Microsoft Windows Server Update Services Operations Guide: Microsoft Corporation Published: January 16, 200

Microsoft Windows Server Update
Services Operations Guide

Microsoft Corporation
Published: January 16, 200
Abstract
This paper documents the major tass in!ol!ed in administerin" and troubleshootin"
Microsoft# $indo%s &er!er' (pdate &er!ices)
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of
any information presented after the date of publication.
This White Paper is for informational purposes only. MC!"#"$T M%&'# ("
W%!!%(T'#, ')P!'##, MP*'+ "! #T%T,T"!-, %# T" T.' ($"!M%T"( (
T.# +"C,M'(T.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means
/electronic, mechanical, photocopying, recording, or otherwise0, or for any purpose,
without the e1press written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering sub2ect matter in this document. '1cept as e1pressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
,nless otherwise noted, the e1ample companies, organi3ations, products, domain
names, e4mail addresses, logos, people, places, and events depicted herein are
fictitious, and no association with any real company, organi3ation, product, domain name,
e4mail address, logo, person, place, or event is intended or should be inferred.
5 6778 Microsoft Corporation. %ll rights reserved.
Microsoft, #9* #erver, Windows, and Windows #erver are either registered trademarks
or trademarks of Microsoft Corporation in the ,nited #tates and:or other countries.
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Contents
Microsoft $indo%s &er!er (pdate &er!ices *perations +uide)))))))))))))))))))))))))))))))))))))))))1
Contents))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ,
Microsoft $indo%s &er!er (pdate &er!ices *perations +uide ))))))))))))))))))))))))))))-
.dministerin" $indo%s &er!er (pdate &er!ices ))))))))))))))))))))))))))))))))))))))))))))))))))-
Mana"in" $indo%s &er!er (pdate &er!ices )))))))))))))))))))))))))))))))))))))))))))))))))))))6
Monitorin" $indo%s &er!er (pdate &er!ices ))))))))))))))))))))))))))))))))))))))))))))))))))6,
&ecurin" $indo%s &er!er (pdate &er!ices ))))))))))))))))))))))))))))))))))))))))))))))))))))/6
Troubleshootin" $indo%s &er!er (pdate &er!ices ))))))))))))))))))))))))))))))))))))))))))))/6
0erifyin" $&(& &er!er &ettin"s ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))/6
$&(& &er!er .dministration 1ssues ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))2,
Client Computer .dministration 1ssues ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))36
.dditional 4esources for $indo%s &er!er (pdate &er!ices )))))))))))))))))))))))))))))10-
$indo%s &er!er (pdate &er!ices Communities)))))))))))))))))))))))))))))))))))))))))))))))))))))))))10-
More 5ocumentation)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 10-
Microsoft Windows Server Update
Services Operations Guide
This "uide describes the major tass in!ol!ed in administerin" and troubleshootin"
$indo%s &er!er (pdate &er!ices)
Note
. do%nloadable copy of this document is a!ailable at
http://go.icrosoft.co/fw!in"/#$in"%d&'()*+
%n this guide
.dministerin" $indo%s &er!er (pdate &er!ices
Troubleshootin" $indo%s &er!er (pdate &er!ices
.dditional 4esources for $indo%s &er!er (pdate &er!ices
Adinistering Windows Server Update
Services
This section contains bac"round information and procedures for performin" the major
tass in!ol!ed in administerin" $indo%s &er!er (pdate &er!ices)
%n this guide
*!er!ie% of $indo%s &er!er (pdate &er!ices
Mana"in" $indo%s &er!er (pdate &er!ices
Monitorin" $indo%s &er!er (pdate &er!ices
&ecurin" $indo%s &er!er (pdate &er!ices
Overview of Windows Server Update Services
6y usin" $indo%s &er!er (pdate &er!ices 7$&(&8, you can fully mana"e the process of
"ettin" soft%are updates that are released throu"h Microsoft (pdate, and then distribute
them to ser!ers and client computers in your net%or)
'
,ow WSUS wor"s
$&(& pro!ides a mana"ement infrastructure consistin" of the follo%in":
Microsoft Update: the Microsoft $eb site that $&(& components connect to for
updates to Microsoft products)
Windows Server Update Services server: the ser!er component that is
installed on a computer runnin" a Microsoft $indo%s 2000 &er!er %ith &er!ice Pac
9 7&P98 or a Microsoft $indo%s &er!er 200, operatin" system inside the corporate
fire%all) $&(& ser!er soft%are enables administrators to mana"e and distribute
updates throu"h a $eb:based tool, %hich can be accessed from 1nternet ;<plorer on
any computer runnin" a $indo%s operatin" system in the corporate net%or) 1n
addition, a $&(& ser!er can be the update source for other $&(& ser!ers) 1n a
$&(& implementation, at least one $&(& ser!er in the net%or must connect to
Microsoft (pdate to "et a!ailable updates) The administrator can determine, based
on net%or security and confi"uration, ho% many other ser!ers connect directly to
Microsoft (pdate)
Autoatic Updates: the client computer component built into $indo%s 2000
%ith &P,, Microsoft $indo%s =P, and $indo%s &er!er 200, operatin" systems)
.utomatic (pdates enables both ser!er and client computers to recei!e updates from
Microsoft (pdate or from a ser!er runnin" $&(&)
Managing Windows Server Update Services
%n this section
&ettin" (p and 4unnin" &ynchroni>ations
Mana"in" Computers and Computer +roups
Mana"in" (pdates
4unnin" in 4eplica Mode
6acin" (p $indo%s &er!er (pdate &er!ices
Mana"in" $&(& from the Command ?ine
Setting Up and -unning S.nchroni/ations
5urin" synchroni>ation, your ser!er runnin" $indo%s &er!er (pdate &er!ices 7$&(&8
do%nloads updates 7update metadata and files8 from an update source) $hen your
$&(& ser!er synchroni>es for the first time, it %ill do%nload all of the updates you
specified %hen you confi"ured synchroni>ation options) .fter the first synchroni>ation,
0
your $&(& ser!er determines if any ne% updates ha!e been made a!ailable since the
last time it made contact %ith the update source, and then do%nloads only ne% updates)
The S.nchroni/ation Options pa"e is the central access point in the $&(& console for
customi>in" ho% your $&(& ser!er synchroni>es updates) *n this pa"e, you can specify
%hich updates are synchroni>ed automatically, %here your ser!er "ets updates,
connection settin"s, and the synchroni>ation schedule)
.fter you synchroni>e updates to your $&(& ser!er, you must then appro!e them before
the $&(& ser!er can perform any action for them) The e<ceptions to this are updates
classified as Critica! Updates and Securit. Updates, %hich are automatically appro!ed
for detection) @or more information, see A.ppro!in" updates for detection in .ppro!in"
(pdates)
Note
6ecause $&(& initiates all its net%or traffic, there is no need to confi"ure
$indo%s @ire%all on a $&(& ser!er connected directly to Microsoft update)
S.nchroni/ing Updates b. 1roduct and C!assification
Bour $&(& ser!er do%nloads updates based on the products or product families 7for
e<ample, $indo%s, or $indo%s &er!er 200,, 5atacenter ;dition8 and classifications 7for
e<ample, Critical (pdates or &ecurity (pdates8 that you specify) .t the first
synchroni>ation, your $&(& ser!er do%nloads all of the updates a!ailable in the
cate"ories you ha!e specified) .t subseCuent synchroni>ations, your $&(& ser!er
do%nloads only the ne%est updates 7or chan"es to the updates already a!ailable on your
$&(& ser!er8 in the cate"ories you specified)
Bou specify update products and classifications on the S.nchroni/ation Options pa"e
under 1roducts and C!assifications) Products are "rouped in a hierarchy, by product
family) @or e<ample, if you select $indo%s, you automatically select e!ery product that
falls under that product hierarchy) 6y selectin" the parent chec bo< you not only select
all items under it, but all future releases too) &electin" the child chec bo<es %ill not
select the parent chec bo<es) The default settin" for 1roducts is .ll $indo%s Products,
and for Update c!assifications, the default settin" is Critical (pdates and &ecurity
(pdates) Bou must specify update classifications indi!idually)
1f your $&(& ser!er is runnin" in replica mode, you %ill not be able to perform this tas)
@or more information about replica mode, see 4unnin" in 4eplica Mode)
2o specif. update products and c!assifications for s.nchroni/ation
1) *n the $&(& console toolbar, clic Options, and then clic
3
S.nchroni/ation Options)
2) (nder 1roducts and C!assifications, under 1roducts, clic Change)
,) 1n the Add/-eove 1roducts dialo" bo<, under 1roducts, select the
products or product families for the updates you %ant your $&(& ser!er to
synchroni>e, and then clic O4)
9) (nder 1roducts and C!assifications, under Update c!assifications, clic
Change)
-) 1n the Add/-eove C!assifications dialo" bo<, in C!assifications, select
the update classifications for the updates you %ant your $&(& ser!er to
synchroni>e, and then clic O4)
6) (nder 2as"s, clic Save settings, and then clic O4)
Note
1f you %ant to stop synchroni>in" updates for one or more specific products
or product families, clear the appropriate chec bo<es in the Add/-eove
1roducts dialo" bo<, and then clic O4) Bour $&(& ser!er %ill stop
synchroni>in" ne% updates for the products you ha!e cleared) Do%e!er,
updates that %ere synchroni>ed for those products before you cleared them
%ill remain on your $&(& ser!er and %ill be a!ailable on the Updates pa"e)
Configuring 1ro5.6server Settings
Bou can confi"ure your $&(& ser!er to use a pro<y ser!er durin" synchroni>ation %ith
an upstream ser!er or Microsoft (pdate) 1n addition, you can specify a port number and
%hether you %ant your ser!er to connect to the pro<y ser!er by usin" specific user
credentials)
Bou specify pro<y:ser!er settin"s on the S.nchroni/ation Options pa"e under 1ro5.
server) This settin" %ill apply only %hen your $&(& ser!er runs synchroni>ations) 6y
default this option is not enabled, and your $&(& ser!er %ill connect directly to the
upstream ser!er or Microsoft (pdate) 6y default, the pro<y:ser!er option is not selected,
%hich means that your $&(& ser!er %ill attempt to connect directly to another $&(&
ser!er or Microsoft (pdate durin" synchroni>ation)
6ecause $&(& initiates all of its net%or traffic, you do not need to confi"ure $indo%s
@ire%all on a $&(& ser!er connected directly to Microsoft (pdate)
2o specif. a pro5. server for s.nchroni/ation
(
2) (nder 1ro5. server, select the Use a pro5. server when s.nchroni/ing
chec bo<, and then type the ser!er name and port number 7port 20 is the
default8 of the pro<y ser!er)
1f you %ant to connect to the pro<y ser!er by usin" specific user
credentials, select the Use user credentia!s to connect to the pro5.
server chec bo<, and then enter the user name, domain, and pass%ord of
the user in the correspondin" bo<es)
1f you %ant to enable basic authentication for the user connectin" to the
pro<y ser!er, select the A!!ow basic authentication 7password in c!ear
te5t8 chec bo<)
,) (nder 2as"s, clic Save settings, and then clic O4)
Configuring the Update Source
The update source is the location from %hich your $&(& ser!er "ets its updates and
update information 7metadata8) Bou can specify that the update source be either
Microsoft (pdate or another $&(& ser!er 7in this scenario, the $&(& ser!er that acts
as the update source is the upstream ser!er, and your ser!er is the downstream server8)
*ptions for customi>in" ho% your $&(& ser!er synchroni>es %ith the update source
include the follo%in":
Bou can specify a custom port for synchroni>ation) @or "eneral information about
confi"urin" ports, see 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
http:EE"o)microsoft)comEf%linEFlinidG91///HclcidG0<903)
Bou can use &&? to secure synchroni>ation of update information bet%een
$&(& ser!ers) @or more information about usin" &&?, see &ecurin" $indo%s
&er!er (pdate &er!ices)
2o specif. the update source for .our WSUS server
2) (nder Update Source, do one of the follo%in":
1f you %ant your $&(& ser!er to synchroni>e directly from Microsoft
(pdate, clic S.nchroni/e fro Microsoft Update) 1f your ser!er is runnin"
in replica mode, this option %ill is disabled) @or more information, see
4unnin" in 4eplica Mode)
9
1f you %ant to synchroni>e from another $&(& ser!er in your net%or,
clic S.nchroni/e fro an upstrea Windows Server Update Services
server, and then type the ser!er name and port number in the correspondin"
bo<es)
1f you %ant to use &ecure &ocet ?ayers 7&&?8 %hen synchroni>in"
update information 7metadata8 synchroni>ation, type the port number that the
upstream ser!er uses for &&? connections, and then select the Use SS$
when s.nchroni/ing update inforation chec bo<) @or more information
about usin" &&? durin" synchroni>ation, see &ecurin" $indo%s &er!er
(pdate &er!ices)
1f your $&(& ser!er is runnin" in replica mode, you just need to type the
ser!er name in the Server nae bo<) The upstream ser!er does not ha!e to
be the administration ser!er 7for e<ample, it can be another replica mode
ser!er8) @or more information about replica mode, see 4unnin" in 4eplica
Mode)
Specif.ing Where to Store Updates
@or more information, see &pecifyin" $here to &tore (pdates)
S.nchroni/ing Manua!!. or Autoatica!!.
Bou can either synchroni>e your $&(& ser!er manually or specify a time for it to
synchroni>e automatically on a daily basis)
2o s.nchroni/e .our server anua!!.
2) (nder Schedu!e, clic S.nchroni/e anua!!.)
2o s.nchroni/e .our WSUS server iediate!.
2) (nder 2as"s, clic S.nchroni/e now)
*+
2o set up an autoatic s.nchroni/ation schedu!e
2) (nder Schedu!e, clic S.nchroni/e dai!. at, and then in the list select the
time you %ant synchroni>ation to start each day)
Managing Coputers and Coputer Groups
%n this section
Mana"in" Client Computers
Mana"in" Computer +roups
Managing C!ient Coputers
$&(& enables you to mana"e the entire process of updatin" your computers, includin"
manually and automatically determinin" %hich updates they need and recei!e, specifyin"
%hen the updates are installed, and monitorin" the status of update deployment on your
computers)
The central access point in the $&(& console for mana"in" computers is the
Coputers pa"e, %hich displays a list of computers that ha!e been confi"ured to "et
updates from the $&(& ser!er) The computers are displayed by computer "roup, and
you can filter the computer list to a specific computer "roup) 6y selectin" a computer in
the list, you can !ie% its properties, %hich include "eneral details about the computer and
the status of updates for itIfor e<ample, the installation or detection status of an update
for a particular computer)
Bou can also mana"e computer "roups on the Coputers pa"e, %hich includes creatin"
the "roups and assi"nin" computers to them) @or more information about mana"in"
computer "roups, see Mana"in" Computer +roups)
%portant
Bou must first set up a client computer to contact the $&(& ser!er before you
can mana"e it from that ser!er) (ntil you perform this tas, your $&(& ser!er
%ill not reco"ni>e your client computer, and %ill not display it in the computer list
on the Coputers pa"e) @or more information about settin" up a client
**
computer, see 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
. client computer can only be set to communicate %ith one $&(& ser!er at a
time) 1f you later chan"e this settin" and specify a different $&(& ser!er, the
client computer stops contactin" the $&(& ser!er specified earlier) Do%e!er, the
client computer %ill remain on the list of computers and in the computer "roups
specified on that earlier $&(& ser!er) 1n addition, the ori"inal $&(& ser!er %ill
report the last time the client computer contacted it 7%hich %ill be accurateIit %ill
be before the client computer stopped connectin" to it8) To stop the client
computer from displayin" on the earlier specified $&(& ser!er, you must
remo!e the computer from the $&(& ser!er)
Managing Coputers on the Coputers 1age
The follo%in" are common tass you can perform on the Coputers pa"e) 6efore you
can add a computer to a computer "roup, you must ha!e created a computer "roup) @or
more information about creatin" computer "roups, see Mana"in" Computer +roups)
2o view the properties for a coputer
1) *n the $&(& console toolbar, clic Coputers)
2) 1n Groups, clic the computer "roup to %hich the computer currently belon"s
to)
,) 1n the list of computers, clic the computer for %hich you %ant to !ie%
properties)
9) 1n the properties pane, do either of the follo%in":
Clic the :etai!s tab for "eneral information about the computer)
Clic the Status tab for appro!al and update status for the computer)
2o add a coputer to a coputer group
2) 1n Groups, clic the computer "roup to %hich the computer currently
belon"s)
,) 1n the list of computers, clic the computer that you %ant to mo!e)
9) (nder 2as"s, clic Move se!ected coputer)
*;
-) 1n the Coputer group dialo" bo<, clic the computer "roup that you %ant
to mo!e the computer to, and then clic O4)
Note
1f your computer already belon"s to a computer "roup, then after you perform
this tas it %ill belon" to the ne% computer "roup you specify and not to the
earlier computer "roup) Do%e!er, it %ill remain a member of the .ll
Computers "roup)
2o reove a coputer fro a WSUS server
2) 1n Groups, clic the computer "roup to %hich the computer currently belon"s
to)
,) 1n the list of computers, clic the computer you %ant to remo!e)
9) (nder 2as"s, clic -eove the se!ected coputer, and then clic O4)
Note
.fter you perform this tas, you %ill not be able to mana"e update distribution
for the client computer on the $&(& console, nor %ill the client computer %ill
not be able to recei!e updates from the $&(& ser!er)
Managing Coputer Groups
$&(& enables you to tar"et updates to "roups of client computers) This capability can
help you ensure that specific computers "et the ri"ht updates at the most con!enient
times on an on"oin" basis) @or e<ample, if all computers in one department of your
or"ani>ation ha!e a specific confi"uration 7such as all computers in the .ccountin"
team8, you can determine %hat updates those computers "et, at %hat time, and then use
$&(& reportin" features to e!aluate the success of update acti!ity for that computer
"roup)
6y default, each computer is already assi"ned to the .ll Computers "roup) Computers
%ill also be assi"ned to the (nassi"ned Computers "roup until you assi"n them to
another "roup) 4e"ardless of the "roup you assi"n a computer to, it %ill also remain in
the .ll Computers "roup) . computer can be in only one other "roup in addition to the .ll
Computers "roup)
*)
Bou can assi"n computers to computer "roups by usin" one of t%o methods, server4side
or client4side targeting, dependin" on %hether or not you %ant to automate the process)
$ith ser!er:side tar"etin", you use the Move the se!ected coputer tas on the
Coputers pa"e to mo!e one or more client computers to one computer "roup at a time)
$ith client:side tar"etin", you use +roup Policy or edit the re"istry settin"s on client
computers to enable those computers to automatically add themsel!es into the computer
"roups) Bou must specify %hich method you %ill use by selectin" one of the t%o options
on the Coputers Options pa"e)
Note
1f your $&(& ser!er is runnin" in replica mode, you %ill not be able to create
computer "roups on that ser!er, you %ill only inherit the computer "roups created
on the administration ser!er from %hich your ser!er inherits its settin"s) @or more
information about replica mode, see 4unnin" in 4eplica Mode)
Server6side 2argeting
$ith ser!er:side tar"etin", you use the $&(& console to both create "roups and then
assi"n computers to the "roups) &er!er:side tar"etin" is an e<cellent option if you do not
ha!e many client computers to update and you %ant to mo!e client computers into
computer "roups manually)
To enable ser!er:side tar"etin" on your $&(& ser!er, clic the Use the Move
coputers tas" in Windows Server Update Services option on the Coputers
Options pa"e)
C!ient6side 2argeting
$ith client:side tar"etin", you enable client:computers to add themsel!es to the
computer "roups you create in the $&(& console) Bou can enable client:side tar"etin"
throu"h +roup Policy 7in an .cti!e 5irectory net%or en!ironment8 or by editin" re"istry
entries 7in a non:.cti!e 5irectory net%or en!ironment8 for the client computers) $hen
the client computers connect to the $&(& ser!er, they %ill add themsel!es into the
correct computer "roup) Client:side tar"etin" is an e<cellent option if you ha!e many
client computers and %ant to automate the process of assi"nin" them to computer
"roups)
To enable client:side tar"etin" on your $&(& ser!er, clic the Use Group 1o!ic. or
registr. settings on c!ient coputers option on the Coputers Options pa"e)
2o specif. the ethod for assigning coputers to groups
1) *n the $&(& console toolbar, clic Options, and then clic Coputer
*<
Options)
2) 1n Coputer Options, do one of the follo%in":
1f you %ant to create "roups and assi"n computers throu"h the $&(&
console 7ser!er:side tar"etin"8, clic Use the Move coputers tas" in
Windows Server Update Services)
1f you %ant to create "roups and assi"n computers by usin" +roup Policy
or by editin" re"istry settin"s on the client computer 7client:side tar"etin"8,
clic Use Group 1o!ic. or registr. settings on coputers)
Managing Coputer Groups on =our WSUS Server
4e"ardless of the method you use to assi"n client computers to computer "roups, you
must also create the computer "roups in the $&(& console) 1n you use the client:side
tar"etin" method, you must create the computer "roups in the $&(& console before
your client computers can add themsel!es to them)
2o create a coputer group in the WSUS conso!e
2) (nder 2as"s, clic Create a coputer group)
,) 1n Group nae, type a name for your ne% computer "roup, and then clic
O4)
2o reove a coputer group
2) 1n Groups, clic the computer "roup you %ant to remo!e)
,) (nder 2as"s, clic :e!ete the se!ected group, and then clic O4)
Note
