUS server. Open Management console. Connect with database. Servername\MSSQLInstance.. Expand Database>right click an go for backup……..Right click on database… restore…. Becareful while restoring!! as I dont know your real case.


    2. Aaron says:

      Thanks for this excellent simple straight to the point guide.

      I am new to setting up WSUS and recently took over an established site.

      Just a few questions, someone have set up a Server 2003 as the “Front end” Server that download from MS and other Sever 2008 R2 to synchronized from the 2003 Server. Could this arrangement have impact in the overall performance?

      Thanks again.


    3. Skuzzles says:

      Great article! I really appreciate the guidlines. I’m a little confused though, maybe you can help me out.
      You mention 3 partitions… Can you elaborate a little more?

      What is the system partition? If you include the OS partition, will there be 4 in total?

      1. Win OS
      2. Sys partition
      3. database partition
      4. content partition

      I assume the content partition is where the patches will be stored? Should WSUS be installed on the same partition as the OS or is WSUS installation on the system partition? I would really appreciate some feedback.. thanks a lot!


      • WSUS can be installed in so many ways. to keep things neat and tidy, separate partitions are always good. WSUS can be installed on system partition however content must be in separate partition. you can select content location while installing wsus.


    4. Zakaria Erritouni says:

      I like this blog very good info


    5. kumar says:

      Thank you for the blog write up. I was reading the Microsoft WSUS 3.0 Deployment guide ( and thought you can explain a little about the sample configurations/max supported capacity section. I don’t understand the Client Synchronization and Updates column.

      1)I am guessing Delta Sync means sync between WSUS and clients ? In that case, whats the typical recommended sync frequency between WSUS server and MS Updates.

      2) What is Avg. requests per client mean ?

      3)In the 100K client scenario, how are the 2 FE and one BE servers connected ? (connection to MS updates site and also client connections).


      • 1. Sync with Microsoft Updates 2. no of update request/client 3. Two frontend server act as upstream server one backend server who deals with clients.

        What Microsoft doco saying is capacity planning for WSUS. if you dont have 100k clients you can do with upstream and downstream server. simple is that.


    6. kumar says:

      Also, in Database section, the document only talks about Windows Internal Database or FULL install of SQL and not SQL Server express. Is there a reason ? SQL Server Express is much better than WID since it can be installed with Management console which is not available in WID. Microsoft does not talk about SQL Server express because they want people to purchase full versions of SQL Server ?


    7. Carl says:

      I’m new in wsus and setup. i currently have all of my clients via gp to connect to windows update. The question i would like to configure wsus internally without any security issue. Eventhough i have it configured using default port 80… is it the same as having the client connected to windows update using port 80? Do you think that is worth it setting up a wsus for only 47 clients?


    8. PRASANNA KUMAR K S says:

      hi kumar,

      i am new for WSUS. Please help me how to export the client system updated report file in excel through command lines.

      please help me on this.

      Prasanna Kumar


    9. Glenn says:

      Hi Raihan,

      Thank you for a worderful ideas. I need your advise how to view the intranet website link for WSUS 2008? Im not joining the server and clients to domain, we are all in workgroup. Thanks


    10. Rakesh Kishnani says:

      Hello Raihan
      Your blog is very information & was very beatifully designed to clear the concept of how wsus works Thanks for the information


    11. Capricorn says:


      I have one Server OU and and all my servers are under that OU. I cant have more OU. I want to have 2 groups in WSUS. One Test and one production.
      Is there a way i can specify in the GPO to hit the Test first and dont do any thing with production.
      Can i have different policies in 1 gpo for different groups?



    12. Galeano says:

      Hi, really great post.
      Do you recommend install WSUS on the domain server?

      with which applications can coexist without problems wsus?



      • never install any application on DC other than Antivirus and backup software on a domain controller. do not install multiple role in domain controller unless you are a small business and you have only one server.


    13. Chad says:

      Thanks for the great guide! Answered most of the questions I had. One thing though, I am going to install WSUS and MDT on the same server (2008r2) and SQL Express 2008r2 w/managtools. The SQL express is needed for MDT, can WSUS use it as well. The server will support about 50 users for now but down the road may be upstream for branch offices as well.


    Leave a Reply

    Fill in your details below or click an icon to log in: Logo

    You are commenting using your account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s