Step-by-Step Guide to Getting Started with

Microsoft Windows Server Update Services

Step-by Step Guide to Getting Started with Microsoft Windows Server Update Services

Step 1: Review WSUS Installation Requirements:

Hardware recommendations for a server with up to 500 clients are as follows:

 1 gigahertz (GHz) processor

 1 gigabyte (GB) RAM

Software Requirements:

 Microsoft Internet Information Services (IIS) 6.0

 Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003.
 Background Intelligent Transfer Service (BITS) 2.0

Disk Requirements:

 A minimum of 1 GB free space is required for the system partition.

 A minimum of 6 GB free space is required for the volume where WSUS stores content; 30 GB is
recommended.
 A minimum of 2 GB free space is required on the volume where WSUS Setup installs Windows SQL
Server 2000 Desktop Engine (WMSDE).
Automatic Updates Requirements:
Automatic Updates is the client component of WSUS. Automatic Updates has no hardware requirements
other than being connected to the network. You can use Automatic Updates with WSUS on computers
running any of the following operating systems:

 Microsoft Windows 2000 Professional with Service Pack 3 (SP3) or Service Pack 4 (SP4),
Windows 2000 Server with SP3 or SP4, or Windows 2000 Advanced Server with SP3 or SP4.
 Microsoft Windows XP Professional, with or without Service Pack 1 or Service Pack 2.
 Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition;
Windows Server 2003, Datacenter Edition; or Windows Server 2003, Web Edition.

Step 2: Install WSUS on Your Server

To install WSUS on Windows Server 2003

1. Double-click the installer file WSUSSetup.exe.

Note:
The latest version of WSUSSetup.exe is available on the Microsoft Web site for
Windows Server Update Services at http://go.microsoft.com/fwlink/?LinkId=47374.
2. On the Welcome page of the wizard, click Next.
3. Read the terms of the license agreement carefully, click I accept the terms of the License
Agreement, and then click Next.
4. On the Select Update Source page, you can specify where clients get updates. If you select
the Store updates locally check box, updates are stored on the WSUS server and you select a
location in the file system to store updates. If you do not store updates locally, client computers
connect to Microsoft Update to get approved updates.
Keep the default options, and click Next.
 Select Update Source Page

5. On the Database Options page, you select the software used to manage the WSUS database.
By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs
Windows Server 2003.
If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by
clicking Use an existing database server on this computer and typing the instance name in
the SQL instance name box. For more information about database software options besides
WMSDE, see the “Deploying Microsoft Windows Server Update Services” white paper.
Keep the default options, and click Next.
 Database Options Page

6. On the Web Site Selection page, you specify the Web site that WSUS will use. This page also
lists two important URLs based on this selection: the URL to which you will point WSUS client
computers to get updates, and the URL for the WSUS console where you will configure WSUS.

If you already have a Web site on port 80, you may need to create the WSUS Web site on a
custom port. For more information about running WSUS on a custom port, see the “Deploying
Microsoft Windows Server Update Services” white paper.
Keep the default option and click Next.
 Web Site Selection Page

7. On the Mirror Update Settings page, you can specify the management role for this WSUS
server. If this is the first WSUS server on your network or you want a distributed management
topology, skip this screen.
If you want a central management topology, and this is not the first WSUS server on your
network, select the check box, and type the name of an additional WSUS server in the Server
name box. For more information about management roles, see the “Deploying Microsoft
Windows Server Update Services” white paper.
Keep the default option and click Next.
 Mirror Update Settings Page

8. On the Ready to Install Windows Server Update Services page, review the selections and
click Next.
 Ready to Install Windows Server Update Services Page

9. If the final page of the wizard confirms that WSUS installation was successfully completed, click
Finish.
Step 3: Configure the Network Connection

After installing WSUS, you are ready to access the WSUS console in order to configure WSUS and get
started. By default, WSUS is configured to use Microsoft Update as the location to obtain updates. If you
have a proxy server on your network, use the WSUS console to configure WSUS to use the proxy server.
If there is a corporate firewall between WSUS and the Internet, you might need to configure the firewall
to ensure that WSUS can obtain updates.

Step 3 contains the following procedures:

 Configure your firewall so that WSUS can obtain updates.

