WSUSOperations Guide

Microsoft Windows Server Update
Services Operations Guide

Microsoft Corporation
Published: January 16, 200
Abstract
This paper documents the major tasks involved in administering and troubleshooting
Microsoft® Windows Server™ Update Services.
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO

WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN
THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other

intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain

names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious, and no association with any real company, organization, product, domain name,
e-mail address, logo, person, place, or event is intended or should be inferred.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks
or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Contents
Microsoft Windows Server Update Services Operations Guide.........................................1
Abstract.......................................................................................................................1
Contents.............................................................................................................................3
Microsoft Windows Server Update Services Operations Guide ............................6
Administering Windows Server Update Services ..................................................6

Overview of Windows Server Update Services ..............................................6
How WSUS works....................................................................................................7
Managing Windows Server Update Services .....................................................7
Setting Up and Running Synchronizations .....................................................7
Synchronizing Updates by Product and Classification.............................................8
Configuring Proxy-server Settings............................................................................9
Configuring the Update Source..............................................................................10
Specifying Where to Store Updates.......................................................................11
Synchronizing Manually or Automatically...............................................................11
Managing Computers and Computer Groups ...............................................12
Managing Client Computers ......................................................................12
Managing Computer Groups .....................................................................14
Managing Updates .......................................................................................17
Updates Overview .....................................................................................17
Viewing Updates .......................................................................................20
Approving Updates ....................................................................................22
Testing Updates ........................................................................................32
Storing Updates ........................................................................................33
Running in Replica Mode ..............................................................................47
Backing Up Windows Server Update Services .............................................47
Best Practices with Windows Server Update Services .................................51
Use Group Policy to Update Multiple Computers...................................................51
Schedule Update Installations when there is Little Chance for Lost Productivity. . .53
For maximum control over when your servers are restarted as necessitated by an
update installation, set Group Policy to Download the updates automatically and
notify when they are ready to be installed, and then create a script that enables
to you accept and install the updates and then restart the computer on demand
............................................................................................................................54
Managing WSUS from the Command Line ...................................................55
Running WSUSutil.exe...........................................................................................55
Monitoring Windows Server Update Services ..................................................64
Update Status Terminology ...........................................................................64
Running Reports ...........................................................................................67
Using the Reports Page.........................................................................................67
Running Compliance Status Reports.....................................................................77
Securing Windows Server Update Services ....................................................78
Troubleshooting Windows Server Update Services ............................................78

Verifying WSUS Server Settings ......................................................................78
Settings for Update File Synchronization and Download...........................................78
Registry settings.....................................................................................................79
Configuration settings............................................................................................79
IIS settings.................................................................................................................81
Permissions...........................................................................................................83
WSUS Server Administration Issues ................................................................84
Setup Issues .................................................................................................84
Check for required software and hardware............................................................85
In some cases, setup might fail if you choose the WMSDE database....................85
If the Server service is not running when you install WSUS, the WSUS installation
fails.....................................................................................................................85
Upgrade Issues ............................................................................................85
When an upgrade fails, WSUS might be uninstalled..............................................85
Uninstalling WSUS from SQL Server ............................................................86
Uninstalling might leave some WSUS configurations on computers running SQL
server..................................................................................................................86
Cannot access the WSUS console ...............................................................86
Grant users permissions for WSUS console access..............................................86
You cannot access the WSUS console with an IP address when WSUS is
configured to use a proxy server.........................................................................87
Cannot access the WSUS console and a timeout error message appears............87
Cannot access the WSUS console on a Windows 2000 server after applying the
hisec server.inf security template........................................................................87
Promoting the WSUS server to a domain controller might disrupt your ability to
access the WSUS console..................................................................................88
Cannot access the WSUS console on Windows 2000 Server configured as a
domain controller................................................................................................89
Update storage issues ..................................................................................89
The updates listed in the WSUS console do not match the updates listed in your
local folder..........................................................................................................90
Synchronization issues .................................................................................90
Check proxy-server settings by using the WSUS console.....................................90
Check the name of the upstream WSUS server.....................................................91
Check update storage options................................................................................91
Verify that users and the network service have Read permissions to the local
update storage directory.....................................................................................92
On a downstream WSUS server, check that the updates are available on the
upstream WSUS server......................................................................................92
Restart the BITS service........................................................................................93
If you are unable to download update files to your local WSUS server, your server
might not support the necessary HTTP protocol.................................................93
The number of updates that are approved on a parent upstream server does not
match the number of approved updates on a replica server...............................94
Update approval issues ................................................................................94
If IIS Lockdown is installed on WSUS and client computers, do not download
updates stored on the WSUS server..................................................................94
New approvals can take up to one minute to take effect........................................95
Remote computers accessed by using Terminal Services cannot be restarted by
non-administrators..............................................................................................95
The number of updates that are approved on a parent upstream server does not
match the number of approved updates on a replica server...............................95
Client computers do not appear in the WSUS console .................................95
Problem with client self-update..............................................................................95
Backup and restore issues ...........................................................................96
If you cannot access WSUS data after restoring the database, check the WSUS
server name and user permissions for the database..........................................96
General error messages ...............................................................................96
…some services are not running. Check the following services….........................96
Client Computer Administration Issues ............................................................97
Automatic Updates must be updated ............................................................97
Troubleshooting client self-update issues..............................................................98
Computers are not appearing in the correct computer groups ....................105
Verify that the WSUS console is set to use client-side targeting..........................105
Verify that target computer group names match groups on the WSUS server.....105
Wait an hour for changes to take effect................................................................106
Additional Resources for Windows Server Update Services .............................106

