In the world that we live in, managing Windows updates can be a very difficult thing. All computers need some updates to keep running smoothly (and to keep them secure). Some people just don't worry about installing Windows updates, but I am not very comfortable with that. A good solution that I found is called Windows Server Update Services (WSUS).

WSUS becomes the place where all of your computers receive their windows updates. It gives you the ability to approve specific updates that will be installed on assigned computers. WSUS also keeps track of what updates a computer has received. WSUS also gives you the ability to specify when updates are installed.

This article shows you how to set up WSUS. WSUS will be good for those who need a way to manage Windows Update (WSUS could be installed as a backup or as your primary method).

The Server

Over the past few days I have been setting up a new server. First we installed Windows Server 2003 on it. Then, we installed MSSQL 2005 and Deployment Solution (you can read up on this in my last article: Installing Deployment Solution for Clients 6.8 using MSSQL 2005).

Now, on that same server, I wanted to install WSUS. I tied WSUS into MSSQL. So, here is how I did it:

Download WSUS 3.0

The first thing that we need to do is download WSUS. Microsoft just came out with a new version, WSUS 3.0. I suggest using this new version. The older version was web based and had limited settings. Version 3.0 is managed through the Management Console. It also has a lot more features. To download the newest version of WSUS, click here.
Microsoft has a complete set of documentation dealing with WSUS. If you would like to take a look at that, click here. Make sure that you are using Internet Explorer when you view Microsoft documentation. For some reason, other browsers don't work as well.

Prerequisites

Updates

There are a few things that need to be installed before you dive into WSUS. Here is a list of what you need and where to find it:

• IIS: To install this please see my last article: Installing Deployment Solution for Clients 6.8 using MSSQL 2005 (look under the section called: "Install IIS"
• Update for Background Intelligent Transfer Service (BITS) 2.0
• Microsoft .NET Framework Version 2.0
• Microsoft Report Viewer Redistributable 2005
• Microsoft Management Console 3.0

SQL Server 2005 Service Pack 1

We need to download Service Pack 1 for all of this to work. To download Service Pack 1, click here. Once it is downloaded:

• Navigate to the executable and double click it
• Click the "Run" button
  
  

  Click to view.

• On this window, click the "Next" button
  
  

  Click to view.

• After carefully reading the EULA, Click the check box next to "I accept the licensing…" Click the "Next" button
  
  

  Click to view.

• On the window that is shown below, click the "Next" button
  
  

  Click to view.

• On the "Authentication Mode" window, click the "Next" button to continue
  
  

  Click to view.

• Click the "Install" button to start the installation
  
  

  Click to view.

• It takes a long time to update everything...
  
  

  Click to view.

  Note: A window may appear informing you that some system files are locked. If you press the "Continue" button, everything should install just fine. You will have to reboot when the process is done.
• When it is done installing, it will look like this:
  
  

  Click to view.

  Click the "Next" button to continue

• Click the "Finish" button
  
  

  Click to view.

  Note: You may have to reboot your computer

SQL Server 2005 Service Pack 2

The process of installing Service Pack 2 is very similar to installing Service Pack 1. There are very minor GUI changes.

Space Requirements

You need to make sure to have the following space free before you install:

• 1 gig free for the install files
• 2 gig free for the database
• 30 gig free to store the actual Windows Updates on your server

That is a total of 33 gig. Microsoft doesn't do anything small these days, do they?

Permissions

The Network Service account is built into Windows Server. You don't need to create it. The account is a pre-built local account that is created when you install Windows Server 2003. WSUS uses this account to do everything that it needs to do on the Server.

You need to give the "Network Service" local account "Full Control" to
%windir%\Microsoft .NET\Framework\v2.0.50727\Temporary ASP.NET Files

• Navigate to %windir%\Microsoft .NET\Framework\v2.0.50727\
  
  

  Click to view.

• Right click on the "Temporary ASP.NET" folder, go to "Properties"
  
  

  Click to view.

• Click on the "Security" tab
  
  

  Click to view.

• Click on the "Add" button, and the following window will appear:
  
  

  Click to view.

• Now, click on the "Advanced" button
• In the window that appears, click on the "Find Now" button. In the list, find the "Network Service" account and select it like is shown below:
  
  

  Click to view.

• Click the "OK" button
• Now, you will see the following window:
  
  

  Click to view.

  Click the "OK" button

• With the "Network Service" account selected, click the "Full Control" Check box as shown below:
  
  

  Click to view.

• Click "OK" - the following window will appear:
  
  

  Click to view.

• Select "Yes" and you are done

%windir%\Temp

• Use the process outlined above to give "Full Control" to the "Network Service" account.

Install WSUS on the Server

Now we are all done with installing the prerequisites, we are ready to install WSUS 3.0. Here is how:

• Navigate to the where you saved the WSUS installer and double click it.
• A "Open File - Security Warning" window might appear, if it does just click the "Run" button to continue
• On the following window, click the "Next" button to continue
  
  

  Click to view.

• We are doing a "Full Server installation including Administration Console," make sure that radio button is selected and click the "Next" button to continue
  
  

  Click to view.

• The following window will appear:
  
  

  Click to view.

  It takes a minute to prepare the install

• After carefully reading the EULA, select the "I accept…" radio button, and click the "Next" button to continue
  
  

  Click to view.

