Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


how to install wsus update on windows server 2003

Posted on 2009-03-31
Medium Priority
Last Modified: 2012-05-06
how to install wsus update on windows server 2003
Question by:ashjuv
LVL 47

Expert Comment

by:Donald Stewart
ID: 24031471
LVL 58

Accepted Solution

Pete Long earned 1000 total points
ID: 24031952
Hello ashjuv,

WSUS Installing and configuring Windows Software Update Services.

Pre Flight Checks

1.      Download the WSUS 3.0 SP1  executable from from http://www.microsoft.com/downloads/details.aspx?FamilyId=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en#filelist
2.      You  will need 30-30Gb Free Drive space for your updates.
3.      Also Ensure IIS in installed and running ? put on the latest patches and updates before you start.
4.      Install this beforehand. Microsoft Report Viewer Redistributable 2005 http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-dd7726e61367&displaylang=en

Install WSUS

1.      Run the WSUS exe.
2.      Next.
3.      Select "Full Server installation including Administration Console".
4.      Next
5.      Accept the EULA > Next.
6.      Ensure "Store updates locally" is ticked and select a location to hold the updates (need 20-30Gb Free)
7.      Select "Install Windows Internal Database on this computer" Unless you want to use an existing SQL server > Next
8.      Select "Create a Windows Server Update Services 3.0 SP1 Web site? > Next.

Note: the URL i.e http://server-name:8530

9.      Review the information > Next.
10.      WSUS Will install.
11.      When done - click finish.

After a few seconds the configuration wizard will start. (Note you can run this at any time from the WSUS snap in > Options > WSUS Server Configuration Wizard.)

1.      Next.
2.      If you want to help leave the box ticked > Next.
3.      Unless you have a WSUS server ?In front? of this one leave ?Synchronise with Microsoft Update? Ticked > Next
4.      Enter Proxy details if appropriate*  > Next
5.      Click Start connecting.
6.      You should connect to the Microsoft update site. (This downloads an XML file that contains a full list of updates). > Next
7.      Select the language (you want the updates in!) remember the eventual downloaded updates folder size will be multiplied by the amount of languages you select. > Next.
8.      Select the products you want to update, again the more products the bigger the folder > Next.
9.      Select WHAT you want to download > Next.
10.      Select the frequency that WSUS will sync with Microsoft by selecting Synchronize automatically, set it ?Out of Hours? >Next.
11.      Tick ?Begin Initial synchronisation? > Next
12.      Click Finish.

Note the initial Synchronisation can take a very long time. Keep selecting ?Updates? and you will see the numbers going up.
*NB if you?re using ISA as a proxy you might need to change the port number to 8080 or it may fail (took me 15 minutes to work that out)
You now need to get your clients pointed to the WSUS Server ? to do this use either local policy on each machine ? Or Group policy on the domain.
OK now you need it to start seeing the clients before you do anything else...........

Point the clients to the WSUS Server

1.      If you are setting this up on the Domain skip to number 2, On the client click Start > Run > gpedit.msc {enter}
2.      If you are doing this on a Local PC skip to number 3, On a domain controller: Note this policy can be applied to an OU (Like the Computers OU for example)or the at domain level, for the purpose of this exercise we will apply it at domain level. Open administrative tools > Active directory users and computers, right click the domain, and select Properties > Group Policy > You will see one of two things, either one button to open the group policy management console, or one or more policies, and lots of buttons,
i.      One Button: Press the ?Open? button to launch the Group policy Management Console > Right Click the Domain Name > Create and Link a GPO Here > Call it WSUS > OK > Right click the WSUS GPO > Edit.
i.      Lots of Burtons > Click New > Call it WSUS > Edit.
3.      Navigate to Computer Configuration > Administrative Templates >Windows Components > Windows Update. On the right pane locate "Configure Automatic Updates" and right click it, select properties.
4.      Select Enabled, in the first drop down box you set the action for the updates, I prefer not to frighten my users so I select "4 - Auto download and schedule the install" you can now set the schedule by default its set to 0300 which isn?t no good if all your PC's are shut down at that time (set it to 1400 or something more sensible)
5.      Click "Next Setting" > Enable > in both box's type the URL of your WSUS server (i.e. Http://:8530). Then Click "Next Setting" > if you see a "enable client side targeting properties page click "Next Setting" the next screen should ask for a wait period after start-up for the updates to run select enables and enter 5 minutes.
6.      Click "Next Setting" this comes in to play if an update requires a reboot, for an explanation click the "Explain" tab, I set this to Enable. That means it will inform the user but not reboot.
7.      Click Apply > OK > Then exit the policy editor.
8.      You can force the policy to take effect, by clicking..
i.      XP, Vista and server 2003: Start > run > gpupdate /force {enter}

