Install WSUS 3.

0 - Step-By-Step
I've managed to compose a quick installation procedure for those of you who want to utilize the
great free utility from microsoft...

Enjoy!

Pre-Requisites

1. IIS 6.0 with ASP.net installed (windows Components).

go to control panel à add/remove programs à Windows Components
check application server and click details.

make sure that application server console and ASP.net are check and then check Internet
Information Services and click Details.
make sure that BITS, Common files, Internet Information Services Manager, and then
click world wide web service and click details:

make sure that Active server pages and world wide web service are check and click OK
twice and click next.
 Click Finish.
2. MMC 3.0 (no need if win2003 sp2 exists).
3. .net framework 2.0 (exists as part of windows server R2 or available for download from
Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-
4362-4B0D-8EDD-AAB15C5E04F5)
4. Microsoft Report Viewer Setup (available for download from Microsoft at
http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-
dd7726e61367)
Wsus3.0 Installation

Install Wsus 3.0 from location: http://www.microsoft.com/downloads/details.aspx?

FamilyId=E4A868D7-A820-46A0-B4DB-ED6AA4A336D9
Check I Accept and then click next.
Check the Store updates locally and type D:\Wsus (or any other folder. Recommended not to use
your system partition for storing WSUS updates) on the path to save the updates. Then click
next.
Chose Install Use and Existing server Database on this computer and leave the path on default
(same location as WSUS update). Then click next.
Click Next.
Check "Use existing IIS Default Web Site" and click next.
WSUS Configuration Wizard
After the setup ends, the following screen will open up:

Click Next.
Check the I would like to join box and click Next.
Choose synchronize from Microsoft update, and click next.
In case you have a proxy server on you organization specify proxy settings, else leave all settings
at default and click next. It is recommended to set the WSUS to work without a proxy server and
allow it a direct connection to the internet (open the appropriate ports on the FW).
In the connect to upstream server page, click start connecting. After the server has finished the
initial sync, the next button will be available. Click next.
In the choose language window, choose English and Hebrew (or any other language of your
choice) and click next.
On the choose products page, check the products you wish to sync (default, windows – all
version, office – all versions, Exchange – all versions). Then click next.
On the choose classifications page, choose all classifications and click next.
On the sync schedule page, choose synchronize automatically when first sync is at 12:00:00AM
and the sync per day setting is set to 24. Then click next.
On the finished page, check both checkboxes and click finish.

WSUS initial configuration

On the Update service administrator console that opens when the setup ends, click options and
on the options tab. On the options window, click automatic approvals.
On the automatic approval window, check the default automatic approval rule (automaticly
approves critical and security updates) and click new rule if you wish to add additional auto-
approve rules for specific products or classifications.
On the add rule wizard specify any other auto approve rules that you wish by product or
classification.
On the choose product window, check only forefront-forefront client security and click ok.

Back on the add rule window under step 3, type rule name (ex. FCS Update rule) and click ok
twice.

Defining WSUS Update Policy (GPO)

Open Group Policy Management Console (GPMC). Start -> Run -> write gpmc.msc -> OK.
Right click on the Group policy objects container and click new.

Write the policy name and click OK.

Expand the group policy objects container and then right-click the object you have just created
and click edit.
Expand the Computer configuration -> Administrative Templates -> Windows Components ->
Windows Update.

Now configure the following options:

1. Configure Automatic Updates
 2. On the specify internet Microsoft update service location, enter the netbios name that
your internal clients will need to address when connecting to the wsus server.

Recommended settings

1. Client Side targeting Specifies the target group name or names that should be used to
receive updates from an intranet Microsoft update service.
If the status is set to Enabled, the specified target group information is sent to the intranet
Microsoft update service which uses it to determine which updates should be deployed to
this computer.
 note: in order for this to work, you need to create groups in the WSUS server.

2. Reschedule automatic updates scheduled installations Specifies the amount of time for
Automatic Updates to wait, following system startup, before proceeding with a scheduled
installation that was missed previously.
If the status is set to Enabled, a scheduled installation that did not take place earlier will
 occur the specified number of minutes after the computer is next started.

3. No auto-restart Specifies that to complete a scheduled installation, Automatic Updates

will wait for the computer to be restarted by any user who is logged on, instead of
causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer
automatically during a scheduled installation if a user is logged in to the computer.
 Instead, Automatic Updates will notify the user to restart the computer.

4. Automatic updates detection frequency Specifies the hours that Windows will use to
determine how long to wait before checking for available updates. The exact wait time is
determined by using the hours specified here minus zero to twenty percent of the hours
specified. For example, if this policy is used to specify a 20 hour detection frequency,
then all clients to which this policy is applied will check for updates anywhere between
16 and 20 hours.
If the status is set to Enabled, Windows will check for available updates at the specified
interval.
If the status is set to Disabled or Not Configured, Windows will check for available
 updates at the default interval of 22 hours.

5. Allow automatic updates immediate installation Specifies whether Automatic Updates

should automatically install certain updates that neither interrupt Windows services nor
restart Windows.
If the status is set to Enabled, Automatic Updates will immediately install these updates
 once they are downloaded and ready to install.

6. Allow non-administrators to receive update notifications pecifies whether, when logged

on, non-administrative users will receive update notifications based on the configuration
settings for Automatic Updates. If Automatic Updates is configured, by policy or locally,
to notify the user either before downloading or only before installation, these
notifications will be offered to any non-administrator who logs onto the computer.
If the status is set to Enabled, Automatic Updates will include non-administrators when
 determining which logged-on user should receive notification.

After finished configuring the GPO, go back to the GPMC console and link the GPO to the OU
that contains the computer objects you wish to work with the WSUS server. Do this by right
clicking the OU and choosing link an existing GPO.