Bou cannot remo!e the Unassigned Coputers or A!! Coputers "roup)
;!ery client computer remains a member of the A!! Coputers "roup in
addition to any "roup you assi"n it to) Client computers are members of the
Unassigned Coputers "roup only until you assi"n them to a computer
"roup)
*'
Managing Updates
%n this section
(pdates *!er!ie%
0ie%in" (pdates
.ppro!in" (pdates
Testin" (pdates
&torin" (pdates
Updates Overview
(pdates are used for patchin" or pro!idin" a full file replacement for soft%are that is
installed on a computer) ;!ery update that is a!ailable on Microsoft (pdate is made up of
t%o components:
Metadata pro!ides information about the update) @or e<ample, metadata
supplies information for the properties of an update, thus enablin" you to find out
%hat the update is useful for) Metadata also includes end:user license a"reements
7;(?.s8) The metadata paca"e do%nloaded for an update is typically much smaller
than the actual update file paca"e)
Update fi!es are the actual files reCuired to install an update on a computer)
,ow WSUS Stores Updates
$hen updates are synchroni>ed to your $&(& ser!er, the metadata and update files are
stored in t%o separate locations) Metadata is stored in the $&(& database) (pdate files
can be stored either on your $&(& ser!er or on Microsoft (pdate ser!ers, dependin" on
ho% you ha!e confi"ured your synchroni>ation options) 1f you choose to store update files
on Microsoft (pdate ser!ers, only metadata is do%nloaded at the time of synchroni>ationJ
you appro!e the updates throu"h the $&(& console, and then client computers "et the
update files directly from Microsoft (pdate at the time of installation) @or more information
about your options for storin" updates, see 5eployin" Microsoft $indo%s &er!er (pdate
&er!ices at http:EE"o)microsoft)comEf%linEFlinidG91///HclcidG0<903)
Managing Updates b. Using WSUS
$hether you ha!e just deployed $&(& or are performin" daily tass, you %ill be settin"
up or 7reconfi"urin"8 and runnin" synchroni>ations, addin" computers and computer
"roups, and deployin" updates on a re"ular basis) The order in %hich you perform any of
these "eneral tass mi"ht chan"e, dependin" on a number of circumstancesIfor
*0
e<ample, you mi"ht chan"e your client computer confi"urations, 7such as addin" ne%
computers, up"radin" soft%are8)
.lthou"h the order you mi"ht need to perform the follo%in" "eneral tass mi"ht be
different, necessitated by your or"ani>ational needs, the follo%in" is an e<ample of the
order of "eneral tass you mi"ht undertae in updatin" computers by usin" $&(&)
1) 6efore confi"urin" options in the $&(& console, determine an o!erall update
mana"ement plan based on your net%or capabilities, company needs, and layout)
Considerations mi"ht include the follo%in":
1f and ho% you %ant to set up a hierarchy of $&(& ser!ers
$hich database to use to store update metadata 7for e<ample, M&5;,
$M&5;, &K? &er!er 20008
$hat computer "roups you %ant to create, and the method you %ill use to
assi"n computers to them 7for e<ample, ser!er:side or client:side tar"etin"8
$hether you %ant updates to synchroni>e automatically at a specific time
2) &et synchroni>ation options on the Options pa"e, such as update source,
product and update classification, lan"ua"e, connection settin"s, stora"e location,
and automatic synchroni>ation schedule)
,) +et the updates and associated metadata on your $&(& ser!er throu"h
synchroni>ation from either Microsoft (pdate or an upstream $&(& ser!er,
dependin" on the location you ha!e specified for your update source)
9) .ppro!e or decline updates by "roup from the Updates pa"e) Bou can appro!e
updates for either installation or detection only) @or detection only, $&(& does not
install updates but instead checs computers in the "roups you specified, to see if a
specific update is needed) To "et the result of the detection 7or, in other %ords, to find
out if the update is needed8, chec the &tatus of (pdates report) Bou can set a
deadline for automatic installation or detection) @or installation, you ha!e the option of
allo%in" users to install the updates themsel!es 7if they are local administrators on
their client computers8)
-) Confi"ure automatic appro!als for either installation or detection 7by classification
and "roups8 in Options, on the Autoatic Approva!s pa"e) 1f the installation and
detection rules conflict, $&(& %ill use the installation rule) *n this pa"e, you can
also confi"ure %hether you %ant to enable automatic appro!al of re!isions to e<istin"
updates or appro!e re!isions manually) 1f you choose to appro!e manually, then your
$&(& ser!er %ill continue usin" the older !ersion until you manually appro!e the
re!ision)
*3
6) Chec status of the updates on the Updates pa"e or in the &tatus of (pdates
report)
Update 1roducts and C!assifications
(pdates a!ailable on Microsoft (pdate are differentiated by product 7or product family8
and classification)
1roducts Updated b. WSUS
. product is a specific edition of an operatin" system or application, for e<ample
Microsoft $indo%s &er!er 200,, 5atacenter ;dition) . product family is the base
operatin" system or application from %hich the products are deri!ed) .n e<ample of a
product family is Microsoft $indo%s, of %hich Microsoft $indo%s &er!er 200,,
5atacenter ;dition is a member) *n the &ynchroni>ation *ptions pa"e under Products
and Classifications, products are displayed in a hierarchy, under their product family) .t
this location on the $&(& console, you can select the products or product families for
%hich you %ant your ser!er to automatically synchroni>e updates) Bou can specify many
products at once if they belon" to the same product family, because by selectin" a parent
chec bo< you also select all items under it) &electin" the child chec bo<es %ill not
select the parent chec bo<es) @or e!ery selection, you also are automatically selectin"
future releases)
Update C!assifications
(pdate classifications represent the type of update) @or any "i!en product or product
family, updates could be a!ailable amon" multiple classifications 7for e<ample,
$indo%s =P family Critical (pdates and &ecurity (pdates8) The follo%in" table lists
e<amples of update classifications)
(pdate Classification 5escription
Connectors &oft%are components desi"ned to support
connection bet%een soft%are
Critical (pdates 6roadly released fi<es for specific problems
addressin" critical, non:security related
bu"s
5e!elopment Lits &oft%are to aid the %ritin" of ne%
applications that usually includes a !isual
builder, an editor, and a compiler
5ri!ers &oft%are components desi"ned to support
ne% hard%are
*(
(pdate Classification 5escription
@eature Pacs Me% product functionality usually included
in the ne<t full product release
+uidance &cripts, sample code, and technical
"uidance desi"ned to help in the
deployment and use of a product or
technolo"y
&ecurity (pdates 6roadly released fi<es for specific products,
addressin" security issues
&er!ice Pacs Cumulati!e sets of all hotfi<es, security
updates, critical updates, and updates
created since the release of the product
&er!ice pacs mi"ht also contain a limited
number of customer reCuested desi"n
chan"es or features)
Tools (tilities or features that aid in accomplishin"
a tas or set of tass
(pdate 4ollups Cumulati!e set of hotfi<es, security
updates, critical updates, and updates
paca"ed to"ether for easy deployment
. rollup "enerally tar"ets a specific area,
such as security, or a specific component,
such as 1nternet 1nformation &er!ices 711&8)
(pdates 6roadly released fi<es for specific problems
addressin" a non:critical, non:security
related bu"s
>iewing Updates
*n the Updates pa"e, you can do the follo%in":
0ie% the list of updates) The list of updates displays updates that ha!e been
synchroni>ed from the update source to your ser!er runnin" $indo%s &er!er (pdate
&er!ices 7$&(&8 and are a!ailable for appro!al) Bou can filter the list of updates by
usin" criteria such as classifications and products, appro!al status, synchroni>ation
*9
date, and te<t strin") 1n addition, you can sort the list of updates by clicin" the
appropriate column headin" in the list of updates title bar
0ie% details, status, and re!ision history for each update)
.ppro!e updates for installation)
.ppro!e updates for detection)
5ecline updates)
2o open the Updates page
*n the $&(& console toolbar, clic Updates)
2o view updates
1) *n the $&(& console toolbar, clic Updates) (pdates are displayed in the
list of updates)
2) To sort by additional information, do%nload status, title, classification, release
date, or appro!al status, clic the appropriate column headin")
2o fi!ter the !ist of updates disp!a.ed on the Updates page
1) *n the $&(& console toolbar, clic Updates)
2) (nder >iew, select the appropriate criteria for your filter in the list bo<es, and
then clic App!.) The list of updates %ill reflect your chosen criteria) The
Contains 2e5t bo<, under >iew, enables you to enter te<t to search on the
follo%in" criteria for an update: 2it!e, :escription, and Microsoft Lno%led"e
6ase 74?8 artic!e nuber) ;ach of these items is a property listed on the
:etai!s tab in the update properties)
2o view the properties for an update
2) 1n the list of updates, clic the update for %hich you %ant to !ie% properties)
,) 1n the properties pane, clic one of the tabs for the follo%in":
The :etai!s tab displays both "eneral properties 7for e<ample, title,
description, and release date8 and installation information 7for e<ample,
reCuirements for installation, includin" %hether the update is uninstallable8
about the update) 1n addition, the :etai!s tab indicates if the update
supersedes or is superseded by another update)
;+
The Status tab displays do%nload, appro!al, and installation status for
the update by computer "roup) Bou can further e<pand computer "roups to
see update status by computer)
The -evisions tab displays re!ision information about the update,
includin" "eneral properties about the re!ision and appro!al status)
Note
Bou can perform this procedure on only one update at a time) 1f you select
multiple updates, the first update selected %ill be displayed in the properties
pane)
Approving Updates
.fter updates ha!e been synchroni>ed to your $&(& ser!er, you must appro!e them to
initiate a deployment action) $hen you appro!e an update, you are essentially tellin"
$&(& %hat to do %ith it 7for e<ample, your choices are %nsta!!, :etect on!., -eove, or
:ec!ine update8) $hen appro!in" an update, you specify a default appro!al settin" for
the A!! Coputers "roup, and any necessary settin"s for each computer "roup in the
Approve Updates dialo" bo<) 1f you do not appro!e an update, its appro!al status
remains Not approved and your $&(& ser!er performs no action for the update) The
e<ceptions to this are in the Critica! Updates and Securit. Updates classifications,
%hich by default are automatically appro!ed for detection after they are synchroni>ed)
The Updates pa"e is the central access point in the $&(& console for appro!in"
updates) *n the Updates pa"e, you can specify the action you %ant $&(& to e<ercise
for the update by computer "roup) Bou do this by selectin" one of the options under
2as"s) The follo%in" pro!ides more information about the different appro!als you can
enable on the Updates pa"e)
1f your $&(& ser!er is runnin" in replica mode, you %ill not be able to appro!e updates
on your $&(& ser!er) @or more information about replica mode, see 4unnin" in 4eplica
Mode)
Approving Updates for :etection
$hen you appro!e an update for detection, the update is not installed) 1nstead, $&(&
checs %hether the update is compliant %ith or needed by computers in the "roups you
specify for the :etect on!. approva! option in the Approve Updates dialo" bo<) The
detection occurs at the scheduled time that the client computer communicates %ith the
$&(& ser!er) Bou can see the result of the detection either in the &tatus of (pdates
report or on the Updates pa"e, by clicin" the Status tab for a specific update) 1n either
;*
case, the information you need %ill appear in the Needed column, %hich represents the
number of computers that ha!e been detected as needin" a particular update) 1f the client
computer does not need the update, the number in Needed is >ero)
6y default, Critical (pdates and &ecurity (pdates are automatically appro!ed for
detection)
2o approve updates for detection
2) 1n the list of updates, clic one or more updates that you %ant to appro!e for
detection)
,) (nder Update 2as"s, clic Change appro!al)
9) 1n the Approve Updates dialo" bo<, !erify that Approva! is set to :etect
on!. for the .ll Computers "roup)
-) 1f you %ant to set a different default appro!al settin" for one or more "roups,
under Group approva! settings for the se!ected updates, find the "roup7s8 for
%hich you %ant to set the special appro!al settin", and then, in the Approva!
column, select an appro!al settin")
Approving Updates for %nsta!!ation
Bou can select one or multiple updatesJ if you select multiple updates, you can appro!e
them for installation at onceJ you can also appro!e installation by computer "roup) This
%ould be the %nsta!! approva! option in the Approve Updates dialo" bo<) 1n addition,
%hen you specify this appro!al action, you can do one of the follo%in":
(se the settin"s on the client computers to determine %hen to install updates)
$hen you select this option, users in the tar"eted computer "roup %ill recei!e a
notification dialo" bo< and an Autoatic Updates icon on their tasbar %hen
updates are ready to be installed on their computers) They can then install the
updates immediately, or at a later time, by clicin" the Autoatic Updates icon) 1f
you ha!e confi"ured .utomatic (pdates, either by +roup Policy or locally, to notify
the user before installation, these notifications %ill be offered to any non:administrator
%ho lo"s onto the computer in the tar"eted computer "roup)
&et a deadline for automatic installation) $hen you select this option, you set
specific times and dates to install updates, o!erridin" any settin"s on the client
computers) 1n addition, you can specify a past date for the deadline if you %ant to run
an appro!al action immediately 7that is, %hen the client computers ne<t contact the
$&(& ser!er8)
;;
%portant
Bou cannot set a deadline for automatic installation for an update if user input is
reCuired 7for e<ample, acceptin" a license a"reement or specifyin" a settin"
rele!ant to the update8) 1f you set a deadline for such an installation
synchroni>ation %ill fail) To determine %hether an update %ill reCuire user input,
loo at the Ma. re@uest user input field in the update properties for an update
displayed on the Updates pa"e) .lso chec for a messa"e in the Approve
Updates bo< %hich says A2he se!ected update re@uires user input and does
not support and insta!!ation dead!ine)A
2o approve updates for insta!!ation
installation)
,) (nder Update 2as"s, clic Change approva!)
9) 1n the Approve Updates dialo" bo<, !erify that Approva! is set to %nsta!! for
the .ll Computers "roup)
-) To specify ho% and %hen the update %ill be installed for computers in the
computer "roup, ne<t to :ead!ine, clic None, and then clic one of the follo%in"
options:
1f you %ant to enable users to determine %hen to install the updates, clic
Use c!ient settings to deterine update insta!!ation tie, and then clic
O4) 1f you ha!e confi"ured .utomatic (pdates, either by domain:based or
local +roup Policy, to notify the user before installation, these notifications
%ill be offered to any non:administrator %ho lo"s onto the computer in the
tar"eted computer "roup)
1f you %ant the update to be installed automatically, clic %nsta!! the
update b. the se!ected date and tie, specify the date and time of the
deadline, and then clic O4) 1f you %ant the install to occur immediately 7that
is, %hen the client computers ne<t contact the $&(& ser!er8, you can
specify a past date for the deadline)
6) 1f you %ant to set a different default appro!al settin" for one or more "roups,
%hich you %ant to set the special appro!al settin", and then, in the Approva!
column, clic an appro!al settin")
;)
Note
@or more information about do%nloadin" and installin" updates, see 6est
Practices %ith $indo%s &er!er (pdate &er!ices)
:ec!ining Updates
This option is a!ailable as a tas under Update 2as"s on the Updates pa"e) 1f you select
this option, the update is remo!ed from the list of a!ailable updates) 5eclined updates %ill
appear in the updates list only if you select either :ec!ined or A!! updates in the
Approva! list %hen specifyin" the filter for the update list under >iew)
2o dec!ine updates
2) 1n the list of updates, clic one or more updates that you %ant to decline)
,) 1n Update 2as"s, clic :ec!ine update or :ec!ine se!ected updates,
dependin" on %hether you ha!e selected one or multiple updates to decline)
Approving Updates for -eova!
Bou can appro!e an update for remo!al 7that is, appro!e uninstallin" the update8) This
option is only a!ailable if the update supports uninstallin", and you %ould choose the
-eove approva! option in the Approve Updates dialo" bo<) Bou can specify a
deadline for the update to be uninstalled, as %ell as specify a past date for the deadline if
you %ant to run an appro!al action immediately 7that is, %hen the client computers ne<t
contact the $&(& ser!er8)
2o approve updates for reova!
remo!al)
,) (nder Update 2as"s, clic Change approva!)
9) 1n the Approve Updates dialo" bo<, !erify that Approve is set to -eove
for the .ll Computers "roup)
-) 1f you %ant to set a deadline for the update7s8 to be automatically remo!ed,
ne<t to :ead!ine, clic None, specify the date and time for the deadline, and
then clic O4) 1f you %ant the update remo!al to occur immediately 7that is, %hen
;<
the client computers ne<t contact the $&(& ser!er8, you can specify a past date
for the deadline)
6) 1f you %ant to set a different default appro!al settin" for one or more "roups,
%hich you %ant to set the special appro!al settin", and then, in the .ppro!al
column, clic an appro!al settin")
Approving Updates Autoatica!!.
*n the Autoatic Approva! Options pa"e, you can confi"ure your $&(& ser!er to
automatically appro!e installation or detection for updates and associated metadata
%hen they are do%nloaded to the $&(& ser!er durin" synchroni>ation) This is different
from appro!in" updates on the Updates pa"e, %here, by default, updates are appro!ed
for detection)
Bou can confi"ure automatic appro!al for updates by update classifications and "roups) 1f
the installation and detection rules you set conflict, your $&(& ser!er %ill follo% the
installation rules)
*n the Autoatic Approva! Options pa"e, you can also select an option to
automatically appro!e re!isions to e<istin" updates as they become a!ailable) This option
is selected by default) . re!ision is a !ersion of an update that has had chan"es made to
it 7for e<ample, it mi"ht ha!e e<pired, or (1 te<t, the ;(?., or applicability rules for
computers mi"ht ha!e chan"ed8) 1f you do not choose to automatically appro!e the
re!ised !ersion of an update, $&(& %ill use the older !ersion, and you must manually
appro!e the update re!ision)
Autoatica!!. Approving Updates for :etection
$hen you select this option, you can create a rule that your $&(& ser!er %ill
automatically apply durin" synchroni>ation) @or the rule, you specify %hat updates you
%ant to automatically appro!e for detection, by update classification and by computer
"roup) This applies only to ne% updates, as opposed to re!ised updates) This settin" is
a!ailable on the Autoatic Approva! Options pa"e)
*n this pa"e, you can also set a rule for automatically appro!in" updates for installation)
1n the e!ent that rules conflict 7for e<ample, you ha!e specified the same update
classification and same computer "roup combination in both the rule to automatically
appro!e for detection and automatically appro!e for installation8, then your $&(& ser!er
applies the rule to automatically appro!e for installation)
;'
2o autoatica!!. approve updates for detection
1) *n the $&(& console toolbar, clic Options, and then clic Autoatic
Approva! Options)
2) 1n Updates, under Approve for :etection, select the Autoatica!!.
approve updates for detection b. using the fo!!owing ru!e chec bo< 7if it is
not already selected8)
,) 1f you %ant to specify update classifications to automatically appro!e durin"
synchroni>ation, do the follo%in":
Me<t to C!assifications, clic Add/-eove C!assifications)
1n the Add/-eove C!assifications dialo" bo<, select the update
classifications that you %ant to automatically appro!e, and then clic O4)
9) 1f you %ant to specify the computer "roups for %hich to automatically appro!e
updates durin" synchroni>ation:
Me<t to Coputer groups, clic Add/-eove Coputer Groups)
1n the Add/-eove Coputer Groups dialo" bo<, select the computer
"roups for %hich you %ant to automatically appro!e updates, and then clic
O4)
-) (nder 2as"s, clic Save settings, and then clic O4)
Autoatica!!. Approve Updates for %nsta!!ation
$hen you select this option, you can create a rule that your $&(& ser!er %ill
automatically apply durin" synchroni>ation) @or the rule, you specify %hat updates you
%ant to automatically appro!e for installation, by update classification and by computer
"roup) This applies only to ne% updates, as opposed to re!ised updates) This settin" is
a!ailable on the Autoatic Approva! Options pa"e)
*n this pa"e, you can also set a rule for automatically appro!in" updates for detection) 1n
the e!ent that rules conflict 7for e<ample, you ha!e specified the same update
classification and same computer "roup combination in both the rule to automatically
appro!e for installation and automatically appro!e for detection8, then your $&(& ser!er
applies the rule to automatically appro!e for installation)
2o autoatica!!. approve updates insta!!ation
Approva! Options)
2) 1n Updates, under Approve for %nsta!!ation, select the Autoatica!!.
