Windows Server Update Services (WSUS) share permissions

When planning Microsoft Windows Server Update Services (WSUS) implementations, the following article must be consulted:

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment

It appears that in some cases there are insufficient permissions provided in the WSUS SMB/CIFS share, therefore receiving Windows event logs with event ID 10012:
http://www.eventid.net/display-eventid-10012-source-Windows%20Server%20Update%20Services-eventno-9198-phase-1.htm

The following SMB and NTFS permissions should be set on the top-level shared folder used for the WSUS repository:

  • Network Service (Full control permissions)
  • System (Full control permissions)
  • WSUSSERVER$ (Full control permissions), where WSUSSERVER$ is the hostname of the WSUS server computer object
  • Administrators group (Full control permissions)

    • The above permissions must be present at following levels:
    • SMB share level (right click top level shared folder –> Properties
    –> sharing –> advanced sharing –> permissions).
    • NTFS level (right click top level shared folder –> Properties –> Security).

    For a detailed list of disk, registry and IIS permissions and settings, review the following article: https://www.ajtek.ca/wsus/wsus-permissions-wsuscontent-registry-and-iis/.

    Microsoft, WSUS
    What are your Feelings

    Powered by BetterDocs