WSUS on Windows Server 2025 continues
In the previous parts of my Windows Server 2025 series, I focused heavily on cloud-native management and the new features of Windows Server 2025. However, the reality of many IT infrastructures involves high-density on-premises environments where bandwidth management and local control are a mandatory design element.
WSUS (Windows Server Update Services) has been a fundamental service in our data centers for decades. Even with the rise of Azure Update Manager and Automanage, WSUS remains a critical tool for those who prefer to keep their update traffic internal. In Part 9, we look at how to set this up on Windows Server 2025 and how to handle the “deprecated” elephant in the room.
Introduction for WSUS on Windows Server 2025
The inclusion of WSUS in the latest OS version ensures that we can maintain our infrastructure, including the 12-month support window for Azure Arc agents, without needing to rebuild our entire update strategy overnight. To use it effectively in 2025, we must look deeper into how it manages the massive amount of patch data from Microsoft.
Technical Architecture: Metadata and Content Caching
The power of WSUS lies in its two-tier storage architecture. It distinguishes between the “intelligence” of an update and the “weight” of the files. Understanding this separation is key to optimizing your storage and network performance.
- The Metadata Database is the administrative data for the updates. It includes the patch descriptions, product associations, Knowledge Base (KB) numbers, and installation rules. This is stored in either the Windows Internal Database (WID) or a dedicated SQL Server. Metadata is lightweight but critical for the WSUS console to determine which servers need which patches.
- The Content Cache stores (caches) the actual binaries for local download.
The WSUS server downloads the necessary patches once and distributes them multiple times to your servers. This can help to create a dedicated data flow for your patches.
The reality of WSUS: Deprecation and Lifecycle
Microsoft officially deprecated WSUS in September 2024. It is important to tell it like it is. Deprecation does not mean the service stops working today.
It actually means Microsoft has ceased active feature development. You won’t see new features or most likely support for future Operating Systems for WSUS. However, it remains a fully supported role in Windows Server 2025.
Since WSUS is a role within Windows Server 2025, it inherits the OS lifecycle. This means mainstream support until October 2029 and extended support until 2034. You have a guaranteed runway of at least 3-5 years (likely until the release of “Windows Server vNext” around 2028 and far beyond) to plan a transition.
Important: Be aware that starting in late 2025, Microsoft removed some legacy binaries (like those used for SelfUpdate on Windows Server 2012/R2) to harden the platform. If you are still running 2012 R2, you’ll need specific workarounds or, better yet, finally upgrade to 2025.
Installation of WSUS on Windows Server 2025 - PowerShell
Installing WSUS on the latest OS follows our established “Automation-first” mindset. You can do this via Server Manager, but I recommend staying consistent with our previous automation articles.
- Open an elevated PowerShell session.
- Run the following command to install the role with the Windows Internal Database (WID):
Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-WidDB
- Create a dedicated directory for update content (e.g., D:\WSUS).
- Run the post-install configuration:
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS
The code above assumes you created a second volume D:\ with a D:\WSUS folder as the recommended configuration. For my lab I will install it on C:\, but this can cause issues with the operating system when you run out of disk space on C:\.
Important: If you are managing more than 500-1000 nodes, skip WID and use a dedicated SQL Server instance to avoid the “WsusPool” IIS crashes that haunt many legacy environments.
Installation of WSUS on Windows Server 2025 with Server Manager
To understand a service it is always good to initially install it through a GUI. It will give you an overview of the standard options and choices. WSUS is installed using the Server Manager. If you are following my guides and the Quality of Life improvements you need to manually start the Server Manager from the Start Menu.
The installation uses the “defaults”; the only value entered is the content location C:\WSUS, which you can redirect to other servers.
Configuration of WSUS on Windows Server 2025
The initial sync determines the health of your environment. Following the “One intent” rule from my GPO Background article, we want this server to be the single source of truth for our local LAN.
For the Upstream Connection choose “Synchronize from Microsoft Update” unless you are building a hierarchical downstream server.
The Product Selection will need Windows Server 2025 and Azure Connected Machine Agent.
I recommend sticking to Critical Updates, Security Updates, and Updates. Avoid “Drivers” unless you want to bloat your database and storage instantly.
Let’s see in the next video how to configure it.
Once the installation is completed I do make sure the system is rebooted, before starting the initial configuration. The initial configuration is based on my current homelab requirements (Windows Server 2022, 2025 and Azure Arc) and needs to be adjusted for your environment. Don’t activate everything and all languages, because that will require a lot of bandwidth and storage. Be patient during each of the installation steps. Especially the initial connection can take a while.
Important: WSUS in 2025 will no longer support driver updates starting April 2025.
Once completed, make sure you approve the updates for deployment. Personally, and for the homelab scenario, I recommend selecting Auto Approve and deploying all the critical and security updates.
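The upstream, language, product and classification choices described above can also be applied with the UpdateServices PowerShell module. This is an added example, not part of the original article; the product title wildcards are taken from the names used in this article and the single language `en` is an assumption, so check both against your own catalog.

```powershell
# Added example (not from the original article): the wizard choices as a script.
# Assumptions: product titles are wildcard-matched against the names used in
# this article, and 'en' is the only update language; adjust both.
$wantedProducts = '*Windows Server 2025*', '*Azure Connected Machine Agent*'
$wantedClasses  = 'Critical Updates', 'Security Updates', 'Updates'

$wsus = Get-WsusServer
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU | Out-Null

# Limit languages before any content is downloaded.
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# A fresh server has an empty catalog: sync categories only, then wait.
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
do { Start-Sleep -Seconds 30 } while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')

# Products: clear the default selection, then enable only what was asked for.
Get-WsusProduct -UpdateServer $wsus | Set-WsusProduct -Disable
$selected = Get-WsusProduct -UpdateServer $wsus | Where-Object {
    $title = $_.Product.Title
    $wantedProducts | Where-Object { $title -like $_ }
}
if (-not $selected) { throw 'No catalog product matched; check the titles.' }
$selected | Set-WsusProduct

# Classifications: everything not listed (Drivers included) is switched off.
foreach ($c in Get-WsusClassification -UpdateServer $wsus) {
    if ($c.Classification.Title -in $wantedClasses) { $c | Set-WsusClassification }
    else { $c | Set-WsusClassification -Disable }
}

# Show which products were enabled, then start the first full synchronization.
$selected.Product.Title
$sub.StartSynchronization()
```

Review the list of enabled product titles the script prints before approving anything, because a wildcard can match more catalog entries than intended.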
If you want to enable Client Side Targeting in the GPO, please make sure you also configure this on your WSUS as shown below.
Configuration for Azure Arc
Make sure you have the Azure Arc option enabled, if you are setting this up to follow my guide on Azure Arc Updates using GPOs.
While the initial sync is running, keep watching the sync status. This can run for a long time, depending on the updates selected, the speed of your WAN link and the performance of your CPUs and disks.
My recommendations for WSUS on Windows Server 2025
WSUS is fine for now. It is a robust, proven architecture. Don’t let the “deprecated” tag scare you into a rushed cloud migration if your bandwidth or compliance doesn’t allow it yet. Plan for the future with a 24 to 48 month horizon and the next server operating system in mind.
The “standard” WSUS cleanup wizard is often not enough. Schedule the following command to run weekly to keep your WID/SQL database lean.
Get-WsusServer | Invoke-WsusServerCleanup
Don’t just trust the WSUS console “Green status.” Use the Azure Arc dashboard (from Part 1) to verify that the versions reported in the cloud match what your local WSUS thinks it has deployed.
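One way to schedule the weekly cleanup recommended above is a scheduled task, shown here as an added example that is not part of the original article. The task name, day, time and run-time limit are assumptions, as is running the task as SYSTEM; the cleanup switches are passed explicitly so the task states which steps it performs.

```powershell
# Added example (not from the original article). Task name, day and time are
# assumptions. The command is passed inline so there is no script file on disk
# that a lower-privileged user could modify before SYSTEM runs it.
$taskName = 'WSUS Weekly Cleanup'
$psExe    = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$cleanup  = 'Get-WsusServer | Invoke-WsusServerCleanup ' +
            '-DeclineExpiredUpdates -DeclineSupersededUpdates ' +
            '-CleanupObsoleteUpdates -CleanupObsoleteComputers ' +
            '-CleanupUnneededContentFiles -CompressUpdates'

# Full path to powershell.exe avoids resolving the binary through PATH.
$action    = New-ScheduledTaskAction -Execute $psExe `
                 -Argument "-NoProfile -NonInteractive -Command `"$cleanup`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '03:00'
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                 -ExecutionTimeLimit (New-TimeSpan -Hours 6)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm what was registered and when it last ran / will run next.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```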
Conclusion on WSUS on Windows Server 2025
Setting up WSUS on Windows Server 2025 is the logical next step in automating and optimizing your hybrid infrastructure. It values the utility of the past while providing the necessary updates for the modern Azure Arc-enabled future. While we know the sun is setting on WSUS eventually, it remains the most efficient way to manage local traffic for at least the next few years.
This is what it looks like after 24 hours in my homelab, after using the GPO configuration method to update my servers and this WSUS installation guide. What a transformation compared to before.
If you have any questions please don’t hesitate to reach out to me on LinkedIn, Bluesky or check my newly created Adaptive Cloud community on Reddit.
LinkedIn: https://www.linkedin.com/in/andreas-hartig/
Bluesky: https://bsky.app/profile/hartiga.de
Adaptive Cloud community on Reddit: https://www.reddit.com/r/AdaptiveCloud/
Additional Resources
Microsoft Configuration Manager documentation
