Readme for Windows Server Update Services 2.0

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server Update Services

This document describes known issues affecting Windows Server Update Services (WSUS). It includes recommendations and requirements for installing WSUS.

A downloadable copy of this document is available on the Microsoft Download Center at

Microsoft® Windows Server™ Update Services (WSUS) requires that Internet Information Services (IIS) be installed. However, on Microsoft Windows Server 2003 and Microsoft Windows® 2000 Server, IIS is not installed by default, so Windows Server Update Services Setup might be unable to continue, displaying an error message saying that IIS is not installed.

To install IIS:

  1. Open Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components.

  4. In the Components list, click Application Server.

  5. Click Details.

  6. Select the ASP.NET check box. The "Enable network COM+ access" and "Internet Information Services (IIS)" check boxes will be selected automatically.

  7. Select Internet Information Services (IIS), and then click Details to view the list of IIS optional components.

  8. Select all optional components you want to install. The World Wide Web Service optional component includes important subcomponents such as the Active Server Pages component and Remote Administration (HTML). To view and select these subcomponents, click World Wide Web Service, and then click Details. Click OK until you return to the Windows Components Wizard.

  9. Click Next, and complete the Windows Components Wizard.

  10. After you install IIS, run Windows Server Update Services Setup.

Windows Server Update Services Setup may fail to create a Web site if no sites were present in IIS when Setup was run. This may happen, for example, if you had a Software Update Services (SUS) 1.0 site as the only site in IIS and you deleted it before installing WSUS.

In this case, you need to create a new Web site by using the Internet Information Services (IIS) Manager snap-in. Once this is done, you can select this site or specify a new site during WSUS Setup.

If you already attempted to install WSUS and Setup failed because no sites were present, open IIS Manager snap-in, and delete the site "Web Site #1". Then follow the steps described earlier, and run Setup again.

The following table shows required software for each supported operating system. Make sure the WSUS server meets this list of requirements before you run WSUS Setup. If any of these updates require restarting the computer when installation is completed, you should perform the restart prior to installing WSUS.


| Operating System | Requirements | Downloads |
|---|---|---|
| All operating systems | Microsoft Internet Information Services (IIS) 5.0 | Install from operating system. See Issue 1: IIS must be installed. |
| All operating systems | Background Intelligent Transfer Service (BITS) 2.0 | For Windows Server 2003 operating systems, see Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 Windows Server 2003 (KB842773) on the Download Center. For Windows Server 2000 operating systems, see Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 Windows 2000 (KB842773) on the Download Center. |
| Windows Server 2003 | Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 | Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003. Alternatively, go to Windows Update and scan for Critical Updates and Service Packs; install Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003. |
| Windows Server 2003 | Database software that is 100-percent compatible with Microsoft SQL | |
| Windows 2000 Server | Database software that is 100-percent compatible with Microsoft SQL | If you are not using Microsoft SQL Server 2000, you can install Microsoft SQL Server 2000 Desktop Engine (MSDE 2000). This requires several steps. For more information, see Installing MSDE on Windows 2000 below. |
| Windows 2000 Server | Microsoft Internet Explorer 6.0 Service Pack 1 | Internet Explorer 6 Service Pack 1 |
| Windows 2000 Server | Microsoft .NET Framework Version 1.1 Redistributable Package | Microsoft .NET Framework Version 1.1 Redistributable Package |
| Windows 2000 Server | Microsoft .NET Framework 1.1 Service Pack 1 | Microsoft .NET Framework 1.1 Service Pack 1. Alternatively, go to Windows Update and scan for Critical Updates and Service Packs; install Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2000. |

In addition to these requirements, WSUS might install or configure ASP.NET version 1.1 on your server, if necessary. (WSUS Setup configures ASP.NET.)

If you are using Windows 2000 for WSUS and do not have access to Microsoft SQL Server 2000, you should install Microsoft SQL Server 2000 Desktop Engine (MSDE) before running WSUS Setup. If you already have MSDE installed on your WSUS server, you do not have to set up a special instance of it for WSUS. You can simply indicate the existing instance name during the WSUS setup process.

Installing MSDE on Windows 2000 Server is a four-step process. First, you must download and expand the MSDE archive to a folder on your WSUS server. Next, use a command prompt and command-line options to run MSDE Setup, set the sa password, and assign WSUS as the instance name. Then, when the MSDE installation finishes, you should verify that the WSUS instance is running as an NT service. Finally, you must add a security update to MSDE to protect your WSUS server.

You must download and expand the MSDE archive to a folder on your WSUS server. See Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Release A.

Use a command prompt and command-line options to run MSDE Setup, set the sa password, and assign WSUS as the instance name. When the MSDE installation finishes, you should verify the WSUS instance is running as an NT service.

To install MSDE, set the sa password, and assign an instance name:

  1. At the command prompt, navigate to the MSDE installation folder specified in “Step 1: Download and expand the MSDE archive.”

  2. Type the following: setup sapwd="password" instancename=WSUS

    where password is a strong password for the sa account on this instance of MSDE, and instancename is the name of the database instance. Alternatively, you can use the default instance name (instead of "WSUS") for your WSUS database. If you choose to do this, you do not have to type instancename=WSUS in your command-line parameter. This command launches the MSDE setup program, sets the sa password, and names this instance of MSDE to whatever value you specify.

You should make sure that you can see the WSUS instance of MSDE.

  1. Click Start, and then click Run.

  2. In the Open box, type services.msc and then click OK.

Scroll down the list of services, and verify that a service named MSSQL$WSUS (if you used "WSUS" for the instancename) or MSSQLSERVER (if you used the default instancename) exists.

At the end of the MSDE installation, you have to start the instance. If you used "WSUS" for the instancename, then you would start "MSSQL$WSUS." If you used the default instancename, then you would start MSSQLSERVER. Unless you start this service, WSUS will not be able to use the database instance.

You must download and install the security update described in the bulletin MS03-031: Cumulative Security Patch for SQL Server.

To download the security update, see SQL Server 2000 (32-bit) Security Patch MS03-031.

The following are the minimum disk-space requirements to install Windows Server Update Services:

  • 1 gigabyte (GB) on the system partition

  • 2 GB for the volume on which database files will be stored

  • 6 GB, based on content projection numbers

If you plan to install Windows Server Update Services on a server that has Windows Update Services Beta 1 or Beta 2 installed, you first need to uninstall the earlier version by using Add or Remove Programs in Control Panel.

The nested triggers option is turned on by default; however, it can be turned off by a SQL Server administrator.

If you plan to use a SQL Server database as the Windows Server Update Services data store, the SQL Server administrator should verify that the nested triggers option on the server is turned on before the WSUS administrator installs WSUS and specifies the database during setup.

WSUS Setup turns on the RECURSIVE_TRIGGERS option, which is a database-specific option; however, it does not turn on the nested triggers option, which is a server global option.

To see if nested triggers are on, use the following:

sp_configure 'nested triggers'

To turn on the nested triggers option in SQL Server, run the following from a batch file on the computer running SQL Server:

EXEC sp_configure 'nested triggers', 1
RECONFIGURE
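
Setting the option with sp_configure only stores the new value; it takes effect once RECONFIGURE runs. The following script is an added example, not part of the original Readme: it checks the value in effect, changes it only if needed, and reads it back. It assumes a login that is allowed to run sp_configure with a new value and RECONFIGURE; the temporary table name #opt is arbitrary.

```sql
-- Added example (not from the Readme). Run in Query Analyzer or with osql
-- while connected to the SQL Server instance that will host the WSUS database.
SET NOCOUNT ON

-- sp_configure returns one row per option: name, minimum, maximum,
-- config_value (stored setting) and run_value (setting in effect).
CREATE TABLE #opt (
    name         nvarchar(128),
    minimum      int,
    maximum      int,
    config_value int,
    run_value    int
)

INSERT INTO #opt EXEC sp_configure 'nested triggers'

IF EXISTS (SELECT * FROM #opt WHERE config_value = 1 AND run_value = 1)
    PRINT 'nested triggers is on; no change needed.'
ELSE
BEGIN
    -- Store the new value, then apply it. Without RECONFIGURE the
    -- config_value changes but the run_value stays as it was.
    EXEC sp_configure 'nested triggers', 1
    RECONFIGURE

    -- Read the option back and raise an error if it did not take effect.
    DELETE FROM #opt
    INSERT INTO #opt EXEC sp_configure 'nested triggers'

    IF EXISTS (SELECT * FROM #opt WHERE run_value = 1)
        PRINT 'nested triggers was off and has been turned on.'
    ELSE
        RAISERROR('nested triggers is still off; check permissions.', 16, 1)
END

DROP TABLE #opt
```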




You can perform unattended installations of WSUS. For more information and command-line parameters, see "Appendix A: Unattended Installation" in Deploying Microsoft Windows Server Update Services.

If you are running Internet Information Services (IIS) on a computer running Windows 2000 Server, install the latest version of IIS Lockdown Wizard (which includes URLScan) from the IIS Lockdown Tool page on Microsoft TechNet. Microsoft strongly recommends that you install this tool to help keep your IIS servers secure. The IIS Lockdown Wizard works by turning off unneeded features of IIS, thereby reducing the security risk exposure.

WSUS Setup does not install these components. You have to install them manually. You do not need to install IIS Lockdown on computers running Windows Server 2003, because the functionality is built in.

Windows Server Update Services stores its configuration data in a database (either MSDE or SQL Server). However, changing the configuration data by accessing the database directly is not supported. Administrators should not attempt to modify WSUS configuration in this way. The supported way of changing your WSUS configuration is by using the WSUS console or by calling WSUS APIs.

On the administrator's workstation, you must configure Internet Explorer to allow active scripting before you can use Internet Explorer to access the WSUS administration site.

Windows Server Update Services Setup will restart IIS without notification. This could affect existing Web sites within your organization.

By default, the content virtual directory for Windows Server Update Services is set with anonymous access. If you change this setting to require authentication, clients will receive authentication errors and be denied access to download updates. This is a known issue where Winhttp.dll uses the wrong authentication context when implicit authentication is required, so the authentication challenge will fail. To prevent this issue, ensure that the WSUS server and SMS MPs are set up with anonymous access to IIS virtual directories.

The WSUS Server installs two vroots, SelfUpdate and ClientWebService, and some files under the home directory of the default Web site (on port 80). This enables clients to self-update through the default Web site. By default, on Windows Small Business Server 2003, the default Web site is configured to deny access to any IP or localhost other than those of the server. This means the SelfUpdate and ClientWebService vroots are denied access and the clients will not self-update. To grant access to the clients to self-update, complete the following steps on the default Web site’s SelfUpdate and ClientWebService vroots.

  1. Click the vroot Properties, click Directory Security, click IP address and domain name restrictions, and then click Edit.

  2. Select Granted Access, and then click OK. Close all the property pages.

  • If Windows Small Business Server 2003 uses an ISA proxy server to access the Internet, the following must be entered manually in the Settings user interface: proxy server settings, proxy server name, and port.

  • If ISA is using Windows Authentication, proxy server credentials should be entered in the form "DOMAIN\user" (The user belonging to "Internet Users" group).

When a computer is assigned to a target group for the first time, data on the computer is modified with the group information. That data is refreshed periodically or hourly. Therefore, when moving a computer from one computer group to another, it may take up to one hour for that information to refresh on the client and display as changed in the WSUS administrative console.

If you install WSUS on a member server and then want to promote the member server to a domain controller, you will need to take the following steps:

  1. Uninstall WSUS.

  2. Promote the server to a domain controller.

  3. Reinstall WSUS.

If you’re running WSUS Server on a domain controller and want to demote the domain controller to a member server, you will need to complete the following steps:

  1. Uninstall WSUS and retain the database.

  2. Create a user account called ASPNET.

  3. At the command prompt, type aspnet_regiis -i.

  4. Reinstall WSUS and use the retained database.

This is caused by the fact that .NET Framework 1.0 is registered with IIS and that WSUS Server requires .NET Framework 1.1. To resolve this issue, open aspnet_regiis.exe and run the following commands, where website id is the value contained in the following registry key:


  • %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ReportingWebService

  • %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ClientWebService

  • %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\SimpleAuthWebService

  • %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\WSUSAdmin

  • %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\AdministrationWebService

  • %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ServerSyncWebService

  • %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\DssAuthWebService

  • %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\Content

WSUS offers limited support for running database software on a computer separate from the computer with the rest of the WSUS application.

  • You cannot use Windows 2000 Server as the front-end computer in a remote SQL pair.

  • You cannot use a server configured as a domain controller for either the front-end or the back-end of the remote SQL pair.

  • You cannot use WMSDE or MSDE for database software on the back-end computer.

  • Setup of a remote SQL Server (to use as the WSUS database) fails if Terminal Services is installed on the remote server and is running in application mode. When installing SQL Server on a Terminal Services server, you must do the following:

    1. Before running setup, open a command prompt and type: change user /install

    2. Run SQL Server Setup.

    3. After running setup, at the command prompt type: change user /execute

  • You must be a member of the local administrators security group on both the front-end and back-end computer to set up the remote SQL Server WSUS database.

  • For more information about remote SQL issues, see "Appendix C: Remote SQL" in Deploying Microsoft Windows Server Update Services.

A replica downstream server may have fewer approvals than the parent upstream server. This is because installation approvals do not flow to a downstream server until the content finishes downloading on the upstream server.

If synchronization fails, you might get an error message. If this occurs, you should first try synchronization again.

If you get the following error message, you may need to adjust permissions on the Network Service or ASP.NET accounts:

System.IO.FileNotFoundException: File or Assembly name xxxxxx.dll, or one of its dependencies, was not found

Where xxxx is a random name.

To resolve this issue in Windows Server 2003 operating systems, grant the Network Service account read/write access to %systemroot%\Temp. In Windows 2000 Server, grant the ASP.NET account read/write access to %systemroot%\Temp.

This update may show as installed on the WSUS server even though the installation actually failed on the client. This can cause the package to be reoffered to the client. You can work around this issue by unapproving the update on the server.

If you install WSUS RTM on a server with a previous version of WSUS (for example, RC), WSUS RTM will uninstall the earlier version and then install the new version. This means that vroots and files associated with WSUS in IIS will be deleted.

If you installed WSUS on the default Web site, you will lose any WSUS-related settings you have made to the WSUS vroots. For example, if you have configured the WSUS vroots for SSL in order to secure WSUS, you will need to configure them again after you install the RTM version of WSUS. Note: you will receive a notification on the WSUS console that SSL is not enabled.

If you had installed WSUS on a Web site other than the Default Web site, then all the additional settings at the WSUS Web site level are lost.

If you want to assign host header values to the default Web site (WSUS Web site) in IIS, you need to add “All Unassigned” or an assigned IP address to the list of IP addresses without a host header value to the default Web site. This should also be added to the non-default Web site.

Warning: This might break Windows® SharePoint® Services and Exchange functionality.

If you have Internet Explorer hardening (also known as the Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component) enabled on a computer and you do not add the WSUS console to the Trusted sites and Local intranet Web content zones, you will be prompted for user credentials every time you open a page in the WSUS console.

To add the WSUS console to the Local intranet and Trusted sites Web content zones:

  1. Open Internet Options (for example, click Start, point to Control Panel, and then click Internet Options).

  2. On the Security tab, click Local intranet, click Sites, click Advanced, add the URL (http://WSUSServername/WSUSAdmin), and then click OK.

  3. Click Trusted sites, click Sites, add the WSUS console URL, click OK, and then click OK again to exit Internet Options.

Upgrading from the WSUS Release Candidate might fail due to a self-update tree problem. This can occur if multiple clients self-update at the same time you attempt the upgrade.

To resolve this issue:

  1. Disconnect the WSUS server from the network, ensuring that clients cannot connect to it.

  2. At a command prompt, type: iisreset /restart and then press ENTER.

  3. Run the upgrade.

When you migrate from SUS 1.0 to WSUS, some approvals on the SUS 1.0 server will fail to migrate to the WSUS server. This is because a number of updates that were available to SUS 1.0 are no longer available to WSUS. In addition, because WSUS supports more updates than SUS, there may be important updates on your WSUS server that are unapproved after the migration process finishes.

Microsoft strongly recommends that you review the set of unapproved updates on your WSUS server after migration from SUS 1.0.

For more information about migrating from SUS 1.0 to WSUS, see Step-by-Step Guide to Migrating from Software Update Services to Windows Server Update Services at

If you are planning to upgrade WSUS 2.0 to Service Pack 1, and have migrated your WMSDE installation to SQL Server (whether it is remote or local), make sure to change the following registry entry:

HKLM\Software\Microsoft\Update Services\Server\Setup\WmsdeInstalled

The value should be changed from 1 to 0.

Perform the following steps when migrating to WSUS 2.0 Service Pack 1 with a remote SQL configuration:

  1. Run the setup package on the front end with no switches and choose to upgrade.

  2. Run the setup package on the back end with no switches and choose to upgrade.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.


Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
