Windows Server Update Services (WSUS) share permissions

When planning Microsoft Windows Server Update Services (WSUS) implementations, the following article must be consulted:

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment

It appears that in some cases the WSUS SMB/CIFS share is given insufficient permissions, which results in Windows event log entries with event ID 10012.

The following SMB and NTFS permissions should be set on the top-level shared folder used for the WSUS repository:

  • Network Service (Full control permissions)
  • System (Full control permissions)
  • WSUSSERVER$ (Full control permissions), where WSUSSERVER$ is the hostname of the WSUS server computer object
  • Administrators group (Full control permissions)
  • The above permissions must be present at the following levels:
    • SMB share level (right-click the top-level shared folder --> Properties --> Sharing --> Advanced Sharing --> Permissions).
    • NTFS level (right-click the top-level shared folder --> Properties --> Security).
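
The following PowerShell audit is an added example, not part of the original article: it reports, for each of the four principals listed above, whether an Allow/Full Control entry exists at the SMB share level and at the NTFS level. The share name `WsusContent` and the domain `CONTOSO` are assumed placeholders; run it elevated on the server that hosts the share.

```powershell
# Added example: audit the required Full Control entries on the WSUS share.
param(
    [string]$ShareName   = 'WsusContent',          # assumed share name, adjust as needed
    [string]$WsusAccount = 'CONTOSO\WSUSSERVER$'   # placeholder DOMAIN\hostname$ of the WSUS server
)

function ConvertTo-Sid([string]$Account) {
    if ($Account -match '^S-1-') { return $Account }   # unresolved entry already shown as a SID
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Required principals keyed by SID, so the check does not depend on the OS language.
$required = [ordered]@{
    'S-1-5-20'     = 'Network Service'
    'S-1-5-18'     = 'System'
    'S-1-5-32-544' = 'Administrators group'
}
$required[(ConvertTo-Sid $WsusAccount)] = $WsusAccount

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# SIDs with an Allow/Full entry at the SMB share level.
$shareFull = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' } |
    ForEach-Object { ConvertTo-Sid $_.AccountName }

# SIDs with an Allow/FullControl entry (explicit or inherited) at the NTFS level.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ntfsFull = (Get-Acl -Path $share.Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -band $fullControl) -eq $fullControl } |
    ForEach-Object { $_.IdentityReference.Value }

# One row per required principal; a False in either column is a missing permission.
foreach ($sid in $required.Keys) {
    [pscustomobject]@{
        Principal = $required[$sid]
        ShareFull = $shareFull -contains $sid
        NtfsFull  = $ntfsFull  -contains $sid
    }
}
```

The script only reads the ACLs; any row showing False identifies the level at which the entry still has to be added through the dialogs described above.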

For a detailed list of disk, registry and IIS permissions and settings, review the following article: https://www.ajtek.ca/wsus/wsus-permissions-wsuscontent-registry-and-iis/.
