Installing WSUS on Windows Server 2012

Summary: Honorary Scripting Guy, Boe Prox, talks about installing WSUS on Windows Server 2012 via Windows PowerShell.

Microsoft Scripting Guy, Ed Wilson, is here. Welcome back today to Honorary Scripting Guy, Boe Prox. Without further ado, here is Boe…

In a previous Hey, Scripting Guy! Blog post, Introduction to WSUS and PowerShell, I demonstrated how you can download the Windows Server Update Services (WSUS) installation file and use various parameters to customize a WSUS installation on a local or remote system. With Windows Server 2012, we get a new version of WSUS that can be installed through Server Manager and also by…you guessed it…Windows PowerShell!

We can do the installation by using the Install-WindowsFeature cmdlet and specifying the proper feature names that you would like to have installed. In the case of WSUS, we are looking only at the update services feature. I will also take a look at some of the new cmdlets that are available in the UpdateServices module, which is available in Windows Server 2012 to help configure the WSUS server.

Let’s take a look at the possible subfeatures that are available by using the Get-WindowsFeature cmdlet and specifying UpdateServices* for the Name parameter.

Get-WindowsFeature –Name UpdateServices*

Image of command output

You could try to install everything, but that will end badly for you because there will be a conflict between using the Windows Internal Database (WID) and using another SQL Server database (local or remote) to store the SUSDB database on.

Image of error message

So which one should I choose? That depends on your environment and what your requirements are to support patching in your enterprise. Luckily for you, I will show examples of using the WID database or using another SQL Server database as part of the WSUS installation. After the installation, I will show one last thing you can do as a post installation that will allow you to specify a new location for the software update files and where the database is located.

Let’s start with the easiest, which is the WID database. I say easiest because it really comes down to just running a single line of code to get everything installed. Just to see what might be installed, I can use the WhatIf switch first.

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools –WhatIf

Image of command output

From the looks of it, not only will WSUS be installed, but we also will be installing the WID database and some IIS components that are used for client check-ins and other things. I am confident that this is what I need, so let’s remove WhatIf and let it run again.

Image of command output

Wait for a bit…

Image of command output

And we are now finished with the installation. As you can see, we have a message stating some additional configuration may be required before our WSUS server can be up and running. In this case, we still need to configure a location for the update files to be stored.

This is where wsusutil.exe will come into play. This executable is located at C:\Program Files\Update Services\Tools. Besides the usual parameters that you can use with this utility, there is another set of parameters that become available when you use the PostInstall argument.

.\wsusutil.exe postinstall /?

Image of command output

We have parameters for specifying where to store the content and for where to build the database, if needed. Note that this can be used to specify a database that is local or remote (you will see this used on a remote system later).

Before I say where I want the content, I had better create a folder to store it. I don’t want all of this on my system drive, so I will create the folder on my D: drive.

New-Item -Path D: -Name WSUS -ItemType Directory

Now I can run the following command to configure my content directory to download and save all of the update files to D:\WSUS.

.\wsusutil.exe postinstall CONTENT_DIR=D:\WSUS

Image of command output

And with that, we have now configured the content directory on another drive to save the update files. Very simple…and a big recommendation to do it regardless!

Specify an alternate SQL Server

What if I want to specify a different SQL Server for saving the data instead of relying on a WID instance locally? Fortunately for us (and as you saw previously), this is an available option by using WSUSUtil.exe PostInstall. Going back to the beginning, I will perform a different installation of WSUS, this time specifying that I want a different SQL Server database.

Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools

Image of command output

Now we need to use WSUSUtil again to not only specify the Content directory, but also to specify the SQL Server database that I want to use for my WSUS server. The WSUS server must be on a domain for the remote SQL Server database build to work. If it isn’t, you will get a message that states the host is unknown.

.\wsusutil.exe postinstall SQL_INSTANCE_NAME="DC1\SQL2008" CONTENT_DIR=D:\WSUS

Image of command output

And after a few minutes, the configuration has completed with the Content directory on D:\WSUS and the SUSDB database configured on my remote SQL Server.

