Microsoft wsus server ports

You can create as many custom computer groups as you need to manage updates in your organization. As a best practice, create at least one computer group to test updates before you deploy them to other computers in your organization.

There are two approaches to assigning client computers to computer groups. The right approach for your organization will depend on how you typically manage your client computers.

Server-side targeting : This is the default approach. This approach gives you the flexibility to quickly move client computers from one group to another as circumstances change.

But it means that new client computers must manually be moved from the Unassigned Computers group to the appropriate computer group. Client-side targeting : In this approach, you assign each client computer to computer groups by using policy settings set on the client computer itself. This approach makes it easier to assign new client computers to the appropriate groups.

You do so as part of configuring the client computer to receive updates from the WSUS server. But it means that client computers can't be assigned to computer groups, or moved from one computer group to another, through the WSUS Administration Console.

Instead, the client computers' policies must be modified. You must create computer groups by using the WSUS Administration Console, whether you use server-side targeting or client-side targeting to add client computers to the computer groups.

In the Add Computer Group dialog, for Name , specify the name of the new group. Then select Add. The client computers must trust the certificate that you bind to the WSUS server. Depending on the type of certificate that's used, you might have to set up a service to enable the client computers to trust the certificate that's bound to the WSUS server. If you're using local publishing, you should also configure the client computers to trust the WSUS server's code-signing certificate.

For instructions, see Local publishing. By default, your client computers receive updates from Windows Update. They must be configured to receive updates from the WSUS server instead. This article presents one set of steps for configuring client computers by using Group Policy. These steps are appropriate in many situations. But many other options are available for configuring update behavior on client computers, including using mobile device management.

These options are documented in Manage additional Windows Update settings. If you don't use Active Directory in your network, you'll configure each computer by using the Local Group Policy Editor. These instructions assume that you're using the most recent versions of the policy editing tools.

On older versions of the tools, the policies might be arranged differently. In the object that you expanded in the previous step, expand Administrative Templates , expand Windows components , expand Windows Update , and select Manage end user experience.

On the details pane, double-click Configure Automatic Updates. The Configure Automatic Updates policy opens. Select Enabled , and then select the desired option under the Configure automatic updating setting to manage how Automatic Updates will download and install approved updates. We recommend using the Auto download and schedule the install setting. It ensures that the updates you approve in WSUS will be downloaded and installed in a timely fashion, without the need for user intervention.

If desired, edit other parts of the policy, as documented in Manage additional Windows Update settings. The Install updates from other Microsoft products checkbox has no effect on client computers receiving updates from WSUS. The client computers will receive all updates approved for them on the WSUS server. On the Manage updates offered from Windows Server Update Service details pane, double-click Specify intranet Microsoft update service location.

The Specify intranet Microsoft update service location policy opens. Make sure to include the correct port in the URL. Select OK to close the Specify intranet Microsoft update service location policy. If you've chosen to use client-side targeting, you should now specify the appropriate computer group for the client computers you're configuring. These steps assume that you've just completed the steps for editing policies to configure the client computers. On the Manage updates offered from Windows Server Update Service details pane, double-click Enable client-side targeting.

The Enable client-side targeting policy opens. Select Enabled , and then enter the name of the WSUS computer group to which you want to add the client computers in the Target group name for this computer box. If you're running a current version of WSUS, you can add the client computers to multiple computer groups by entering the group names, separated by semicolons.

For example, you can enter Accounting;Executive to add the client computers to both the Accounting and Executive computer groups. If you used an Active Directory-based GPO to configure the client computers, it will take some time for the Group Policy Update mechanism to deliver the changes to a client computer.

If you used the Local Group Policy Editor to configure an individual client computer, the changes take effect immediately. Restart the client computer. This step makes sure that the Windows Update software on the computer detects the policy changes. The client computer successfully scans for updates. It might or might not find any applicable updates to download and install. Within about 20 minutes, the client computer appears in the list of computers displayed in the WSUS Administration Console, based on the type of targeting:.

If you're using server-side targeting, the client computer appears in the All Computers and Unassigned Computers computer groups.

If you're using client-side targeting, the client computer appears in the All Computers computer group and in the computer group that you selected while configuring the client computer. If you're using server-side targeting, you should now add the new client computer to the appropriate computer groups. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Contents Exit focus mode. Is this page helpful?

Asked 6 years, 6 months ago. Active 4 years, 11 months ago. Viewed 47k times. Best Regards. Improve this question. WS-2kx WS-2kx 11 1 1 gold badge 1 1 silver badge 1 1 bronze badge. Are the server and clients both within the same LAN?

I am surprised you have such stringent software? Add a comment. Active Oldest Votes. Improve this answer. Charles Burge Charles Burge 6 6 silver badges 16 16 bronze badges. In my case they were and : Transmission Control Protocol, Src Port: , Dst Port: , Seq: , Ack: , Len: 0 So it's the only way to allow the client's update-service through your firewall. Lenniey Lenniey 5, 2 2 gold badges 17 17 silver badges 28 28 bronze badges.

Andrew Schulman 8, 21 21 gold badges 29 29 silver badges 45 45 bronze badges. Robert R. Well, if you close all ports on your client for whatever "security reason", they won't be able to connect to WSUS — Lenniey. Windows Firewall Default behavior is, that all outgoing connections are allowed and all incoming connections are dropped. Responses for an established connections are allowed as well. So you dont need to open ports for incomming connections.

Yeah, but like I said. You could alter the default configuration of the firewall to disallow everything. Stoinov Stoinov 2 2 gold badges 9 9 silver badges 15 15 bronze badges. However, file content is not downloaded via SSL connections, so if SSL is enabled, then both ports and are required in all cases. See this post by Andy on the Technet forums:.

This uses port 80 and , so you will need to allow outbound traffic from the USS to microsoft. Notes The steps for configuring the firewall are meant for a corporate firewall positioned between WSUS and the Internet. We have no "corporate firewall" in between the primary upstream server and down stream servers and inbetween client systems as stated above.

We do have the local windows firewall enabled on all systems. So am I understanding the Ops guide correctly in that we don't need to open any ports on the local windows firewall for communication between the upstream server to downstream servers and communication between any wsus server and client systems?

The only port that I'm aware of that needs to be open is your inbound webserver port, , so your clients can access and pull updates.

The comment about "Because WSUS initiates all its network traffic, there is no need to configure Windows Firewall on the WSUS server" is referring to the server's connection to pull information from the Windows update servers. The agent themselves on the clients shouldn't really need to have any further configuration either, unless you are explicitly blocking the appropriate ports.

Out of the box, the clients will check into the server using their own outbound connection to the WSUS servers. Thanks for clarifying that Rob. The systems will not be using the out of the box standard firewall settings. I need to mention that our company is hardening all systems by enabling the local windows firewall on every system in the network with our own customized port settings in the firewall.

Essentially the local windows firewall will be locked down tight allowing only our specific ports. This will override the standard windows firewall settings. To continue this discussion, please ask a new question.