Configuring WSUS update synchronization

After you install WSUS and do a basic synchronization, you configure WSUS to identify the products for which your organization requires product updates as well as the classifications of updates WSUS should download.

Once these are defined, you can synchronize updates manually or you can build an update schedule. This enables your WSUS server to download only the updates for the product categories and update classifications you have selected, at a time of your choosing. The initial synchronization can take hours, depending on your selections. Subsequent synchronizations pull only the newest updates since the last synchronization.

Getting ready

This recipe configures the WSUS1 WSUS server, which is a domain-joined system. This recipe assumes you are starting with the just-installed WSUS as performed in the Installing Windows Update Services recipe.

How to do it...

  1. Discover the versions of Windows Server supported by Windows Update:
    Get-WsusProduct | 
      Where-Object -FilterScript {$_.Product.Title -match 
                                  '^Windows Server'}
  2. Also, get update titles for Windows 10:
    Get-WsusProduct -TitleIncludes 'Windows 10'
  3. Create and view a list of software product titles to include:
    $CHP = 
     (Get-WsusProduct |  
       Where-Object -FilterScript {$_.product.title -match 
                               '^Windows Server'}).Product.Title
    $CHP += @('Microsoft SQL Server 2016','Windows 10')
    $CHP
  4. Assign the desired products to include in Windows Update:
    Get-WsusProduct |
        Where-Object {$PSItem.Product.Title -in $CHP} |
            Set-WsusProduct
  5. Get a list of the distinct categories of updates you can retrieve from Windows Update for distribution to your client hosts:
    Get-WsusClassification
  6. Create and view a list of desired update classifications to make available on your WSUS server:
    $CCL = @('Critical Updates',
             'Definition Updates',
             'Security Updates',
             'Service Packs',
             'Update Rollups',
             'Updates')
  7. Now set the list of desired update classifications in WSUS:
    Get-WsusClassification | 
        Where-Object {$_.Classification.Title -in 
                               $CCL} |
                Set-WsusClassification
  8. Get current subscriptions:
    $WSUSServer = Get-WsusServer
    $WSUSSubscription = $WSUSServer.GetSubscription()
  9. Start synchronizing available updates based on configured categories:
    $WSUSSubscription.StartSynchronization()
  10. Next, loop and wait for synchronization to complete:
    $IntervalSeconds = 5 
    $NP = 'NotProcessing'
    Do {
      $WSUSSubscription.GetSynchronizationProgress()
      Start-Sleep -Seconds $IntervalSeconds
    } While ($WSUSSubscription.GetSynchronizationStatus() -eq $NP) 
  11. Synchronize the updates; this can take a long while to complete:
    $IntervalSeconds = 1
    $NP = 'NotProcessing'
    #   Wait for synchronizing to start
    Do {
      Write-Output $WSUSSubscription.GetSynchronizationProgress()
      Start-Sleep -Seconds $IntervalSeconds
    } While ($WSUSSubscription.GetSynchronizationStatus() -eq $NP)
    #    Wait for all phases of process to end
    Do {
      Write-Output $WSUSSubscription.GetSynchronizationProgress()
      Start-Sleep -Seconds $IntervalSeconds
    } Until ($WSUSSubscription.GetSynchronizationStatus() -eq $NP)
  12. When the final loop is complete, check the results of the synchronization:
    $WSUSSubscription.GetLastSynchronizationInfo()
  13. Finally, going forward, ensure that synchronization happens once a day:
    $WSUSSubscription = $WSUSServer.GetSubscription()
    $WSUSSubscription.SynchronizeAutomatically = $true
    $WSUSSubscription.NumberOfSynchronizationsPerDay = 1
    $WSUSSubscription.Save()

How it works...

In step 1, you examine the product updates available:


In step 2, you review the version of Windows 10 that you can update using WSUS and Windows Update, like this:


In most cases, you probably do not want to support all Microsoft products. To achieve that, you begin, in step 3, by creating a list of the products you do want to support. In this step, you include all versions of Windows Server, SQL Server 2016, and all versions of Windows 10, which looks like this:


In step 4, you specify that your WSUS server should get updates for the products in the $CHP array. There is no output from this step.

For any given product supported, Windows Update can provide a number of different kinds, or classifications, of updates. In step 5, you get the classifications of update types available, which looks like this:


You may not want all these kinds of updates. To achieve this, in step 6, you build a list of the update classifications you do wish to support. In step 7, you configure your WSUS server with this list. In step 8, you obtain the synchronization status of WSUS1, and in step 9, you initiate synchronization of update categories of WSUS1 from Windows Update. These three steps produce no output.

In step 10, you initiate a loop that gets the category synchronization status and, if it's still processing, waits a bit longer. This synchronization takes a long time and looks like this (but with significant trimming!):


Next, in step 11, you now synchronize the updates available based on previous configuration, which, slightly trimmed to avoid pages of output, looks like this:


Once this synchronization is complete, in step 12, you can view the synchronization status, which now looks like this:


In step 13, you configure WSUS1 to download new updates every day, for those products and classifications you previously specified. This step produces no output.
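
A check you could run once the daily schedule from step 13 is in place, shown here as an added example rather than code from the recipe: it compares the products and classifications actually subscribed against the intended lists from steps 3 and 6, and flags a failed or stale synchronization. Test-WsusSyncBaseline, its parameters, the 26-hour threshold, and the sample values are assumptions made for illustration.

```powershell
# Added example, not the recipe's code. Test-WsusSyncBaseline is a hypothetical helper.
function Test-WsusSyncBaseline {
    param(
        [string[]] $ExpectedProducts,
        [string[]] $ActualProducts,
        [string[]] $ExpectedClassifications,
        [string[]] $ActualClassifications,
        [string]   $LastSyncResult,        # 'Succeeded', 'Failed', ...
        [datetime] $LastSyncEndUtc,        # assumption: value is in UTC
        [int]      $MaxAgeHours = 26       # assumption: daily schedule plus slack
    )
    $sets = @(
        @{ Kind = 'Product';        Want = $ExpectedProducts;        Have = $ActualProducts },
        @{ Kind = 'Classification'; Want = $ExpectedClassifications; Have = $ActualClassifications }
    )
    foreach ($s in $sets) {
        # Baseline entries missing from the subscription: updates that never arrive
        $s.Want | Where-Object { $_ -and $_ -notin $s.Have } | ForEach-Object {
            [pscustomobject]@{ Check = $s.Kind; Item = $_; Issue = 'In baseline, not subscribed' }
        }
        # Subscribed entries outside the baseline: unplanned downloads and storage
        $s.Have | Where-Object { $_ -and $_ -notin $s.Want } | ForEach-Object {
            [pscustomobject]@{ Check = $s.Kind; Item = $_; Issue = 'Subscribed, not in baseline' }
        }
    }
    if ($LastSyncResult -ne 'Succeeded') {
        [pscustomobject]@{ Check = 'LastSync'; Item = $LastSyncResult; Issue = 'Did not succeed' }
    }
    $ageHours = ([datetime]::UtcNow - $LastSyncEndUtc).TotalHours
    if ($ageHours -gt $MaxAgeHours) {
        [pscustomobject]@{ Check = 'LastSync'; Item = $LastSyncEndUtc.ToString('u')
                           Issue = "Older than $MaxAgeHours hours" }
    }
}

# Constructed sample values so the function runs without a WSUS server.
$Sample = @{
    ExpectedProducts        = 'Windows Server 2016', 'Windows Server 2019', 'Windows 10'
    ActualProducts          = 'Windows Server 2016', 'Windows 10', 'Windows Server 2003'
    ExpectedClassifications = 'Critical Updates', 'Security Updates', 'Updates'
    ActualClassifications   = 'Critical Updates', 'Updates'
    LastSyncResult          = 'Failed'
    LastSyncEndUtc          = [datetime]::UtcNow.AddDays(-3)
}
Test-WsusSyncBaseline @Sample | Format-Table -AutoSize

# On WSUS1, pass the recipe's $CHP and $CCL plus the live subscription instead:
#   $Info = $WSUSSubscription.GetLastSynchronizationInfo()
#   Test-WsusSyncBaseline -ExpectedProducts $CHP -ExpectedClassifications $CCL `
#     -ActualProducts $WSUSSubscription.GetUpdateCategories().Title `
#     -ActualClassifications $WSUSSubscription.GetUpdateClassifications().Title `
#     -LastSyncResult $Info.Result -LastSyncEndUtc $Info.EndTime
```

An empty result means the subscription matches the intended lists and the last synchronization succeeded within the allowed window.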

There's more…

In step 1, you examined the updates available for all versions of Windows Server. As you can see, this even includes very old versions of Windows Server, such as Windows Server 2003, which is now out of support and hopefully no longer being used in your organization. Inevitably, there are some organizations still running Windows Server 2003, hopefully for good business reasons. It's comforting to know that updates are still available even if the product should have been replaced years ago. You can also see that, as of the time of writing, Windows Update has no updates for Server 2019.

WSUS supports a range of products and different classifications of updates. Consider carefully what products you wish to get updates for and what update types to support. You could err on the side of caution, but that involves a lot of files and a very large number of updates you may never need.