Windows Server Update Services Communities.........................................................106
More Documentation..................................................................................................106
6
Microsoft Windows Server Update

Services Operations Guide
This guide describes the major tasks involved in administering and troubleshooting
Windows Server Update Services.
Note
A downloadable copy of this document is available at
http://go.microsoft.com/fwlink/?LinkId=58310
In this guide
• Administering Windows Server Update Services
• Troubleshooting Windows Server Update Services
• Additional Resources for Windows Server Update Services
Administering Windows Server Update

Services
This section contains background information and procedures for performing the major
tasks involved in administering Windows Server Update Services.
In this guide
• Overview of Windows Server Update Services
• Managing Windows Server Update Services
• Monitoring Windows Server Update Services
• Securing Windows Server Update Services
Overview of Windows Server Update Services

By using Windows Server Update Services (WSUS), you can fully manage the process of
getting software updates that are released through Microsoft Update, and then distribute
them to servers and client computers in your network.
7
How WSUS works
WSUS provides a management infrastructure consisting of the following:
• Microsoft Update: the Microsoft Web site that WSUS components connect to for
updates to Microsoft products.
• Windows Server Update Services server: the server component that is

installed on a computer running a Microsoft Windows 2000 Server with Service Pack
4 (SP4) or a Microsoft Windows Server 2003 operating system inside the corporate
firewall. WSUS server software enables administrators to manage and distribute
updates through a Web-based tool, which can be accessed from Internet Explorer on
any computer running a Windows operating system in the corporate network. In
addition, a WSUS server can be the update source for other WSUS servers. In a
WSUS implementation, at least one WSUS server in the network must connect to
Microsoft Update to get available updates. The administrator can determine, based
on network security and configuration, how many other servers connect directly to
Microsoft Update.
• Automatic Updates: the client computer component built into Windows 2000
with SP3, Microsoft Windows XP, and Windows Server 2003 operating systems.
Automatic Updates enables both server and client computers to receive updates from
Microsoft Update or from a server running WSUS.
Managing Windows Server Update Services

In this section
• Setting Up and Running Synchronizations
• Managing Computers and Computer Groups
• Managing Updates
• Running in Replica Mode
• Backing Up Windows Server Update Services
• Managing WSUS from the Command Line
Setting Up and Running Synchronizations

During synchronization, your server running Windows Server Update Services (WSUS)
downloads updates (update metadata and files) from an update source. When your
WSUS server synchronizes for the first time, it will download all of the updates you
specified when you configured synchronization options. After the first synchronization,
8
your WSUS server determines if any new updates have been made available since the
last time it made contact with the update source, and then downloads only new updates.
The Synchronization Options page is the central access point in the WSUS console for
customizing how your WSUS server synchronizes updates. On this page, you can specify
which updates are synchronized automatically, where your server gets updates,
connection settings, and the synchronization schedule.
After you synchronize updates to your WSUS server, you must then approve them before
the WSUS server can perform any action for them. The exceptions to this are updates
classified as Critical Updates and Security Updates, which are automatically approved
for detection. For more information, see "Approving updates for detection in Approving
Updates.
Note
Because WSUS initiates all its network traffic, there is no need to configure
Windows Firewall on a WSUS server connected directly to Microsoft update.
Synchronizing Updates by Product and Classification

Your WSUS server downloads updates based on the products or product families (for
example, Windows, or Windows Server 2003, Datacenter Edition) and classifications (for
example, Critical Updates or Security Updates) that you specify. At the first
synchronization, your WSUS server downloads all of the updates available in the
categories you have specified. At subsequent synchronizations, your WSUS server
downloads only the newest updates (or changes to the updates already available on your
WSUS server) in the categories you specified.
You specify update products and classifications on the Synchronization Options page
under Products and Classifications. Products are grouped in a hierarchy, by product
family. For example, if you select Windows, you automatically select every product that
falls under that product hierarchy. By selecting the parent check box you not only select
all items under it, but all future releases too. Selecting the child check boxes will not
select the parent check boxes. The default setting for Products is All Windows Products,
and for Update classifications, the default setting is Critical Updates and Security
Updates. You must specify update classifications individually.
If your WSUS server is running in replica mode, you will not be able to perform this task.
For more information about replica mode, see Running in Replica Mode.
To specify update products and classifications for synchronization

