Windows Server 2003 : Administering Software Update Services (part 1) - Installing SUS on a Windows Server 2003 Computer

1/8/2014 3:09:19 AM
To maintain a secure computing environment, it is critical to keep systems up to date with security patches. Since 1998, Microsoft has provided Windows Update as a Webbased source of information and downloads. With Windows XP and Windows 2000 Service Pack 3, Microsoft added Automatic Updates, whereby a system automatically connects to Windows Update and downloads any new, applicable patches or “hotfixes.” Although the Windows Update servers and Automatic Updates client achieve the goal of keeping systems current, many administrators are uncomfortable with either computers or users deciding which patches should be installed, because a patch might interfere with the normal functioning of a business-critical application.

The latest improvements to these technologies deliver Software Update Services (SUS). SUS is a client-server application that enables a server on your intranet to act as a point of administration for updates. You can approve updates for SUS clients, which then download and install the approved updates automatically without requiring local administrator account interaction.

1. Understanding SUS

Since 1998, Microsoft Windows operating systems have supported Windows Update, a globally distributed source of updates. Windows Update servers interact with client-side software to identify critical updates, security rollups, and enhancements that are appropriate to the client platform, and then to download approved patches.

Administrators wanted a more centralized solution that would assure more direct control over updates that are installed on their clients. Software Update Services is a response to that need. SUS includes several major components:

  • Software Update Services, running on an Internet Information Services (IIS) server The server-side component is responsible for synchronizing information about available updates and, typically, for downloading updates from the Microsoft Internet-based Windows Update servers or from other intranet servers running SUS.

  • The SUS administration Web site All SUS administration is Web-based. After installing and configuring SUS, administration typically consists of ensuring that the SUS server is synchronizing successfully, and approving updates for distribution to network clients.

  • Automatic Updates The Automatic Updates client is responsible for downloading updates from either Windows Update or an SUS server, and installing those updates based on a schedule or an administrator’s initiation.

  • Group Policy settings Automatic Updates clients can be configured to synchronize from an SUS server rather than the Windows Update servers by modifying the clients’ registries or, more efficiently, by configuring Windows Update policies in a Group Policy Object (GPO).

2. Installing SUS on a Windows Server 2003 Computer

SUS has both client and server components. The server component runs on a Windows 2000 Server (Service Pack 2 or later) or a Windows Server 2003 computer. Internet Information Services (IIS) must be installed before setting up SUS and,  IIS is not installed by default on Windows Server 2003. For information about how to install IIS.

SUS is not included with the Windows Server 2003 media, but it is a free download from the Microsoft SUS Web site at The client and server components are available in separate downloads.


The SUS download is not available in every localized language. However, this download determines the installation and administrative interface for the server component only. Patches for all locales can be made available through SUS.

After downloading the latest version of SUS, double-click the installation file for the server component and the installation routine will start. After you agree to the license agreement, choose Custom setup and the Setup Wizard will prompt you for the following information:

  • Choose File Locations Each Windows Update patch consists of two components: the patch file itself and metadata that specifies the platforms and languages to which the patch applies. SUS always downloads metadata, which you will use to approve updates and which clients on your intranet will retrieve from SUS. You can choose whether to download the files themselves and, if so, where to save the updates.


    If you elect to maintain the update files on Microsoft Windows Update servers, Automatic Updates clients will connect to your SUS server to obtain the list of approved updates and will then connect to Microsoft Windows Update servers to download the files. You can thereby maintain control of client updating and take advantage of the globally dispersed hosting provided by Microsoft.

    If you choose the Save The Updates To This Local Folder option, the Setup Wizard defaults to the drive with the most free space and will create a folder called SUS on that drive. You can save the files to any NTFS partition; Microsoft recommends a minimum of 6 gigabytes (GB) of free space.


    The SUS partition and the system partition must be formatted as NTFS.

  • Language Settings Although the SUS administrative interface is provided in English and a few additional languages, patches are released for all supported locales. This option specifies the localized versions of Windows servers or clients that you support in your environment.

  • Handling New Versions Of Previously Approved Updates Occasionally, an update itself is updated. You can direct SUS to automatically approve updates that are new versions of patches that you have already approved, or you can continue to approve each update manually.

