Step 3: Install WSUS on Your Server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server Update Services

After reviewing the installation requirements and optionally installing MSDE, you should consider whether to run the IIS Lockdown Tool. Microsoft strongly recommends that you run the IIS Lockdown Wizard component to help keep your Windows 2000 Servers that are running IIS secure. The IIS Lockdown Wizard turns off unnecessary features, thereby reducing vulnerability to attackers. If you install the IIS Lockdown Tool and the URLScan tool on a server running WSUS, you must also read and perform the steps in the IIS Lockdown Tool section below.

With the preliminary considerations out of the way, you are ready to install WSUS. The following procedure uses the default WSUS installation options for Windows 2000 Server, which require you to supply database software, store updates locally, and use the IIS Default Web site on port 80. You can find procedures for custom installation options, such as storing updates remotely or using a Web site using a custom port number, in the “Deploying Microsoft Windows Server Update Services” white paper.

Step 3 contains the following procedures:

  • Download and install IIS Lockdown Tool.

  • Install WSUS on Windows 2000 Server.

IIS Lockdown Tool

Installation of the IIS Lockdown Tool is not required. However, if you do install IIS Lockdown Tool, you must read and follow the recommendations in this section for WSUS to function. To download the latest version of IIS Lockdown Tool, go to

When the IIS Lockdown Tool is installed on Windows 2000 Server, it denies Execute permissions to the %windir% folder, which then causes an error in the WSUS administrative console. To recover from this error, you must manually grant Read and Execute permissions to %windir%\\Framework\V1.1.4322\Csc.exe.

For more information, see this Knowledge Base article on the Microsoft Support Web site.

The URLScan tool is an optional component of the IIS Lockdown Tool. If you elect to use the URLScan tool on the server running WSUS, then you must edit the Urlscan.ini file to allow *.exe requests.

After you edit this file, you must restart both IIS and the WSUS server. You can find the Urlscan.ini file in the \WINNT\System32\Inetserv\Urlscan folder on the boot drive of your computer.

To edit the Urlscan.ini file

  1. Open Urlscan.ini in a text editor.

  2. Remove ".exe" from the [DenyExtensions] section.

  3. Ensure that the following settings appear under the [AllowVerbs] section:

    • GET

    • HEAD

    • POST


WSUS Installation

You must log on to the server you plan to install WSUS on by using an account that is a member of the local Administrators group. Only members of the local Administrators group can install WSUS.

To install WSUS on Windows 2000 Server

  1. Double-click the installer file WSUSSetup.exe.


The latest version of WSUSSetup.exe is available at

  1. On the Welcome page of the wizard, click Next.

  2. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.

  3. On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.

    Keep the default options, and click Next.

  4. On the Database Options page, click Use an existing database server on this computer, select the instance name from the SQL instance name box, and then click Next.

  5. On the Web Site Selection page, you specify the Web site that WSUS will use. This page also lists two important URLs based on this selection: the URL to which you will point WSUS client computers to get updates, and the URL for the WSUS console where you will configure WSUS.

    If you already have a Web site on port 80, you may need to create the WSUS Web site on a custom port. For more information about running WSUS on a custom port, see the “Deploying Microsoft Windows Server Update Services” white paper.

    Keep the default option, and click Next.

  6. On the Mirror Update Settings page, you can specify the management role for this WSUS server. If this is the first WSUS server on your network or you want a distributed management topology, skip this screen.

    If you want a central management topology, and this is not the first WSUS server on your network, select the check box, and type the name of an additional WSUS server in the Server name box. For more information about management roles, see the “Deploying Microsoft Windows Server Update Services” white paper.

    Keep the default option, and click Next.

  7. On the Ready to Install Windows Server Update Services page, review the selections, and click Next.

  8. If the final page of the wizard confirms that WSUS installation was successfully completed, click Finish.