Run WSUS 3.0 Server Setup

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server Update Services

After reviewing the previous topics, you are ready to install WSUS. You must log on with an account that is a member of the local Administrators group. Only members of the local Administrators group can install WSUS.

If you want to perform an unattended installation, see Appendix A: Unattended Installations later in this guide.

Important

Be sure to read the WSUS Release Notes. Release notes often contain important late-breaking information about the release. Look for the WSUS Release Notes in the following location:
<WSUSInstallationDrive>:\Program Files\Microsoft Windows Server Update Services\Documentation\En

Note

The latest version of WSUS setup is available on the Microsoft Web site for Windows Server Update Services at https://go.microsoft.com/fwlink/?LinkId=74472.

Before you begin

Before you start WSUS Setup, you should make sure that the root of the drive where WSUS stores updates has certain permissions. WSUS Setup does not modify permissions on the root drive where you store updates, but this drive may not have appropriate permissions set. For example, security tools may have been used to strip away default permissions from the disk before the installation of WSUS. To manage this problem, use the following procedure to check the drive and directories where updates are stored to ensure permissions are set correctly.

To check permissions on the drive and directories where updates are stored

  1. Double-click My Computer, right-click the drive where updates are stored, and then click Sharing and Security.

  2. Ensure that the drive has read permissions for the built-in Users group or NT Authority\Network Service.

  3. Ensure that the root folder on the drive also has read permissions for NT Authority\Network Service.

  4. Ensure that the content directory itself (usually <drivename>:\WSUS\WsusContent) has read permissions for NT Authority\Network Service. These permissions should have been set by the installation program.

The default Web site needs to allow anonymous access (that is, read access) by the IUSER_servername account. Some applications, notably Windows SharePoint Services, will remove anonymous access.

To check for anonymous access to the default Web site

  1. Go to the Internet Information Services (IIS) Manager, click the server name, click Web Sites, and then right-click the WSUS Web site.

  2. In the context menu select Permissions.

  3. In the Security tab you should see the Internet Guest Account listing.

  4. If you do not see this account, you will need to add it.

  5. Add a user account named IUSR*_serverName* to the local machine, where serverName is the name of the server.

  6. Give this account the following permissions: Read & Execute, List Folder Contents, and Read. You should deny write access to this account.

  7. Return to IIS Manager, right-click the WSUS Web site, and then click Permissions.

  8. Add the newly-created user to this Web site.

For more information about allowing anonymous access to Web sites, see Allowing Anonymous Access to Web Sites (IIS 6.0) at https://go.microsoft.com/fwlink/?LinkId=75850.

Installing WSUS

To install WSUS on your server

  1. Double-click the installer file.

  2. On the Welcome page, click Next.

  3. On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.

  4. Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.

  5. On the Select Update Source page, you can specify where client computers get updates. If you select the Store updates locally check box, updates are stored on WSUS, and you can select a location in the file system where updates should be stored. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.

    Make your selection, and then click Next.

    For more information, see Determine Where to Store WSUS Updates earlier in this guide.

  6. On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS offers to install Windows Internal Database. To accept the default setting, click Install Microsoft SQL Server 2005 Embedded Edition (Windows) on this computer. If you cannot use Windows Internal Database, click Using an existing database server on this computer, and select the instance name from the drop-down list. The instance name should appear as <serverName>\<instanceName>, where serverName is the name of the server and instanceName is the name of the SQL instance. Make your selection, and then click Next.

    For more information, see Choose the Database Used for WSUS 3.0 earlier in this guide.

  7. On the Web Site Selection page, you specify the Web site that WSUS will use to point client computers to WSUS. If you wish to use the default IIS Web site on port 80, select the first option. If you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option. Make your selection, and then click Next.

    For more information, see Configure IIS earlier in this guide.

  8. On the Ready to Install Windows Server Update Services page, review your choices, and then click Next.

  9. The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. After you click Finish the configuration wizard will be launched.