;0
approve updates for insta!!ation b. using the fo!!owing ru!e chec bo< 7if it is
not already selected8)
,) 1f you %ant to specify update classifications to automatically appro!e durin"
synchroni>ation, do the follo%in":
Me<t to C!assifications, clic Add/-eove C!assifications)
1n the Add/-eove C!assifications dialo" bo<, select the update
classifications that you %ant to automatically appro!e, and then clic O4)
9) 1f you %ant to specify the computer "roups for %hich to automatically appro!e
updates durin" synchroni>ation:
Me<t to Coputer groups, clic Add/-eove Coputer Groups)
1n the Add/-eove Coputer Groups dialo" bo<, select the computer
"roups for %hich you %ant to automatically appro!e updates, and then clic
O4)
-) (nder 2as"s, clic Save settings, and then clic O4)
Autoatica!!. Approving -evisions to Updates
The Autoatic Approva! Options pa"e contains an option to automatically appro!e
re!isions to e<istin" updates as they become a!ailable) This option is selected by default)
. re!ision is a !ersion of an update that has chan"es 7for e<ample, it mi"ht ha!e e<pired,
or ha!e an updated ;(?., (1 te<t, or applicability rules for computers8) 1f you confi"ure
your $&(& ser!er to automatically appro!e ne% re!isions of an update but an e<pired
re!ision for the update is synchroni>ed, your $&(& ser!er %ill automatically decline the
update) 1f you choose not to automatically appro!e the re!ised !ersion of an update, your
$&(& ser!er %ill use the older re!ision, and you must manually appro!e the update
re!ision)
2o autoatica!!. approve revisions to updates
Approva! Options)
2) (nder -evisions to Updates, clic Autoatica!!. approve the !atest
revision of the update)
Approving Superseding or Superseded Updates
Typically, an update that supersedes other updates does one or more of the follo%in":
;3
;nhances, impro!es, andEor adds to the fi< pro!ided by one or more pre!iously
released updates)
1mpro!es the efficiency of its update file paca"e, %hich is installed on client
computers if the update is appro!ed for installation) @or e<ample, the superseded
update mi"ht contain files that are no lon"er rele!ant to the fi<, or to the operatin"
systems no% supported by the ne% update, so those files are not included in the
supersedin" updateNs file paca"e)
(pdates ne%er !ersions of operatin" systems) 1t is also important to note that the
supersedin" update mi"ht not support earlier !ersions of operatin" systems)
Con!ersely, an update that is superseded by another update does the follo%in":
@i<es a similar !ulnerability to the update that supersedes it) Do%e!er, the update
that supersedes it mi"ht enhance the fi< that the superseded update pro!ides)
(pdates earlier !ersions of operatin" systemsIin some cases these !ersions of
operatin" systems are no lon"er updated by the supersedin" update)
1n the list of updates on the Updates pa"e, an icon ne<t to the update indicates that it
has a supersedure relationship to another update) The :etai!s tab in the properties for
the update tells you %hether the update supersedes or is superseded by another update)
1n addition, you can determine %hich updates supersede or are superseded by the
update by looin" at the Supersedes and Superseded b. entries) The properties bo< for
the update is a!ailable at !arious locations in the $&(& console 7for e<ample, on the
Updates pa"e, on the Coputers pa"e8)
$&(& does not automatically decline superseded updates, and it is recommended that
you do not assume that superseded updates should be declined in fa!or of the ne%,
supersedin" update) 6efore declinin" a superseded update, mae sure that it is no lon"er
needed by any of your client computers) @ollo%in" are e<amples of scenarios %here you
mi"ht need to install a superseded update:
1f a supersedin" update supports only ne%er !ersions of an operatin" system,
and some of your client computers run earlier !ersions of the operatin" system)
1f a supersedin" update has more restricted applicability than the update it
supersedes, %hich %ould mae it inappropriate for some client computers)
1f an update no lon"er supersedes a pre!iously released update due to ne%
chan"es) 1t is possible that throu"h chan"es at each release, an update no lon"er
supersedes an update it pre!iously superseded in an earlier !ersion) 1n this scenario,
you %ill still see a messa"e on the :etai!s tab for the superseded update that it has
been superseded, e!en thou"h the update that supersedes it has been replaced by
an update that does not)
;(
-ecoended 1rocess for Approving a Superseding Update
6ecause a supersedin" update typically enhances a fi< pro!ided by a pre!iously
released, superseded update, it is recommended that you first see ho% many client
computers %ill be compliant %ith the ne% update, and %or bac%ard from there) (se the
follo%in" process)
2o approve a superseding update
1) .ppro!e the supersedin" update for %nsta!! on all computers %here the fi<
pro!ided by the update is appropriate)
2) Chec the resultin" status of the appro!al action on your computers) Mote
%hich computers sho% status as Not needed for the update, and then compare
the properties of those computers %ith the properties of the update)
,) (se the information a!ailable in the update properties to help you determine
%hich pre!iously released !ersion of the updates are a!ailable) @or e<ample,
loo under Supersedes on the :etai!s tab, and chec the :escription and 4?
artic!e nuber entries if appropriate)
9) +et information about the superseded, pre!iously released !ersions of the
updatesJ for e<ample, !ie% their properties)
-) $hen you find a superseded update that seems appropriate for the
remainin" client computers, appro!e the update for installation)
6) 4epeat this process until all of your client computers are updated %ith the
intended fi<)
Approving Office Updates
1f you use $&(& to update Microsoft *ffice on your net%or computers, consider the
follo%in":
1f you ha!e purchased a Aper userA license a"reement for *ffice, you must
ensure that each userNs installation of *ffice is updated 7for e<ample, there mi"ht be
t%o users %ho run indi!idually licensed copies of Microsoft *ffice on the same
computer8) This means a particular user has to be lo""ed on to the computer for that
specific copy of *ffice to be updated) @or e<ample, if t%o people both ha!e accounts
on a computer that is runnin" Microsoft *ffice, then each of them has to lo" on and
update his or her *ffice installation, other%ise one of them %ill not ha!e an updated
!ersion of *ffice)
;9
(sers can access the public Microsoft *ffice *nline $eb site and can loo for
updates to their *ffice installation throu"h the Microsoft *ffice (pdate %i>ard) (sin"
+roup Policy, you mi"ht %ant to create policies that pre!ent users from "ettin" their
o%n *ffice updates from Microsoft *ffice *nline)
(nlie $indo%s (pdate or Microsoft *ffice *nline, %hich are public $eb sites
that users can !isit directly, Microsoft (pdate is accessed only by $&(& ser!ers) 1t is
currently in beta release and maes security updates a!ailable only for *ffice =P and
*ffice 200,) &ome critical updates are not a!ailable throu"h Microsoft (pdate)
Therefore, some updates mi"ht appear on the Microsoft *ffice *nline $eb site that
are not a!ailable on Microsoft (pdate)
Approving SA$ Server and B5change Server Updates
Updating Microsoft SA$ Server %nstances
Bour installations 7instances8 of Microsoft &K? &er!er on one computer can possibly "et
comple<, because you can enable any of the follo%in" &K? &er!er scenarios:
Multiple instances of &K? ser!er on the computer at the same time)
Multiple !ersions 7releases8 of &K?)
&K? &er!er instances in multiple lan"ua"es on the same computer)
Typically, there is nothin" e<tra you ha!e to do to update these multiple
instancesJ you just need to mae sure that %hen you specify your synchroni>ation
options 7for e<ample, product, update classifications, and lan"ua"e options8, you
account for reCuirements for the !ersions of the &K? &er!er instances you ha!e on
the computer) @or more information about confi"urin" synchroni>ation options, see
&ettin" (p and 4unnin" &ynchroni>ations)
Updating Microsoft SA$ Server and Microsoft B5change Servers 2hat Are 1art of a
C!uster
6oth Microsoft &K? &er!er and Microsoft ;<chan"e &er!er can be installed in a
clustered environment) 1f there is an update a!ailable for ser!ers in a cluster that are
runnin" these pro"rams, each ser!er in the cluster must be updated indi!idually)
Microsoft recommends that you update passi!e cluster nodes indi!idually 7for e<ample,
stop the cluster ser!ice for the ser!er %hile you update it8 until all cluster nodes are
updated)
Note
Bou can ha!e both a stand:alone instance and a cluster instance of &K? &er!er
on the same ser!er) 1f you are updatin" a ser!er that is runnin" both a stand:
alone instance and a cluster instance of &K? ser!er, both &K? &er!er instances
)+
%ill be updated if you ha!e specified the correct synchroni>ation options 7product,
update classification, and lan"ua"e8) @or more information about settin"
synchroni>ation options, see &ettin" (p and 4unnin" &ynchroni>ations)
2esting Updates
(ntil you install an update, you cannot be certain about the impact it %ill ha!e on the
e<istin" code runnin" on your systems) 6y installin" an update in a test en!ironment
before deployin" it to your production en!ironment, you can analy>e and assess its
impact before it has the opportunity to harm your production systems) This can pre!ent
unplanned do%ntime and lost producti!ity)
$&(& enables you to create custom computer "roups, %hich you can use to test
updates) @or e<ample, the follo%in" fi"ure depicts three computer "roups: t%o custom
"roups created by the administrator 7Test and .ccountin"8, as %ell as the built:in .ll
Computers "roup)
1n this e<ample, the Test "roup contains a small number of computers representati!e of
all the computers contained in the .ccountin" "roup) This creates a !irtual test lab) The
administrator can first appro!e updates for the Test "roup) 1f the testin" "oes %ell, the
administrator can roll out the updates to the .ccountin" "roup)
Bou can e<pand this basic scenario to fit testin" needs for your or"ani>ation) @or
e<ample, you can create multiple test computer "roups that resemble actual computer
"roups containin" computers %ith different confi"urations)
)*
Storing Updates
%n this section
&pecifyin" $here to &tore (pdates
Mana"in" the 5atabases
Specif.ing Where to Store Updates
Bou can specify %hether you %ant to store update files on your local $&(& ser!er or on
Microsoft (pdate) 1f you choose to store the updates locally, you can limit the updates
do%nloaded to your ser!er by lan"ua"e) 1f you choose to store the update files on
Microsoft (pdate, then your $&(& ser!er obtains only update information 7metadata8 for
the criteria you ha!e specified on the S.nchroni/ation Options pa"e) 1n this scenario,
the update files come directly from Microsoft (pdate and are do%nloaded at the time of
installation on the client computers recei!in" updates) Bou %ill need to mae sure your
client computers ha!e direct access to Microsoft (pdate in this scenario)
$oca! Storage Considerations
1f you decide to store update files on your ser!er, the recommended minimum dis si>e is
,0 +6) Do%e!er, dependin" on the synchroni>ation options you specify, you mi"ht need
to use a lar"er dis) @or e<ample, %hen specifyin" ad!anced synchroni>ation options, as
in the follo%in" procedure, if you select options to do%nload multiple lan"ua"es andEor
the option to do%nload e<press installation files, your ser!er dis can easily reach ,0 +6)
Therefore if you choose any of these options, install a lar"er dis 7for e<ample, 100 +68)
1f your dis "ets full, you can install a ne%, lar"er dis and then mo!e the update files to
the ne% location) To do this, after you create the ne% dis dri!e, you %ill need to run the
$&(&util)e<e tool 7%ith the ovecontent command8 to mo!e the update files to the ne%
dis) @or this procedure, see Mana"in" $&(& from the Command ?ine)
.bout ;<press 1nstallation @iles
;<press installation files do%nload in a paca"e that is usually multiple times lar"er than
a re"ular update paca"e) The e<press installation file paca"e contains the different
!ersions of the update that %ill apply to specific client computer confi"urations) 1f you
select this option, the paca"e containin" all multiple !ersions of update files is
do%nloaded to your $&(& ser!er) Do%e!er, %hen your client computers connect to the
ser!er, they %ill do%nload only the update files they need, %hich are the files that are
compliant for the specific computer) Bou mi"ht ha!e selected the e<press installation file
option if you are less concerned %ith e<ternal band%idth than internal band%idth usa"e)
6esides band%idth, another consideration %hen choosin" to do%nload e<press
installation files, as mentioned earlier, is dis space) 1f you choose to do%nload e<press
);
installation files, they %ill tae more dis space) Therefore, use a lar"er dis 7more than
,0 +68 if you select this option)
The option to do%nload and store e<press installation files is in co!ered in step , in the
follo%in" procedure)
2o specif. where to store down!oaded update fi!es
2) (nder Update Ci!es and $anguages, clic Advanced)
,) (nder Update Ci!es, select %hether to store update files on the ser!er
runnin" $indo%s &er!er (pdate &er!ices 7$&(&8 or on Microsoft (pdate) 1f you
choose to store update files on your ser!er, you can choose either to do%nload
update files only %hen they are appro!ed, or to do%nload e<press installation
files)
9) 1f you selected to store the files on the $&(& ser!er, under $anguages,
select %hether you %ant to limit the updates do%nloaded to your $&(& ser!er
by lan"ua"e, and then clic O4) Mote that if you select to do%nload all lan"ua"es
7%hich is selected by default8 that this %ill tae more dis space) 1f possible,
consider limitin" the lan"ua"es you do%nload if you are also choosin" to store
update files on your $&(& ser!er)
-) 1n 2as"s, clic Save settings, and then clic O4)
Note
1f your $&(& ser!er is runnin" in replica mode, you %ill not be able to
perform this tas) @or more information about replica mode, see 4unnin" in
4eplica Mode)
Changing the $ocation where =ou Store Update Ci!es $oca!!.
Bou mi"ht need to chan"e the location %here $&(& stores updates locally) This mi"ht
be reCuired if the dis becomes full and there is no lon"er any room for ne% updates) Bou
mi"ht also ha!e to do this if the dis %here updates are stored fails and the replacement
dis uses a ne% dri!e letter)
Bou accomplish this mo!e %ith the ovecontent command of $&(&util)e<e, a
command:line tool that is copied to the file system of the $&(& ser!er durin" $&(&
&etup) 6y default, &etup copies $&(&util)e<e to the follo%in" location:
W#,#nstallation+rive:OPro"ram @ilesOMicrosoft $indo%s &er!er (pdate &er!icesOToolsO
))
Bou must be a member of the local .dministrators "roup on the $&(& ser!er to use the
ovecontent command of $&(&util)e<e) These operations can only be run from the
$&(& ser!er itself, %hich must be a ,2:bit platform)
Bou must create the ne% path for local $&(& update stora"e prior to usin"
$&(&util)e<e) The ovecontent command taes an optional 6s"ipcop. parameter) The
6s"ipcop. parameter enables you to chan"e the location of local $&(& update stora"e
%ithout copyin" any files) @or more information about $&(&util)e<e, see 5eployin"
Microsoft $indo%s &er!er (pdate &er!ices at http:EE"o)microsoft)comEf%linEF
linidG91///HclcidG0<903)
2o change the !ocation of !oca! WSUS update storage
1) Clic Start, and then clic -un.
2) 1n the Open bo<, type cd, and then clic O4)
,) .t the command prompt, na!i"ate to the directory that contains
$&(&util)e<e)
9) Type the follo%in", and then press ;MT;4:
wsusuti!.e5e ovecontent contentpath logfile P6s"ipcop.Q
@or e<ample, type:
wsusuti!.e5e ovecontent ::DWSUS*D ::Dove.!og
%here 5:O$&(&1 is the ne% path for local $&(& update stora"e, and
5:Omo!e)lo" is the path to the lo" file)
Note
1f you do not %ant to use $&(&util)e<e to chan"e the location of local $&(&
update stora"e, you can also use MT@& functionality to add a partition to the
current location of local $&(& update stora"e) @or more information about
MT@&, "o to Delp and &upport Center in $indo%s &er!er 200,)
Managing the :atabases
The $&(& database is a reCuired component of $&(& 7%hich is confi"ured durin"
setup8 that stores the follo%in" types of information:
$&(& ser!er confi"uration information
Metadata that describes %hat each update is useful for
)<
.side from the actual update files, the metadata is the second part of e!ery update
a!ailable on Microsoft (pdate) (pdate files are stored separately, either on Microsoft
(pdate, or on your $&(& ser!er) @or more information, see &pecifyin" $here to &tore
(pdates)
1nformation about client computers, updates, and client interaction %ith updates
5ependin" on your ser!er and net%or confi"urations, you are runnin" an M&5;,
$M&5;, or &K? &er!er 2000 database for your $&(& installation 7for more information
about your database options %hen installin" $&(&, see AChoose the 5atabase (sed for
$&(&A in 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
The follo%in" table describes non:deployment tass you mi"ht ha!e to perform as part of
re"ular operations)
:atabase anageent tas"s
5atabase Tass
M&5; Mae space in the database %hen
the 2:+6 limit is reached) @or more
information, see Mana"in" $&(& from
the Command ?ine)
6acup E restore) @or more
information, see 6acin" (p $indo%s
Mo!e data to a &K? &er!er 2000
database 7for e<ample, if you are
up"radin" the database from M&5; to
&K? &er!er 20008)
$M&5; 6acup E restore) @or more
information, see 6acin" (p $indo%s
Mo!e data to a &K? &er!er 2000
database 7for e<ample, if you are
up"radin" the database from $M&5;
to &K? &er!er 20008) &ee
)'
5atabase Tass
&K? &er!er 2000 6acup E restore)
Mo!e data to another &K? &er!er
2000 database 7for e<ample, if you
mo!e $&(& to another ser!er and you
%ill a"ain use &K? &er!er 2000 for the
database8)
%n this section
Mi"ratin" the database from M&5; or $M&5; to &K? &er!er 2000
Migrating the database fro MS:B or WM:SB to SA$ Server ;+++
This topic discusses ho% to mi"rate the $&(& database 7&(&568 from an M&5; or
$M&5; instance 7%hich is installed durin" $&(& &etup8 to a full !ersion of Microsoft
&K? &er!er 2000)
-easons to igrate the WSUS database to SA$ Server ;+++
1f you chose to use the M&5; or $M&5; to host the $&(& database %hen you set up
your $&(& ser!er and ha!e been runnin" $&(& for some time, you mi"ht be
considerin" up"radin" the database en"ine to a full installation of &K? &er!er 2000)
(sin" &K? &er!er 2000 can pro!ide the follo%in":
More stora"e capacity : @or e<ample, the M&5; can store a ma<imum of 2 +6
of data) 5ependin" on the types of updates you synchroni>e re"ularly, you mi"ht find
that the 2 +6 "ets filled up Cuicly, and you need to freCuently mana"e the space in
your database)
.bility to administer the $&(& database directly : you can utili>e the
mana"ement capabilities pro!ided by &K? &er!er 2000 throu"h the ;nterprise
Mana"er)
:atabase -e@uireents
$&(& reCuires &K? &er!er 2000 %ith &er!ice Pac ,a) 1f you use the full
!ersion of &K? &er!er, the &K? ser!er administrator should first !erify that the nested
tri""ers option on the &K? ser!er is turned on) 5o this before settin" up the $&(&
database)
Bou cannot use &K? authentication) $&(& only supports $indo%s
authentication) $&(& &etup creates a database named &(&56)
)0
Bou can use database soft%are that is 100:percent compatible %ith Microsoft
&K? and not listed in A4emote &K? limitations) A Microsoft &K? &er!er 2000 has
been tested e<clusi!ely for use %ith remote &K?)
Scenarios
The follo%in" scenarios are presented in this topic:
Mi"ratin" the M&5; or $M&5; to &K? &er!er 2000 runnin" on the same ser!er
Mi"ratin" the M&5; or $M&5; to &K? &er!er 2000 runnin" on another ser!er
7remote &K?8
Mi"ratin" the $&(& database from a M&5; or $M&5; instance to &K? &er!er 2000
instance runnin" on the same ser!er
This procedure mi"rates the $&(& database to a &K? &er!er 2000 instance runnin" on
the same ser!er) Mote that there mi"ht be some differences in the procedures if your
ser!er is runnin" $indo%s 2000, %hich are noted %ithin the procedure)
To mi"rate the $&(& database from an M&5; or $M&5; instance to a &K? &er!er
2000 instance on the same ser!er
1) 1nstall &K? &er!er 2000a 7%ith the Server and C!ient 2oo!s option8 and &K?
&er!er 2000a &er!ice Pac , or hi"her on your $&(& ser!er)
2) 1n &K? &er!er ;nterprise Man"er, add the M&5; or $M&5; instance to the
&K? &er!er +roup) This enables you to mana"e the M&5; or $M&5; instance in
;nterprise Mana"er:
a) Clic Start, point to 1rogras, point to Microsoft SA$ Server, and then
clic Bnterprise Manager)
b) (nder the Conso!e -oot, e<pand Microsoft SA$ Servers, ri"ht:clic SA$
Server Group and then clic New SA$ Server -egistration)
c) Complete the -egister SA$ Server %i>ard, choosin" the follo%in" options
%hen prompted:
1n the Se!ect a SA$ Server pa"e, under Avai!ab!e Servers, type:
P&er!erMameQO$&(&, and then clic Add)
(nder Connect Using, select 2he Windows account inforation % use to
!og on to . coputer 7Windows Authentication8)
,) Close any 1nternet bro%ser that is connectin" to the $&(& console)
9) &top the %%S Adin ser!ice and the Update Services ser!ice:
)3
a) Clic Start, point to 1rogras, point to Adinistrative 2oo!s, and then clic
Services)
b) 4i"ht:clic %%S Adin Service, and then clic Stop)
c) 4i"ht:clic Update Services, and then clic Stop)
-) 5etach the $&(& database 7SUS:?8 from the $M&5; or M&5; instance
a) 1n &K? &er!er ;nterprise Mana"er, under the EServerNaeDWSUSF node,
e<pand :atabases)
b) 4i"ht:clic SUS:?, point to A!! 2as"s, and then clic :etach :atabase)
Clic O4, and then clic O4, %hen the confirmation dialo" bo<es appear)
6) .ttach SUS:? to the destination &K? instance) Mote that the default instance is
7$oca!87Windows N28)
a) (nder the instance node, ri"ht:clic :atabases, point to A!! 2as"s, and then
clic Attach :atabase)
b) 1n the Attach :atabase bo<, under M:C fi!e of database to attach, bro%se
to the location of the susdb)mdf file 7by default this is C:D1rogra
Ci!esDMicrosoft SA$ ServerDMSSA$GWSUSD:ata if you installed the M&5;,
and C:DWSUSDMSSA$GWSUSD:ata if you installed $M&5;8, and then clic O4)
7Mote that SUS:? includes both SUS:?.df and SUS:?H!og.!df, %hich is the
master lo" file) &K? %ill add both for you)8 Clic O4 a"ain %hen the confirmation
dialo" bo< appears)
/) 1n the destination &K? instance, add t%o ne% lo"ins: P&er!erMameQO.&PM;T and
MT .(TD*41TBOM;T$*4L &;401C; 7the MT .(TD*41TBOM;T$*4L &;401C;
lo"in is not reCuired if the $&(& ser!er is runnin" $indo%s 2000 &er!er8)
a) (nder the instance name 7for e<ample, 7$oca!87Windows N288 clic
Securit., ri"ht:clic $ogins, and then clic New $ogin)
b) 1n the SA$ Server $ogin 1roperties I New $ogin dialo" bo<, in the Nae
bo<, type: P&er!erMameQO.&PM;T)
c) ?ea!e the defaults for Authentication 7$indo%s .uthentication8 and
:oain 7P&er!erMameQ8)
d) 1n the :atabase bo<, select SUS:?)
e) 1n the :atabase ro!es for SUS:? bo<, under 1erit in :atabase -o!e,
select pub!ic, and select webService, and then clic O4)
f) Close ;nterprise Mana"er)
)(
") 4epeat steps a throu"h f to add the N2 AU2,O-%2=DNB2WO-4 SB->%CB
account) Mote: this is not reCuired if the $&(& ser!er is runnin" $indo%s &er!er
2000)
2) ;dit the re"istry to point $&(& to the &K? instance that no% holds &(&56)
a) Clic Start, clic -un, type: re"edit, and then clic O4)
b) @ind the follo%in" ey:
,4$MDSOC2WA-BDMicrosoftDUpdateServicesDServerDSetupDS@!ServerNae,
and in the >a!ue data bo<, type: P&er!erMameQOP1nstanceMameQ and then clic
O4) 1f the instance name is the default instance, then simply type: P&er!erMameQ.