1. On the WSUS console toolbar, click Options, and then click
9
Synchronization Options.
2. Under Products and Classifications, under Products, click Change.
3. In the Add/Remove Products dialog box, under Products, select the

products or product families for the updates you want your WSUS server to
synchronize, and then click OK.
4. Under Products and Classifications, under Update classifications, click

Change.
5. In the Add/Remove Classifications dialog box, in Classifications, select

the update classifications for the updates you want your WSUS server to
synchronize, and then click OK.
6. Under Tasks, click Save settings, and then click OK.
Note
If you want to stop synchronizing updates for one or more specific products
or product families, clear the appropriate check boxes in the Add/Remove
Products dialog box, and then click OK. Your WSUS server will stop
synchronizing new updates for the products you have cleared. However,
updates that were synchronized for those products before you cleared them
will remain on your WSUS server and will be available on the Updates page.
Configuring Proxy-server Settings

You can configure your WSUS server to use a proxy server during synchronization with
an upstream server or Microsoft Update. In addition, you can specify a port number and
whether you want your server to connect to the proxy server by using specific user
credentials.
You specify proxy-server settings on the Synchronization Options page under Proxy
server. This setting will apply only when your WSUS server runs synchronizations. By
default this option is not enabled, and your WSUS server will connect directly to the
upstream server or Microsoft Update. By default, the proxy-server option is not selected,
which means that your WSUS server will attempt to connect directly to another WSUS
server or Microsoft Update during synchronization.
Because WSUS initiates all of its network traffic, you do not need to configure Windows
Firewall on a WSUS server connected directly to Microsoft Update.
To specify a proxy server for synchronization

10
2. Under Proxy server, select the Use a proxy server when synchronizing
check box, and then type the server name and port number (port 80 is the
default) of the proxy server.
• If you want to connect to the proxy server by using specific user

credentials, select the Use user credentials to connect to the proxy
server check box, and then enter the user name, domain, and password of
the user in the corresponding boxes.
• If you want to enable basic authentication for the user connecting to the
proxy server, select the Allow basic authentication (password in clear
text) check box.
Configuring the Update Source

The update source is the location from which your WSUS server gets its updates and
update information (metadata). You can specify that the update source be either
Microsoft Update or another WSUS server (in this scenario, the WSUS server that acts
as the update source is the upstream server, and your server is the downstream server).
Options for customizing how your WSUS server synchronizes with the update source
include the following:
• You can specify a custom port for synchronization. For general information about
configuring ports, see Deploying Microsoft Windows Server Update Services at
http://go.microsoft.com/fwlink/?linkid=41777&clcid=0x409.
• You can use SSL to secure synchronization of update information between

WSUS servers. For more information about using SSL, see Securing Windows
Server Update Services.
To specify the update source for your WSUS server

2. Under Update Source, do one of the following:
• If you want your WSUS server to synchronize directly from Microsoft

Update, click Synchronize from Microsoft Update. If your server is running
in replica mode, this option will is disabled. For more information, see
Running in Replica Mode.
11
• If you want to synchronize from another WSUS server in your network,

click Synchronize from an upstream Windows Server Update Services
server, and then type the server name and port number in the corresponding
boxes.
• If you want to use Secure Socket Layers (SSL) when synchronizing

update information (metadata) synchronization, type the port number that the
upstream server uses for SSL connections, and then select the Use SSL
when synchronizing update information check box. For more information
about using SSL during synchronization, see Securing Windows Server
Update Services.
• If your WSUS server is running in replica mode, you just need to type the
server name in the Server name box. The upstream server does not have to
be the administration server (for example, it can be another replica mode
server). For more information about replica mode, see Running in Replica
Mode.
Specifying Where to Store Updates

For more information, see Specifying Where to Store Updates.
Synchronizing Manually or Automatically

You can either synchronize your WSUS server manually or specify a time for it to
synchronize automatically on a daily basis.
To synchronize your server manually

2. Under Schedule, click Synchronize manually.
To synchronize your WSUS server immediately

2. Under Tasks, click Synchronize now.

12
To set up an automatic synchronization schedule

2. Under Schedule, click Synchronize daily at, and then in the list select the
time you want synchronization to start each day.
Managing Computers and Computer Groups

In this section
• Managing Client Computers
• Managing Computer Groups
Managing Client Computers