 Open the WSUS console.
 Configure proxy-server settings so that WSUS can obtain updates.

To configure your firewall

 If there is a corporate firewall between WSUS and the Internet, you might need to configure that
firewall to ensure that WSUS can obtain updates. To obtain updates from Microsoft Update, the
WSUS server uses port 80 for HTTP protocol and port 443 for HTTPS protocol. This is not
configurable.
 If your organization does not allow those ports and protocols open to all addresses, you can restrict
access to only the following domains so that WSUS and Automatic Updates can communicate with
Microsoft Update:
 http://windowsupdate.microsoft.com
 http://*.windowsupdate.microsoft.com
 https://*.windowsupdate.microsoft.com
 http://*.update.microsoft.com
 https://*.update.microsoft.com
 http://*.windowsupdate.com
 http://download.windowsupdate.com
  http://download.microsoft.com
 http://*.download.windowsupdate.com
 http://wustat.windows.com
 http://ntservicepack.microsoft.com

Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open,
you can configure multiple WSUS servers to synchronize with a custom port

To open the WSUS console

 On your WSUS server, click Start, point to All Programs, point to Administrative Tools, and
then click Microsoft Windows Server Update Services

Note:
You must be a member of either the WSUS Administrators or the local Administrators security
groups on the server on which WSUS is installed in order to use the WSUS console.
If you do not add http://<WSUS Web site name> to the list of sites in the Local Intranet zone in
Internet Explorer on Windows Server 2003, you might be prompted for credentials each time you
open the WSUS console.

You can also open the WSUS console from Internet Explorer on any server or computer on your
network by entering the following URL: http://WSUSservername/WSUSAdmin.

To specify a proxy server

1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. In the Proxy server box, select the Use a proxy server when synchronizing check box, and
then type the proxy server name and port number (port 80 by default) in the corresponding
boxes.
3. If you want to connect to the proxy server by using specific user credentials, select the Use
user credentials to connect to the proxy server check box, and then type the user name,
domain, and password of the user in the corresponding boxes. If you want to enable basic
authentication for the user connecting to the proxy server, select the Allow basic
authentication (password in clear text) check box.
4. Under Tasks, click Save settings, and then click OK in the confirmation dialog box.

Step 4: Synchronize the Server

By default, WSUS is configured to download Critical and Security Updates for all Microsoft products. To
get updates, you must synchronize the WSUS server.
Synchronization involves the WSUS server contacting Microsoft Update. After making contact, WSUS
determines if any new updates have been made available since the last time you synchronized. Because
this is the first time you are synchronizing the WSUS server, all of the updates are available and are
ready for your approval for installation.

To synchronize your WSUS server

1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Tasks, click Synchronize now

After the synchronization finishes, click Updates on the WSUS console toolbar to view the list of updates

Step 5: Update and Configure Automatic Updates

WSUS client computers require a compatible version of Automatic Updates. WSUS Setup automatically
configures IIS to distribute the latest version of Automatic Updates to each client computer that
contacts the WSUS server.

The best way to configure Automatic Updates depends upon your network environment. In an Active
Directory environment, you can use an Active Directory-based Group Policy object (GPO). In a non-
Active Directory environment, use the Local Group Policy object. Whether you use the Local Group
Policy object or a GPO stored on a domain controller, you must point your client computers to the WSUS
server, and then configure Automatic Updates.

Step 5 contains the following procedures:

 Load the WSUS Administrative Template.

 Configure Automatic Updates.
 Point client computers to your WSUS server.
 manually initiate detection on the client computer.

To add the WSUS Administrative Template

1. In Group Policy Object Editor, click either of the Administrative Templates nodes.
2. On the Action menu, click Add/Remove Templates.
3. Click Add.
4. In the Policy Templates dialog box, click wuau.adm, and then click Open.
5. In the Add/Remove Templates dialog box, click Close.