3) (se Add or -eove 1rogras in Contro! 1ane! to uninstall the $M&5; or
M&5; instance) The name of the M&5; or $M&5; instance to remo!e is
Microsoft SA$ Server :es"top Bngine 7WSUS8)
10) *pen Services and then start the %%S Adin ser!ice and Update Services
ser!ice)
a) Clic Start, point to 1rogras, point to Adinistrative 2oo!s, and then clic
Services)
b) 4i"ht:clic %%S Adin Service, and then clic Start)
c) 4i"ht:clic Update Services, and then clic Start)
11) 0erify that the database mi"ration has been successful by openin" the $&(&
console from 1nternet ;<plorer 7in the .ddress bo<, type: http:EE
P&er!erMameQE$&(&.dmin8)
Note
Bou mi"ht ha!e to restart the ser!er for these settin"s to tae effect)
Mi"ratin" the $&(& database from an M&5; or $M&5; instance to a &K? &er!er 2000
instance on another ser!er
The "oal of this scenario is to tae the $&(& database 7&(&568 runnin" in a M&5; or
$M&5; instance 7%hich you can choose to install durin" $&(& &etup8 and to mo!e and
up"rade it to a &K? &er!er 2000 instance runnin" on a remote ser!er) 6y up"radin" the
$&(& database you are able to mana"e it usin" all of the features pro!ided by &K?
&er!er 2000)
.t the completion of this scenario, you %ill ha!e a $&(& implementation consistin" of a
front:end ser!er throu"h %hich you access the $&(& console and administer $&(&,
and a bac:end se!er runnin" &K? &er!er 2000, %hich %ill host the $&(& database)
4emote &K? &cenario ?imitations
)9
Bou cannot use $indo%s 2000 &er!er on the front:end ser!er in a remote &K?
pair)
Bou cannot use a ser!er confi"ured as a domain controller for either the front end
or the bac end of the remote &K? pair)
Bou cannot use $M&5; or M&5; for database soft%are on the bac:end ser!er)
6oth the front:end and the bac:end ser!ers must be joined to an .cti!e
5irectory domain)
.bout this procedure
There are 11 steps that mae up this procedure) &ome of the steps reCuire a number of
sub:procedures)
@or ease of e<planation, &er!er1 and &er!er2 are used to indicate the front:end and
bac:end ser!ers respecti!ely) Mote that in each step, %here appropriate, it is noted on
%hich ser!er you must perform the procedures) More information about &er!er1 and
&er!er2:
&er!er1
This %ill the front:end ser!er at the completion of this scenario)
&tartin" confi"uration: $indo%s &er!er 2000 or 200, operatin" system runnin"
$&(& usin" M&5; or $M&5; to host the $&(& database)
&er!er2
This %ill be the bac:end ser!er at the completion of this scenario)
&tartin" confi"uration: $indo%s 2000 or 2000 &er!er operatin" system runnin"
full !ersion of &K? &er!er 2000 sp, or hi"her) Mote: 0erify that nested tri""ers are
turned on)
To mi"rate the $&(& database from an M&5; or $M&5; instance to a &K? &er!er
2000 instance on another ser!er
&tep 1 P*n &er!er2Q: 1nstall $&(& %ith the Eb option)
Completion of this step reCuires the follo%in" procedures:
1nstall $&(& on the bac:end ser!er
1dentify ho% update stora"e is bein" mana"ed on the front:end ser!er
&et permissions on the bac:end ser!er
Motes:
<+
Bou must run $&(& &etup from a command line so that you can use command:
line options) (se the Eb command:line option)
Bou do not need to ha!e 11& installed on the bac:end ser!er) ;<cept for 11&, all
other prereCuisites for a normal $&(& installation are reCuired)
To install $&(& on the bac:end ser!er
1) 5o%nload the $&(& setup files to the ser!er) .t the 4un command or at a command
line, na!i"ate to the folder containin" the $&(& setup files you do%nloaded and type
the follo%in" command: %sussetup)e<e Eb
2) Complete the $&(& &etup %i>ard, selectin" the follo%in" options:
*n the :atabase Options pa"e, in the Se!ect SA$ instance nae bo<,
select the &K? &er!er instance %here you %ant to install the $&(& database)
Mote that J:efau!tK %ill be the only instance a!ailable if you decide not to create
any ne% instances)
*n the Connecting to SA$ Server %nstance pa"e, %ait to be prompted %ith
for a successful connection to the &K? ser!er, and then clic Ne5t)
To identify ho% update stora"e is bein" mana"ed on the front:end ser!er
Bou must run a &K? script to identify ho% update stora"e is bein" mana"ed on the front:
end ser!er) 5ependin" on %hether client computers are "ettin" updates locally from the
front:end ser!er or are do%nloadin" updates directly from Microsoft, you %ill use one of
the follo%in" scripts) Mote that you established %here clients obtain updates %hen you
ori"inally installed $&(& on the front:end ser!er)
1f you cannot remember ho% you confi"ured the front:end ser!er, you can find out by
readin" the lo" file located on the front:end ser!er by typin" the follo%in" at a command
prompt:
Rdri!eROPro"ram @ilesO(pdate &er!icesO?o"filesO$&(&&etupSP1nstall5ateQ)lo"
$here P1nstall5ateQ is the date you installed $&(&) @rom this file you need the !alue for
t%o eys: ,ostOnMu, and $oca!ContentCache$ocation)
1f you chose local stora"e on the front:end ser!er, at a command prompt type:
APRdri!eRQOpro"ram filesOupdate ser!icesOtoolsOosClOosCl)e<eA :&
P&K?&er!erMameO1nstanceMameQ :; :b :n :K A(&; &(&56 (P5.T;
dbo)tbConfi"uration. &;T Dost*nMuGN0N (P5.T; dbo)tbConfi"uration6 &;T
?ocalContentCache?ocationGMNP?ocalContentCache?ocation0alueQNA
$here
<*
PRdri!eRQOpro"ram filesOupdate ser!icesOtoolsOosClOosCl)e<e is the default
location of the osCl)e<e tool on &er!er2)
P&K?&er!erMameO1nstaceMameQ is the name of the &K? &er!er instance that
holds the &(&56 database on &er!er2) Mote that O1nstanceMame is not necessary if
you are usin" the default instance)
P?ocalContentCache?ocation0alueQ is the path to the folder on &er!er1 %here
update files are stored) @or e<ample, C:O$&(&O$&(&Content)
Note
5o not use a net%or location or a (MC path) 5o not add a trailin" bacslash 7O8)
1f you chose remote stora"e on Microsoft (pdate, at a command prompt, type:
APRdri!eRQOpro"ram filesOupdate ser!icesOtoolsOosClOosCl)e<eA :&
P&K?&er!erMameO1nstanceMameQ :; :b :n :K A(&; &(&56 (P5.T;
dbo)tbConfi"uration. &;T Dost*nMuGN1N (P5.T; dbo)tbConfi"uration6 &;T
?ocalContentCache?ocationGMNPR&er!er15ri!eQOpro"ram filesO(pdate
&er!icesO$susContentNA
$here
PRdri!eRQOpro"ram filesOupdate ser!icesOtoolsOosClOosCl)e<e is the default
location of the osCl)e<e tool on &er!er2)
P&K?&er!erMameO1nstanceMameQ is the name of the &K? &er!er instance on
&er!er2) Mote that O1nstanceMame is not necessary if you are usin" the default
instance)
PR&er!er15ri!eRQOpro"ram filesOupdate ser!ices is the location of the Update
Services folder on &er!er1
To set permissions on the bac:end ser!er
1f the bac:end ser!er is runnin" $indo%s &er!er 200,:
a) *n the &er!er2, clic &tart, point to .dministrati!e Tools, and then clic
Computer Mana"ement)
b) 1n the tree, e<pand ?ocal (sers and +roups, and then clic +roups)
c) 1n the details pane, double:clic $&(& .dministrators)
d) 1n the $&(& .dministrators Properties dialo" bo<, clic .dd)
e) 1n &elect (sers, Computers or +roups, clic *bject Types)
f) 1n *bject Types, clic Computers, and then clic *L)
<;
") 1n &elect (sers, Computers, or +roups, enter the name of the front:end
ser!er, and then clic *L)
h) 1n the $&(& .dministrators Properties dialo" bo<, clic *L)
1f the bac:end ser!er is runnin" $indo%s 2000 &er!er
This procedure has t%o parts::if &er!er2 is runnin" $indo%s 2000 &er!er, you must first
create a "lobal security "roup and add &er!er1 as a member, then confi"ure permissions
on &er!er2)
Part 1: Create a "lobal security "roup and add the front:end ser!er as a member
1) *n a computer %ith .cti!e 5irectory .dministrati!e Tools installed, clic &tart,
point to .dministrati!e Tools, and then clic .cti!e 5irectory (sers and Computers)
2) 1n the tree, ri"ht:clic the folder in %hich you %ant to create the ne% "roup)
,) Point to Me%, and then clic +roup)
9) Type the name of the ne% "roup)
-) 1n +roup &cope, clic +lobal)
6) 1n +roup Type, clic &ecurity, and then clic *L) . "lobal security "roup is
created)
/) 5ouble:clic the "lobal security "roup you just created)
2) 1n the "roup properties dialo" bo<, clic the Members tab)
3) Clic .dd)
10) 1n &elect (sers, Contacts, or Computers, clic *bject Types)
11) 1n *bject Types, clic Computers, and then clic *L)
12) 1n ;nter the *bject names to select 7e<amples8, enter the name of &er!er1, and
then clic *L)
1,) 1n the "lobal security "roup properties dialo" bo<, clic *L)
Part 2: &et permissions on the $indo%s 2000 &er!er bac:end ser!er
1) *n &er!er2, clic &tart, point to .dministrati!e Tools, and then clic Computer
Mana"ement)
2) 1n the tree, e<pand ?ocal (sers and +roups, and then clic +roups)
,) 1n the details pane, double:clic $&(& .dministrators)
9) 1n the $&(& .dministrators Properties dialo" bo<, clic .dd)
<)
-) 1n &elect (sers or +roups, select your domain from the ?oo in drop:do%n list)
6) 5ouble:clic the "lobal security "roup you created in the precedin" procedure,
and then clic *L)
/) 1n the $&(& .dministrators Properties dialo" bo<, clic *L)
&tep 2 P*n &er!er2Q: 5etach the $&(& database 7&(&568)
1) 1n &K? &er!er ;nterprise Mana"er, under the Server;NaeD%nstanceNae
node, e<pand :atabases)
2) 4i"ht:clic SUS:?, point to A!! 2as"s, and then clic :etach :atabase) Clic
O4, and then clic O4, %hen the confirmation dialo" bo<es appear)
,) ?ocate and then rename the e<istin" susdb)mdf and susdbSlo")ldf files) 1t is
important to note %here they are stored in the file system) Bou %ill be copyin" the
files of the same name from &er!er1 later in this process to the same location)
&tep , P*n &er!er1Q: 1nstall Microsoft &K? &er!er 2000 %ith AClient Tools *nlyA option)
This step %ill enable you to use the &K? &er!er ;nterprise Mana"er on &er!er1)
&tep 9 P*n &er!er1Q: &top the 11& .dmin ser!ice and the (pdate &er!ices ser!ice, and
close any 1nternet bro%ser that is connectin" to the $&(& console)
1) Clic Start, point to 1rogras, point to Adinistrative 2oo!s, and then clic
Services)
2) 4i"ht:clic %%S Adin Service, and then clic Stop)
,) 4i"ht:clic Update Services, and then clic Stop)
&tep - P*n &er!er1Q: 5etach the $&(& database)
1) 1n &K? &er!er ;nterprise Mana"er, under the EServer*NaeFDWSUS node,
e<pand :atabases)
2) 4i"ht:clic SUS:?, point to A!! 2as"s, and then clic :etach :atabase) Clic
O4, and then clic O4, %hen the confirmation dialo" bo<es appear)
,) Close ;nterprise Mana"er)
&tep 6: Copy the &(&56)mdf and &(&56Slo")ldf files from &er!er1 to &er!er2)
1n &tep 2, you noted the folder location on &er!er2 %here these files are stored)
Copy the files to this folder on &er!er2)
&tep / P*n &er!er2Q: .ttach the $&(& database to a &K? &er!er 2000 instance)
1) (nder the E%nstanceNaeF node, ri"ht:clic :atabases, point to A!! 2as"s, and
then clic Attach :atabase)
<<
2) 1n the Attach :atabase bo<, under M:C fi!e of database to attach, bro%se to
the location of the susdb)mdf file , and then clic *L) 7Mote that &(&56 includes
both &(&56)mdf and &(&56Slo")ldf, %hich is the master lo" file) &K? %ill add both
for you)8 Clic *L a"ain %hen the confirmation dialo" bo< appears)
&tep 2 P*n &er!er1Q: Confi"ure the front end computer to use the database on the
bacend computer)
1n this step, you edit the re"istry to point $&(& to destination &K? instance)
1) Clic &tart, clic 4un, type: re"edit, and then clic *L)
2) @ind and double:clic the follo%in" ey:
,4$MDSOC2WA-BDMicrosoftDUpdateServicesDServerDSetupDS@!ServerNae
,) 1n the 0alue data bo<, type: P&er!er2MameQOP1nstanceMameQ and then clic *L) 1f the
instance name is the default instance, then simply type: P&er!er2MameQ)
Note
$hen enterin" P&er!er2MameQ, do not add the domain name, such as P5omainMameQO
P&er!er2MameQ)
&tep 3 P*n &er!er1Q: 5elete the $M&5; or M&5; instance)
(se Add or -eove 1rogras in Contro! 1ane! to uninstall the $M&5; or M&5;
instance) The name of the M&5; or $M&5; instance to remo!e is Microsoft SA$
Server :es"top Bngine 7WSUS8)
&tep 10 P*n &er!er1Q: &tart the 11& .dmin ser!ice and the (pdate &er!ices ser!ice)
1) Clic Start, point to 1rogras, point to Adinistrative 2oo!s, and then clic
Services)
2) 4i"ht:clic %%S Adin Service, and then clic Start)
,) 4i"ht:clic Update Services, and then clic Start)
&tep 11: 0erify that the database mi"ration %as successful)
@rom any computer in your net%or, open an 1nternet ;<plorer bro%ser and access the
$&(& console at http:EEP&er!er1 nameQO$&(&admin)
Note
Bou mi"ht need to restart &er!er1 in order for these settin"s to tae effect)
See A!so
Mana"in" the 5atabases
5eployin" Microsoft $indo%s &er!er (pdate &er!ices
<'
-unning in -ep!ica Mode
. $&(& ser!er runnin" in replica mode inherits the update appro!als and computer
"roups created on an administration ser!er) 1n a scenario that uses replica mode, you
typically ha!e a sin"le administration ser!er, and one or more subordinate replica $&(&
ser!ers spread out throu"hout the or"ani>ation, based on site or or"ani>ational
topo"raphy) Bou appro!e updates and create computer "roups on the administration
ser!er, %hich the replica mode ser!ers %ill then mirror) 4eplica mode ser!ers can be set
up only durin" $&(& &etup, and if you implemented this scenario, it is liely because it
is important in your or"ani>ation that update appro!als and computer "roups are
mana"ed centrally)
1f your $&(& ser!er is runnin" in replica mode, you %ill be able to perform only limited
administration capabilities on the ser!er, %hich %ill primarily consist of:
.ddin" and remo!in" computers from computer "roups
Computer "roup membership is not distributed to replica ser!ers, only the
computer "roups themsel!es) Therefore, on a replica mode ser!er, you %ill inherit the
computer "roups that you created on the administration ser!er) Do%e!er, the
computer "roups %ill be empty) Bou must then assi"n the client computers that
connect to the replica ser!er to the computer "roups)
&ettin" a synchroni>ation schedule
&pecifyin" pro<y:ser!er settin"s
&pecifyin" the update source
This can be a ser!er other than the administration ser!er)
0ie%in" a!ailable updates
Monitorin" update, synchroni>ation, and computer status, and monitorin" $&(&
settin"s on the ser!er
.ll standard $&(& reports are a!ailable on replica mode ser!ers)
@or more information about settin" up and runnin" in replica mode, see 5eployin"
?ac"ing Up Windows Server Update Services
.lthou"h $&(& does not pro!ide a built:in bacup tool, you can use the 6acup (tility
that is a!ailable on all ser!ers runnin" $indo%s 2000 or $indo%s &er!er 200, to easily
<0
bac up and restore both the $&(& database and update file stora"e folder) The 6acup
(tility is also no%n as Mtbacup)e<e)
6acin" up $&(& in!ol!es bacin" up the follo%in":
The $&(& database, %hich contains:
(pdate metadata, includin" information about updates 7for e<ample,
properties8) Metadata is also %here ;(?.s are stored)
$&(& ser!er confi"uration information, %hich includes all settin"s for your
$&(& ser!er 7that is, options you specified throu"h the $&(& console and
settin"s confi"ured by $&(& automatically durin" setup8)
1nformation about client computers, updates, and client interaction %ith
updates) Bou can access this information throu"h the $&(& console %hen you
!ie% status and run reports on update status and client computer status)
The folder %here the update files are stored) (pdate files are the actual files
reCuired to install an update on a computer) 6y default, update files are stored in the
;systemdrive;O$&(&O$&(&Content folder on your $&(& ser!er) 1f you ha!e
chosen to store update files on Microsoft (pdate 7either durin" setup or on the
Options pa"e8, you do not ha!e to bac up the update file stora"e folder on your
$&(& ser!er)
1f you are usin" a full !ersion of Microsoft &K? &er!er 2000 for your database, %hich is
not installed by $&(&, you can use &K? &er!er ;nterprise mana"er as an alternati!e to
the 6acup (tility) @or more information about &K? &er!er ;nterprise Mana"er, refer to
your &K? &er!er documentation) @or more information about database options and
confi"urations for $&(&, see 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
2o bac" up the update fi!e storage fo!der
1) *n your $&(& ser!er, clic Start, and then clic -un)
2) 1n the Open bo<, type ;systemdrive;O;windir;Os.ste);Ontbac"up.e5e
and then clic O4)
,) 1n the 6acup or 4estore $i>ard, clic Ne5t)
9) 0erify that ?ac" up fi!es and settings is selected, and then clic Ne5t)
-) Clic $et e choose what to bac" up, and then clic Ne5t)
6) &elect the $&(&Content folder 7under ;systemdrive;O$&(&O8, and then
clic Ne5t)
<3
/) (se the ?rowse button to choose a place to sa!e your bacup, type a name
for the bacup, and then clic Ne5t)
2) 1f you %ant to set additional specifications for your bacup, includin" %hether
it %ill be an incremental bacup, %hether you %ant to !erify the bacup, set a
recurrin" schedule for the bacup, or other options, clic Advanced, and then
follo% the instructions in the %i>ard)
3) $hen the %i>ard is finished, clic Cinish)
10) $hen the messa"e appears that informs you that the bacup is complete,
clic C!ose)
2o bac" up the WSUS database
and then clic O4)
9) 0erify that ?ac" up fi!es and settings is selected, and then clic Ne5t)
-) Clic $et e choose what to bac" up, and then clic Ne5t)
6) (nder ;systemdrive;O$&(&OM&&K?T$&(&O, select the :ata and $OG
folders, and then clic Ne5t)
/) (se the ?rowse button to choose a place to sa!e your bacup, type a name
for the bacup, and then clic Ne5t)
2) 1f you %ant to set additional specifications for your bacup, includin" %hether
it %ill be an incremental bacup, %hether you %ant to !erify the bacup, set a
recurrin" schedule for the bacup, or other options, clic Advanced, and then
follo% the prompts that appear in the %i>ard)
3) $hen the %i>ard is finished, clic Cinish)
10) $hen the messa"e appears that informs you that the bacup is complete,
clic C!ose)
2o restore the update fi!e storage fo!der
and then clic O4)
<(
9) Clic -estore fi!es and settings, and then clic Ne5t)
-) 1n the What to restore dialo" bo<, under %tes to restore, e<pand the file
that contains the $&(&Content folder 7under ;systemdrive;O$&(&O8, and then
clic Ne5t)
.lternati!ely, you can select a subset of the ;systemdrive
;O$&(&O$&(&Content folder to restore) $ithin the ;systemdrive
;O$&(&O$&(&Content folder, you can restore one, all, or a combination of
its subfolders and files)
6) 1f you %ant to set additional specifications for your restore, includin" %hether
you %ant to restore the files or folders to a different location, replace e<istin"
files, restore security settin"s, or specify other options, clic Advanced, and then
/) $hen the %i>ard is finished, clic Cinish)
2) $hen the messa"e appears that informs you that restorin" is complete, clic
C!ose)
2o restore the WSUS database
and then clic O4)
9) Clic -estore fi!es and settings, and then clic Ne5t)
-) 1n the What to restore dialo" bo<, under %tes to restore, e<pand the file
that contains the :ata and $OG folders 7under ;systemdrive
;O$&(&OM&K?T$&(&8, and then clic Ne5t)
.lternati!ely, you can select a subset of the ;systemdrive
;O$&(&OM&K?T$&(&O5ata or ;systemdrive;O$&(&OM&K?T$&(&O?*+
folders to restore) $ithin the ;systemdrive;O$&(&OM&K?T$&(&O5ata and
;systemdrive;O$&(&OM&K?T$&(&O?*+ folders, you can restore one, all,
or a combination of their subfolders and files)
6) 1f you %ant to set additional specifications for your restore, includin" %hether
you %ant to restore the files or folders to a different location, replace e<istin"
files, restore security settin"s, or specify other options, clic Advanced, and then
<9
/) $hen the %i>ard is finished, clic Cinish)
2) $hen the messa"e appears that informs you that restorin" is complete, clic
C!ose)
?est 1ractices with Windows Server Update Services
This section pro!ides best practices for mana"in" updates throu"h $&(&)
Use Group 1o!ic. to Update Mu!tip!e Coputers
1f you ha!e set up .cti!e 5irectory in your net%or, you can confi"ure one or multiple
computers simultaneously, by includin" them in a +roup Policy object 7+P*8, and then
confi"urin" that +P* %ith $&(& settin"s) Microsoft recommends that you create a ne%
+roup Policy object 7+P*8 that contains only $&(& settin"s) ?in this $&(& +P* to an
.cti!e 5irectory container appropriate for your en!ironment) 1n a simple en!ironment, you
mi"ht lin a sin"le $&(& +P* to the domain) 1n a more comple< en!ironment, you mi"ht
lin multiple $&(& +P*s to se!eral or"ani>ational units 7*(s8, %hich %ill enable you to
apply different $&(& policy settin"s to different types of computers)
%portant
Microsoft recommends that you do not edit the :efau!t :oain or :efau!t
:oain Contro!!er +P*s)
Typically, %hen you confi"ure $&(& throu"h +roup Policy 7in an .cti!e 5irectory
net%or en!ironment8, you set up your client computers to connect to a $&(& ser!er
and do%nload updates once a day) 6y default, this is e!ery 22 hours 7minus a random
time offset, described later in this topic8 at %hich time the appro!al actions you specified
for the ne% updates 7for e<ample, installation, detection, or remo!al8 run on the client
computer)
Do%e!er, if you are a%are of and %ant to protect computers a"ainst immediate security
threats, you mi"ht %ant to set up more a more freCuent schedule for computers to
contact the $&(& ser!er, do%nload, and install updates)
2o specif. how and when coputers are updated through Group 1o!ic.