WSUS enables you to manage the entire process of updating your computers, including
manually and automatically determining which updates they need and receive, specifying
when the updates are installed, and monitoring the status of update deployment on your
computers.
The central access point in the WSUS console for managing computers is the
Computers page, which displays a list of computers that have been configured to get
updates from the WSUS server. The computers are displayed by computer group, and
you can filter the computer list to a specific computer group. By selecting a computer in
the list, you can view its properties, which include general details about the computer and
the status of updates for it—for example, the installation or detection status of an update
for a particular computer.
You can also manage computer groups on the Computers page, which includes creating
the groups and assigning computers to them. For more information about managing
computer groups, see Managing Computer Groups.
Important
You must first set up a client computer to contact the WSUS server before you
can manage it from that server. Until you perform this task, your WSUS server
will not recognize your client computer, and will not display it in the computer list
on the Computers page. For more information about setting up a client
13
computer, see Deploying Microsoft Windows Server Update Services at
A client computer can only be set to communicate with one WSUS server at a
time. If you later change this setting and specify a different WSUS server, the
client computer stops contacting the WSUS server specified earlier. However, the
client computer will remain on the list of computers and in the computer groups
specified on that earlier WSUS server. In addition, the original WSUS server will
report the last time the client computer contacted it (which will be accurate—it will
be before the client computer stopped connecting to it). To stop the client
computer from displaying on the earlier specified WSUS server, you must
remove the computer from the WSUS server.
Managing Computers on the Computers Page

The following are common tasks you can perform on the Computers page. Before you
can add a computer to a computer group, you must have created a computer group. For
more information about creating computer groups, see Managing Computer Groups.
To view the properties for a computer

1. On the WSUS console toolbar, click Computers.
2. In Groups, click the computer group to which the computer currently belongs
to.
3. In the list of computers, click the computer for which you want to view
properties.
4. In the properties pane, do either of the following:

• Click the Details tab for general information about the computer.
• Click the Status tab for approval and update status for the computer.
To add a computer to a computer group

2. In Groups, click the computer group to which the computer currently

belongs.
3. In the list of computers, click the computer that you want to move.
4. Under Tasks, click Move selected computer.

14
5. In the Computer group dialog box, click the computer group that you want
to move the computer to, and then click OK.
Note
If your computer already belongs to a computer group, then after you perform
this task it will belong to the new computer group you specify and not to the
earlier computer group. However, it will remain a member of the All
Computers group.
To remove a computer from a WSUS server

2. In Groups, click the computer group to which the computer currently belongs
to.
3. In the list of computers, click the computer you want to remove.
4. Under Tasks, click Remove the selected computer, and then click OK.
Note
After you perform this task, you will not be able to manage update distribution
for the client computer on the WSUS console, nor will the client computer will
not be able to receive updates from the WSUS server.
Managing Computer Groups

WSUS enables you to target updates to groups of client computers. This capability can
help you ensure that specific computers get the right updates at the most convenient
times on an ongoing basis. For example, if all computers in one department of your
organization have a specific configuration (such as all computers in the Accounting
team), you can determine what updates those computers get, at what time, and then use
WSUS reporting features to evaluate the success of update activity for that computer
group.
By default, each computer is already assigned to the All Computers group. Computers
will also be assigned to the Unassigned Computers group until you assign them to
another group. Regardless of the group you assign a computer to, it will also remain in
the All Computers group. A computer can be in only one other group in addition to the All
Computers group.
15
You can assign computers to computer groups by using one of two methods, server-side
or client-side targeting, depending on whether or not you want to automate the process.
With server-side targeting, you use the Move the selected computer task on the
Computers page to move one or more client computers to one computer group at a time.
With client-side targeting, you use Group Policy or edit the registry settings on client
computers to enable those computers to automatically add themselves into the computer
groups. You must specify which method you will use by selecting one of the two options
on the Computers Options page.
Note
If your WSUS server is running in replica mode, you will not be able to create
computer groups on that server, you will only inherit the computer groups created
on the administration server from which your server inherits its settings. For more
information about replica mode, see Running in Replica Mode.
Server-side Targeting
With server-side targeting, you use the WSUS console to both create groups and then
assign computers to the groups. Server-side targeting is an excellent option if you do not
have many client computers to update and you want to move client computers into
computer groups manually.
To enable server-side targeting on your WSUS server, click the Use the Move
computers task in Windows Server Update Services option on the Computers
Options page.
Client-side Targeting
With client-side targeting, you enable client-computers to add themselves to the
computer groups you create in the WSUS console. You can enable client-side targeting
through Group Policy (in an Active Directory network environment) or by editing registry
entries (in a non-Active Directory network environment) for the client computers. When
the client computers connect to the WSUS server, they will add themselves into the
correct computer group. Client-side targeting is an excellent option if you have many
client computers and want to automate the process of assigning them to computer
groups.
To enable client-side targeting on your WSUS server, click the Use Group Policy or
registry settings on client computers option on the Computers Options page.
To specify the method for assigning computers to groups

