Quick Fix Summary
Run the Post-Installation Tasks right after adding the WSUS role. Then fire up the WSUS console (Start → Administrative Tools → Windows Server Update Services) and walk through the Configure Automatic Synchronization and Products/Classifications dialogs. You’ll usually need a reboot before clients can see the server.
What exactly is WSUS doing here?
It’s version 10.0.14393.2636 (also called WSUS 5.0). Instead of letting every machine download updates straight from Microsoft, WSUS lets you approve which patches your domain computers install. The server itself can sync from Microsoft Update or from another (upstream) WSUS server; clients then pull approved updates from your internal WSUS via Group Policy. One heads-up: Server 2016 hit end-of-life in January 2026, so Microsoft no longer ships new quality or security updates for the OS itself, only for the WSUS role components that still run on it (Microsoft Support).
How do I actually install and configure WSUS?
Install the WSUS role.
- Open Server Manager → Add Roles and Features.
- Pick “Windows Server Update Services” under Server Roles.
- Click through the defaults until the install finishes (no reboot yet).
Run the Post-Installation Tasks.
- In Server Manager, click the yellow warning flag in the top-right.
- Choose “Launch Post-Installation tasks.”
- Wait it out; a reboot is recommended.
Open the WSUS console and set up synchronization.
- Start → Administrative Tools → Windows Server Update Services.
- Right-click the server name → Configure Automatic Synchronization.
- Turn on automatic sync and pick the languages/products you care about.
- Click OK; sync kicks off right away.
Approve the first batch of updates and build some computer groups.
- In the WSUS console, expand Updates → All Updates.
- Pick the updates you need (Critical, Security, Definition, etc.) → Approve.
- Right-click “All Computers” → Add Computer Group → call it “Servers” or “Workstations.”
Point your clients via Group Policy.
- On a Domain Controller, open Group Policy Management.
- Create or edit a GPO linked to the OU you want.
- Drill down to Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Update.
- Turn on “Specify intranet Microsoft update service location,” enter http://YourWSUSServer:8530 (or https://YourWSUSServer:8531 for SSL), and set “Configure Automatic Updates” to 4-Auto download and schedule install.
- Run gpupdate /force on each client or wait for the next refresh cycle.
I followed the steps but it still isn’t working—now what?
Manual sync from PowerShell. If the console locks up, open an elevated PowerShell prompt on the WSUS server and run:
(Get-WsusServer).GetSubscription().StartSynchronization()
Check IIS bindings and ports. WSUS needs port 8530 (HTTP) or 8531 (HTTPS). Fire up IIS Manager → Sites → WSUS → Bindings and confirm the right port is listed. Clients must be able to reach http://YourWSUSServer:8530/ClientWebService/client.asmx.
Reset WSUS components. If approvals vanish, run wsusutil reset from C:\Program Files\Update Services\Tools, then restart the WSUS service.
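A read-only client-side check for the Group Policy and port steps above, added here as an example and not taken from the original article: it reads the values the Windows Update GPO writes to the registry, flags settings that differ from what the article configures, and requests the client.asmx endpoint. The function name Test-WsusClientPolicy is hypothetical; the registry path and value names (WUServer, WUStatusServer, UseWUServer, AUOptions) are the standard Windows Update policy locations.

```powershell
# Added example (not from the article): read-only audit of the WSUS settings
# a client received from Group Policy. Run on a client after gpupdate /force.
function Test-WsusClientPolicy {
    [CmdletBinding()]
    param(
        # Standard location where the Windows Update GPO writes its values.
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    $wu = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $PolicyPath 'AU') -ErrorAction SilentlyContinue
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $wu -or -not $wu.WUServer) {
        $findings.Add('WUServer is not set: the GPO has not applied to this machine.')
        return [pscustomobject]@{ Server = $null; Reachable = $false; Findings = $findings }
    }
    $server = $wu.WUServer.TrimEnd('/')

    if ($wu.WUStatusServer -and $wu.WUStatusServer.TrimEnd('/') -ne $server) {
        $findings.Add("WUStatusServer '$($wu.WUStatusServer)' differs from WUServer.")
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings.Add('UseWUServer is not 1: the intranet server setting is ignored.')
    }
    if (-not $au -or $au.AUOptions -ne 4) {
        $findings.Add('AUOptions is not 4 (auto download and schedule install).')
    }
    if ($server -notmatch '^https://') {
        $findings.Add('Server URL is plain HTTP: update traffic is not protected in transit; use the 8531 SSL binding.')
    }

    # The same endpoint the article says clients must be able to reach.
    $endpoint = "$server/ClientWebService/client.asmx"
    $reachable = $false
    try {
        $resp = Invoke-WebRequest -Uri $endpoint -UseBasicParsing -TimeoutSec 10
        $reachable = ($resp.StatusCode -eq 200)
    } catch {
        $findings.Add("Cannot reach ${endpoint}: $($_.Exception.Message)")
    }
    [pscustomobject]@{ Server = $server; Reachable = $reachable; Findings = $findings }
}

Test-WsusClientPolicy | Format-List
```

An empty Findings list with Reachable set to True means the policy landed as configured and the client can talk to the server.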
How do I keep WSUS running smoothly?
| Task | How Often | Tool/Command |
|---|---|---|
| Synchronize with Microsoft Update | Daily or 3×/week | WSUS console → Options → Synchronizations → Schedule |
| Run Server Cleanup Wizard | Monthly | WSUS console → Options → Server Cleanup Wizard |
| Backup WSUS database | Weekly | SQL Management Studio → Backup database “SUSDB” |
| Test Group Policy update | Before major patch Tuesday | On a test OU run gpupdate /force and watch Event Viewer → Application → WSUS |
Honestly, don’t install WSUS on a domain controller; Microsoft has warned since Server 2012 R2 that database contention can break future upgrades (Microsoft Docs).
