Install and configure WSUS 3.0 SP2 – Step-By-Step

Microsoft Windows Server Update Services 3.0 SP2 (WSUS 3.0 SP2) enables information technology administrators to deploy the latest Microsoft updates, hotfixes and service packs to computers running Microsoft Windows Server 2003 family, Windows Server 2008, Microsoft Windows Vista family,  Microsoft Windows XP with Service Pack 2 operating systems. By using WSUS, administrators can fully manage and take control of the distribution of updates that are released through Microsoft Update.

Prerequisites for WSUS server

  • Windows Server 2003 SP1 or Windows Server® 2008
  • Microsoft Internet Information Services (IIS) 6.0 or later
  • Windows Installer 3.1 or later
  • Microsoft .NET Framework 2.0
  • Microsoft Report Viewer Redistributable 2005
  • Microsoft Management Console 3.0
  • SQL Server 2005 SP1 or later

Prerequisites for WSUS clients (x86 and x64)

  • Windows XP SP2, Windows Vista, Windows 7
  • Windows Server 2003 or Windows Server 2008

WSUS Deployment Scenarios

WSUS is flexible enough to deploy starting from small to enterprise organisation. just you need to make sure active directory, DNS and DHCP working perfect. If port 80 is occupied by your company web site you can use port 8530. I used port 8530 on WSUS server. I have ISA 2004 so I will show how to add WSUS publishing rule in ISA 2004 also.

Install Prerequisites

1. IIS installation

go to add/remove windows component and select Application server

click next

Select as above. you must select and IIS,  then check Internet Information Services and click Details.

Check BITS, check IIS manager and click on details

Check ASP and WWW and click ok.

2. MMC 3.0 installation

no need to install you installed service pack on your server

3. .net framework installation

Download .net 2 framework from the link

run installation, click next, accept EULA and follow the installation screen.


4. MS report viewer installation, Download report viewer from  the Link

run installation, click next, accept EULA and follow the installation screen.

5. SQL Server 2005 SP1 installation

download SQL server 2005 from the link


Click next and click install, click  next again


follow installation screen until finish.


Now you have fulfil prerequisite as mention above.

WSUS installation

download WSUS from website. sign in using hotmail or live account. download x86 or x64 as you prefer. here I am installing x86 version.

Click on run

click next

Check Full server installation radio button, click next

Accept EULA

You must have two partition in your server as you can see above. I selected D:\WSUS . click next

Check use existing database. It is required for enterprise deployment. internal database will not work if you have large number of desktop and server. click next.


Click next

On the next screen “web site selection” check create Microsoft Windows Server Update Services Web Site on port 8530



Click next


Click next , Click next again

Click finish. WSUS config wizard will start next

click next

Click next

Provide proxy server IP and credentials above if you have proxy server. in my case I typed my ISA server IP, port 80 and my domain admin credentials.

Click on start connecting and wait until finish, click next and follow the config screen to select your language, products, classification


wait until synchronisation finish. It might take 30/40 minutes depending on speed of your internet.

Setup IIS Security

Now set permission in IIS in WSUS server, you may set anonymous logon. Don’t worry its inside  your firewall.



Configure WSUS

open WSUS management console. In the Left hand side pan, click on Options then click on Change Update File and Language. Check Download Update files to the server when updates are approved. Select appropriate language. Then Click Apply and Ok.



Click on Automatic Approval and create new rules and run the rules. In my case I have two custom rules.



In the left hand side pan right click on All Computers, Click on Add Computer Group. For example, I have three computer groups; desktop, Windows7 and Server.

Group Policy Configuration

This part describes how to use GPO to deliver Automatic Updates 


Open group policy management console, Right click on the Group policy objects container and click new. create policies for each of computer groups. For Example, WSUS Policy for desktop, WSUS Policy for Windows 7 and WSUS Server policy.













 Now right click on WSUS policy that is desktop policy you just created and change settings of four GPO that are enabled here on screen













Configure Auto download and schedule installation that fit for you
















Point WSUS server and port as http://yourserver:8530 in both the box
















Type target group to populate desktop/pc in WSUS Server.















Check enabled in following box not to reboot machine if user logged on


Repeat this process for WSUS server policy, Windows 7 Policy and so on.

In GPO management console, Right click on the organisational unit that contain desktop/workstation and link existing WSUS policy you created in above steps with this organisational unit.













 Link it with WSUS policy
















Repeat same steps for all other organisational unit in GPO management console. Now you may close GPO now.

Important! Do NOT link WSUS policy in child OU. Link directly to the top of OU hierarchy otherwise workstation will not populate. 












 Publish WSUS policy in ISA Server

If you have ISA 2004/2006 or Forefront TMG 2010, you have to set WSUS policy in ISA firewall access rule. so that ISA doesn’t block communication between server and client. You don’t need to do it if nothing blocking between Client and Server communication and don’t have a firewall.

To publish WSUS policy, Open ISA management console

Go to Network Object and expand WEB listener,  right click on web listener click new. Type Name of WSUS server. Name should be netbios name of WSUS server. Follow the screen shot.




Click next, click finish.

In the right hand side Tasks Pan, Click on publish a web server and follow the screen shot






On the next screen shot select the web listener (WSUS server) you added in the previous steps.




Right click on the WSUS Publishing policy, click on property>Click Bridging Tab and check web server and port 8530


On the paths add these path if these aren’t exist already



uncheck verify and block option. Apply Changes and click ok.


Go to client machine, run gpupdate /force if client not showing on WSUS

Run wuauclt /resetauthorization /detectnow command from client machine.

Check Registry of client.













Auto update and patch up gives administrator more time to concentrate other things without spending time on patching up servers and pc. I enjoyed deploying WSUS. I hope these instruction would be handy for you.

Relevant Articles:

WSUS 3.0 SP2: Understanding WSUS deployment topology

How to configure automatic updates by using Group Policy or registry settings

How to configure Windows Server Update Services (WSUS) to use BranchCache

How to Configure WSUS for Roaming Clients

Troubleshooting WSUS server

Windows Server 2008: Windows Server Update Services Role–Step by Step Guide

WSUS: Best practice guide lines for WSUS installation, configuration and management

WSUS Health Check

Beer mugAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.