1. On the WSUS console toolbar, click Options, and then click Computer
16
Options.
2. In Computer Options, do one of the following:
• If you want to create groups and assign computers through the WSUS
console (server-side targeting), click Use the Move computers task in
Windows Server Update Services.
• If you want to create groups and assign computers by using Group Policy
or by editing registry settings on the client computer (client-side targeting),
click Use Group Policy or registry settings on computers.
Managing Computer Groups on Your WSUS Server
Regardless of the method you use to assign client computers to computer groups, you
must also create the computer groups in the WSUS console. In you use the client-side
targeting method, you must create the computer groups in the WSUS console before
your client computers can add themselves to them.
To create a computer group in the WSUS console

2. Under Tasks, click Create a computer group.
3. In Group name, type a name for your new computer group, and then click
OK.
To remove a computer group

2. In Groups, click the computer group you want to remove.
3. Under Tasks, click Delete the selected group, and then click OK.
Note
You cannot remove the Unassigned Computers or All Computers group.
Every client computer remains a member of the All Computers group in
addition to any group you assign it to. Client computers are members of the
Unassigned Computers group only until you assign them to a computer
group.
17
Managing Updates
In this section
• Updates Overview
• Viewing Updates
• Approving Updates
• Testing Updates
• Storing Updates
Updates Overview
Updates are used for patching or providing a full file replacement for software that is
installed on a computer. Every update that is available on Microsoft Update is made up of
two components:
• Metadata provides information about the update. For example, metadata

supplies information for the properties of an update, thus enabling you to find out
what the update is useful for. Metadata also includes end-user license agreements
(EULAs). The metadata package downloaded for an update is typically much smaller
than the actual update file package.
• Update files are the actual files required to install an update on a computer.
How WSUS Stores Updates

When updates are synchronized to your WSUS server, the metadata and update files are
stored in two separate locations. Metadata is stored in the WSUS database. Update files
can be stored either on your WSUS server or on Microsoft Update servers, depending on
how you have configured your synchronization options. If you choose to store update files
on Microsoft Update servers, only metadata is downloaded at the time of synchronization;
you approve the updates through the WSUS console, and then client computers get the
update files directly from Microsoft Update at the time of installation. For more information
about your options for storing updates, see Deploying Microsoft Windows Server Update
Services at http://go.microsoft.com/fwlink/?linkid=41777&clcid=0x409.
Managing Updates by Using WSUS

Whether you have just deployed WSUS or are performing daily tasks, you will be setting
up or (reconfiguring) and running synchronizations, adding computers and computer
groups, and deploying updates on a regular basis. The order in which you perform any of
these general tasks might change, depending on a number of circumstances—for
18
example, you might change your client computer configurations, (such as adding new
computers, upgrading software).
Although the order you might need to perform the following general tasks might be
different, necessitated by your organizational needs, the following is an example of the
order of general tasks you might undertake in updating computers by using WSUS.
1. Before configuring options in the WSUS console, determine an overall update

management plan based on your network capabilities, company needs, and layout.
Considerations might include the following:
• If and how you want to set up a hierarchy of WSUS servers
• Which database to use to store update metadata (for example, MSDE,

WMSDE, SQL Server 2000)
• What computer groups you want to create, and the method you will use to
assign computers to them (for example, server-side or client-side targeting)
• Whether you want updates to synchronize automatically at a specific time
2. Set synchronization options on the Options page, such as update source,

product and update classification, language, connection settings, storage location,
and automatic synchronization schedule.
3. Get the updates and associated metadata on your WSUS server through
synchronization from either Microsoft Update or an upstream WSUS server,
depending on the location you have specified for your update source.
4. Approve or decline updates by group from the Updates page. You can approve
updates for either installation or detection only. For detection only, WSUS does not
install updates but instead checks computers in the groups you specified, to see if a
specific update is needed. To get the result of the detection (or, in other words, to find
out if the update is needed), check the Status of Updates report. You can set a
deadline for automatic installation or detection. For installation, you have the option of
allowing users to install the updates themselves (if they are local administrators on
their client computers).
5. Configure automatic approvals for either installation or detection (by classification

and groups) in Options, on the Automatic Approvals page. If the installation and
detection rules conflict, WSUS will use the installation rule. On this page, you can
also configure whether you want to enable automatic approval of revisions to existing
updates or approve revisions manually. If you choose to approve manually, then your
WSUS server will continue using the older version until you manually approve the
revision.
19
6. Check status of the updates on the Updates page or in the Status of Updates
report.
Update Products and Classifications

Updates available on Microsoft Update are differentiated by product (or product family)
and classification.
Products Updated by WSUS
A product is a specific edition of an operating system or application, for example