To configure the behavior of Automatic Updates

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative
Templates, expand Windows Components, and then click Windows Update.
2. In the details pane, double-click Configure Automatic Updates.
3. Click Enabled, and then click one of the following options:
 Notify for download and notify for install. This option notifies a logged-on administrative
user prior to the download and prior to the installation of the updates.
 Auto download and notify for install. This option automatically begins downloading
updates and then notifies a logged-on administrative user prior to installing the updates.
 Auto download and schedule the install. If Automatic Updates is configured to perform a
scheduled installation, you must also set the day and time for the recurring scheduled
installation.
 Allow local admin to choose setting. With this option, the local administrators are allowed
to use Automatic Updates in Control Panel to select a configuration option of their choice.
For example, they can choose their own scheduled installation time. Local administrators
are not allowed to disable Automatic Updates.
4. Click OK.

Note:
The setting Allow local admin to choose setting only appears if Automatic Updates has
updated itself to the version compatible with WSUS.

To point the client computer to your WSUS server

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative
Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, double-click Specify intranet Microsoft update service location.

3. Click Enabled, and type the HTTP URL of the same WSUS server in the Set the intranet
update service for detecting updates box and in the Set the intranet statistics server box.
For example, type http://servername in both boxes.

4. Click OK.

Note:
If you are using the Local Group Policy object to point this computer to WSUS, this setting
takes effect immediately and this computer should appear in the WSUS administrative
console in about 20 minutes. You can speed this process up by manually initiating a
detection cycle.
If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer
and type: gpupdate /force.

For client computers configured with the Local GPO, Group Policy is applied immediately and it will take
about 20 minutes.

Once Group Policy is applied, you can initiate detection manually. If you perform this step, you do not
have to wait 20 minutes for the client computer to contact WSUS.

To manually initiate detection by the WSUS server

1. On the client computer click Start, and then click Run.
2. Type cmd, and then click OK.
3. At the command prompt, type wuauclt.exe /detectnow. This command-line option instructs
Automatic Updates to contact the WSUS server immediately.

Step 6: Create a Computer Group

Computer groups are an important part of WSUS deployments, even a basic deployment. Computer
groups enable you to target updates to specific computers. There are two default computer groups: All
Computers and Unassigned Computers. By default, when each client computer initially contacts the
WSUS server, the server adds it to both these groups

Setting up computer groups is a three-step process. First, you specify how you are going to assign
computers to the computer groups. There are two options: server-side targeting and client-side
targeting. Server-side targeting involves manually adding each computer to its group by using WSUS.
Client-side targeting involves automatically adding the clients by using either Group Policy or registry
keys. Second, you create the computer group on WSUS. Third, you move the computers into groups by
using whichever method you chose in the first step.

You can use Step 6 to set up a test group that contains at least one test computer.

This step contains the following procedures:

 Specify server-side targeting.

 Create a group.
Move computers to the group

To specify the method for assigning computers to groups

1. On the WSUS console toolbar, click Options, and then click Computer Options.
2. In the Computer Options box, click Use the Move computers task in Windows Server
 Update Services.
3. Under Tasks, click Save settings, and then click OK when the confirmation dialog box
appears.

To create a group
1. On the WSUS console toolbar, click Computers.
2. Under Tasks, click Create a computer group.
3. In the Group name box, type Test, and then click OK.

To manually add a computer to the Test group

1. On the WSUS console toolbar, click Computers.
2. In the Groups box, click the group of the computer you want to move.
3. In the list of computers, click the computer you want to move.
4. Under Tasks, click Move the selected computer.
5. In the Computer group list, select the group you want to move the computer to, and then click
OK.

Step 7: Approve and Deploy Updates

In this step you approve an update for any test client computers in the Test group. Computers in the
group will check in with the WSUS server over the next 24 hours. After this period, you can use the
WSUS reporting feature to determine if those updates have been deployed to the computers. If testing
goes well, you can then approve the same update for the rest of the computers in your organization

Step 7 contains the following procedures:

 Approve and deploy an update.

