Open Server Manager
Click Add roles and features
Click Next, choose Role-base or feature-based installation
Click Next. Choose your server. I will be installing this on the local server.
Click Next. Scroll down and choose Windows Server Update Services.
I believe .NET Framework 3.5 is required. I don’t remember because this is a reinstall and I already have it and .NET Framework 4.5 installed as well.
Click Next.
Click Next. Here you have the option of installing it with the Windows Internal Database (which is more than capable for smaller environments) or installing to a SQL server database that you might have in your environment. You can either choose WID Database and WSUS Services or Database and WSUS Services.
Click Next. Now choose how you want to store your updates. You can choose to store them on a file share of some sort or you can have each client download directly from Microsoft update. In my environment, we have one location where the servers reside and then some remote locations. I’d still like to manage the updates for them but in my opinion, it would be better for those clients to download straight from Microsoft Update instead of over our VPN so I will uncheck the box.
Click Next. I also have a database server so I will elect to use that so I will enter the name of that here. If you elected to use the Windows Internal Database (WID), you will not see this.
Click Next. Make sure everything is the way you like it and click Install.
And now we wait.
After it is finished installing and you elected to use your own database server, you will be met with this dialog box when you open WSUS. Put in the name of your database server and click Run.
Next will be the Configuration Wizard. Click Next.
It’s obviously up to you whether you would like to share your data with Microsoft. Click Next.
This is my only server running WSUS so I will click Next.
I don’t need to use a Proxy Server so I will click Next.
This part is self explanatory. Click Start Connecting. This may take awhile.
Click Next. Now choose the products that you would like to manage updates for.
Click Next. Now choose your classifications.
Click Next. Choose how you would like to handle synchronizations. I like mine to be as automatic as I can.
Click Next. Choose whether you would like to Begin Initial Synchronization or not.
Once it opens, I’m going to turn on Automatic Approvals so I will go to Options.
Click Automatic Approvals.
You should see Default Automatic Approval Rule. (If not create it.) Check the box next to it and click Edit.
Select which updates to approve. This is up to you.
Well looks like I’ll have to wait to change that.
Eventually you’ll have to configure your clients and servers to receive updates from your WSUS server through Group Policy. When you do that, you can specify how they are grouped in WSUS. Now I don’t remember if this is done automatically after you set it and push the Group Policy or if you have to do this first manually but I’d rather be safe than sorry so I will create the two groups here. This is not necessary to do and they can be left unassigned.

Rick click All Computers and click Add Computer Group…, name each group (remember these for the group policy creation later) and click Add.

I chose Workstations and Servers so I will eventually have to create two separate group policies, one for my workstations and one for my servers. Another option I thought of would be to do this by site or location.
There are a ton more settings that you can change that I won’t go into now but maybe I’ll cover in future posts. This should get you pointed in the right direction. Your clients will not pull updates from this server unless configured to do so and that should be done through group policy. I cover that here.

UPDATE 9/12/17

I forgot a step. In order for the computers to go into their groups (after being assigned via Group Policy) a setting needs to be changed here. Click Options –> Computers –> Use Group Policy or registry settings on computers –> OK.