Microsoft Windows Server 2003, Datacenter Edition. A product family is the base
operating system or application from which the products are derived. An example of a
product family is Microsoft Windows, of which Microsoft Windows Server 2003,
Datacenter Edition is a member. On the Synchronization Options page under Products
and Classifications, products are displayed in a hierarchy, under their product family. At
this location on the WSUS console, you can select the products or product families for
which you want your server to automatically synchronize updates. You can specify many
products at once if they belong to the same product family, because by selecting a parent
check box you also select all items under it. Selecting the child check boxes will not
select the parent check boxes. For every selection, you also are automatically selecting
future releases.
Update Classifications
Update classifications represent the type of update. For any given product or product
family, updates could be available among multiple classifications (for example,
Windows XP family Critical Updates and Security Updates). The following table lists
examples of update classifications.
Update Classification Description
Connectors Software components designed to support

connection between software
Critical Updates Broadly released fixes for specific problems

addressing critical, non-security related
bugs
Development Kits Software to aid the writing of new

applications that usually includes a visual
builder, an editor, and a compiler
Drivers Software components designed to support

new hardware
20
Update Classification Description
Feature Packs New product functionality usually included

in the next full product release
Guidance Scripts, sample code, and technical

guidance designed to help in the
deployment and use of a product or
technology
Security Updates Broadly released fixes for specific products,

addressing security issues
Service Packs Cumulative sets of all hotfixes, security

updates, critical updates, and updates
created since the release of the product
Service packs might also contain a limited

number of customer requested design
changes or features.
Tools Utilities or features that aid in accomplishing

a task or set of tasks
Update Rollups Cumulative set of hotfixes, security

updates, critical updates, and updates
packaged together for easy deployment
A rollup generally targets a specific area,

such as security, or a specific component,
such as Internet Information Services (IIS).
Updates Broadly released fixes for specific problems

addressing a non-critical, non-security
related bugs
Viewing Updates
On the Updates page, you can do the following:
• View the list of updates. The list of updates displays updates that have been
synchronized from the update source to your server running Windows Server Update
Services (WSUS) and are available for approval. You can filter the list of updates by
using criteria such as classifications and products, approval status, synchronization
21
date, and text string. In addition, you can sort the list of updates by clicking the
appropriate column heading in the list of updates title bar
• View details, status, and revision history for each update.
• Approve updates for installation.
• Approve updates for detection.
• Decline updates.
To open the Updates page

• On the WSUS console toolbar, click Updates.
To view updates
1. On the WSUS console toolbar, click Updates. Updates are displayed in the
list of updates.
2. To sort by additional information, download status, title, classification, release

date, or approval status, click the appropriate column heading.
To filter the list of updates displayed on the Updates page

1. On the WSUS console toolbar, click Updates.
2. Under View, select the appropriate criteria for your filter in the list boxes, and
then click Apply. The list of updates will reflect your chosen criteria. The
Contains Text box, under View, enables you to enter text to search on the
following criteria for an update: Title, Description, and Microsoft Knowledge
Base (KB) article number. Each of these items is a property listed on the
Details tab in the update properties.
To view the properties for an update

2. In the list of updates, click the update for which you want to view properties.
3. In the properties pane, click one of the tabs for the following:
• The Details tab displays both general properties (for example, title,
description, and release date) and installation information (for example,
requirements for installation, including whether the update is uninstallable)
about the update. In addition, the Details tab indicates if the update
supersedes or is superseded by another update.
22
• The Status tab displays download, approval, and installation status for
the update by computer group. You can further expand computer groups to
see update status by computer.
• The Revisions tab displays revision information about the update,

including general properties about the revision and approval status.
Note
You can perform this procedure on only one update at a time. If you select
multiple updates, the first update selected will be displayed in the properties
pane.
Approving Updates
After updates have been synchronized to your WSUS server, you must approve them to
initiate a deployment action. When you approve an update, you are essentially telling
WSUS what to do with it (for example, your choices are Install, Detect only, Remove, or
Decline update). When approving an update, you specify a default approval setting for
the All Computers group, and any necessary settings for each computer group in the
Approve Updates dialog box. If you do not approve an update, its approval status
remains Not approved and your WSUS server performs no action for the update. The
exceptions to this are in the Critical Updates and Security Updates classifications,
which by default are automatically approved for detection after they are synchronized.
The Updates page is the central access point in the WSUS console for approving
updates. On the Updates page, you can specify the action you want WSUS to exercise
for the update by computer group. You do this by selecting one of the options under
Tasks. The following provides more information about the different approvals you can
enable on the Updates page.
If your WSUS server is running in replica mode, you will not be able to approve updates
on your WSUS server. For more information about replica mode, see Running in Replica
Mode.
Approving Updates for Detection

When you approve an update for detection, the update is not installed. Instead, WSUS
checks whether the update is compliant with or needed by computers in the groups you
specify for the Detect only approval option in the Approve Updates dialog box. The
detection occurs at the scheduled time that the client computer communicates with the
WSUS server. You can see the result of the detection either in the Status of Updates
report or on the Updates page, by clicking the Status tab for a specific update. In either
23
case, the information you need will appear in the Needed column, which represents the
number of computers that have been detected as needing a particular update. If the client
computer does not need the update, the number in Needed is zero.
By default, Critical Updates and Security Updates are automatically approved for
detection.
To approve updates for detection