Check the Status of Updates report

To approve and deploy an update

1. On the WSUS console toolbar, click Updates. By default, the list of updates is filtered to show
only Critical and Security Updates that have been approved for detection on client computers.
Use the default filter for this procedure.
2. On the list of updates, select the updates you want to approve for installation. Information about
a selected update is available on the Details tab. To select multiple contiguous updates, press
and hold down the SHIFT key while selecting; to select multiple non-contiguous updates, press
and hold down the CTRL key while selecting.
3. Under Update Tasks, click Change approval. The Approve Updates dialog box appears.
4. In the Group approval settings for the selected updates list, click Install from the list in the
Approval column for the Test group, and then click OK.
After 24 hours, you can use the WSUS reporting feature to determine if those updates have been
deployed to the computers

To check Status of Updates report

1. On the WSUS console toolbar, click Reports.
2. On the Reports page, click Status of Updates.
3. If you want to filter the list of updates, under View, select the criteria you want to use, and then
click Apply.
4. If you want to see the status of an update by computer group and then by computer, expand the
view of the update as necessary.
5. If you want to print the Status of Updates report, under Tasks, click Print report.
If the updates were successfully deployed to the Test group, you can approve the same updates for the
rest of the computers in your organization.

Microsoft Windows Server Update Services

Operations Guide

Managing Windows Server Update Services :

Setting Up and Running Synchronizations

The Synchronization Options page is the central access point in the WSUS console for customizing how
your WSUS server synchronizes updates. On this page, you can specify which updates are synchronized
automatically, where your server gets updates, connection settings, and the synchronization schedule.

After you synchronize updates to your WSUS server, you must then approve them before the WSUS
server can perform any action for them. The exceptions to this are updates classified as Critical
Updates and Security Updates, which are automatically approved for detection.

Synchronizing Updates by Product and Classification

Your WSUS server downloads updates based on the products or product families (for example,
Windows, or Windows Server 2003, Datacenter Edition) and classifications (for example, Critical Updates
or Security Updates) that you specify. At the first synchronization, your WSUS server downloads all of
the updates available in the categories you have specified. At subsequent synchronizations, your WSUS
server downloads only the newest updates (or changes to the updates already available on your WSUS
server) in the categories you specified.

You specify update products and classifications on the Synchronization Options page under Products
and Classifications. Products are grouped in a hierarchy, by product family.

The default setting for Products is All Windows Products, and for Update classifications, the default
setting is Critical Updates and Security Updates. You must specify update classifications individually.

To specify update products and classifications for synchronization

1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Products and Classifications, under Products, click Change.
3. In the Add/Remove Products dialog box, under Products, select the products or product
families for the updates you want your WSUS server to synchronize, and then click OK.
4. Under Products and Classifications, under Update classifications, click Change.
5. In the Add/Remove Classifications dialog box, in Classifications, select the update
classifications for the updates you want your WSUS server to synchronize, and then click OK.
6. Under Tasks, click Save settings, and then click OK.

Note
  If you want to stop synchronizing updates for one or more specific products or product
families, clear the appropriate check boxes in the Add/Remove Products dialog box,
and then click OK. Your WSUS server will stop synchronizing new updates for the
products you have cleared. However, updates that were synchronized for those products
before you cleared them will remain on your WSUS server and will be available on the
Updates page.

Configuring the Update Source:

The update source is the location from which your WSUS server gets its updates and update information
(metadata). You can specify that the update source be either Microsoft Update or another WSUS server
(in this scenario, the WSUS server that acts as the update source is the upstream server, and your server
is the downstream server).

To specify the update source for your WSUS server

1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Update Source, do one of the following:
 If you want your WSUS server to synchronize directly from Microsoft Update, click
Synchronize from Microsoft Update. If your server is running in replica mode, this
option will is disabled. For more information, see Running in Replica Mode.
 If you want to synchronize from another WSUS server in your network, click
Synchronize from an upstream Windows Server Update Services server, and then
type the server name and port number in the corresponding boxes.
 If you want to use Secure Socket Layers (SSL) when synchronizing update information
(metadata) synchronization, type the port number that the upstream server uses for SSL
 connections, and then select the Use SSL when synchronizing update information
check box. For more information about using SSL during synchronization, see Securing
Windows Server Update Services.
 If your WSUS server is running in replica mode, you just need to type the server name in
the Server name box. The upstream server does not have to be the administration server
(for example, it can be another replica mode server). For more information about replica
mode, see Running in Replica Mode.
3. Under Tasks, click Save settings, and then click OK.

Synchronizing Manually or Automatically

You can either synchronize your WSUS server manually or specify a time for it to synchronize
automatically on a daily basis.

To synchronize your server manually

1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Schedule, click Synchronize manually.
3. Under Tasks, click Save settings, and then click OK.