1) 1n +roup Policy *bject ;ditor, e<pand Coputer Configuration, e<pand
Adinistrative 2ep!ates, e<pand Windows Coponents, and then clic
Windows Update)
'+
2) 1n the details pane of +roup Policy *bject ;ditor, confi"ure the appropriate
policies) &ee the follo%in" table for e<amples of the policies you mi"ht %ant to
set)
1o!icies for Configuring Autoatic Updates ?ehavior
Policy 5escription
Confi"ure .utomatic (pdates 6y enablin" this settin" you enable your
computer to recei!e updates throu"h
.utomatic (pdates on a computer or
computer "roup) To complete this settin",
you must then select one of the follo%in"
four options:
Motify before do%nloadin" any
updates and notify a"ain before
installin" them)
5o%nload the updates
automatically and notify %hen they are
ready to be installed 7default settin"8
.utomatically do%nload updates
and install them on the schedule
specified belo%
.llo% local administrators to select
the confi"uration mode that .utomatic
(pdates should notify and install
updates
Mo auto:restart for scheduled .utomatic
(pdates installations
&pecifies that to complete a scheduled
installation, .utomatic (pdates %ill %ait for
the computer to be restarted by any user
%ho is lo""ed on, instead of causin" the
computer to restart automatically)
'*
Policy 5escription
.utomatic (pdates detection freCuency Confi"ures the freCuency %ith %hich
computers contact the $&(& ser!er) The
e<act time bet%een contact %ill actually be
the number of hours you specify here,
minus >ero to t%enty percent of the hours
specified) @or e<ample, if this policy is used
to specify a 20:hour contact freCuency, then
all client computers to %hich this policy is
applied %ill chec for updates any%here
bet%een 16 and 20 hours) 1f you lea!e this
policy set to :isab!ed or Not Configured,
$indo%s %ill chec for a!ailable updates at
the default inter!al of 22 hours)
.llo% .utomatic (pdates immediate
installation
&pecifies %hether .utomatic (pdates
should automatically install certain updates
that neither interrupt $indo%s ser!ices nor
restart $indo%s)
1t %ill tae a fe% minutes before the ne% policies you ha!e confi"ured tae effect) 1t %ill
be about 20 minutes after +roup Policy refreshes 7applies any ne% settin"s to the client
computer8) 6y default, computer +roup Policy refreshes in the bac"round e!ery 30
minutes, %ith a random offset of 0 to ,0 minutes) 1f you %ant to refresh +roup Policy
sooner, you can "o to a command prompt on the client computer and type:
gpupdate /force)
@or more information about +roup Policy, see +roup Policy at
http:EE"o)microsoft)comEf%linEF?in15G192,2) @or more information about options for
settin" up and confi"urin" your client computers in both .cti!e 5irectory and non:.cti!e
5irectory net%or en!ironments, see 5eployin" Microsoft $indo%s &er!er (pdate
&er!ices at http:EE"o)microsoft)comEf%linEF?in15G91///)
Schedu!e Update %nsta!!ations when there is $itt!e Chance for $ost
1roductivit.
1n mana"in" the process of updatin" computers 7%hich includes $&(& ser!ers8, one of
your main "oals is to ha!e any planned do%ntime occur %hen there is little chance for
lost producti!ity) The follo%in" are su""estions for accomplishin" this:
';
To update $&(& ser!ers or specific computers efficiently, put the $&(& ser!ers
or computers in their o%n computer "roup, and deploy to that "roup %ith a deadline
set for a time %hen it is feasible for the $&(& ser!ers or computers to be do%n 7for
e<ample, on &unday at ,:00 .)M8)
5eploy updates by usin" a deadline in the future) @or e<ample, set the $&(&
ser!ers or computers %ith a scheduled installation at a time %hen it is feasible for
them to be briefly offline 7for e<ample, on &unday at ,:00 .)M8)
Confi"ure client computers or $&(& ser!ers throu"h +roup Policy to
immediately install updates that do not reCuire a restart) 76efore you appro!e an
update for installation, you can read the :escription field in the properties for an
update in order to determine %hether the update %ill reCuire restartin" the computer)
Bou can !ie% the properties for an update by selectin" it in the list of updates on the
Updates pa"e in the $&(& console)8 ;nable the policy to install immediately any
updates that do not reCuire a computer restart, so that they are installed e!ery day)
Computers can then install any updates that do not interrupt ser!ice %hen they are
ready to install 7that is, schedulin" for &unday mornin" installation %ould be
unnecessary8) The tile of this policy is A!!ow Autoatic Updates iediate
insta!!ation 7see the table earlier in this topic for more information8)
Cor a5iu contro! over when .our servers are restarted as
necessitated b. an update insta!!ationL set Group 1o!ic. to
:own!oad the updates autoatica!!. and notif. when the. are
read. to be insta!!edL and then create a script that enab!es to
.ou accept and insta!! the updates and then restart the
coputer on deand
&ome updates reCuire a computer restart after they are installed 7and, by default, %ill
restart computers - minutes after they are installed)8 6y not restartin" your ser!ers after
installin" these updates, you lea!e them at ris) Pbena"Q Do%e!er, dependin" on your
net%or confi"uration, it mi"ht also risy to restart your ser!ers automatically, since many
other resources in your net%or could depend on a sin"le ser!er) 1n this case, it mi"ht not
be feasible to schedule automatic scheduled restarts of your ser!er)
There are a couple of +roup Policies that enable you to confi"ure %hen a computer is
restarted) Do%e!er, %hen talin" about ser!ers, these policies ha!e some limitations o!er
control:
Mo auto:restart for scheduled .utomatic (pdates installationsIthis policy %ill
pre!ent automatic restarts of your ser!er, and %ill enable manual restartIho%e!er,
you ha!e to lo" on to the ser!er and then initiate the restart) This mi"ht not be
practical if your ser!er is typically unattended)
')
5elay restart for scheduled installationsIthis policy can delay the time bet%een
the update installation and the computer restart, ho%e!er, the ma<imum time you can
set here is ,0 minutes)
1f these are issues for you, consider the follo%in" procedure:
1) (se +roup Policy to confi"ure automatic do%nload, and manual installation of
the updates) To do this, you %ould enable the Confi"ure .utomatic (pdates +roup
Policy settin" by selectin" the 5o%nload the updates automatically and notify %hen
they are ready to be installed option)
2) Create a script to automate installin" the updates and then restartin" of your
ser!er) This script %ould ha!e the effect of a UbuttonV you %ould push to initiate all
this, therefore the updates install and the ser!er restarts %hen you run the script) Bou
can do this at the most appropriate time) @or more information about creatin" scripts
to automate .utomatic (pdates tass 7for e<ample do%nloadin" and installin"
updates on ser!er and client computers8, see $indo%s (pdate ."ent &oft%are
5e!eloperNs Lit 7http:EE"o)microsoft)comEf%linEF?in15G9,1018
Managing WSUS fro the Coand $ine
This topic does the follo%in"
&ummari>es the purpose and functionality of $&(&util)e<e and its parameters)
Pro!ides and defines the synta< you %ould use to run specific tass)
?ins to A5eployin" Microsoft $indo%s &er!er (pdate &er!icesA %here more
information 7for e<ample, scenarios8 is a!ailable)
-unning WSUSuti!.e5e
WSUSuti!.e5e is a tool that you can use to mana"e your $&(& ser!er from the
command line) $&(&util)e<e is located in the ;drive;OPro"ram @ilesO(pdate
&er!icesOTools folder on your $&(& ser!er) Bou can run specific commands %ith
$&(&util)e<e to perform specific functions, as summari>ed in the follo%in" table) The
synta< you %ould use to run $&(&util)e<e %ith specific commands follo%s the table)
'<
Suar. of Coands =ou Can Use with WSUSuti!
Command $hat it enables you
to do
$hen you mi"ht use it
e5port The first of the t%o
parts that mae up
the e<port E import
process)
The e5port
command enables
you to e<port update
metadata to an
e<port paca"e file)
Bou cannot use this
parameter to e<port
update files, update
appro!als, or ser!er
settin"s)
*n an on"oin" basis, if
you are runnin" a net%or
%ith limited or restricted
1nternet connecti!ity
iport The second of the
t%o parts that mae
up the e<portEimport
process)
The iport
command imports
update metadata to a
ser!er from an e<port
paca"e file created
on another $&(&
ser!er) This
synchroni>es the
destination $&(&
ser!er %ithout usin"
a net%or
connection)
*n an on"oin" basis, if
you are runnin" a net%or
%ith limited or restricted
connecti!ity
igratesus This command
mi"rates update
appro!als from a
&(& 1)0 ser!er to a
$&(& ser!er)
1f you are up"radin"
your implementation &(&
1)0 to $&(&)
''
to do
ovecontent Chan"es the file
system location
%here the $&(&
ser!er stores update
files, and optionally
copies any update
files from the old
location to the ne%
location
Dard dri!e is full
5is fails
reset Checs that e!ery
update metadata ro%
in the database has
correspondin" update
files stored in the file
system) 1f update files
are missin" or ha!e
been corrupted,
$&(& do%nloads
the update files
a"ain)
.fter restorin" the
$&(& database)
$hen troubleshootin"
de!eteunneededrevisions Pur"es the update
metadata for
unnecessary update
re!isions from the
database)
To free up space %hen
an M&5; is full
'0
to do
!istinactiveapprova!s 4eturns a list of
update titles %ith
appro!als that are in
a permanently
inacti!e state
because of a chan"e
in ser!er lan"ua"e
settin"s)
$hen you chan"e
lan"ua"e settin"s on an
upstream ser!er 7that is the
parent to a replica ser!er8
and %ant to see %hich
updates are no lon"er
acti!e because they are not
in the ne% lan"ua"es you
ha!e specified) Bou can run
this command if you %ant to
see a list of inacti!e
appro!als 7for e<ample, to
help you decide if you %ant
to remo!e the inacti!e
appro!als8) Bou do not ha!e
to run this command before
runnin" the
reoveinactiveapprova!s
command)
reoveinactiveapprova!s 4emo!es appro!als
for updates that are
in a permanently
inacti!e state
because of a chan"e
in $&(& ser!er
lan"ua"e settin"s)
$hen you chan"e
lan"ua"e settin"s on an
upstream ser!er 7that is the
parent to a replica ser!er8
and %ant to remo!e
updates that are no lon"er
acti!e because they are not
in the ne% lan"ua"es you
ha!e specified) This %ould
fi< the resultin" mismatch in
the number of updates
displayed on the parent and
replica ser!ers in this
scenario) Bou do not ha!e
to run the
!istinactiveapprova!s
command before runnin"
this command)
'3
B5port
@or bac"round and procedural information about e<portin" and importin" updates, see
A&et (p a 5isconnected Met%or 71mport and ;<port (pdates8A in 5eployin" Microsoft
$indo%s &er!er (pdate &er!ices at http:EE"o)microsoft)comEf%linEFlinidG91///)
S.nta5
.t the command line ;drive;OPro"ram @ilesO(pdate &er!icesOToolsW, type:
wsusuti! e5port package logfile
The parameters are defined in the follo%in" table)
Parameter 5efinition
package The path and file name of the paca"e )cab
to create)
lo"file The path and file name of the lo" file to
create)
/he!p or /# 5isplays command:line help for e<port
command)
%port
@or bac"round and procedural information about e<portin" and importin" updates, see
A&et (p a 5isconnected Met%or 71mport and ;<port (pdates8A in 5eployin" Microsoft
$indo%s &er!er (pdate &er!ices at http:EE"o)microsoft)comEf%linEFlinidG91///)
S.nta5
wsusuti! iport package logfile
The parameters are defined in the follo%in" table:
package The path and file name of the paca"e )cab
to import)
'(
logfile The path and file name of the lo" file to
create)
/he!p or /# 5isplays command:line help for import
command)
Migratesus
&(& 1)0 to $&(& mi"ration scenarios and related procedures are co!ered e<tensi!ely in
the AMi"rate from a &(& &er!er to a $&(& &er!erA topic in 5eployin" Microsoft
$indo%s (pdate &er!ices at http:EE"o)microsoft)comEf%linEF?in15G91///)
S.nta5
wsusuti! igratesus P/content contentshareQ P/approva!s servername PcomputergroupQQ
P/!og logfileQ P/#Q
The parameters are defined in the follo%in" table:
/content contentshare Mi"rates content from a &(& 1)0, %here
contentshare is the path to the folder that
contains &(& 1)0 content)
/approva!s servername Mi"rates appro!als from the &(& 1)0
ser!er, %here servername is the name of
the &(& 1)0 ser!er)
computergroup Computer "roup for %hich you %ant to
apply the appro!als)
/he!p or /# 5isplays command:line help for the
mi"ratesus parameter)
/!og logfile @ile in %hich mi"ration acti!ities are
lo""ed)
Movecontent
$hen you run this command, $&(&util)e<e does the follo%in":
'9
Copies the update files from the old location into the ne% location)
(pdates the $&(& database to refer to the ne% location of the update files)
The destination folder %here update files are mo!ed to must be on an MT@& partition)
The content mo!e tool %ill not try to copy update files if they already e<ist in the
destination folder) $&(&util)e<e sets the same permissions on the destination folder that
%ere set on the ori"inal folder)
Note
Bou can use 5cop., the 6acup utility, or other non:$&(& specific methods to
copy update files from the old location into the ne% one) 1f you copy the files by
usin" a method other than $&(&util)e<e, you still need to run $&(&util)e<e to
perform the second part of the mo!e) 1n this case you %ould use the s"ipcop.
parameter %hen runnin" $&(&util)e<e) &ee A&ynta<A belo% for more
information)
There are t%o scenarios in %hich you mi"ht mo!e update files from one $&(& dri!e to
another:
1f the dri!e is full
1f the hard dis fails
%f the drive is fu!!
1f the dri!e %here $&(& stores update files is full, you can do one of the follo%in":
.dd more space to your current dri!e by usin" MT@& functionality) This is done
%ithout usin" $&(&util)e<e) This method does not affect $&(& confi"uration or
operation)
1nstall a ne% dri!e, and then mo!e the update files from the old dri!e to the ne%
location by usin" $susutil)e<e)
%f the hard dis" fai!s
1f the hard dis that stores update files fails, you must do the follo%in":
1) 1nstall the ne% dis on your computer, and then restore the update files from your
bacup files) Mote: 1f you ha!e not baced up your update files, $&(&util)e<e
do%nloads the missin" files at the end of the content mo!e operation)
2) 4un the content mo!e operation, specifyin" the location for the ne% dis) 1n
addition, you specify the s"ipcop. parameter, because you are either puttin" the
files in the ne% folder throu"h the 6acup utility or the source folder does not e<istJ
the update files %ill be do%nloaded at the end of this process)
0+
,) $hen the mo!e operation is complete, all the missin" files are do%nloaded)
S.nta5
.t the command line ;drive;<Pro"ram @ilesO(pdate &er!icesOToolsW, type:
wsusuti! ovecontent contentpath logfile 6s"ipcop. P/#Q
The parameters are defined in the follo%in" table)
contentpath The ne% root for content files) The path
must e<ist)
logfile The path and file name of the lo" file to
create)
6s"ipcop. 1ndicates that only the ser!er confi"uration
should be chan"ed, and that the content
files should not be copied)
/he!p or /# 5isplays command:line help for
mo!econtent command)
-eset
Bou use this command if you store updates locally on your $&(& ser!er and %ant to
ensure that the metadata information stored in your $&(& database is accurate) $ith
this command, you !erify that e!ery update metadata ro% in the $&(& database
corresponds to update files stored in the local update file stora"e location on your $&(&
ser!er) 1f update files are missin" or ha!e been corrupted, $&(& do%nloads the update
files a"ain) This command mi"ht be useful to run after you restore your database, or as a
first step %hen troubleshootin" update appro!als)
S.nta5
wsusuti! reset
:e!eteunneededrevisions
1f you use an M&5; database in your $&(& implementation 7for e<ample, if you are
usin" $&(& on a ser!er runnin" $indo%s 20008, you mi"ht need to run this command
periodically %hen the database reaches its 2:+6 limit because once the database is full,
0*
you cannot synchroni>e ne% updates to your ser!er, add ne% computers, or import
e!ents from e<istin" client computers)
$ith re"ular use, it is possible that the 2 +6 %ill be reached Cuicly, as updates can be
!ery lar"e, and update publishers typically create multiple re!isions of each update,
%hich your ser!er %ill synchroni>e automatically for the products and update
classifications you specify) 1n addition, e!ent information for client computers also
populates the database) $hen your M&5; database is close to reachin" its limit, you %ill
recei!e a notification on the $&(& console ,oe pa"e alertin" you to run this command
soon) $hen you run this command, unneeded re!isions and the e!ents associated %ith
those re!isions are deleted from the database)
(nneeded re!isions are re!isions to soft%are or dri!ers updates that ha!e not been
deployed to a computer "roup in at least one monthJ they are also the latest re!isions to
e<pired dri!er updates that ha!e not been deployed to a computer "roup for at least one
month) The one:month time period in both of these cases can be chan"ed, indirectly) 1t
automatically "ets reduced by / to 1- days if you reduce the si>e of a database that is
lar"er than 1 +6 by less than 2- percent in the process of runnin" this command)
Note
@or more information about the databases you can use %ith $&(&, see the
AChoose the 5atabase (sed for $&(&A topic in 5eployin" Microsoft $indo%s
(pdate &er!ices at http:EE"o)microsoft)comEf%linEF?in15G91///)
S.nta5
wsusuti! de!eteunneededrevisions
%portant
6efore runnin" this command, you must stop the $orld $ide $eb publishin"
ser!ice in 11&) Bou must restart it only after you ha!e finished runnin" this
command) To stop or start the 11& ser!ice, open 11&, na!i"ate to and then ri"ht:
clic the $eb site %here $&(& is is installed 7by default this is the 5efault $eb
&ite8, and then clic Stop or Start)
$istinactiveapprova!s
1f you chan"e lan"ua"e options on an upstream $&(& ser!er, you can create a situation
%here the number of updates appro!ed on a parent upstream ser!er does not match the
number of appro!ed updates on a replica ser!er)
Dere is a scenario %here this mi"ht occur:
0;
Bou ha!e confi"ured your upstream parent ser!er to synchroni>e from Microsoft (pdate
and ha!e left the lan"ua"e settin" set to A!! $anguages 7the default8) Bou then run
synchroni>ation and appro!e ,00 updates, of %hich -0 are not ;n"lish lan"ua"e
updates) Bou then chan"e the lan"ua"e settin" on the ser!er to Bng!ish on!.) .fter this,
a replica ser!er synchroni>es from the parent upstream ser!er and do%nloads only the
Aacti!eA appro!als, %hich no% are only the ;n"lish lan"ua"e ones 7replica ser!ers al%ays
only synchroni>e acti!e appro!als8) .t this point, if you loo on the $&(& console on the
parent ser!er, you %ill see that ,00 updates are appro!ed) 1f you do the same on the
replica ser!er, you %ill see that only 2-0 are appro!ed) Bou %ould use
!istinactiveapprova!s to see a list of the updates on the parent upstream ser!er that are
permanently inacti!eIin this case, you %ould see the -0 updates that are not ;n"lish)
Bou can run this command if you %ant to see a list of the inacti!e appro!als 7for e<ample,
to help you decide if you %ant to remo!e the inacti!e appro!als8) Bou do not ha!e to run
this command before runnin" the reoveinactiveapprova!s command)
S.nta5
wsusuti! !istinactiveapprova!s
-eoveinactiveapprova!s
The scenario in %hich you %ould use this command is the same as the one described for
!istinactiveapprova!s) Do%e!er, %hile you use !istinactiveapprova!s to list the inacti!e
appro!als on the parent upstream ser!er, you use reoveinactiveapprova!s to remo!e
them) Bou do not ha!e to run the !istinactiveapprova!s command before runnin" this
command)
S.nta5
wsusuti! reoveinactiveapprova!s
Monitoring Windows Server Update Services
%n this section
(pdate &tatus Terminolo"y
4unnin" 4eports
0)
Update Status 2erino!og.