• I want our windows updates to be stored on the server. If you uncheck the "Store updates locally" box the computers will get their updates from Microsoft's Update site. Click the "Next" button to continue
  
  

  Click to view.

• We have MSSQL 2005 installed on this server, so I selected the "Use an existing database server on this computer" radio button. The only option in the drop-down menu was "<Default>." Click the "Next" button to continue
  
  

  Click to view.

• After WSUS connects to the server, the window will look like this:
  
  

  Click to view.

  Click the "Next" button to continue

• I was not sure what to do on this screen, so I called Altiris…
  
  

  Click to view.

  I was not sure if the Deployment Solution web part used this same port number. According to the WSUS documentation, these are your choices:

  "On the Web Site Selection page, specify the Web site that WSUS 3.0 will use. If you wish to use the default IIS Web site on port 80, select the first option. If you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option. Keep the default option and click Next."

  According to the incredibly helpful Altiris Help Desk guy that I talked to both Notification Server and Deployment Solution default to port 80. Because of that I am going to choose the second option: "Create a Windows Server Update Service Web site." Once you have done that, click the "Next" button (see below).

  

  Click to view.

• Everything is ready to install, click the "Next" button to start the installation
  
  

  Click to view.

• Sit back and wait for this to finish installing…
  
  

  Click to view.

• When everything is done installing, the screen below will appear:
  
  

  Click to view.

  Click the "Finish" button, the WSUS configuration wizard will start automatically

Configure the WSUS Network Connection

We are now going to do the basic configuration of WSUS. Follow guide below:

• We have an average setup that has no special proxy settings, so on the screen below I clicked the "Next" button
  
  

  Click to view.

• On the screen below I was fine with the defaults, so I clicked the "Next" button
  
  

  Click to view.

• I wanted our server to get its updates from Microsoft Update, so I clicked the "Next" button
  
  

  Click to view.

  Note: You may have multiple WSUS servers in your environment. At least one of the WSUS servers needs connect to Microsoft Update. We only have one WSUS server, so it will connect to Microsoft Update.
• In our environment we don't need special proxy information, so I clicked the "Next" button
  
  

  Click to view.

• On the "Connect to Upstream Server" window, WSUS wants to test and see if the settings we have provided so far are correct. Click the "Start Connecting" button to test the settings…
  
  

  Click to view.

• While it is attempting to sync with the server, the window will look like this:
  
  

  Click to view.

• Apparently everything worked so clicked the "Next" button to continue
  
  

  Click to view.

• On the "Choose Languages" window you can choose what language updates you want to download. The more languages you choose the more space is needed on the server to store the updates. I only want English Microsoft Updates, so I clicked the "Next" button to continue
  
  

  Click to view.

• On the choose products screen, you can choose what updates you want WSUS to manage. There are tons of them. Make sure you only download the updates you actually need. The more options you choose, the more space you will need. After I selected all of the programs that I need, I clicked the "Next" button to continue
  
  

  Click to view.

• On the "Choose Classifications" we decided that we would like the option of having all of these different updates, so we picked them all. Choosing all of the different types of updates makes managing updates more complicated (but if you are in a bind, it is nice to have the option). You can also pick what updates go out to the computers under your care. Click the "Next" button to continue
  
  

  Click to view.

• On the "Set Sync Schedule" you can choose to manually sync the server, or to have the server manage the syncs automatically. Here is some useful info from Microsoft about WSUS server syncing:
  

  "If you choose to synchronize automatically, the WSUS server will synchronize at specified intervals. Set the time of the first synchronization and specify the number of synchronizations per day you wish this server to perform. For example, if you specify that there should be four synchronizations a day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M."

  I decided that I did not want to worry about the server syncing, so I choose the "Synchronize automatically"

  

  Click to view.

  I would like my server to sync every day at 7:00AM (right before everyone comes to work and hogs up the bandwidth). Click the "Next" button to continue

• We are almost all done. On the screen below click the "Next" button to continue
  
  

  Click to view.

• WSUS tells us that we are not quite done, we still have a few more things to do. If you click on the links on the "What's Next" screen a help file opens that tells you about the task. Click the "Finish" button and you are done!
  
  

  Click to view.

Update Service Window

Once you are done installing, the Update Service Window will open. It looks like this:

Click to view.

If you click on the server name, the following window will appear:

Click to view.

You can see in the middle pane that there are a number of updates that need to be approved. That is the fun part of setting WSUS up is that you get to go in and approve every update for all the choices that you have made. Here is a closer look at that pane:

Click to view.

If you want to start having computers connect to your WSUS server, click on the "To set up a client computer link" to open the WSUS help file on that subject.

Setting up the Client Computers

Pointing computers to the new WSUS that we just set up is really easy. All you have to do is change a few Group Policies (if you have any questions about Group Policies, please see this Juice article: Group Policies: Understanding the Tool).

Here is where you can find the Windows Updates Group Policies:

• 1.Go to Start >> Run, and type in "GPEDIT.MSC" (without the quotes)
• Once the Group Policy window is open, go to Administrative Templates >> Windows Components >> Windows Updates
• To point the computer to the server, double click on "Specify intranet Microsoft update service location"
• Click on the "Enabled" radio button, and enter in the server address.
• Click "OK" when you are done
• After a few minutes your computer will getting its updates from the new WSUS server

Conclusion

After installing WSUS in your environment you don't have to worry about Windows Updates any more. WSUS helps you keep the updates that you want to be installed on the computers that need them.