Problem solve Get help with specific problems with your technologies, process and projects.

Tricks for optimizing WSUS performance

Dealing with the monthly rollout of patches can grind an organization to a halt. Contributor Brien Posey shares some tricks for optimizing performance by carefully adjusting WSUS settings.

Most of the time WSUS does a pretty good job of deploying patches to computers throughout an organization. If you...

want to make sure that WSUS deploys each patch in as timely a manner as possible, then it's worth spending a little time to optimize the patch management process. WSUS is a Web application, so it doesn't have any settings of its own that are directly related to performance, but there are several WSUS settings that you can use to improve the efficiency of your patching operation though.

Download files when available

One of the first things that I recommend doing is configuring WSUS to download patches as soon as they are available, not when they are approved. Normally, patches are not downloaded until you approve them. The problem with that is that as soon as patches are approved, computers try to install them. If the patch has not yet been downloaded though, the update process has to stop and wait for the patch to be downloaded. This whole process can be made more efficient by downloading files as soon as they become available.

To change the download option:

  1. Open the WSUS Admin console and click the Options button in the upper left corner of the screen.
  2. When the Options screen appears, click the Synchronization Options link
  3. Scroll all the way to the bottom of the screen and click the Advanced button.
  4. The Advanced Synchronization Options dialog box will appear.
  5. Make sure that the Store Update Files Locally option is enabled and that the Download Update Files to This Server Only When Updates Are Approved option is not selected.


While you are on the Advanced Synchronization Options screen, take a look at which languages are selected. By default, WSUS will download patches in every available language. I don't know about you, but I'm pretty sure that nobody in my organization speaks Hungarian or Arabic, so why download updates in those languages?

If everyone in your company speaks the same language, then there is no reason to waste time, disk space, and Internet bandwidth by downloading localizations that you are never going to need. Therefore, I recommend selecting the Download Only Those Updates That Match The Local Language of This Server option.

Download express installation files

By default, WSUS downloads patches and pushes those patches to the clients. As you can imagine though, if a patch is large or if you have a large number of clients, this method of installation can consume a considerable amount of network bandwidth and it may take a long time to update all of the clients.

For more information

Microsoft vs. third-party tools for patching

Proper setup of WSUS

Express installation files tend to be larger than the normal patches that WSUS downloads, which means that the download may take a little bit longer to complete. This extended download time is usually more than made up for by the reduced time and bandwidth requirements when updating clients.

When express installation files are used, the entire file is not pushed to the client. Instead, WSUS compares the patch against the file that currently exists on the workstation that's being updated. Only the delta (the bytes that are different) is sent to the client. Since the entire file is not being transmitted, express installation often offers huge time and bandwidth savings.

To configure WSUS to use express installation files:

  1. Open the WSUS Admin console and click the Options button in the upper left corner of the screen.
  2. When the Options screen appears, click the Synchronization Options link
  3. Then scroll all the way to the bottom of the screen and click the Advanced button.
  4. When you do, the Advanced Synchronization Options dialog box will appear. Now, simply select the Download Express Installation Files check box and click OK

Use a dedicated WSUS server

One last issue that I want to discuss is that it is fairly common for smaller organizations to piggyback WSUS on another server. I personally recommend using a dedicated server if possible, or at the very least, carefully choosing which applications are running on your WSUS box.

Of course there are some situations in which having a dedicated WSUS server is just overkill. My network is a good example of that. Since I work out of my home, there are only about 20 computers on my network, and my wife and I are the only users. Being that the closet that I turned into a makeshift server room is already jam packed, and being that there are so few computers to service, I just couldn't bring myself to have a dedicated WSUS server. Instead, I am running WSUS on a semi-dedicated server. The only applications that the server is running are WSUS and MOM. Since my network is so small, MOM isn't really doing all that much, and the server has no trouble handling the combined load of the two applications.

You do have to be careful which applications you run on your WSUS server though. A couple of months ago, someone asked me to write a series of articles on SharePoint Portal Server. I didn't have a server available for running SharePoint, but since I don't normally write about SharePoint, I couldn't see investing in new hardware for a short duration assignment. The only server that had enough capacity to run SharePoint just happened to be my WSUS server. To make a long story short, when I installed SharePoint, it broke WSUS. I certainly didn't expect that to happen, and that's one reason why I recommend using a dedicated WSUS server if possible.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at

Dig Deeper on Patches, alerts and critical updates