To synchronize your WSUS server immediately

1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Tasks, click Synchronize now.

To set up an automatic synchronization schedule

1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Schedule, click Synchronize daily at, and then in the list select the time you want
synchronization to start each day.
3. Under Tasks, click Save settings, and then click OK.

Managing Computers and Computer Groups :

The following are common tasks you can perform on the Computers page. Before you can add a
computer to a computer group,

To view the properties for a computer

1. On the WSUS console toolbar, click Computers.
2. In Groups, click the computer group to which the computer currently belongs to.
3. In the list of computers, click the computer for which you want to view properties.
4. In the properties pane, do either of the following:
 Click the Details tab for general information about the computer.
 Click the Status tab for approval and update status for the computer.

To add a computer to a computer group

1. On the WSUS console toolbar, click Computers.
2. In Groups, click the computer group to which the computer currently belongs.
 3. In the list of computers, click the computer that you want to move.
4. Under Tasks, click Move selected computer.
5. In the Computer group dialog box, click the computer group that you want to move the
computer to, and then click OK.

Note
If your computer already belongs to a computer group, then after you perform this task it
will belong to the new computer group you specify and not to the earlier computer group.
However, it will remain a member of the All Computers group.

To remove a computer from a WSUS server

1. On the WSUS console toolbar, click Computers.
2. In Groups, click the computer group to which the computer currently belongs to.
3. In the list of computers, click the computer you want to remove.
4. Under Tasks, click Remove the selected computer, and then click OK.

Note
After you perform this task, you will not be able to manage update distribution for the
client computer on the WSUS console, nor will the client computer will not be able to
receive updates from the WSUS server.

Managing Computer Groups

WSUS enables you to target updates to groups of client computers. This capability can help you ensure
that specific computers get the right updates at the most convenient times on an ongoing basis.

You can assign computers to computer groups by using one of two methods, server-side or client-side
targeting, depending on whether or not you want to automate the process. With server-side targeting,
you use the Move the selected computer task on the Computers page to move one or more client
computers to one computer group at a time. With client-side targeting, you use Group Policy or edit the
registry settings on client computers to enable those computers to automatically add themselves into
the computer groups. You must specify which method you will use by selecting one of the two options
on the Computers Options page.

Server-side Targeting
With server-side targeting, you use the WSUS console to both create groups and then assign computers
to the groups. Server-side targeting is an excellent option if you do not have many client computers to
update and you want to move client computers into computer groups manually.

To enable server-side targeting on your WSUS server, click the Use the Move computers task in
Windows Server Update Services option on the Computers Options page.

Client-side Targeting
With client-side targeting, you enable client-computers to add themselves to the computer groups you
create in the WSUS console. You can enable client-side targeting through Group Policy (in an Active
Directory network environment) or by editing registry entries (in a non-Active Directory network
environment) for the client computers. When the client computers connect to the WSUS server, they
will add themselves into the correct computer group. Client-side targeting is an excellent option if you
have many client computers and want to automate the process of assigning them to computer groups.

To enable client-side targeting on your WSUS server, click the Use Group Policy or registry settings
on client computers option on the Computers Options page.

To specify the method for assigning computers to groups

1. On the WSUS console toolbar, click Options, and then click Computer Options.
2. In Computer Options, do one of the following:
 If you want to create groups and assign computers through the WSUS console (server-
side targeting), click Use the Move computers task in Windows Server Update
Services.
 If you want to create groups and assign computers by using Group Policy or by editing
registry settings on the client computer (client-side targeting), click Use Group Policy or
registry settings on computers.
3. Under Tasks, click Save settings, and then click OK.

To create a computer group in the WSUS console

1. On the WSUS console toolbar, click Computers.
2. Under Tasks, click Create a computer group.
3. In Group name, type a name for your new computer group, and then click OK.

To remove a computer group

1. On the WSUS console toolbar, click Computers.
2. In Groups, click the computer group you want to remove.
3. Under Tasks, click Delete the selected group, and then click OK.