2. In the list of updates, click one or more updates that you want to approve for
detection.
3. Under Update Tasks, click Change approval.
4. In the Approve Updates dialog box, verify that Approval is set to Detect
only for the All Computers group.
5. If you want to set a different default approval setting for one or more groups,
under Group approval settings for the selected updates, find the group(s) for
which you want to set the special approval setting, and then, in the Approval
column, select an approval setting.
Approving Updates for Installation

You can select one or multiple updates; if you select multiple updates, you can approve
them for installation at once; you can also approve installation by computer group. This
would be the Install approval option in the Approve Updates dialog box. In addition,
when you specify this approval action, you can do one of the following:
• Use the settings on the client computers to determine when to install updates.
When you select this option, users in the targeted computer group will receive a
notification dialog box and an Automatic Updates icon on their taskbar when
updates are ready to be installed on their computers. They can then install the
updates immediately, or at a later time, by clicking the Automatic Updates icon. If
you have configured Automatic Updates, either by Group Policy or locally, to notify
the user before installation, these notifications will be offered to any non-administrator
who logs onto the computer in the targeted computer group.
• Set a deadline for automatic installation. When you select this option, you set
specific times and dates to install updates, overriding any settings on the client
computers. In addition, you can specify a past date for the deadline if you want to run
an approval action immediately (that is, when the client computers next contact the
WSUS server).
24
Important
You cannot set a deadline for automatic installation for an update if user input is
required (for example, accepting a license agreement or specifying a setting
relevant to the update). If you set a deadline for such an installation
synchronization will fail. To determine whether an update will require user input,
look at the May request user input field in the update properties for an update
displayed on the Updates page. Also check for a message in the Approve
Updates box which says "The selected update requires user input and does
not support and installation deadline."
To approve updates for installation

installation.
4. In the Approve Updates dialog box, verify that Approval is set to Install for
the All Computers group.
5. To specify how and when the update will be installed for computers in the
computer group, next to Deadline, click None, and then click one of the following
options:
• If you want to enable users to determine when to install the updates, click
Use client settings to determine update installation time, and then click
OK. If you have configured Automatic Updates, either by domain-based or
local Group Policy, to notify the user before installation, these notifications
will be offered to any non-administrator who logs onto the computer in the
targeted computer group.
• If you want the update to be installed automatically, click Install the
update by the selected date and time, specify the date and time of the
deadline, and then click OK. If you want the install to occur immediately (that
is, when the client computers next contact the WSUS server), you can
specify a past date for the deadline.
column, click an approval setting.
25
Note
For more information about downloading and installing updates, see Best
Practices with Windows Server Update Services.
Declining Updates
This option is available as a task under Update Tasks on the Updates page. If you select
this option, the update is removed from the list of available updates. Declined updates will
appear in the updates list only if you select either Declined or All updates in the
Approval list when specifying the filter for the update list under View.
To decline updates
2. In the list of updates, click one or more updates that you want to decline.
3. In Update Tasks, click Decline update or Decline selected updates,

depending on whether you have selected one or multiple updates to decline.
Approving Updates for Removal

You can approve an update for removal (that is, approve uninstalling the update). This
option is only available if the update supports uninstalling, and you would choose the
Remove approval option in the Approve Updates dialog box. You can specify a
deadline for the update to be uninstalled, as well as specify a past date for the deadline if
you want to run an approval action immediately (that is, when the client computers next
contact the WSUS server).
To approve updates for removal

removal.
4. In the Approve Updates dialog box, verify that Approve is set to Remove
for the All Computers group.
5. If you want to set a deadline for the update(s) to be automatically removed,

next to Deadline, click None, specify the date and time for the deadline, and
then click OK. If you want the update removal to occur immediately (that is, when
26
the client computers next contact the WSUS server), you can specify a past date
for the deadline.
column, click an approval setting.
Approving Updates Automatically

On the Automatic Approval Options page, you can configure your WSUS server to
automatically approve installation or detection for updates and associated metadata
when they are downloaded to the WSUS server during synchronization. This is different
from approving updates on the Updates page, where, by default, updates are approved
for detection.
You can configure automatic approval for updates by update classifications and groups. If
the installation and detection rules you set conflict, your WSUS server will follow the
installation rules.
On the Automatic Approval Options page, you can also select an option to
automatically approve revisions to existing updates as they become available. This option
is selected by default. A revision is a version of an update that has had changes made to
it (for example, it might have expired, or UI text, the EULA, or applicability rules for
computers might have changed). If you do not choose to automatically approve the
revised version of an update, WSUS will use the older version, and you must manually
approve the update revision.
Automatically Approving Updates for Detection

