how to install wsus update on windows server 2003

Posted on 2009-03-31
Last Modified: 2012-05-06
Question by:ashjuv

Expert Comment

by:Donald Stewart
ID: 24031471

Accepted Solution

Pete Long earned 250 total points
ID: 24031952
Hello ashjuv,

WSUS Installing and configuring Windows Software Update Services.

Pre Flight Checks

1.      Download the WSUS 3.0 SP1 executable from
2.      You will need 30-30Gb Free Drive space for your updates.
3.      Also ensure IIS is installed and running - put on the latest patches and updates before you start.
4.      Install this beforehand. Microsoft Report Viewer Redistributable 2005

Install WSUS

1.      Run the WSUS exe.
2.      Next.
3.      Select "Full Server installation including Administration Console".
4.      Next
5.      Accept the EULA > Next.
6.      Ensure "Store updates locally" is ticked and select a location to hold the updates (need 20-30Gb Free)
7.      Select "Install Windows Internal Database on this computer" Unless you want to use an existing SQL server > Next
8.      Select "Create a Windows Server Update Services 3.0 SP1 Web site" > Next.

Note: the URL i.e http://server-name:8530

9.      Review the information > Next.
10.      WSUS Will install.
11.      When done - click finish.

After a few seconds the configuration wizard will start. (Note you can run this at any time from the WSUS snap in > Options > WSUS Server Configuration Wizard.)

1.      Next.
2.      If you want to help leave the box ticked > Next.
3.      Unless you have a WSUS server "In front" of this one leave "Synchronise with Microsoft Update" Ticked > Next
4.      Enter Proxy details if appropriate*  > Next
5.      Click Start connecting.
6.      You should connect to the Microsoft update site. (This downloads an XML file that contains a full list of updates). > Next
7.      Select the language (you want the updates in!) remember the eventual downloaded updates folder size will be multiplied by the amount of languages you select. > Next.
8.      Select the products you want to update, again the more products the bigger the folder > Next.
9.      Select WHAT you want to download > Next.
10.      Select the frequency that WSUS will sync with Microsoft by selecting Synchronize automatically, set it "Out of Hours" > Next.
11.      Tick "Begin Initial synchronisation" > Next
12.      Click Finish.

Note the initial Synchronisation can take a very long time. Keep selecting "Updates" and you will see the numbers going up.
*NB if you're using ISA as a proxy you might need to change the port number to 8080 or it may fail (took me 15 minutes to work that out)
You now need to get your clients pointed to the WSUS Server - to do this use either local policy on each machine - Or Group policy on the domain.
OK now you need it to start seeing the clients before you do anything else...........

Point the clients to the WSUS Server

1.      If you are setting this up on the Domain skip to number 2, On the client click Start > Run > gpedit.msc {enter}
2.      If you are doing this on a Local PC skip to number 3, On a domain controller: Note this policy can be applied to an OU (Like the Computers OU for example) or at the domain level, for the purpose of this exercise we will apply it at domain level. Open administrative tools > Active directory users and computers, right click the domain, and select Properties > Group Policy > You will see one of two things, either one button to open the group policy management console, or one or more policies, and lots of buttons,
i.      One Button: Press the "Open" button to launch the Group policy Management Console > Right Click the Domain Name > Create and Link a GPO Here > Call it WSUS > OK > Right click the WSUS GPO > Edit.
ii.      Lots of Buttons > Click New > Call it WSUS > Edit.
3.      Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update. On the right pane locate "Configure Automatic Updates" and right click it, select properties.
4.      Select Enabled, in the first drop down box you set the action for the updates, I prefer not to frighten my users so I select "4 - Auto download and schedule the install" you can now set the schedule, by default it's set to 0300 which is no good if all your PCs are shut down at that time (set it to 1400 or something more sensible)
5.      Click "Next Setting" > Enable > in both boxes type the URL of your WSUS server (i.e. Http://:8530). Then Click "Next Setting" > if you see an "enable client side targeting" properties page click "Next Setting", the next screen should ask for a wait period after start-up for the updates to run, select Enabled and enter 5 minutes.
6.      Click "Next Setting" this comes in to play if an update requires a reboot, for an explanation click the "Explain" tab, I set this to Enable. That means it will inform the user but not reboot.
7.      Click Apply > OK > Then exit the policy editor.
8.      You can force the policy to take effect, by clicking..
i.      XP, Vista and server 2003: Start > run > gpupdate /force {enter}

You can test to see if they have applied by right clicking "My computer" > Properties > Automatic Updates, and the time you set in policy should be shown and all the options "greyed out"

Create some groups and move your PCs into them.

As with previous versions of SUS, WUS, and WSUS, as new PCs are detected they get put in "Unassigned computers". I suggest you create some groups - in my case I create a "Live" Group and a "Test" Group, that way I can test the updates on a few PCs (the ones in my office) before I fire them at everyone.

To Create a Group

1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Computers > All computers > Right Click > Add computer group > Give it a name > Add > Repeat as necessary i.e. You might want to create groups for servers, or exchange servers, or web servers, etc.
If you're running through this your PCs may not have reported yet so to find them do the following.
1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Computers > All computers > Unassigned Computers > Change the Status Drop down to "Any" and click Refresh.
3.      To move them to the group you created simply right click them and select "Change Membership" > Then select the appropriate group > OK.
Send out the updates.

Unless you approve the updates to be sent out, nothing will happen, the WSUS server just logs everything and does some reports, before an update can be sent out to a client you need to approve it.

1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Updates > All Updates > Ensure the Approval drop down is set to "Unapproved" and click refresh.
3.      Select the updates you want to approve (Normal selection rules apply unlike earlier versions you can multiple select using the shift and control keys as required).
4.      Click "Approve" (it's on the far right window).
5.      Select the group you want to approve the update for (click the little down arrow).
6.      Select Approved for Install. > OK.
7.      Hopefully after the progress bar has finished it should have a long list of "Successes" > Click Close.

WARNING - I didn't write the updates, Microsoft did, if you approve something that breaks your clients then moan at them not me.

Force a Client update

On the client run the following batch file

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=cut below-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
@echo on
REM Stop the Automatic Updates service so its detection state can be reset
net stop wuauserv
REM Delete the cached detection timers so the client checks in when the service starts
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
REM Restart the service; it now runs a fresh detection against the WSUS server
net start wuauserv

@echo off
Echo This client will now check for updates on the WSUS Server.
Echo Wait at least 30 minutes then check C:\Windows\WindowsUpdate.log
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=cut above-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Troubleshoot from the client using the Client Diagnostics Tool
Other Diagnostic tools

Machines are not importing

Make sure the URL that's defined in the group policy is the FQDN of the WSUS Server.
Try removing the port number from the URL specified in Group Policy (sometimes it is set up on Port 80 and tells you it hasn't).
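
A check for the client-side result of the policy steps and the "Machines are not importing" advice above, as an added example that is not part of the original answer. The registry value names are the standard Windows Update policy values; the function names and the sample host name `wsus01` are constructed for illustration.

```powershell
# Added example. Function names and sample data are hypothetical; the registry
# value names are the ones the Windows Update policy settings write on a client.
$keys  = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate',
         'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$names = 'WUServer', 'WUStatusServer', 'UseWUServer', 'AUOptions', 'ScheduledInstallTime'

function Get-WsusClientPolicy {
    # Collect the policy values present on this client into one hashtable.
    $policy = @{}
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($n in $names) {
            if ($null -ne $props.$n) { $policy[$n] = $props.$n }
        }
    }
    $policy
}

function Test-WsusClientPolicy {
    # Return a list of findings; an empty list means the values match the guide.
    param([hashtable]$Policy)
    $findings = @()
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: the client will not use the WSUS URL'
    }
    if ($Policy['WUServer'] -ne $Policy['WUStatusServer']) {
        $findings += 'WUServer and WUStatusServer differ; step 5 puts the same URL in both boxes'
    }
    $uri = $null
    if (-not [System.Uri]::TryCreate([string]$Policy['WUServer'], [System.UriKind]::Absolute, [ref]$uri)) {
        $findings += "WUServer is missing or not a valid URL: '$($Policy['WUServer'])'"
    } elseif ($uri.Host -notmatch '\.') {
        $findings += "WUServer host '$($uri.Host)' is not an FQDN"
    }
    if ($Policy['AUOptions'] -ne 4) {
        $findings += 'AUOptions is not 4 (auto download and schedule the install)'
    }
    if ($Policy['ScheduledInstallTime'] -eq 3) {
        $findings += 'ScheduledInstallTime is still the 03:00 default; the answer suggests a daytime slot'
    }
    $findings
}

# Constructed sample: short host name and default schedule.
$sample = @{ WUServer = 'http://wsus01:8530'; WUStatusServer = 'http://wsus01:8530'
             UseWUServer = 1; AUOptions = 4; ScheduledInstallTime = 3 }
Test-WsusClientPolicy -Policy $sample
# On a real client: Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```

Run it after `gpupdate /force` on a machine that has not appeared in the WSUS console; a URL with an empty host, such as one where the server name was left out, is reported by the URL check.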



Assisted Solution

ChiefIT earned 250 total points
ID: 24035533

Author Comment

ID: 24036218
thanks, if these workstations don't show hundred percent sooner than later then I am going to come back and ask another question.

thanks for all your help

Expert Comment

ID: 24046561
I appreciate your desire to stick with one question for one answer. Supplying a quick how-to guide was your original question, but we all have configured WSUS servers and know there are most likely stragglers that don't sign in. In my opinion, no real need to ask another question.

You have a couple of my favorite techs on this question that could quickly respond to helping you with WSUS stragglers. I think one of us could help you resolve any remaining issues pretty quickly.


Expert Comment

by:Pete Long
ID: 24052510
Won't be me - I'm useless :)

Expert Comment

by:Pete Long
ID: 24066580

Question has a verified solution.