Managing Updates
Updates Overview

Updates are used for patching or providing a full file replacement for software that is installed on a
computer. Every update that is available on Microsoft Update is made up of two components

 Metadata provides information about the update. For example, metadata supplies information for the
properties of an update, thus enabling you to find out what the update is useful for. Metadata also
includes end-user license agreements (EULAs). The metadata package downloaded for an update is
typically much smaller than the actual update file package.
 Update files are the actual files required to install an update on a computer.

How WSUS Stores Updates

When updates are synchronized to your WSUS server, the metadata and update files are stored in two
separate locations. Metadata is stored in the WSUS database. Update files can be stored either on your
WSUS server or on Microsoft Update servers, depending on how you have configured your
synchronization options. If you choose to store update files on Microsoft Update servers, only metadata
is downloaded at the time of synchronization; you approve the updates through the WSUS console, and
then client computers get the update files directly from Microsoft Update at the time of installation.

Viewing Updates
View the list of updates. The list of updates displays updates that have been synchronized from the
update source to your server running Windows Server Update Services (WSUS) and are available for
approval.

To open the Updates page

 On the WSUS console toolbar, click Updates.

To view updates
1. On the WSUS console toolbar, click Updates. Updates are displayed in the list of updates.
2. To sort by additional information, download status, title, classification, release date, or
approval status, click the appropriate column heading.

To filter the list of updates displayed on the Updates page

1. On the WSUS console toolbar, click Updates.
2. Under View, select the appropriate criteria for your filter in the list boxes, and then click
Apply. The list of updates will reflect your chosen criteria. The Contains Text box, under
View, enables you to enter text to search on the following criteria for an update: Title,
Description, and Microsoft Knowledge Base (KB) article number. Each of these items is a
property listed on the Details tab in the update properties.

Approving Updates
After updates have been synchronized to your WSUS server, you must approve them to initiate a
deployment action. When you approve an update, you are essentially telling WSUS what to do with it
(for example, your choices are Install, Detect only, Remove, or Decline update). When approving an
update, you specify a default approval setting for the All Computers group, and any necessary settings
for each computer group in the Approve Updates dialog box. If you do not approve an update, its
approval status remains Not approved and your WSUS server performs no action for the update. The
exceptions to this are in the Critical Updates and Security Updates classifications, which by default are
automatically approved for detection after they are synchronized.

To approve updates for detection

1. On the WSUS console toolbar, click Updates.
2. In the list of updates, click one or more updates that you want to approve for detection.
3. Under Update Tasks, click Change approval.
4. In the Approve Updates dialog box, verify that Approval is set to Detect only for the All
Computers group.
 5. If you want to set a different default approval setting for one or more groups, under Group
approval settings for the selected updates, find the group(s) for which you want to set the
special approval setting, and then, in the Approval column, select an approval setting.

Approving Updates for Installation

You can select one or multiple updates; if you select multiple updates, you can approve them for
installation at once; you can also approve installation by computer group. This would be the Install
approval option in the Approve Updates dialog box. In addition, when you specify this approval action,
you can do one of the following:

 When you select this option, users in the targeted computer group will receive a notification
dialog box and an Automatic Updates icon on their taskbar when updates are ready to be
installed on their computers. They can then install the updates immediately, or at a later time, by
clicking the Automatic Updates icon. If you have configured Automatic Updates, either by Group
Policy or locally, to notify the user before installation, these notifications will be offered to any
non-administrator who logs onto the computer in the targeted computer group

Important
 You cannot set a deadline for automatic installation for an update if user input is required (for
example, accepting a license agreement or specifying a setting relevant to the update). If you set
a deadline for such an installation synchronization will fail. To determine whether an update will
require user input, look at the May request user input field in the update properties for an
update displayed on the Updates page. Also check for a message in the Approve Updates box
which says "The selected update requires user input and does not support and installation
deadline."

