How to Configure WSUS Server to Download All Updates Automatically

Overview

This article provides step-by-step instructions to configure a Windows Server Update Services (WSUS) server to automatically download and approve updates. Proper WSUS configuration ensures your environment stays secure and up to date with minimal administrative effort.

Solution Steps

1. Configure Update Source

1. Open the WSUS Console.

2. Navigate to Options → Update Source and Proxy Server.
   

3. Under Update Source, select:

   • Synchronize from Microsoft Update.

4. If your environment requires internet access through a proxy, check Use a proxy server when synchronizing and enter the necessary proxy details and credentials.
   

2. Configure Products and Classifications

1. Go to Options → Products and Classifications.

a. Products Tab

• Choose All Products or select only the specific applications and operating systems relevant to your organization.
  

b. Classifications Tab

• Select All Classifications, or only the required ones such as:
  

  • Critical Updates

  • Security Updates

  • Service Packs

  • Update Rollups

  • Updates

  • Upgrades

3. Configure Update Files and Languages

1. In Options, select Update Files and Languages.

a. Update Files Tab

• Check Store update files locally on this server.

• Check Download express installation files for faster client update installations.
  

b. Update Languages Tab

• Select Download updates only in these languages, then choose the required languages for your organization.
  

4. Configure Synchronization Schedule

1. Navigate to Options → Synchronization Schedule.
   

2. Check Synchronize automatically.

3. Set a preferred synchronization time and choose the frequency (e.g., 3 times per day or as per organizational policy).

5. Configure Automatic Approvals

1. Go to Options → Automatic Approvals.
   

2. Click New Rule and configure as follows:

   • Under When an update is in a specific classification, select All Classifications (or those selected earlier).

   • Under When an update is in a specific product, select All Products (or those configured earlier).

   • Under Approve the update for, select All Computers, including Unassigned Computers.

3. Provide a Rule Name and click OK to save.

4. Under the Advanced tab, enable any additional options for granular control.
   

6. Configure Computer Assignment

1. Navigate to Options → Computers.
   

2. Choose Use Group Policy or Registry settings on computers to manage group membership and update approvals via Active Directory or registry settings.

7. Manual Maintenance Checklist

Monthly Maintenance:

• Apply the latest security updates and service packs to the WSUS server.

• Review and manually approve any updates that were not automatically approved.

Patch Schedule:

• Microsoft releases updates on the second Tuesday of every month (“Patch Tuesday”).

• Perform WSUS maintenance and verification during the second week of each month, preferably on Friday.

Emergency Patches:

• Regularly monitor for emergency or out-of-band patches and apply them as required.

References

For detailed Microsoft documentation, refer to:

• WSUS Overview and Configuration Guide

• Products and Classifications Configuration

• Update Files and Languages

• Automatic Approvals and Synchronization

• WSUS Computer Group Management

Conclusion

By following the above configuration steps, your WSUS server will automatically download and approve necessary updates, ensuring all managed systems remain secure, stable, and compliant with organizational update policies.