  • Ready To Install Before installation begins, the Setup Wizard will remind you of the URL clients should point to, http://SUS_servername. Note this path because you will use it to configure network clients.

  • Installing Microsoft Software Update Services The Setup Wizard installs SUS.

  • Completing the Microsoft Software Update Services Setup Wizard The final page of the Setup Wizard indicates the URL for the SUS administration site, http://SUS_servername/SUSAdmin. Note this path as well, because you will administer SUS from that Web location. When you click Finish, your Web browser will start and you will be taken automatically to the SUS administration page.

Software Update Services installs the following three components on the server:

  • The Software Update Synchronization Service, which downloads content to the SUS server

  • An IIS Web site that services update requests from Automatic Updates clients

  • An SUS administration Web page, from which you can synchronize the SUS server and approve updates

IIS Lockdown

When you run the SUS installation on Windows 2000, the SUS Setup Wizard launches the IIS Lockdown Wizard to secure IIS 5.0. Windows Server 2003 is locked down by default, so IIS Lockdown is not necessary.

If you have Web applications running on an IIS server, those applications might not function properly after SUS has been installed. You can re-enable Internet Server Application Programming Interface (ISAPI) filters and open other components that are secured by IIS Lockdown. However, because of the sensitive nature of operating system updates, you should consider running SUS on a dedicated server without other IIS applications.

  •  Windows 7 : Understanding the User Account Control - INTERACTING WITH THE UAC
  •  Windows 7 : Understanding the User Account Control
  •  Windows Server 2003 : Supporting and Troubleshooting Terminal Server (part 5) - Managing User Sessions
  •  Windows Server 2003 : Supporting and Troubleshooting Terminal Server (part 4) - Managing and Troubleshooting Terminal Server - Device Redirection
  •  Windows Server 2003 : Supporting and Troubleshooting Terminal Server (part 3) - Managing and Troubleshooting Terminal Server - Connection Configuration
  •  Windows Server 2003 : Supporting and Troubleshooting Terminal Server (part 2) - Managing and Troubleshooting Terminal Server - Points of Administration
  •  Windows Server 2003 : Supporting and Troubleshooting Terminal Server (part 1) - Installing and Configuring a Terminal Server Environment
  •  Windows 7 : Configuring and Troubleshooting Internet Explorer Security - How to Identify Group Policy Restrictions
  •  Windows 7 : Configuring and Troubleshooting Internet Explorer Security - How to Troubleshoot Certificate Problems
  •  Windows 7 : Configuring and Troubleshooting Internet Explorer Security - Adding Sites to the Trusted Sites List , Protected Mode
    Most View
    Microsoft SharePoint 2010 Web Applications : Presentation Layer Overview - Ribbon (part 1)
    The Cyber-athletic Revolution – E-sports’ Era (Part 1)
    Windows Server 2003 : Implementing Software Restriction Policies (part 4) - Implementing Software Restriction Policies - Creating a Path Rule, Designating File Types
    Sql Server 2012 : Hierarchical Data and the Relational Database - Populating the Hierarchy (part 1)
    Two Is Better Than One - WD My Cloud Mirror
    Programming ASP.NET 3.5 : Data Source-Based Data Binding (part 3) - List Controls
    Windows 8 : Configuring networking (part 5) - Managing network settings - Understanding the dual TCP/IP stack in Windows 8, Configuring name resolution
    Nikon Coolpix A – An Appealing Camera For Sharp Images (Part 2)
    Canon PowerShot SX240 HS - A Powerful Perfection
    LG Intuition Review - Skirts The Line Between Smartphone And Tablet (Part 2)
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
    Top 10
    Review : Acer Aspire R13
    Review : Microsoft Lumia 535
    Review : Olympus OM-D E-M5 Mark II
    TomTom Runner + MultiSport Cardio
    Timex Ironman Run Trainer 2.0
    Suunto Ambit3 Peak Sapphire HR
    Polar M400
    Garmin Forerunner 920XT
    Sharepoint 2013 : Content Model and Managed Metadata - Publishing, Un-publishing, and Republishing
    Sharepoint 2013 : Content Model and Managed Metadata - Content Type Hubs