To approve updates for installation

1. On the WSUS console toolbar, click Updates.
2. In the list of updates, click one or more updates that you want to approve for installation.
3. Under Update Tasks, click Change approval.
4. In the Approve Updates dialog box, verify that Approval is set to Install for the All
Computers group.
5. To specify how and when the update will be installed for computers in the computer group,
next to Deadline, click None, and then click one of the following options:
 If you want to enable users to determine when to install the updates, click Use client
settings to determine update installation time, and then click OK. If you have
configured Automatic Updates, either by domain-based or local Group Policy, to notify the
user before installation, these notifications will be offered to any non-administrator who
logs onto the computer in the targeted computer group.
 If you want the update to be installed automatically, click Install the update by the
selected date and time, specify the date and time of the deadline, and then click OK. If
you want the install to occur immediately (that is, when the client computers next contact
the WSUS server), you can specify a past date for the deadline.
6. If you want to set a different default approval setting for one or more groups, under Group
approval settings for the selected updates, find the group(s) for which you want to set the
special approval setting, and then, in the Approval column, click an approval setting.
Declining Updates
This option is available as a task under Update Tasks on the Updates page. If you select this
option, the update is removed from the list of available updates. Declined updates will appear in
the updates list only if you select either Declined or All updates in the Approval list when
specifying the filter for the update list under View.

To decline updates
1. On the WSUS console toolbar, click Updates.
2. In the list of updates, click one or more updates that you want to decline.
3. In Update Tasks, click Decline update or Decline selected updates, depending on
whether you have selected one or multiple updates to decline.

Approving Updates for Removal

You can approve an update for removal (that is, approve uninstalling the update). This option is
only available if the update supports uninstalling, and you would choose the Remove
approval option in the Approve Updates dialog box.

To approve updates for removal

1. On the WSUS console toolbar, click Updates.
2. In the list of updates, click one or more updates that you want to approve for removal.
3. Under Update Tasks, click Change approval.
4. In the Approve Updates dialog box, verify that Approve is set to Remove for the All
Computers group.
5. If you want to set a deadline for the update(s) to be automatically removed, next to
Deadline, click None, specify the date and time for the deadline, and then click OK. If
you want the update removal to occur immediately (that is, when the client computers
next contact the WSUS server), you can specify a past date for the deadline.
6. If you want to set a different default approval setting for one or more groups, under
Group approval settings for the selected updates, find the group(s) for which you
want to set the special approval setting, and then, in the Approval column, click an
approval setting.

Approving Updates Automatically

On the Automatic Approval Options page, you can configure your WSUS server to
automatically approve installation or detection for updates and associated metadata when
they are downloaded to the WSUS server during synchronization. This is different from
approving

To automatically approve updates for detection

1. On the WSUS console toolbar, click Options, and then click Automatic Approval Options.
2. In Updates, under Approve for Detection, select the Automatically approve updates for
detection by using the following rule check box (if it is not already selected).
3. If you want to specify update classifications to automatically approve during synchronization,
do the following:
 Next to Classifications, click Add/Remove Classifications.
 In the Add/Remove Classifications dialog box, select the update classifications that you
want to automatically approve, and then click OK.
 4. If you want to specify the computer groups for which to automatically approve updates during
synchronization:
 Next to Computer groups, click Add/Remove Computer Groups.
 In the Add/Remove Computer Groups dialog box, select the computer groups for which
you want to automatically approve updates, and then click OK.
5. Under Tasks, click Save settings, and then click OK.

To automatically approve updates installation

1. On the WSUS console toolbar, click Options, and then click Automatic Approval Options.
2. In Updates, under Approve for Installation, select the Automatically approve updates for
installation by using the following rule check box (if it is not already selected).
3. If you want to specify update classifications to automatically approve during synchronization,
do the following:
 Next to Classifications, click Add/Remove Classifications.
 In the Add/Remove Classifications dialog box, select the update classifications that you
want to automatically approve, and then click OK.
4. If you want to specify the computer groups for which to automatically approve updates during
synchronization:
 Next to Computer groups, click Add/Remove Computer Groups.
 In the Add/Remove Computer Groups dialog box, select the computer groups for which
you want to automatically approve updates, and then click OK.
5. Under Tasks, click Save settings, and then click OK.

Automatically Approving Revisions to Updates

The Automatic Approval Options page contains an option to automatically approve revisions to
existing updates as they become available. This option is selected by default. A revision is a version of an
update that has changes (for example, it might have expired, or have an updated EULA, UI text, or
applicability rules for computers). If you configure your WSUS server to automatically approve new
revisions of an update but an expired revision for the update is synchronized, your WSUS server will
automatically decline the update. If you choose not to automatically approve the revised version of an
update, your WSUS server will use the older revision, and you must manually approve the update
revision.