Image of menu

Inspect the WSUS Installation State

By using my current installation of WSUS and the remote SQL Server database, we can now check the Best Practices Analyzer to see if anything else is required before we configure the WSUS server and kick off synchronization get all of the update metadata.

Invoke-BpaModel -ModelId Microsoft/Windows/UpdateServices

Image of command output

Now let’s see the results of our scan…

Get-BpaResult -ModelId Microsoft/Windows/UpdateServices |

Select Title,Severity,Compliance | Format-List

Image of command output

With the exception that I haven’t configured the WSUS server to use a required language pack (English in my case), everything else is compliant. Now it is time to finish configuring the WSUS server and get this synchronization kicked off.

First I’ll configure the languages and tell my server where I want to synchronize. In this case I want to sync up with Microsoft Updates. After I do that, I will perform an initial synchronization to pull down all of the available categories, classifications, and possible updates that can be approved.

Note   For more information about some of the configuration properties that are set in the following code, see IUpdateServerConfiguration Properties  on MSDN.

#Get WSUS Server Object

$wsus = Get-WSUSServer

#Connect to WSUS server configuration

$wsusConfig = $wsus.GetConfiguration()


#Set to download updates from Microsoft Updates

Set-WsusServerSynchronization –SyncFromMU


#Set Update Languages to English and save configuration settings

$wsusConfig.AllUpdateLanguagesEnabled = $false           




#Get WSUS Subscription and perform initial synchronization to get latest categories

$subscription = $wsus.GetSubscription()



While ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {

    Write-Host "." -NoNewline

    Start-Sleep -Seconds 5


Write-Host "Sync is done."

You may have noticed that I didn’t have to run Import-Module before using the UpdateServices module cmdlets. This is because Windows PowerShell 3.0 supports automatic loading of the modules when a specific cmdlet from a module is used.

Now that we have pulled down the classifications and platforms, it is time to filter the platforms for which I want updates and the classifications I want. Your preference for platforms and classifications will vary based on your environment and requirements.

When that is done, we will configure WSUS to synchronize once a day automatically at midnight, and kick off another synchronization to pull down the update metadata (not the actual update files) from the Microsoft Update server.

#Configure the Platforms that we want WSUS to receive updates

Get-WsusProduct | where-Object {

    $_.Product.Title -in (



    'SQL Server 2008 R2',

    'SQL Server 2005',

    'SQL Server 2008',

    'Exchange Server 2010',

    'Windows Server 2003',

    'Windows Server 2008',

    'Windows Server 2008 R2')

} | Set-WsusProduct


#Configure the Classifications

Get-WsusClassification | Where-Object {

    $_.Classification.Title -in (

    'Update Rollups',

    'Security Updates',

    'Critical Updates',

    'Service Packs',


} | Set-WsusClassification


#Configure Synchronizations


#Set synchronization scheduled for midnight each night

$subscription.SynchronizeAutomaticallyTimeOfDay= (New-TimeSpan -Hours 0)




#Kick off a synchronization


It may take a while to complete the synchronization. When it has completed, you can begin reviewing the available updates that your systems require. Whether you want to keep everything installed and configured on a single server or you want to keep your SUSDB database on a remote SQL Server, you will find that it is easily accomplished by using Windows PowerShell.

That is all for today’s blog about working with WSUS on Windows Server 2012. The next blog I have lined up will deal with using the UpdateServices module to configure the clients and approve or decline updates. In addition, we will dip our toes into WSUS API to set up Computer Groups for the clients and to remove clients from WSUS.


Thank you, Boe, for a great blog post. Join us tomorrow for a guest blog by Honorary Scripting Guy and Windows PowerShell MVP, Don Jones.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Comments (25)

  1. Boe Prox says:

    @Ben Herila [MSFT] Thanks for the feedback!

    @Jose Rojas Thanks for the comment!