Bou can access update status from !arious locations in the $&(& console) The follo%in"
table defines each possible status that can be reported by $&(& for an update) Typically,
$&(& presents update status for a particular computer 7for e<ample, the status of an
update on one computer8 or computer "roup 7for e<ample, status for the fi!e computers
in Computer +roup = on %hich the update has been installed8)
Update Status :efinitions
&tatus 5escription
1nstalled The update %as installed on the computer)
0<
&tatus 5escription
Meeded This is the positi!e result of a 5etect only
appro!al) $hen referrin" to the status of
one computer, Meeded means the update is
compliant %ith 7and should be installed on8
the computer) $hen referrin" to status for a
computer "roup, the Needed column
displays the number of computers in the
"roup %ith %hich the update is compliant)
.dditionally, a positi!e Meeded result
means, technically, that as of the last time
client computers made contact %ith the
$&(& ser!er, the update %as determined
to be compliant, but has not been installed)
Therefore, it is possible that any of the
follo%in" could be true %hen the status for
an update is Meeded:
Bou ha!e appro!ed the update for
installation but the client computers ha!e
not yet contacted the $&(& ser!er since
you made this chan"e)
Bou ha!e not yet appro!ed the update for
installation, althou"h the 5etect only action
has been performed)
The update has already been do%nloaded
and installed, but the client computer has
not contacted the $&(& ser!er since the
update %as installed)
The update has already been do%nloaded
and installed but the update reCuires that
the client computer be restarted before
chan"es "o into effect, and the client
computer has not yet been restarted)
The update has been do%nloaded to the
computer but not installed)
The update has been neither do%nloaded
nor installed on the computer)
0'
&tatus 5escription
Mot needed This is the ne"ati!e result of a 5etect only
appro!al) $hen referrin" to the status of
one computer, Mot needed means the
update is not compliant %ith or reCuired by
that computer) $hen referrin" to the status
for a computer "roup, the Not needed
column displays the number of computers in
the "roup for %hich the update is not
compliant or reCuired)
(nno%n Typically, this means that since the time that
the update %as synchroni>ed to the $&(&
ser!er, the computer has not contacted the
$&(& ser!er)
@ailed .n error occurred %hen either a detection or
an installation %as attempted on the
computer for the update)
?ast contacted This is the date on %hich the computer last
contacted the $&(& ser!er)
-unning -eports
4eports enable you to monitor the components of your $indo%s &er!er (pdate &er!ices
implementation)
Using the -eports 1age
Bou can "enerate three main reports from the -eports pa"e, as described in the
follo%in" table, and in the sections that follo%)
-eports Avai!ab!e on -eports 1age
4eport Mame @unction
&tatus of (pdates 0ie% the status of all appro!ed updates by
computer "roup and computer)
00
4eport Mame @unction
&tatus of Computers 0ie% the status of client computers and the
status of updates on those computers 7for
e<ample, a summary of updates that ha!e
been installed or are needed for a particular
computer8)
&ynchroni>ation 4esults 0ie% a list of ne% updates, update
re!isions, and errors that occurred durin"
synchroni>ation)
&ettin"s &ummary 0ie% or print a summary of the settin"s
confi"ured throu"h the Options pa"e)
Status of Updates -eport
The &tatus of (pdates report enables you to !ie% the status for all of your appro!ed
updates) Bou can !ie% the report in three %ays: you can !ie% the status of an update at a
hi"h le!el, by computer "roup, and by computer)
The report displays information resultin" from the most recent contact bet%een client
computers and the $&(& ser!er) The freCuency %ith %hich client computers contact the
$&(& ser!er is confi"ured throu"h +roup Policy) 6y default, this is e!ery 22 hours)
(nless you %ant to chan"e the contact freCuency for your client computers, "enerate this
report the day after you appro!e updates, so that it reflects your latest appro!als) @or
more information about confi"urin" +roup Policy, see 5eployin" Microsoft $indo%s
&er!er (pdates &er!ices at http:EE"o)microsoft)comEf%linEFlinidG91///HclcidG0<903)
Note
Bou can use a command:line tool on client computers that are runnin" the $&(&
client soft%are 7.utomatic (pdates8 in order to initiate contact bet%een the client
computer and $&(& ser!er) This can be useful if you %ant to "et immediate
update status for a particular computerIyou can run this tool to force connection
and then "enerate a &tatus of (pdates report)
2o initiate iediate contact between a c!ient coputer and WSUS server
*n the client computer, at the command prompt, type wuauc!t.e5e
/detectnow, and then press BN2B-)
03
2o run a Status of Updates report
1) *n the $&(& console toolbar, clic -eports)
2) *n the -eports pa"e, clic Status of Updates)
Update suar. view
The update summary !ie% is the default !ie% that appears %hen you run a &tatus of
(pdates report) 6y default, the report displays an alphabetical list of appro!ed updates)
Bou can filter the display by both appro!al action and computer "roup by main"
appropriate selections under >iew and then clicin" App!.) Bour filter is reset to the
default list of all updates %hen you close the &tatus of (pdates report)
The columns displayed in the update summary !ie% are described in the follo%in" table)
:escription of Co!uns :isp!a.ed in Update Suar. >iew
Column Mame 5escription
Title The name of the update)
To !ie% the properties for an update, clic
an update in this column) The update
properties bo< pro!ides the follo%in"
information:
The :etai!s tab contains "eneral
information about the update)
The Status tab contains status information
for the update by computer "roup) This is
also %hat you see in computer "roup !ie%)
Bou can also e<pand this !ie% into computer
!ie% by e<pandin" a computer "roup)
The -evisions tab displays information
about chan"es to the update)
1nstalled The number of computers on %hich the
update has been installed)
0(
Meeded The number of computers for %hich the
update is applicable but not installed) @or
these computers, a detect:only action has
been performed for the update) 1f an update
reCuires a restart, then a computer that has
installed the update %ill continue to appear
in the Meeded column until it is restarted)
@ailed The number of computers that last reported
a failed do%nload, installation, or remo!al
7uninstallation8)
?ast (pdated The date that the latest action for this
update occurred)
Coputer group view
The computer "roup !ie% displays the status of an update by computer "roup) To use this
!ie%, e<pand any update that is listed in update summary !ie%)
The columns displayed in the computer "roup !ie% are described in the follo%in" table)
:escription of Co!uns :isp!a.ed in Coputer Group >iew
Computer +roup The name of the computer "roup to %hich
the update has been tar"eted)
.ppro!al The action that this update has been
appro!ed for, specific to the "roup)
5eadline The deadline for the action, if you ha!e set
a deadline)
1nstalled The number of computers on %hich the
update has been installed)
09
Meeded The number of computers for %hich the
update is applicable but not installed) @or
these computers, a detect:only action has
been performed for the update) 1f an update
reCuires a restart, then a computer that has
installed the update %ill continue to appear
in the Meeded column until it is restarted)
@ailed The number of computers that last reported
a failed do%nload, installation, or remo!al
7uninstallation8)
Coputer view
The computer !ie% displays the status of each computer in a computer "roup) To use the
computer !ie%, e<pand a computer "roup)
The columns displayed in this !ie% are described in the follo%in" table)
:escription of Co!uns :isp!a.ed in Coputer >iew
Computer Mame Mame of the computer
To see the properties for the computer, clic
the computer name) The computer
properties dialo" bo< that appears displays
details and status for the computer) The
Status tab displays the result of the last
communication bet%een the $&(& ser!er
and the computer, and the status of updates
for %hich an action has been appro!ed on
the computer)
3+
&tatus The status %ill be one of the follo%in":
@ailed : The do%nload, installation,
or remo!al action for the update on this
computer %as not completed)
Meeded : The update is applicable
but not installed) 1f an update reCuires a
restart, then a computer that has
installed the update %ill continue to be
counted as needed until it is restarted)
Mot needed : The update is not
applicable)
1nstalled : The update has been
installed)
(nno%n : Mo action has been
performed on the computer)
To see details for an e!ent, clic the result in
the Status column)
1rinting the report
Bou can print the report in update summary, computer "roup, or computer !ie%,
dependin" on ho% you ha!e e<panded the &tatus of (pdates report)
2o print the Status of Updates report
1) ;<pand your report into update summary, computer "roup, or computer !ie%,
dependin" on the information you %ant to print)
2) (nder 2as"s, clic 1rint report)
Note
Bou cannot use the 1rint report tas to print a dialo" bo<, and the 1rint report
tas is not enabled if a dialo" bo< is open)
Status of Coputers -eport
The &tatus of Computers report pro!ides both a cumulati!e and indi!idual update status
summary for computers in the computer "roup and for the update status results you
3*
specify) The follo%in" table pro!ides more information about the status pro!ided for each
update)
:escription of Status :isp!a.ed in Status of Coputers -eport
&tatus 5escription
1nstalled The update %as installed on the computer)
Meeded . detection %as performed on the computer
for the update, %hich determined that the
update should be installed on the computer)
Mot needed ;ither the update is already installed on the
computer, or the update does not belon" to
a product or classification you specified
%hen confi"urin" synchroni>ation options)
(nno%n Typically, this means that since the time that
the update %as synchroni>ed to the $&(&
ser!er, the computer has not yet contacted
the $&(& ser!er)
@ailed .n error occurred %hen either a detection or
an installation %as attempted on the
computer for the update)
?ast contacted This is the date on %hich the computer last
contacted the $&(& ser!er)
Bou can also print the report, includin" the list of indi!idual updates %ith status for
indi!idual computers, if you ha!e e<panded the computers 7cliced the X symbol8)
Do%e!er, you cannot print the dialo" bo< that appears %hen you clic indi!idual updates
in the list or %hen you clic the status for an indi!idual update)
2o run a status report for coputers
1) *n the $&(& console toolbar, clic -eports, and then clic Status of
Coputers)
2) (nder >iew, select the criteria you %ant to use to filter the report, and then
clic App!.) The report displays a cumulati!e update status summary for all of
the computers in the computer "roup and for the status you specified)
,) 1f you %ant more information about a specific computer, you can do the
3;
follo%in":
To !ie% the status of indi!idual updates for the computer, e<pand the
computer 7clic the X si"n ne<t to the computer8) 1n addition, you can see the
properties of an indi!idual update by clicin" the title of the update)
To !ie% more information about the specific status result of an update 7or,
the e!ent details8, clic the status for the update)
9) To print the report, under 2as"s, clic 1rint report)
S.nchroni/ation -esu!ts -eport
The &ynchroni>ation 4esults report enables you to see synchroni>ation information for
your ser!er for a "i!en time period, includin" errors that occurred durin" synchroni>ation
and a list of ne% updates) 1n addition, you can "et "eneral, status, and re!ision
information for each ne% update)
2o run a S.nchroni/ation -esu!ts report
2) *n the -eports pa"e, clic S.nchroni/ation -esu!ts) 6y default, the report
displays synchroni>ation results for the last ,0 days)
,) To chan"e the synchroni>ation period for the report, under >iew, select
another synchroni>ation period in the list, and then clic App!.)
9) To print the report, under 2as"s, clic 1rint report)
Note
The 1rint report tas is not enabled if you ha!e a dialo" bo< open) Bou
cannot use the 1rint report tas to print a dialo" bo<)
The report has four components, %hich are described in the follo%in" table)
Coponents of S.nchroni/ation -esu!ts -eport
Component Mame Purpose
?ast &ynchroni>ation 5isplays information about the last time the
$&(& ser!er synchroni>ed %ith Microsoft
(pdate or another $&(& ser!er, and if it
%as a successful synchroni>ation)
3)
&ynchroni>ation &ummary 5isplays summary information about ne%
updates and errors that occurred durin"
synchroni>ation)
;rrors @or each error, displays the date of the
error, a description of the error, and the
update 15 associated %ith the error)
Me% (pdates 5isplays the updates that ha!e been
synchroni>ed to the $&(& ser!er for the
"i!en time period)
Bou can !ie% the properties for each ne%
update by clicin" the update in the New
Updates list) The update properties dialo"
bo< that appears contains details, status,
and re!ision for the update) 1t is identical to
the update properties bo< that appears in
the &tatus of (pdates report %hen you clic
an update in the list) 1t is also identical to
the properties tabs associated %ith each
update on the Updates pa"e)
Settings Suar. -eport
The &ettin"s &ummary report enables you to !ie% and print a summary of all of the
settin"s that can be specified on the Options pa"e)
2o run a Settings Suar. report
2) *n the -eports pa"e, clic Settings Suar.)
The follo%in" table describes the components of the Settings Suar. report)
Coponents of Settings Suar. -eport
&ynchroni>ation &chedule The time that your $&(& ser!er
automatically synchroni>es to the update
source)
3<
2o print a Settings Suar. report
(nder 2as"s, clic 1rint report)
-unning Cop!iance Status -eports
Bou can !ie% or print t%o types of compliance status reports, one for indi!idual computers
and one for indi!idual updates:
The computer compliance status report summari>es information for a specific
computer, includin" basic soft%are and hard%are information, the success status of
the computerNs last contact %ith the $&(& ser!er, and cumulati!e and indi!idual
update status for the computer) 1n addition, you can "et more information about a
specific update by clicin" the update title)
The update compliance status report summari>es information for a specific
update, includin" the update properties, and status for each computer "roup) Bou can
run this report from the Updates pa"e as described in the follo%in" procedureJ
ho%e!er, this report is also a!ailable on e!ery update property dialo" bo<)
2o run a coputer cop!iance status report
1) *n the $&(& console toolbar, clic Coputers, and then clic the computer
for %hich you %ant to produce the compliance status report)
2) Clic 1rint status report)
,) 1f you %ant more information about a specific update under Update Status,
you can do the follo%in":
To !ie% the properties of an indi!idual update, clic the title of the update)
To !ie% more information about the specific status result of an update 7or
the e!ent details8, clic the status for the update)
9) To print the report, clic the Ci!e menu, and then clic 1rint)
2o run an update cop!iance status report
1) *n the $&(& console toolbar, clic Updates, and then clic the update for
%hich you %ant to produce the compliance report)
2) Clic 1rint status report)
,) To print the report, clic the Ci!e menu, and then clic 1rint)
3'
Securing Windows Server Update Services
@or synchroni>ation %ith upstream $&(& ser!ers, you can use &ecure &ocets ?ayer
7&&?8 protocol to secure the update metadata portion of the synchroni>ation) $&(& can
use &&? to:
;nable client computers and do%nstream $&(& ser!ers to authenticate an
upstream $&(& ser!er)
;ncrypt metadata passed on to client computers and do%nstream $&(&
ser!ers)
@or more information about confi"urin" your $&(& ser!er to use &&?, see 5eployin"
2roub!eshooting Windows Server Update
Services
This "uide pro!ides troubleshootin" information for $indo%s &er!er (pdate &er!ices)
%n this guide
$&(& &er!er .dministration 1ssues
Client Computer .dministration 1ssues
>erif.ing WSUS Server Settings
This topic co!ers typical $&(& &er!er settin"s)
Settings for Update Ci!e S.nchroni/ation and :own!oad
This section co!ers the follo%in" issues %hich affect update file synchroni>ation and
do%nload:
4e"istry settin"s
Confi"uration settin"s
11& settin"s
30
Permissions
%portant
These settin"s are confi"ured durin" $&(& setup by default) They are listed
here as a reference, to use as checpoints %hen troubleshootin") $hen
troubleshootin", you can !erify that these settin"s are in place)
-egistr. settings
@ollo%in" are re"istry settin"s confi"ured durin" setup on the $&(& ser!er) These
settin"s do not store ser!er confi"uration information) .ll confi"uration information is
stored in the $&(& database 7&(&56)mdf8)
.ll of the follo%in" 4e"istry entries are %ithin the D,4$MDSoftwareDMicrosoftDUpdate
ServicesDServerDSetup 4e"istry ey:
Content:ir Y the location under %hich update binaries and end user license
a"reement files are stored) 1f the user chose to install $M&5; durin" setup, this
location also contains the database stora"e files and lo" filesJ for e<ample, C:O$&(&)
Mote the follo%in":
JContent:irKDWsusContent contains the update files
JContent:irKDMSSA$GWSUS contains the database files 7if $M&5;8
2arget:ir Y the product installation locationJ for e<ample, C:OPro"ram
@ilesO(pdate &er!ices
Wsde%nsta!!ed Y this entry specifies %hether or not $M&5; %as used in the
ori"inal installationJ for e<ample, 1Gyes, 0Gno) Mote: This ey does not "et modified if
your later mi"rate the $M&5; database to a full &K? &er!er database)
S@!ServerNae Y The main re"istry ey used under re"ular ser!er operation)
This is used to bootstrap the ser!er components %ith the database ser!er %here the
rest of data and ser!er confi"uration is used) ;<: RcomputernameRO$&(& for
$M&5;) (se this ey to Cuicly fi"ure out %hich &K? ser!er the $&(& ser!er is
usin" 7especially in the remote &K? case8)
S@!:atabaseNae Y the name of the database) @or $&(& 2)0, this is al%ays
&(&56)
S@!AuthenticationMode Y the authentication mode $&(& uses to tal to the
database ser!er) @or $&(& 2)0, this is al%ays $indo%s.uthentication)
33
Configuration settings
.ll of the follo%in" ser!er confi"uration settin"s are stored inside the $&(& database
7&(&56)mdf8)
$hat is
confi"ured
5atabase stora"e location 5escription
(pdate
&tora"e
tbConfiguration%.#yncToMu
tbConfiguration%.,pstream#erver(ame
The first database
location specifies
the update source
for client computers)
The !alues possible
are:
0 Y $&(& ser!er
1 Y Microsoft
(pdate
The second
database location
specifies the name
of the upstream
$&(& ser!er, if you
ha!e chosen one as
the update source)
3(
$hat is
confi"ured
;<press 7P&@8
file do%nload
tbConfigurationC.+ownload'1pressPackages This settin" controls
%hether or not
e<press installation
files are
do%nloaded) The
!alues possible are:
0 Y 5o not
do%nload e<press
files 7default8 option)
1 Y 5o%nload
e<press files)
*n the $&(&
console, this is
confi"ured on the
.d!anced
&ynchroni>ation
*ptions bo<)
?an"ua"e
options
tb*anguage.'nabled This settin" controls
%hich lan"ua"e
binaries are to be
do%nloaded) 6y
default, all
lan"ua"es are
enabled)
*n the $&(&
console this is
confi"ured on the
.d!anced
&ynchroni>ation
*ptions bo<)
39
$hat is
confi"ured
61T&
do%nload
priority
tbConfigurationC.Bits+ownloadPriority$oregroun
d
This internal settin"
specifies %hether or
not to use
fore"round priority
for 61T& do%nloads)
The default is to use
throttled do%nloads)
This settin" %as
added to handle
issues %ith certain
pro<y ser!ers that
did not correctly
handle DTTP 1)1
restartable
do%nloads)
%%S settings
The follo%in" !irtual directories 7!roots8 are created in 11& 7in the 5efault $eb &ite by
default8 for client to ser!er synchroni>ation, ser!er to ser!er synchroni>ation, reportin",
and client self:update)
0root in 11& Properties
Client$eb&er!ice 5irectory: RPro"ram@ilesR(pdate
&er!icesO$eb&er!icesOClient$eb&er!ice
.pplication Pool: $susPool
&ecurity: .nonymous .ccess ;nabled)
;<ecute Permissions: &cripts *nly
Content 5irectory: e:O%susO%suscontent
&ecurity: .nonymous .ccess ;nabled
;<ecute Permissions: Mone
(+
5ss.uth$eb&er!ice 5irectory: RPro"ram@ilesR(pdate
&er!icesO$eb&er!icesO5ss.uth$eb&er!ice
4eportin"$eb&er!ice 5irectory: RPro"ram@ilesR(pdate
&er!icesO$eb&er!icesO4eportin"$eb&er!ice
&er!er&ync$eb&er!ice 5irectory: RPro"ram@ilesR(pdate
&er!icesO$eb&er!icesO&er!er&ync$eb&er!ice
&impth.uth$eb&er!ice 5irectory: RPro"ram@ilesR(pdate
&er!icesO$eb&er!icesO&imple.uth$eb&er!ice
$&(&.dmin 5irectory: RPro"ram@ilesR(pdate
&er!icesO.dministration
&ecurity: 1nte"rated $indo%s .uthentication)
(*
&elf(pdate 5irectory: RPro"ram@ilesR(pdate
&er!icesO&elf(pdate
&ecurity: .nonymous .ccess ;nabled,
1nte"rated $indo%s .uthentication)
1erissions
The follo%in" lists permissions necessary for specific folders on the $&(& ser!er dis
and re"istry permissions)
:is"
The follo%in" permissions are confi"ured durin" $&(& setup, and are important for 61T&
do%nloads to %or:
The root folder on the dri!e %here the WSUSContent folder resides 7for
e<ample, JMwindirMKO$&(&O$&(&Content8 must ha!e -ead permissions for
either the Users account or the N2 Authorit.DNetwor" Service account 7on
$indo%s 200,8) 1f this permission is not set, 61T& do%nloads %ill fail) Mote: this is the
permission that $&(& setup does not confi"ure, so mae sure the permissions are
set as described here
The $&(& content directory, usually JMwindirMKDWSUSDWSUSContent must
ha!e Cu!! Contro! permission "ranted to the N2 Authorit.DNetwor" Service
account) This permission is set by $&(& ser!er setup %hen it creates the directory,
but it is possible that your security soft%are mi"ht reset this) permission) Mot ha!in"
this permission set %ill also cause 61T& do%nloads to fail)
The N2 Authorit.DNetwor" Service account 7on $indo%s 200,8 must ha!e Cu!!