To automatically approve revisions to updates

1. On the WSUS console toolbar, click Options, and then click Automatic Approval Options.
2. Under Revisions to Updates, click Automatically approve the latest revision of the
update.
3. Under Tasks, click Save settings, and then click OK.
Recommended Process for Approving a Superseding Update
Because a superseding update typically enhances a fix provided by a previously released, superseded
update, it is recommended that you first see how many client computers will be compliant with the new
update, and work backward from there. Use the following process.

To approve a superseding update

1. Approve the superseding update for Install on all computers where the fix provided by the
update is appropriate.
2. Check the resulting status of the approval action on your computers. Note which computers
show status as Not needed for the update, and then compare the properties of those
computers with the properties of the update.
3. Use the information available in the update properties to help you determine which previously
released version of the updates are available. For example, look under Supersedes on the
Details tab, and check the Description and KB article number entries if appropriate.
4. Get information about the superseded, previously released versions of the updates; for
example, view their properties.
5. When you find a superseded update that seems appropriate for the remaining client
computers, approve the update for installation.
6. Repeat this process until all of your client computers are updated with the intended fix.

Approving Office Updates

If you use WSUS to update Microsoft Office on your network computers, consider the following:

 If you have purchased a "per user" license agreement for Office, you must ensure that each user's
installation of Office is updated (for example, there might be two users who run individually licensed
copies of Microsoft Office on the same computer). This means a particular user has to be logged on
to the computer for that specific copy of Office to be updated. For example, if two people both have
accounts on a computer that is running Microsoft Office, then each of them has to log on and update
his or her Office installation, otherwise one of them will not have an updated version of Office.
 Users can access the public Microsoft Office Online Web site and can look for updates to their Office
installation through the Microsoft Office Update wizard. Using Group Policy, you might want to create
policies that prevent users from getting their own Office updates from Microsoft Office Online.
 Unlike Windows Update or Microsoft Office Online, which are public Web sites that users can visit
directly, Microsoft Update is accessed only by WSUS servers. It is currently in beta release and
makes security updates available only for Office XP and Office 2003. Some critical updates are not
available through Microsoft Update. Therefore, some updates might appear on the Microsoft Office
Online Web site that are not available on Microsoft Update.

Approving SQL Server and Exchange Server Updates

Updating Microsoft SQL Server Instances

Your installations (instances) of Microsoft SQL Server on one computer can possibly get complex,
because you can enable any of the following SQL Server scenarios:
 Multiple instances of SQL server on the computer at the same time.
 Multiple versions (releases) of SQL.
 SQL Server instances in multiple languages on the same computer.

 Typically, there is nothing extra you have to do to update these multiple instances; you just need
to make sure that when you specify your synchronization options (for example, product, update
classifications, and language options), you account for requirements for the versions of the SQL Server
instances you have on the computer.

Storing Updates

To specify where to store downloaded update files

1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Update Files and Languages, click Advanced.
3. Under Update Files, select whether to store update files on the server running Windows
Server Update Services (WSUS) or on Microsoft Update. If you choose to store update files
on your server, you can choose either to download update files only when they are approved,
or to download express installation files.
4. If you selected to store the files on the WSUS server, under Languages, select whether you
want to limit the updates downloaded to your WSUS server by language, and then click OK.
Note that if you select to download all languages (which is selected by default) that this will
take more disk space. If possible, consider limiting the languages you download if you are
also choosing to store update files on your WSUS server.
5. In Tasks, click Save settings, and then click OK.

Note
If your WSUS server is running in replica mode, you will not be able to perform this task.
For more information about replica mode, see Running in Replica Mode.

To change the location of local WSUS update storage

1. Click Start, and then click Run.
2. In the Open box, type cmd, and then click OK.
3. At the command prompt, navigate to the directory that contains WSUSutil.exe.
4. Type the following, and then press ENTER:
wsusutil.exe movecontent contentpath logfile [-skipcopy]
For example, type:
wsusutil.exe movecontent D:\WSUS1\ D:\move.log
where D:\WSUS1 is the new path for local WSUS update storage, and D:\move.log is the
path to the log file.

Managing the Databases