  2. Boe Prox says:

    @Derek Smith
    Can you provide anything else in regards to that error? I would recommend posting the question at the link below along with any other error messages to see if it can get resolved.

  3. _Emin_ says:


    Great article. Thanks Boe 🙂

    Let me just add that the way you use the Get-WsusClassification cmdlet will only work on English culture ($host.CurrentCulture). Titles are actually translated. In French, 'Security Updates' is translated to "Mise à jour de la sécurité".

    The Microsoft.UpdateServices.Internal.BaseApi.UpdateServer has also an ID property that could be use for automation in multi-language environments.


  4. @andreww, we're looking at upgrading to Report Viewer 2012 in the future. Thanks for the feedback!

  5. Boe Prox says:

    @Anonymous (6 Jan 2014 2:56 PM)

    Not that I am aware of. It is possible that there may be a registry key somewhere that defines this to start-up initially, but this needs to be verified.

  6. Boe Prox says:

    @_Emin_ Glad you enjoyed the article! Also thanks for the tip!

    @andreww Thanks for the comment as well!

  7. Anonymous says:

    Nice.. and I know this is Powershell and all – but when you want to use the GUI, you'll find that it doesn't work as ReportViewer2008 and dotnet 2 aren't installed. This isn't as simple as you'd think. These additional steps are then needed.

    Basically, to get dotnet in place (you'll get a warning that you already have 3.5, so go away, if you just try and do it)

    Dism /online /enable-feature /featurename:NetFX3 /featurename:NetFx3ServerFeatures /Source:D:sourcessxs

    Note: D: is the drive letter of DVD drive on the computer, adjust it accordingly.

    You can then install ReportViewer 2008. This info from…/windows-server-2012-beta-how-to-configure-wsus-reporting.aspx

    Can't help but think it's a staggering fail that MS rolled this out, and you can't actually use the GUI unless you search the web for a blog post explaining how to use it…

  8. Anonymous says:


    Thanx for this great Article. I’ve used it to create a script to install and configure WSUS in a MDT task sequence.
    I do have a follow up question: Even though I’ve completely configured WSUS using the script I still get the WSUS configuration Wizard the first time I start the WSUS console. Is there a way to bypass this behaviour? I know I can just hit Cancel and be done with it but I like to dot all the i’s if possible.

  9. Jose Rojas says:

    Hey Boe…

    This is great! I.T. will get a kick out of your current update with windows. Can't say that programs run faster then humans, but we are sure handy to them.

    Ok! Boe. Thanks for the update.

  10. dann23 says:

    Hello. Good article but I have one big problem. I see we can set the products for which we want to receive updates but how can we remove products that we don't want? Because I saw that some products are check by default. And also I didn't find some function to list the products that are checked. Thank you.

  11. So many words says:

    Anyway we could get a default server powershell and a client install script.  There's so many words on this screen.

  12. less monologing. says:

    I just installed with the wizard, reading this article would have taken longer.  +1 Yum -1 powershell   And I like windows!  Drive space?  really?  That's why you extend primary volumes.

  13. Boe Prox says:

    @So many words

    I can see what I can do for a server install script. As for a client install script, because it can be done with one line, I don't really see a good reason to have a script. Here is the one-liner for the client installation:

    Install-WindowsFeature -Name UpdateServices-RSAT

  14. Boe Prox says:

    @less monologing.

    Thank you for your comment. There is a lot of writing here and that is by design as I want to ensure I explain everything that is going on (teaching to fish). Sure the time it takes to read may be longer than going through the wizard, but the idea here is
    to better learn the PowerShell method of accomplishing the same task which will in turn take a shorter time to install the role.

    I’m unsure about what you mean by drive space, but I will assume you are talking about my reason for placing everything on the D: drive vs. a system drive. This is considered a ‘best practice’ to keep data files such as the database and update files on a
    separate drive from the system not only for security purposes, but also performance (run the Best Practices Analyzer and you will see). See also…/cc720525(v=ws.10).aspx

  15. Boe Prox says:


    You can use the same approach that I showed on filtering for Products and then just pipe that into Set-WSUSProduct and use the -Disable switch.