Contro! permissions to the follo%in" folders for the $&(& console to display the
pa"es correctly:
JMwindirMKDMicrosoft .NB2DCraewor"Dv*.*.<);;D2eporar. AS1.NB2
Ci!es
JMwindirMKD2ep
-egistr.
The follo%in" permissions are set for the 4e"istry durin" $&(& setup)
(;
The Users "roup must ha!e 4ead access to the
D,4$MDSoftwareDMicrosoftDUpdate ServicesDServer 4e"istry ey)
The follo%in" accounts must ha!e @ull Control permissions to the
D,4$MDSoftwareDMicrosoftDUpdate ServicesDServerDSetup 4e"istry ey:
AS1.NB2
Networ" Service 7for $indo%s &er!er 200,8
WSUS Adinistrators
WSUS Server Adinistration %ssues
%n this section
&etup 1ssues
(ninstallin" $&(& from &K? &er!er
Cannot access the $&(& console
(pdate stora"e issues
&ynchroni>ation issues
(pdate appro!al issues
Client computers do not appear in the $&(& console
6acup and restore issues
+eneral error messa"es
Setup %ssues
1f you are ha!in" trouble installin" $&(&, use the follo%in" information to troubleshoot
the problem)
Chec" for re@uired software and hardware
$&(& has a number of reCuirements that need to be met prior to installation) @or more
information, see 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
()
%n soe casesL setup ight fai! if .ou choose the WMS:B database
1n some cases, %hen you choose the $M&5; database, &etup tries to repair $M&5;
and falls into an infinite loop) This is a no%n issue %ith the 4C release of $&(&) (se
this Lno%led"e 6ase article at http:EE"o)microsoft)comEf%linEF?in1dG9200/ to reco!er
from this problem and install $&(& by usin" $M&5;)
%f the Server service is not running when .ou insta!! WSUSL the
WSUS insta!!ation fai!s
1f you select $M&5; for your database soft%are and the &er!er ser!ice is not runnin" on
the computer %here you intend to install $&(&, the $&(& installation fails) This is
because $M&5; reCuires the &er!er ser!ice to be runnin" to install, and if $M&5; fails
to be installed, the $&(& installation fails)
To %or around this issue, turn on the &er!er ser!ice, and run $&(& &etup a"ain) (se
the Lno%led"e 6ase article Bou cannot install M&5; 2000 if the &er!er ser!ice is not
runnin" at http:EE"o)microsoft)comEf%linEF?in1dG92003 to reco!er from this problem and
install $&(& by usin" $M&5;)
Bou cannot install M&5; 2000 if the &er!er ser!ice is not runnin"
Upgrade %ssues
When an upgrade fai!sL WSUS ight be uninsta!!ed
5ependin" on at %hat point an up"rade fails, you mi"ht lose your pre!ious $&(&
settin"s and data) Therefore, before attemptin" an up"rade, bac up the follo%in":
$&(& database
(pdate file stora"e folder
@or information about bacin" up and restorin" your e<istin" $&(& installation, see
6acin" (p $indo%s &er!er (pdate &er!ices)
Uninsta!!ing WSUS fro SA$ Server
1f you uninstall $&(&, read the follo%in" information)
(<
Uninsta!!ing ight !eave soe WSUS configurations on coputers
running SA$ server
?ocal &K? &er!er accounts that are created by $&(& &etup are not remo!ed by the
$&(& uninstall component) The $&(& uninstall component does not remo!e Met%or
&er!ice and .&P)M;T accounts from the local computer runnin" &K? ser!er) 1f some
other application or database is usin" these accounts, this ensures that these
applications or databases do not fail) 1f you are sure that no other application or database
reCuires the Met%or &er!ice or .&P)M;T accounts, you can manually remo!e them from
the computer runnin" &K? ser!er)
@or information about ho% to manually remo!e Met%or &er!ice or .&P)M;T accounts
from a computer runnin" &K? &er!er 2000 or M&5;, see &K? &er!er product
documentation) Bou can do%nload product documentation for &K? &er!er 2000 from the
&K? &er!er 2000 6oos *nline 7(pdated 20098 pa"e of the Microsoft $eb site at
http:EE"o)microsoft)comEf%linEF?in1dG1,3-3)
Cannot access the WSUS conso!e
1f you "et an error %hen usin" or tryin" to access the $&(& console, use the follo%in"
information to troubleshoot the problem)
Grant users perissions for WSUS conso!e access
1f users do not ha!e appropriate permissions for the $&(& console, they recei!e an
Aaccess deniedA messa"e %hen tryin" to access the $&(& console) Bou must be a
member of the .dministrators "roup or the $&(& .dministrators "roup on the ser!er on
%hich $&(& is installed in order to use the $&(& console)
Note
1f $&(& is installed on a domain controller, only a member of the 5omain
.dministrator "roup can use the $&(& console)
2o add a user to the WSUS Adinistrators group
1) *n the $&(& ser!er, clic Start, clic Adinistrative 2oo!s, and then clic
Coputer Manageent)
2) 1n Coputer Manageent, e<pand $oca! Users and Groups, clic
Groups, and then double:clic WSUS Adinistrators)
,) 1n the WSUS Adinistrators 1roperties dialo" bo<, clic Add)
9) 1n the Bnter the obNect naes to se!ect 7e5ap!es8 bo<, type the object
('
name, and then clic O4)
=ou cannot access the WSUS conso!e with an %1 address when
WSUS is configured to use a pro5. server
1f you ha!e $&(& confi"ured to use a pro<y ser!er, then you cannot access the $&(&
console by usin" an 1P address) To %or around this issue, use a domain name to access
the $&(& ser!er, for e<ample, for the user name, type: +omain(ame<user name for the
user name, %hen prompted to lo" in on the $&(& console)
Cannot access the WSUS conso!e and a tieout error essage
appears
1f you cannot access the $&(& console and a timeout error messa"e appears, the CP(
of the $&(& ser!er may be at, or !ery close to, ma<imum utili>ation, causin" the
database to time out) 1f the database soft%are times out, the $&(& console cannot be
displayed)
*ne %ay of inad!ertently o!erta<in" your $&(& ser!er is to ha!e anti!irus soft%are
installed on it, %hich is monitorin" the $&(& content directory) 5urin" synchroni>ation,
the anti!irus soft%are can o!erload out the CP() Bou can %or around this situation by
settin" the anti!irus soft%are to i"nore %here $&(& content is stored)
Cannot access the WSUS conso!e on a Windows ;+++ server after
app!.ing the hisec server.inf securit. tep!ate
This issue applies only to $indo%s 2000 ser!ers) 1f you cannot access the $&(&
administrati!e console after applyin" the hisec ser!er)inf security template, you need to
rela< security permissions for .&P)M;T and 1$.M local machine accounts in order for
the $&(& console to function)
The %oraround is to "i!e read access for 1$.M and .&P)M;T accounts to the follo%in"
re"istry ey)
,4B=H$OCA$HMAC,%NBDsoftwareDicrosoftDupdate services
2o give read access for the %WAM account on Windows ;+++ Server configured
as a doain contro!!er
1) Clic Start, and then clic -un)
2) 1n the Open bo<, type regedit.e5e and then clic O4)
,) 1n 4e"istry ;ditor, na!i"ate to the follo%in" ey:
(0
,4B=H$OCA$HMAC,%NB DSoftwareDMicrosoftDUpdate Services
9) Point to Bdit, and then clic 1erissions)
-) 1n the 1erissions for Microsoft Windows Server Update Services
properties dialo" bo<, clic Add)
6) 1n the Se!ect UsersL CoputersL or Groups bo<, clic $ocations)
/) 1n the $ocations dialo" bo<, select the local computer, and then clic O4)
2) 1n the Se!ect UsersL CoputersL or Groups bo5, type
computer=nameDAS1NB2 and computer=nameD%WAMHcomputer=name in the
Bnter the obNect nae to se!ect 7e5ap!es8 bo<) (se a semicolon to separate
names) @or e<ample, type
computer=nameDAS1NB2Ocomputer=nameD%WAMHcomputer=name
%here computer=name is the name of the computer)
3) &elect computer=nameDAS1NB2, and clic the -ead bo< in the A!!ow
column)
10) &elect computer=nameD%WAMHcomputer=name, and clic the -ead bo< in
the A!!ow column, and then clic O4)
1rooting the WSUS server to a doain contro!!er ight disrupt
.our abi!it. to access the WSUS conso!e
$hen you promote a $&(& ser!er to a domain controller and then try to access the
$&(& console, you mi"ht recei!e a messa"e similar to the follo%in":
Server Error in '/' Application.
Access to the path "C:\WIN!WS\"icrosoft.NE#\$ra%e&or'\v(.(.)*++\#e%porar, AS-.NE#
$iles\&susad%in\.c/(a012\0)/1+.1a\glo1al.asa3.3%l" is denied.
This occurs if 11& 6)0 and .&P)M;T are installed on the ser!er before the ser!er is
promoted to a domain controller) This is because the Met%or &er!ice "roup does not
ha!e sufficient permissions for the Temporary .&P)M;T @iles folder) To a!oid this
problem, mae sure that you promote the $&(& ser!er to a domain controller before you
install 11& 6)0 and .&P)M;T) To resol!e this issue, enable appropriate permissions for the
Met%or &er!ice "roup by usin" the follo%in" procedure)
(3
2o enab!e appropriate perissions for the Networ" Service group
,) .t the command prompt, type the follo%in", and then press ;MT;4:
drive>DwindowsDicrosoft .netDfraewor"Dv*.*.<);;DaspnetHregiis 6i
%here drive is the dri!e letter of the dis on %hich you installed $indo%s)
Cannot access the WSUS conso!e on Windows ;+++ Server
configured as a doain contro!!er
1f you cannot access the $&(& administrati!e console and you are usin" $indo%s 2000
&er!er confi"ured as a domain controller, you need to rela< security permissions for
.&P)M;T in order for the $&(& console to function) The %oraround is to "i!e read
access for 1$.M account to ;windir;Oassembly)
2o give read access for the %WAM account on Windows ;+++ Server configured
as a doain contro!!er
.t the command prompt, type the follo%in", and then press ;MT;4:
cac!s ;windir;Dasseb!. /e /t /p %WAMH1111:-
%here ;windir; is the $indo%s directory of the computer and %here
1$.MS1111 is the 1$.M computer account)
@or details, see the Lno%led"e 6ase article at http:EEsupport)microsoft)comEdefault)asp<F
scidGbJP?MQJ,1/012
Update storage issues
(pdates can be stored on the local $&(& ser!er or on Microsoft (pdate) (se this
section to troubleshoot problems %ith update stora"e)
2he updates !isted in the WSUS conso!e do not atch the updates
!isted in .our !oca! fo!der
This can happen under different circumstances) @or e<ample, if updates are stored on a
dis separate from the $&(& application itself, and that dis fails, %hen you replace the
((
failed dis %ith a ne% 7empty8 dis, the $&(& application %ill still sho% all of the updates
as do%nloaded)
To ha!e $&(& !erify %hich updates are stored on the dis, you must run the
$&(&util)e<e usin" the reset command)
Note
Performin" a reset causes the $&(& ser!er to be unresponsi!e for up to fi!e
minutes)
2o have WSUS verif. !oca!!. stored updates
,) .t the command prompt, na!i"ate to the directory that contains
$&(&util)e<e)
9) Type the follo%in", and then press ;MT;4: wsusuti!.e5e reset
S.nchroni/ation issues
&ynchroni>ation is the process in %hich the $&(& ser!er connects to Microsoft (pdate
or to another $&(& ser!er and do%nloads updates) 5urin" synchroni>ation, $&(&
determines if any ne% updates ha!e been made a!ailable since the last time you
synchroni>ed) 1f it is your first time synchroni>in" $&(&, all updates are made a!ailable
for appro!al) 1f synchroni>ations are failin", you can try the follo%in" procedures)
Chec" pro5.6server settings b. using the WSUS conso!e
1f your $&(& ser!er is connected to Microsoft (pdate !ia a pro<y ser!er, you must use
the $&(& console to allo% $&(& to access the 1nternet) @or basic instructions about
settin" up a pro<y ser!er, see 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
http:EE"o)microsoft)comEf%linEFlinidG91///HclcidG0<903) 1f your pro<y ser!er supports
authentication, mae sure you ha!e the correct user name, pass%ord, and domain) Mote
that if you use the $&(& console option for A!!ow basic authentication 7password in
c!ear te5t8, the pass%ord for the account is sent o!er the net%or in unencrypted te<t)
(9
Chec" the nae of the upstrea WSUS server
1f your $&(& uses another $&(& ser!er as its update source, mae sure you are usin"
the correct name for the upstream $&(& ser!er and that you ha!e spelled it correctly)
@or basic instruction about synchroni>in" t%o $&(& ser!ers, see 5eployin" Microsoft
$indo%s &er!er (pdate &er!ices at http:EE"o)microsoft)comEf%linEF
linidG91///HclcidG0<903) The name that you enter in the $&(& console on the
do%nstream $&(& ser!er must match the name of the upstream $&(& ser!er)
To determine if there is a problem %ith net%or name resolution ser!ices, use the ping
command from the do%nstream $&(& ser!er that cannot synchroni>e) Bou should use
the same namin" con!ention that is used in the $&(& console) @or e<ample, if you used
a Met61*& name in $&(& console, use the Met61*& name of the upstream ser!er %ith
the ping command) 1f you cannot pin" the upstream ser!er, you mi"ht ha!e a problem
%ith net%or name resolution ser!ices) To %or around this type of issue, you could use a
different name resolution ser!ice or the 1P address of the upstream ser!er)
2o ping an upstrea WSUS server b. using the ping coand
1) Clic Start, and then clic -un
,) Type the follo%in", and then press ;MT;4:
ping W#,##erver(name
%here W#,# server name is the name of the upstream $&(& ser!er you are
tryin" to synchroni>e %ith)
Chec" update storage options
1f you ha!e multiple $&(& ser!ers chained to"ether in a hierarchy, the entire hierarchy
must use the same update stora"e option or else synchroni>ations fail) @or e<ample, if
the upstream $&(& ser!er stores content locally, all the do%nstream $&(& ser!ers
must store content locally) Chec that each $&(& ser!er in the chain uses the same
update stora"e option) @or information about ho% to set $&(& update stora"e options,
see 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
>erif. that users and the networ" service have -ead perissions to
the !oca! update storage director.
1f you store update files on your $&(& ser!er, you need to ensure that the folder to
%hich you do%nload update files has at least 4ead permissions for the net%or ser!ice
9+
and for users) This is true %hether the ser!er you do%nload the update files to is an
upstream or do%nstream $&(& ser!er) The folder %here update files are stored if you
ha!e chosen to store them locally 7as opposed to storin" them on Microsoft (pdate
ser!ers8 is ;systemdrive;O(pdate &er!icesO(& content)
On a downstrea WSUS serverL chec" that the updates are avai!ab!e
on the upstrea WSUS server
There are number of situations %here the updates on the upstream ser!er no lon"er
match the updates bein" reCuested at synchroni>ation by the do%nstream ser!er) &ome
of the follo%in" are e<amples of %hen this mi"ht occur:
.n upstream $&(& ser!er is re:installed and the list of classifications and
products the administrator selects is a reduced number than pre!iously selected on
the earlier installation of the $&(& upstream ser!er) The do%nstream ser!er7s8
mi"ht then attempt to synchroni>e updates that the ne%ly rebuilt upstream ser!er has
no no%led"e of) Therefore the synchroni>ation %ould fail for those updates that do
not e<ist on the upstream ser!er)
1f you confi"ure a do%nstream ser!er to "et updates from a different upstream
ser!er %ith different products and classifications selected)
To troubleshoot this issue, on the do%nstream ser!er, mae a note of the title of the
updates for %hich do%nload failed) These %ill be !isible on the (pdates pa"e, and
mared %ith a red =) Then, chec if these updates e<ist on the upstream ser!er 7loo at
the (pdates pa"e) 1f they do not match, do one of the follo%in", dependin" on %hich
updates you need:
&pecify the missin" updates on the upstream ser!er, and then synchroni>e from
the update source)
*n the do%nstream ser!er, cancel the updates that are not on the upstream
ser!er, if these updates are no lon"er needed) Then decline the old updates on the
do%nstream ser!er)
1f the missin" updates 7accordin" to the do%nstream ser!er8 are actually
a!ailable on the upstream ser!er, then the error is transient, meanin" the update
mi"ht ha!e been do%nloaded to the upstream ser!er after it %as reCuested by the
do%nstream ser!er) This issue %ill resol!e itself the ne<t time the do%nstream ser!er
synchroni>es to the upstream ser!er)
9*
-estart the ?%2S service
1f the 61T& ser!ice %as disabled durin" synchroni>ation, synchroni>ation %ill fail) To
ensure that the 61T& ser!ices is properly enabled, restart both the 61T& ser!ice and
restart the $&(& ser!ice)
2o restart the ?%2S service and the WSUS service
1) *n the $&(& ser!er, clic Start, point to Adinistrative 2oo!s, and then
clic Services)
2) 4i"ht:clic ?ac"ground %nte!!igent 2ransfer Service, and then clic
-estart, or clic Start if the 61T& ser!ice is not runnin" or has been disabled)
,) 4i"ht:clic Windows Update Service, and then clic -estart)
9) 4etry synchroni>ation: in the $&(& console, clic Options, clic
S.nchroni/ation Options, and then under 2as"s, clic S.nchroni/e now)
%f .ou are unab!e to down!oad update fi!es to .our !oca! WSUS serverL
.our server ight not support the necessar. ,221 protoco!
1f synchroni>ation of update files to your $&(& ser!er fails, you mi"ht see the follo%in"
messa"e in the correspondin" e!ent lo":
Content file do&nload failed. 4eason: #he server does not support the necessar,
5##- protocol. 6ac'ground Intelligent #ransfer Service 76I#S8 re9uires that the
server support the 4ange protocol header.Source $ile: /%sdo&nload/update/v*:
(///;2(./ca1pool/&indo&s+;;;:'1.<***/:3.0:
enu=2;;e)0201)f;ca*)*(2020*(/./;/;11ee1<)1cc.e3e estination $ile: >drive
>\&sus\WsusContent\WsusContent\CC\2;;E)0206)$;CA*)*(2020*(/./;/;66EE6<)6CC.E?E.