You can test to see if they have applied by right clicking "My computer" > Properties > Automatic Updates, and the time you set in policy should be shown and all the options "greyed out"

Create some groups and move your PC?s into them.

As with previous versions of SUS, WUS, and WSUS, as new PC?s are detected they get put in ?Unassigned computers? I suggest you create some groups ? I?m my case I create a "Live" Group and a "Test" Group that way I can test the updates on a few PC's (The ones in my office) before I fire them at everyone.

To Create a Group

1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Computers > All computers > Right Click > Add computer group > Give it a name > Add > Repeat as necessary i.e. You might want to create groups for servers, or exchange servers, or web servers, etc.
If you?re running through this your PC?s may not have reported yet so to find them do the following.
1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Computers > All computers > Unassigned Computers > Change the Status Drop down to ?Any? and click Refresh.
3.      To move them to the group you created simply right click them and select ?Change Membership? > Then select the appropriate group > OK.
Send out the updates.

Unless you approve the updates to be sent out, nothing will happen, the WSUS server just logs everything and does some reports, before an update can be sent out to a client you need to approve it.

1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Updates  > All Updates > Ensure the Approval drop down is set to ?Unapproved? and click refresh.
3.      Select the updates you want to approve (Normal selection rules apply unlike earlier versions you can multiple select using the shift and control keys as required).
4.      Click ?Approve? (it?s on the far right window.
5.      Select the group you want to approve the update for (click the little down arrow).
6.      Select Approved for Install. > OK.
7.      Hopefully after the progress bar has finished it should have a long list of ?Successes? > Click Close.

WARNING - I didn?t write the updates, Microsoft did, if you approve something that breaks your clients then moan at them not me.

Force a Client update

On the client run the following batch file

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=cut below-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
@echo on
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv

@echo off
Echo This client will now check for updates on the WSUS Server.
Echo Wait at least 30 minutes then check C:\Window\Windows update.log
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=cut above-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Troubleshoot from the client using the CLient Diagnostics Tool
Other Diagnostic tools

Machines are not importing

Make sure the URL thats defined in the group policy is the FQDN of the WSUS Server.
Try removing the port number from the URL specified in Group Policy (sometimes it set up on Port 80 and tells you it hasnt).


LVL 39

Assisted Solution

ChiefIT earned 1000 total points
ID: 24035533
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments


Author Comment

ID: 24036218
thanks, if these workstaion don't show hundred percent sooner than later then I am going to come abck and ask another question.

thanks for all ur help
LVL 39

Expert Comment

ID: 24046561
I appreciate your desire to stick with one question for one answer. Supplying a quick how to guide was your original question, but we all have configured WSUS servers and know there are most likely straglers that don't sign in. In my opinion, o real need to ask another question.

You have a couple of my favorite techs on this question that could quickly respond to helping you with WSUS stragglers. I think one of us could help you resolve any remaining issues pretty quickly.

LVL 58

Expert Comment

by:Pete Long
ID: 24052510
-Wont be me -  Im useless :)
LVL 58

Expert Comment

by:Pete Long
ID: 24066580

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question