
WSUS Server Installation

The following is a guide to installing a basic WSUS server. You can install the WSUS server on 2003 Server, Web Server edition if you wish (rather than the standard version). To install on Server 2008 R2 you must have Enterprise, Datacenter, Standard, Foundation or HPC edition.

We will assume that you will run a single WSUS server which will get its updates from either Microsoft Update or the WSUS server run by Windows-support.

If you require more complicated configurations then you should refer to the Microsoft documentation in the first instance - see link on main page for the WSUS default home page.

Installing the Base Server

Minimum Spec

The minimum spec for a WSUS server should be:

  • 1 GHz CPU or better
  • 512 MB RAM
  • Sufficient hard drive capacity for all the downloads; recommended specs follow
  • A minimum of 15 GB free space is required for the volume where WSUS stores content; 60 GB is recommended.
  • A minimum of 2 GB free space is required on the volume where WSUS Setup installs Microsoft internal database.
  • 100 Mbit network connection to the server.

The server install required is not standard; see the additional requirements below.

If you are not familiar with securing your server, review our documentation on doing so: Security checklist.

Additional Requirements

To run WSUS 3.0 your server will also need:

  • .NET Framework 2.0 or greater
  • BITS 2.0
  • Internet Explorer 6 with SP1
  • IIS 6
  • Microsoft Report Viewer 2005

There are a few points to remember:

  • Do not make the WSUS server a domain member
  • Do not attempt to install WSUS on a Domain Controller
  • Do not have the inetpub folder on the system drive
  • Create or rename the default website for use by WSUS
  • Use directory security

Installing and Configuring IIS

Basic Recommendations

  • It is assumed that you will run the IIS component over port 80 on the default website - or a renamed default web site.
  • Install the server onto a different partition to the system drive.
  • Use the Security options to restrict access to your server, either by IP range or by domain name.

Directory Security

You can limit access to your IIS server by using Directory Security. You can choose to grant or deny access based on a single computer, a range of computers or a domain name. Generally you are advised not to restrict by domain name, as a reverse lookup has to be carried out for each connecting system, which can cause performance issues.

Configuring the server to be accessed only by your own IP addresses shouldn't be too much of a problem and should be considered a mandatory step.
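
A check for the restriction described above, as an added example that is not part of the original guide: it reads an IIS log in W3C extended format and lists requests from addresses outside your allowed ranges that IIS served rather than refused (IIS records an IP-restriction refusal as status 403, substatus 6). The networks, the log lines and the function name audit_iis_log are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed values: the networks allowed in IIS Directory Security
# (documentation-only ranges stand in for your own address space).
ALLOWED_NETWORKS = ["192.0.2.0/24", "198.51.100.16/28"]

# Constructed sample in W3C extended log format, as written by IIS.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2010-03-01 09:00:01 192.0.2.15 POST /ClientWebService/client.asmx 200 0
2010-03-01 09:00:07 198.51.100.20 GET /selfupdate/wuident.cab 200 0
2010-03-01 09:01:12 203.0.113.9 GET /selfupdate/wuident.cab 403 6
2010-03-01 09:02:30 203.0.113.44 POST /ClientWebService/client.asmx 200 0
2010-03-01 09:03:02 198.51.100.40 GET /Content/AB/file.cab 200 0
"""

def audit_iis_log(log_text, allowed_networks):
    """Return (leaks, denied): requests from outside the allowed networks
    that IIS served, and a per-IP count of those it refused with 403."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    fields, leaks, denied = [], [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            ip = ipaddress.ip_address(row["c-ip"])
            status = int(row["sc-status"])
        except (KeyError, ValueError):
            continue                       # row lacks or garbles the fields we need
        if any(ip in net for net in nets):
            continue                       # client is inside an allowed range
        if status == 403:
            denied[str(ip)] += 1
        else:
            leaks.append((str(ip), row.get("cs-uri-stem", "-"), status))
    return leaks, denied

if __name__ == "__main__":
    leaks, denied = audit_iis_log(SAMPLE_LOG, ALLOWED_NETWORKS)
    for ip, uri, status in leaks:
        print(f"SERVED outside allowed range: {ip} {uri} -> {status}")
    for ip, count in denied.items():
        print(f"denied as expected: {ip} x{count}")
```

Any line reported as served means the Directory Security rule does not cover that client address, or is not applied to the site or virtual directory that answered the request.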

Installing WSUS

WSUS is available from the Microsoft site at:

Choosing a Database

Every WSUS installation requires a database. WSUS comes with Microsoft internal database (effectively a local-only MSDE), so you can just use this; however, if you prefer, you can run your own full SQL server.

Whatever you choose, remember to patch the WMSDE/SQL installation and password-protect the SA account!

SQL and MSDE Security

Client Specification

Automatic Updates is the client component of WSUS. Automatic Updates has no hardware requirements other than being connected to the network. You can use Automatic Updates with WSUS on computers running any of the following operating systems:

  • Windows 2000 Professional with Service Pack 3 (SP3) or Service Pack 4 (SP4), Windows 2000 Server with SP3 or SP4, or Windows 2000 Advanced Server with SP3 or SP4.
  • Windows XP Professional, with or without Service Pack 1 or Service Pack 2.
  • Windows Vista - all versions.
  • Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows Server 2003, Web Edition.
  • Windows 7 - all versions

Firewall Configuration

If there is a firewall between your WSUS server and the Internet, you will need to configure that firewall to ensure that WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 80 for HTTP protocol and port 443 for HTTPS protocol.

If you do not want these ports and protocols open to all addresses, you can restrict access to only the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:

  • http://*
  • https://*
  • http://*
  • https://*
  • http://*
  • http://*