This problem occurs if your pro<y en!ironment doesnZt support DTTP 1)1 Protocol) Bou
can manually %or around this by runnin" the follo%in" commands at the command
prompt to confi"ure 61T&)
2o reso!ve this issue:
1) Type: net stop WSUSService, and then press ;MT;4)
2) Type the follo%in" and then press ;MT;4:
P;programfiles;DUpdate ServicesDtoo!sDos@!Dos@!.e5eP
6S #9*=nstance(ame
6B 6b 6n IA PUSB SUS:? update tbConfigurationC
9;
set ?its:own!oad1riorit.Coreground&*P
,) Type: net start WSUSService)
9) Close the command prompt %indo% and retry synchroni>ation: in the $&(&
console, clic Options, clic S.nchroni/ation Options, and then under 2as"s,
clic S.nchroni/e now)
2he nuber of updates that are approved on a parent upstrea
server does not atch the nuber of approved updates on a
rep!ica server
This mi"ht occur if you ha!e chan"ed lan"ua"e settin"s on the parent upstream ser!er
after first synchroni>in" %ith the old lan"ua"e settin"s) @or more information see
A?istinacti!eappro!alsA in Mana"in" $&(& from the Command ?ine)
Update approva! issues
1f you are ha!in" problems %ith appro!als, use the follo%in" sections to troubleshoot the
problem)
%f %%S $oc"down is insta!!ed on WSUS and c!ient coputersL do not
down!oad updates stored on the WSUS server
1f you are usin" the 11& ?ocdo%n $i>ard and ha!e installed the (4?&can tool, ensure
that you edit the (rlscan)ini file to allo% [)e<e reCuests)
.fter you edit this file, you must restart both 11& and the $&(& ser!er) Bou can find the
(rlscan)ini file in theO$1MMTO&ystem,2O1netser!O(rlscan directory on the boot dri!e of
your computer)
2o edit the Ur!scan.ini fi!e
1) *pen (rlscan)ini in a te<t editor)
2) 4emo!e A)e<eA from the P5eny;<tensionsQ section)
,) Mae sure the follo%in" settin"s appear under the P.llo%0erbsQ section:
+;T
D;.5
P*&T
*PT1*M&
9)
New approva!s can ta"e up to one inute to ta"e effect
1f you appro!e an update on the $&(& console and there are client computers runnin"
detection at that e<act moment, those computers mi"ht not "et the appro!ed update until
they "o throu"h another detection cycle) The $&(& ser!er reCuires appro<imately one
minute to be"in offerin" ne%ly appro!ed updates to client computers)
-eote coputers accessed b. using 2erina! Services cannot be
restarted b. non6adinistrators
Mon:administrators usin" terminal ser!ices computers %ill not be able to restart their
computers remotely) Therefore, if a remote computer on %hich an update is installed
needs to be restarted for the update to tae effect, users %ithout administrati!e
permissions %ill be unable to complete the updatin" of their remote computer)
2he nuber of updates that are approved on a parent upstrea
server does not atch the nuber of approved updates on a
rep!ica server
This mi"ht occur if you ha!e chan"ed lan"ua"e settin"s on the parent upstream ser!er
after first synchroni>in" %ith the old lan"ua"e settin"s) @or more information see
A?istinacti!eappro!als,A in Mana"in" $&(& from the Command ?ine)
C!ient coputers do not appear in the WSUS conso!e
1f you are ha!in" problems %ith client computers not appearin" on the Coputers pa"e
in $&(& console, use the follo%in" sections to troubleshoot the problem)
1rob!e with c!ient se!f6update
1f you cannot "et clients to appear on the Coputers pa"e in the $&(& console, it is
almost al%ays a problem %ith client self:update, %hich is the mechanism that $&(&
uses to update the &(& client to the $&(& client 7.utomatic (pdates8 soft%are) @or
more information about client:self update, see .utomatic (pdates must be updated)
9<
?ac"up and restore issues
%f .ou cannot access WSUS data after restoring the databaseL chec"
the WSUS server nae and user perissions for the
database
1f you restore a $&(& database but cannot access the restored from the $&(& console
chec for the follo%in":
1f you ha!e chan"ed the $&(& ser!er name since the bacup, you must add the
correspondin" users to the database to enable the $&(& console to access the
data)
1f you restore the bacup to a $&(& ser!er other than the one from %hich you
baced up the database, you %ill ha!e the same result and must also add the
correspondin" users)
1n either case, the users need to be "ranted permissions for public and $eb
ser!ice)
Genera! error essages
This topic co!ers "eneral error messa"es displayed on the ,oe pa"e or in dialo" bo<es
that open from the $&(& console)
Qsoe services are not running. Chec" the fo!!owing servicesQ
*n the ,oe pa"e, you mi"ht recei!e a messa"e tellin" you to chec specific ser!ices)
The follo%in" briefly co!ers the ser!ices)
Se!fupdate
&ee .utomatic (pdates must be updated for information about troubleshootin" the
&elfupdate ser!ice)
WSUSService.e5e
This ser!ice facilitates synchroni>ation) 1f you ha!e problems %ith synchroni>ation,
access $&(&&er!ice)e<e by clicin" the Start button, pointin" to Adinistrative 2oo!s,
clicin" Services, and then findin" Windows Server Update Service in the list of
ser!ices) 5o the follo%in":
0erify that this ser!ice is runnin") Clic Start if it is stopped or -estart to refresh
the ser!ice)
9'
Bou can also use ;!ent 0ie%er to chec the App!ication, Securit., and S.ste
e!ent lo"s to see if there are any e!ents that mi"ht indicate a problem)
Bou can also chec the &oft%are5istribution)lo" to see if there are e!ents that
mi"ht indicate a problem)
Web services
$eb ser!ices are hosted in 11&) 1f they are not runnin", ensure that 11& is runnin" 7or
started8) Bou can also try resettin" the $eb ser!ice by typin" iisreset at a command
prompt)
SA$ service
;!ery ser!ice e<cept for the selfupdate ser!ice reCuires that the &K? ser!ice is runnin") 1f
any of the lo" files indicate &K? connection problems, chec the &K? ser!ice first) To
access the &K? ser!ice, clic the Start button, point to Adinistrative 2oo!s, clic
Services, and then loo for one of the follo%in":
MSSA$SB->B- 7if you are usin" $M&5; or M&5;, or if you are usin" &K?
&er!er and are usin" the default instance name for the instance name8
MSSA$GWSUS 7if you are usin" a &K? &er!er database and ha!e named your
database instance A$&(&A8
4i"ht:clic the ser!ice, and then clic Start if the ser!ice is not runnin" or -estart to
refresh the ser!ice if it is runnin")
C!ient Coputer Adinistration %ssues
%n this section
.utomatic (pdates must be updated
Computers are not appearin" in the correct computer "roups
Autoatic Updates ust be updated
$&(& uses 11& to automatically update most computers to the $&(&:compatible
.utomatic (pdates 7W#,# client8) This process is called client self4update) To
accomplish client self:update, $&(& &etup creates a !irtual directory under the $&(&
$eb site named &elfupdate) This !irtual directory holds the $&(&:compatible .utomatic
(pdates) This is called the selfupdate tree)
(sin" +roup Policy to point client computers to your $&(& ser!er should e!entually
cause an .utomatic (pdates detection and client self:update) @or more information about
90
this process, see 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
2roub!eshooting c!ient se!f6update issues
1f the client self:update does not %or automatically, use the follo%in" su""estions to
troubleshoot the problem)
,ow to differentiate between the SUS c!ient and WSUS c!ient
(se the .utomatic (pdates user interface 7(18 to differentiate bet%een the &(& and
$&(& clients) The follo%in" illustrations sho% the user interface of the &(& and $&(&
clients)
SUS C!ient
93
WSUS C!ient
>erif. that the c!ient software in .our organi/ation can se!f6update
&ome computers mi"ht already ha!e the $&(& client installed) *ther computers mi"ht
ha!e a !ersion of .utomatic (pdates that is incapable of performin" self:update) @or
more information see 5eployin" Microsoft $indo%s &er!er (pdate &er!ices at
http:EE"o)microsoft)comEf%linEFlinidG91///HclcidG0<903) 1f the clients in your
or"ani>ation are capable of and reCuire self:update but are still not self:updatin", see the
ne<t section)
>erif. that the SUS c!ients are pointed to the WSUS server
1f you ha!e the $&(& client installed but the client computer is pointed to a &(& ser!er,
.utomatic (pdates falls into le"acy mode and the client computer uses the &(& client
user interface) 1n this case you need to redirect the computer a%ay from the &(& ser!er
to "et the $&(& client to function) $hen you point .utomatic (pdates a%ay from the
9(
&(& ser!er, it automatically comes out of le"acy mode and the ne% client user interface
appears)
1f your client computers are pointed to the $&(& ser!er and you do not see the $&(&
client user interface sho%n abo!e, see the ne<t section)
Chec" for the se!fupdate tree on the WSUS server
$&(& uses 11& to automatically update most client computers to the $&(&:compatible
.utomatic (pdates) To accomplish this, $&(& &etup creates a !irtual directory named
&elfupdate, under the $eb site runnin" on port 20 of the computer %here you install
$&(&) This !irtual directory, called the self4update tree, holds the latest $&(& client)
@or this reason, you must ha!e a $eb site runnin" on port 20, e!en if you put the $&(&
$eb site on a custom port) The $eb site on port 20 does not ha!e to be dedicated to
$&(&) 1n fact, $&(& only uses the site on port 20 to host the self:update tree)
To ensure that the self:update tree is %orin" properly, first mae sure there is a $eb site
set up on port 20 of the $&(& ser!er) Me<t, type the follo%in" at the command prompt of
the $&(& ser!er:
cscript W#,#nstallation+rive:Dprogra fi!esDicrosoft windows server update
servicesDsetupD%nsta!!Se!fupdateOn1ort(+.vbs
1f you ha!e $&(& client self:update runnin" on port 20 of the $&(& ser!er, see the ne<t
section)
Chec" %%S !ogs on the WSUS Server
Chec the 11& lo"s on the $&(& ser!er) 11& lo"s are typically located in ;windir
;Osystem,2O?o"@ilesO$,&0C1 for the default $eb site) 1f you copied the $utrac)bin file
to the O1netPubO%%%root folder on the $&(& ser!er %hen you set up client self:update,
you can open the 11& lo"s and search for $utrac)bin to attempt to locate error messa"es
about %hy self:update is failin") Typical errors mi"ht be 909 7file not found8 901E90,
7authenticationEaccess8, and -00 71nternal ser!er error8) (se 11& Delp to troubleshoot any
problems found in the 11& lo"s)
%f .ou have insta!!ed WindowsR Share1ointR Services on the defau!t Web site in
%%SL configure it to not interfere with Se!f6update
1f you install Microsoft $indo%s &harepoint &er!ices on the same ser!er that is runnin"
$&(&, you mi"ht "et the follo%in" issues:
.n A.ccess deniedA messa"e appears %hen .utomatic (pdates tries to update
itself, and the latest .utomatic (pdates %ill not be runnin")
99
*n the ,oe pa"e, you a messa"e appears %arnin" you that the &elf(pdate
ser!ice is not a!ailable)
1f client computers are not runnin" the $&(&:compatible !ersion of .utomatic (pdates,
they %ill not be able to recei!e updates throu"h $&(&)
2o reso!ve this issue
1) +rant .nonymous access 7.nonymous .uth8 to the 5efault $eb site,
Client$eb&er!ice and &elfupdate !:roots in 11&)
2) ;<clude specific reCuests from bein" intercepted by the $indo%s &harepoint
&er!ices 1&.P1 5?? by doin" the follo%in":
a) *pen the $indo%s &harepoint &er!ices Central .dministration &ite 7clic
Start, point to Adinistrative 2oo!s, and then clic Sharepoint Centra!
Adinistration8)
b) Clic >irtua! Server Configuration, and then clic Configure >irtua!
Server Settings)
c) Clic :efau!t Web Site)
d) Clic >irtua! Server Manageent, and then clic :efine anaged
paths)
e) 1n the Add a new pathbo<, set the type to e<cluded path) (nder 1ath,
type the follo%in":
P/iuident.cabP
P/wutrac".binP
P/c!ientwebserviceP
P/Se!fupdateP
Chec" networ" connectivit. on the WSUS c!ient coputer
Chec net%or connecti!ity on the $&(& client computer) (se 1nternet ;<plorer to
determine if self:update files on the $&(& ser!er are accessible to the client computer) 1f
you perform the follo%in" procedure and are prompted to do%nload or open the files, you
ha!e !erified net%or connecti!ity) 1t is not necessary to sa!e or open the files) Bou
cannot self:update .utomatic (pdates this %ay) 1f you do not ha!e access to these files,
troubleshoot net%or connecti!ity bet%een the $&(& client computer and the $&(&
ser!er)
*++
2o chec" networ" connectivit. on the WSUS c!ient coputer
1) Clic Start, and then clic -un)
2) 1n the Open bo<, type ie5p!ore and then press ;MT;4
,) 1n the 1nternet ;<plorer Address bar, type:
http://W#,##erver(ame/iuident.cab
%here W#,# server name is the name of your $&(& ser!er) ;nsure that you are
prompted to do%nload or open 1uident)cab) This !erifies net%or connecti!ity from the
$&(& client and the a!ailability of the 1uident)cab file on the $&(& ser!er)
9) 1f there are any bo<es promptin" you to do%nload or sa!e, clic Cance!) 1n 1nternet
;<plorer Address bar, type:
http://W#,##erver(ame/se!fupdate/AU/5(0/osvariable/languagevariable/wuaucop.cab
%here W#,##erver(ame is the name of your $&(& ser!er and %here osvariable is a
!ariable indicatin" the operatin" system of the client computer) The possible !ariables for
osvariableare Met&er!er, $2L or =P, and %here languagevariable is a !ariable indicatin"
the lan"ua"e of the operatin" system of the client computer) The possible !ariables for
oslanguage are based on the standard 2: to 9:letter lan"ua"e abbre!iations) @or e<ample,
here is a (4? for a client computer runnin" an ;n"lish !ersion of $indo%s =P:
http:EEW#,##erver(ameEselfupdateE.(E<26E=PE;ME%uaucomp)cab
;nsure that you are prompted to do%nload or sa!e $uaucomp)cab) This !erifies net%or
connecti!ity from the $&(& client and the a!ailability of the 1uident)cab file on the $&(&
ser!er)
1f you are prompted to sa!e or do%nload both of these files, see the ne<t section)
Chec" !ogs on the SUS c!ient coputer
Chec the ;windir;O%indo%s update)lo" on the client computer to see if there has been
any acti!ity or any attempts to contact the ser!er) Chec the ;systemdrive;Opro"ram
filesO%indo%supdateO!9Ourllo")dat file on the client computer for cached ser!er pin"bacs
if the client computer has not been able to communicate %ith the ser!er)
These files are hidden by default) (se the follo%in" procedure to display hidden files and
folders in $indo%s &er!er 200,)
2o disp!a. hidden fi!es and fo!ders on Windows Server ;++)
1) 1n Control Panel, open Co!der Options)
2) *n the >iew tab, under ,idden fi!es and fo!ders, clic Show hidden fi!es
*+*
and fo!ders)
1f you can find no problem %ith the lo"s on the $&(& client, see the ne<t section)
Manipu!ate registr. settings on the SUS c!ient coputer
1f all else has failed, you can attempt to manually manipulate re"istry settin"s to "et the
client computer to self:update to the $&(& client)
2o anua!!. anipu!ate registr. settings on the SUS c!ient coputer
2) 1n the Open bo<, type regedit and then clic O4)
,) 1n 4e"istry ;ditor, na!i"ate to the WindowsUpdate ey by e<pandin" the follo%in":
,4B=H$OCA$HMAC,%NBDSoftwareD1o!iciesDMicrosoftDWindowsD
1f the WindowsUpdate ey does not e<ist, do the follo%in":
9) *n the menu, clic Bdit, point to New, and then clic 4e.)
-) Type WindowsUpdate as the name for the ne% ey)
6) 5ouble:clic the WUServer settin", type the (4? to your $&(& ser!er, and then press
;MT;4)
1f the WUServer settin" does not e<ist, do the follo%in":
*n the menu, clic Bdit, point to New, and then clic String >a!ue)
/) Type WUServer as the settin" name)
2) 5ouble:clic the WUStatusServer settin", type the (4? to your $&(& ser!er, and then press
;MT;4)
1f the WUStatusServer settin" does not e<ist, do the follo%in":
*n the menu, clic Bdit, point to New, and then clic String >a!ue)
3) Type WUStatusServer as the settin" name)
10) Ma!i"ate to the follo%in":
,4B=H$OCA$HMAC,%NBDSoftwareD1o!iciesDMicrosoftDWindowsDWindowsUpdateDAU
1f the AU ey does not e<ist, do the follo%in":
*n the menu, clic Bdit, point to New, and then clic 4e.)
11) Type AU as the name for the ne% ey)
*+;
12) 0erify that the UseWUServer settin" has a !alue of 1 70<18)1f it does not, modify it by double:
clicin" the settin" and then chan"in" the !alue)
1f the UseWUServer settin" does not e<ist, do the follo%in":
*n the menu, clic Bdit, point to New, and then clic :WO-: >a!ue)
1,) Type UseWUServer for the settin" name)
19) Ma!i"ate to the follo%in":
,4B=H$OCA$HMAC,%NBDSoftwareDMicrosoftDWindowsDCurrent>ersionDWindowsUpdateDAuto
Update
1-) ;nable and confi"ure .utomatic (pdates throu"h Control Panel:
Clic Start, clic Contro! 1ane!, and then double:clic Autoatic Updates)
16) 1n the Autoatic Updates dialo" bo<, specify do%nload and installation options, and then clic
O4) Mae sure that 2urn off Autoatic Updates is not selected)
1/) ;nsure that the AUState settin" has a !alue of 2 70<28) 1f it does not, modify it by double:
clicin" and chan"in" the !alue)
12) 1f the $astWait2ieout settin" e<ists, delete it)
13) 1f the :etectionStart2ie settin" e<ists, delete it)
20) .t the command prompt, type the follo%in", and then press ;MT;4 to stop the .utomatic
(pdates ser!ice:
net stop wuauserv
21) .t the command prompt, type the follo%in", and then press ;MT;4 to restart the .utomatic
(pdates ser!ice:
net start wuauserv
22) $ait appro<imately 6 to 10 minutes for the self:update to occur)
2o force the SUS c!ient coputer to chec" with the WSUS server
$ait appro<imately one minute, and then refresh the re"istry) Bou should
no% see the follo%in" settin"s and !alues:
:etectionStart2ie 7-BGHSS8 ====.MM.:: ,,.MM.SS. The
:etectionStart2ie !alue is %ritten in local time, but the detection actually
occurs - minutes after the time noted)
$astWait2ieout 7-BGHSS8 ====.MM.:: ,,.MM.SS. The
$astWait2ieout !alue is %ritten in +MT or (ni!ersal Time, and represents
*+)
the actual time that detection occurs)
.lthou"h these !alues refer to the time that detection is "oin" to start, the first phase of
detection is the process of checin" %hether a self:update is necessary) Therefore, these
!alues actually refer to %hen self:update from &(& client to the $&(& client should
occur)
1f the client soft%are has not self:updated after ten minutes, refresh the DAuto Update
re"istry ey) 1f the $astWait2ieout !alue has chan"ed and is no% 29 hours later than
its pre!ious !alue, that indicates that .utomatic (pdates %as not able to contact the
ser!er (4? that you specified in the WUServer !alue)
Coputers are not appearing in the correct coputer
groups
Client4side targeting is %hen you use +roup Policy or re"istry settin"s to mo!e computers
into tar"et "roups) @or more information about ho% to set up client:side tar"etin", see
5eployin" Microsoft $indo%s &er!er (pdate &er!ices at http:EE"o)microsoft)comEf%linEF
linidG91///HclcidG0<903) There are a number or reasons %hy computers mi"ht not
appear in "roups %hen you are usin" client:side tar"etin") (se the follo%in" information
to try to resol!e this problem)
>erif. that the WSUS conso!e is set to use c!ient6side targeting
6y default, the $&(& ser!er is set to use ser!er:side tar"etin") 1f you are usin" client:
side tar"etin", you need to set an option on the $&(& ser!er) @or more information
about ho% to set up client:side tar"etin", see 5eployin" Microsoft $indo%s &er!er
(pdate &er!ices at http:EE"o)microsoft)comEf%linEFlinidG91///HclcidG0<903)
>erif. that target coputer group naes atch groups on the WSUS
server
Mae sure the name of the tar"et computer "roup in +roup Policy matches the name of
the computer "roup on the $&(& ser!er) Chec the +roup Policy object 7+P*8 or the
re"istry settin" %here you enabled client:side tar"etin") Mae sure that there are no
discrepancies bet%een the name of the computer "roup used in +roup Policy and the
name of the "roup used on the ser!er) 1f $&(& cannot find a computer "roup on the
ser!er reported by a client computer, it loads the computer into the (nassi"ned
Computers "roup)
*+<
Wait an hour for changes to ta"e effect
1f you mae a chan"e to "roup membership by usin" client:side tar"etin" and the client
computer has already contacted the $&(& ser!er, it taes an hour for the ser!er to
chan"e the computerZs "roup membership) This is because $&(& uses cooies to
mana"e "roup membership %ith client:side tar"etin" and these cooies are set to e<pire
after one hour)
1f you cannot %ait an hour, use command:line options to reset the cooie and initiate
detection) @or information about ho% to use command:line options, see 5eployin"
Additiona! -esources for Windows
Server Update Services
@or more information and support, see the follo%in" resources)
Windows Server Update Services
Counities
Microsoft communities are "reat places to e<chan"e ideas %ith other users and discuss
common issues) Bou can read and %rite messa"es by usin" an MMTP:based ne%sreader
such as Microsoft *utloo ;<press) Bou can also use the $eb:based ne%sreader
pro!ided by Microsoft to access all of the ne%s"roups) To access the $&(&
Communities, "o to the follo%in":
$indo%s &er!er (pdate &er!ices Communities Domepa"e at
http:EE"o)microsoft)comEf%linEF?in15G9-21-
$indo%s &er!er (pdate &er!ices Public Me%s"roup at
http:EE"o)microsoft)comEf%linEF?in15G92,12)
More :ocuentation
@or hi"h:le!el information about %hatNs ne% and features of $&(&, see Microsoft
$indo%s &er!er (pdate &er!ices *!er!ie% at http:EE"o)microsoft)comEf%linEF
?in15G9221,)
*+'
@or step:by:step "uidance for "ettin" started, includin" installin" $&(&, settin"
up a client computer, and deployin" your first set of updates, see &tep:by:&tep +uide
to +ettin" &tarted %ith Microsoft $indo%s &er!er (pdate &er!ices at
http:EE"o)microsoft)comEf%linEF?in15G91//9)
@or information about plannin" for, installin", and then confi"urin" $&(&
components and infrastructure, see 5eployin" Microsoft $indo%s &er!er (pdate
&er!ices at http:EE"o)microsoft)comEf%linEFlinidG91///)
@or information that helps you automate tass or customi>e $&(&, see the
Microsoft $indo%s &er!er (pdate &er!ices &oft%are 5e!eloperNs Lit at
http:EE"o)microsoft)comEf%linEF?in15G9,033 and $indo%s (pdate ."ent &oft%are
5e!eloperNs Lit at http:EE"o)microsoft)comEf%linEF?in15G9,101) Mote that the
$indo%s (pdate ."ent is the .utomatic (pdates ser!ice) 6oth &5Ls contain
information about the application pro"rammin" interface 7.P18, as %ell as sample
scripts and ready:to:use tools for your $&(& deployment and implementation)
*+0

Microsoft Windows Server Update Services Operations Guide: Microsoft Corporation Published: January 16, 200

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Microsoft Windows Server Update Services Operations Guide: Microsoft Corporation Published: January 16, 200

Uploaded by

Copyright:

Available Formats

Microsoft Windows Server Update

Services Operations Guide

You might also like