    You can find what products are approved via the following code:

    $wsus = Get-WsusServer


  16. _nid says:

    Thanks for the article Boe. Trying to setup NLB on wsus 2012 server, but cannot find a guide. Already setup the first wsus server with remote sql db, As per wsus 3.0 SP1 the subsequent frontend wsus need to be setup without creating a new database, is there a cmdlet that will install the wsus 2012 without creating the database but pointing to current db for nlb setup ?

  17. Boe Prox says:


    Unfortunately, there is not a cmdlet that can be used to tell where to point WSUS to for a database. You will have to use the wsusutil.exe command to point to your remote database. The following is an example of what you can do:

    Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools


  18. JeffS says:

    Nice article, used the scripts successfully with minor mods. Thanks!

  19. Derek Smith says:

    Been trying to install WSUS on Windows Server 2012 R2 Standard Hyper V and I consistently get an error when running the .wsusutil.exe postinstall. I have domain admin credentials and yet it consistently issues a fatal error, telling em i am preforming an unauthorized operation. Any suggestions, my domain functional level is 2003

  20. ricardo says:


    I have tried to migrate SQL Server 2005 SUSDB to a Windows Server 2012, generating the scripts of the DB with SQL management studio for SQL Server 2005, and running the postinstall process it says to me that I have a too much updated schema in the DB. what
    can I do?

  21. sama says:

    Great article. I ran the first script as you describe using the -whatif switch and I got the same results that you did. Then I ran the script without the -whatif switch and the install failed with the following error message:

    install -windowsfeature : The request to add or remove features on the specified server failed.
    The operation cannot be completed, because the server you specified requires a restart.
    At line 1 char:1
    + install -windowsfeature -Name UpdateServices -IncludeManagementTools
    + CategoryInfo :DeviceError: (@Vhd; Credent…Name=localhost}:PSobject) [Install-WindowsFeaure], Exception
    + FullyQualifiedErrorId : DISMAPI_Error_Failed_Reboot_Required,
    Success Restart Needed Exit Code Feature Result
    False No Failed {}

    What server failed to start and how can I restart it?

  22. Great article!! Very helpful!!

  23. D says:

    Great article. But the Powershell modules are really, really bad. I would expect commands like
    Get-WsusProducts -ListAvailable
    Add-WsusProducts "Windows 7", "Windows 8.1", "Windows Server 2012 R2"
    Remove-WsusProducts "Windows 8"

    And the same with classifications …

  24. Jarrod Levet says:

    Hi Boe

    Thanks for the walkthrough, very helpful.

    I’m installing a new WSUS server on 2012R2 core with a remote database. I’m getting some strange issues.
    If I run the following command ([FQDN] is a placeholder for our fully qualified internal domain name, both WSUS01 and MGMTSQL01 are on the same domain/subnet):
    .wsusutil.exe postinstall SQL_INSTANCE_NAME="MGMTSQL01.[FQDN]MSSQLSERVER" CONTENT_DIR=W:Update-Data
    I get the response:
    Fatal Error: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections.
    (provider: SQL Network Interfaces, error: 25 – Connection string is not valid)

    If I run the command like this:
    .wsusutil.exe postinstall SQL_INSTANCE_NAME="MGMTSQL01.[FQDN]" CONTENT_DIR=W:Update-Data
    ..without the instance name, I get:
    fatal error: login failed for user ‘nt authorityanonymous logon’.

    Here’s the connection screen on the MGMTSQL01 server:
    So from that I can gather that it was set up with no instance name and that the second command above should work! Any idea how I can force it to use sepcific credentials?


  25. Edgar Toia says:


    Very useful your post.

    I can install two databases on the same SQL Server instance?

    For example:

    SUSDB and SUSDB2 ?


Skip to main content