In this tutorial, we will see how to install the WSUS (Windows Server Update Services) role on Windows Server 2025, which will allow you to have a server in your environment to control the distribution of updates for Microsoft products (Windows, Office, SQL Server, etc.). The WSUS role is also a “component” of MECM, because it relies on the WSUS service to manage update packages.
WSUS is found in companies mainly for 2 reasons:
- Manage the deployment of updates and have installation reports to know if the computer park is up to date. This management also allows you to control the installation time of Microsoft updates and therefore avoid an uncontrolled installation from Windows Update on computers and to wipe bugs related to updates.
- Bandwidth saving, storage on a centralized server avoids downloading updates from the Internet for each computer (Today it is possible to no longer store updates locally while saving BP).
To work, WSUS needs a database and there are three solutions:
- WID: Windows Internal Database which is a Microsoft embedded database with no size limit but with poor performance, this is the default option.
- SQL Express: which is the solution that we will see in this tutorial, which is the best compromise between cost and performance, this type of database can be used in an environment of 1500 to 2500 computers before reaching the size limits of 10Gb imposed by SQL Express
- SQL Server which is the type of database to use for large IT systems.
Before installing the WSUS role, we will install SQL Server 2022 Express on our WSUS server. Regarding hardware requirements, plan for at least 2CPU with 8Gb of memory and two hard drives, the first for the system and the second for storing updates and the database, the size of this second disk will mainly depend on whether you store updates on the server and also on the number of products and types of updates that you will manage.
In September 2024, Microsoft announced the end of development of the WSUS role, it will still be present on Windows Server 2025, but from now on, we must think about looking for a patch management solution to anticipate the end of WSUS.
Install SQL Server Express for WSUS
Start by downloading SQL Express from the Microsoft website, at the time of writing this tutorial I was using the version SQL Server 2022 Express.
Once downloaded, run the file.
Select installation type: Basic 1.
Click the Accept button 1 to accept the terms of the license agreement.
If necessary, change the installation location and then click Install 1.
Please wait while SQL Server Express is downloaded and installed…
SQL Server Express is installed, click the Close button 1.
Restart the server.
We will now move on to installing the WSUS role.
Installing WSUS Role on Windows Server 2025
From Server Manager, launch the wizard by clicking Add Roles and Features 1.
When launching the wizard, click on the Next button 1.
Choose: Role-based or feature-based installation 1 and click the Next button 2.
Select the server 1 where the WSUS role will be deployed and then click Next 2.
In the list of roles, check the Windows Server Update Services (WSUS) Service 1 box.
The WSUS role requires adding several features to Windows Server, including the IIS role for the web server, click the Add Features button 1.
With the roles (WSUS and IIS) selected, click the Next button 1 in the wizard.
Skip the list of features by clicking Next 1.
A summary of the WSUS role is displayed, click Next 1.
As you can see, by default WSUS is configured to use the internal WID database.
Uncheck WID Connectivity 1 then check SQL Server Connectivity 2 then click the Next button 3.
Specify the location 1 where the updates are stored on the server and then click Next 2.
Here for the lab I used the C: (System) disk, in a production environment use another disk.
Enter the name of the SQL instance 1 then click on the Next button 2.
You can test the instance name and its connection by clicking the Check Connection button before proceeding to the next step.
Skip the next two steps by clicking Next 1, it deals with the IIS role which is the web server used by WSUS.
Finally, click on the Install button 1.
Wait for the installation which is quite quick between 2 and 5 minutes depending on the server configuration.
When the installation is complete, exit the installation wizard by clicking the Close button 1.
We have completed the installation of the components necessary for the installation of the WSUS role.
WSUS post-installation configuration
Now we will move on to the “general” configuration of WSUS, where we will choose which types of updates will be deployed by WSUS and also for which Microsoft products.
On Server Manager there is a notification, click on flag 1 then click on Start post-installation tasks 2.
This step should launch a configuration wizard, if it does not open, launch the WSUS console which is available through Server Manager in the Tools list.
We arrive at a new wizard which will allow us to configure WSUS, click on the Next button 1.
At this stage, it is up to you to decide whether you wish to participate in the improvement program. Once you have made your choice, click on Next 1.
At this stage Microsoft asks us from which location we want to download the updates, there are 2 choices:
- From the Internet from Microsoft Update
- From another WSUS server that would be present in your network
Here we will choose the option Synchronize from Microsoft update 1 and then click on the Next button 2.
If a proxy is used to go to the Internet, configure it and click Next 1.
Click on the Start Connection button 1.
This step is quite long, for my part 30 to 45 minutes…
Once the operation is completed, click on the Next button 1.
Start by selecting the languages 1 for updates and then click Next 2.
Then select the products 1 that you use in order to have the distribution of updates carried out by WSUS 1 then click on Next 2.
Then select the type (classification) 1 of updates you want to distribute using WSUS and click Next 2.
The more products and classifications you select, the “bigger” the WSUS database will be and the more disk space you will need on the server for local update storage.
Configure WSUS server synchronization, here I chose automatic synchronization at 22:00:00 every day 1, then click Next 2.
Check the box: Start initial synchronization 1 and click Next 2.
WSUS configuration is complete, click Finish 1 to close the wizard.
We are done with WSUS configuration.
Utiliser WSUS
Launch the WSUS console and go to Synchronization 1, you should be able to follow the progress of the first synchronization.
This first synchronization may take several hours, while WSUS retrieves the list of updates corresponding to the selected products and classifications.
Going to All Updates, you should start seeing available updates.
Your WSUS server on Windows Server 2025 is up and running.
To continue with the configuration and use of the WSUS role on Windows Server 2025, I invite you to read this tutorial: WSUS – Installation and configuration – Windows Server Update Service, in the second part, I explain how the validation of updates works as well as how to connect the computers present in your environment to WSUS so that they can use it.
If you do not want updates to be downloaded locally on the WSUS server, this is possible and optimized with computers from Windows 10 and Windows Server 2016 which allow downloading of updates in P2P in the local network.
- Configurer WSUS pour que les ordinateurs téléchargent les mises à jour depuis Microsoft (French)
- Windows Update : Optimisation de la distribution des mises à jour (French)
You now have all the information you need to set up WSUS with Windows Server 2025.
A quick security reminder: keeping your computer system up to date, as well as all of its software, is important to have the highest possible level of security by correcting the various flaws in the software.