When you select this option, you can create a rule that your WSUS server will
automatically apply during synchronization. For the rule, you specify what updates you
want to automatically approve for detection, by update classification and by computer
group. This applies only to new updates, as opposed to revised updates. This setting is
available on the Automatic Approval Options page.
On this page, you can also set a rule for automatically approving updates for installation.
In the event that rules conflict (for example, you have specified the same update
classification and same computer group combination in both the rule to automatically
approve for detection and automatically approve for installation), then your WSUS server
applies the rule to automatically approve for installation.
27
To automatically approve updates for detection

1. On the WSUS console toolbar, click Options, and then click Automatic
Approval Options.
2. In Updates, under Approve for Detection, select the Automatically

approve updates for detection by using the following rule check box (if it is
not already selected).
3. If you want to specify update classifications to automatically approve during

synchronization, do the following:
• Next to Classifications, click Add/Remove Classifications.
• In the Add/Remove Classifications dialog box, select the update

classifications that you want to automatically approve, and then click OK.
4. If you want to specify the computer groups for which to automatically approve
updates during synchronization:
• Next to Computer groups, click Add/Remove Computer Groups.
• In the Add/Remove Computer Groups dialog box, select the computer

groups for which you want to automatically approve updates, and then click
OK.
Automatically Approve Updates for Installation

When you select this option, you can create a rule that your WSUS server will
automatically apply during synchronization. For the rule, you specify what updates you
want to automatically approve for installation, by update classification and by computer
group. This applies only to new updates, as opposed to revised updates. This setting is
available on the Automatic Approval Options page.
On this page, you can also set a rule for automatically approving updates for detection. In
the event that rules conflict (for example, you have specified the same update
classification and same computer group combination in both the rule to automatically
approve for installation and automatically approve for detection), then your WSUS server
applies the rule to automatically approve for installation.
To automatically approve updates installation

Approval Options.
2. In Updates, under Approve for Installation, select the Automatically

28
approve updates for installation by using the following rule check box (if it is
not already selected).
3. If you want to specify update classifications to automatically approve during

synchronization, do the following:
• Next to Classifications, click Add/Remove Classifications.
• In the Add/Remove Classifications dialog box, select the update

classifications that you want to automatically approve, and then click OK.
4. If you want to specify the computer groups for which to automatically approve
updates during synchronization:
• Next to Computer groups, click Add/Remove Computer Groups.

• In the Add/Remove Computer Groups dialog box, select the computer
groups for which you want to automatically approve updates, and then click
OK.
Automatically Approving Revisions to Updates

The Automatic Approval Options page contains an option to automatically approve
revisions to existing updates as they become available. This option is selected by default.
A revision is a version of an update that has changes (for example, it might have expired,
or have an updated EULA, UI text, or applicability rules for computers). If you configure
your WSUS server to automatically approve new revisions of an update but an expired
revision for the update is synchronized, your WSUS server will automatically decline the
update. If you choose not to automatically approve the revised version of an update, your
WSUS server will use the older revision, and you must manually approve the update
revision.
To automatically approve revisions to updates

Approval Options.
2. Under Revisions to Updates, click Automatically approve the latest

revision of the update.
Approving Superseding or Superseded Updates

Typically, an update that supersedes other updates does one or more of the following:
29
• Enhances, improves, and/or adds to the fix provided by one or more previously
released updates.
• Improves the efficiency of its update file package, which is installed on client
computers if the update is approved for installation. For example, the superseded
update might contain files that are no longer relevant to the fix, or to the operating
systems now supported by the new update, so those files are not included in the
superseding update's file package.
• Updates newer versions of operating systems. It is also important to note that the
superseding update might not support earlier versions of operating systems.
Conversely, an update that is superseded by another update does the following:

• Fixes a similar vulnerability to the update that supersedes it. However, the update
that supersedes it might enhance the fix that the superseded update provides.
• Updates earlier versions of operating systems—in some cases these versions of

operating systems are no longer updated by the superseding update.
In the list of updates on the Updates page, an icon next to the update indicates that it
has a supersedure relationship to another update. The Details tab in the properties for
the update tells you whether the update supersedes or is superseded by another update.
In addition, you can determine which updates supersede or are superseded by the
update by looking at the Supersedes and Superseded by entries. The properties box for
the update is available at various locations in the WSUS console (for example, on the
Updates page, on the Computers page).
WSUS does not automatically decline superseded updates, and it is recommended that
you do not assume that superseded updates should be declined in favor of the new,
superseding update. Before declining a superseded update, make sure that it is no longer
needed by any of your client computers. Following are examples of scenarios where you
might need to install a superseded update:
• If a superseding update supports only newer versions of an operating system,

and some of your client computers run earlier versions of the operating system.
• If a superseding update has more restricted applicability than the update it

supersedes, which would make it inappropriate for some client computers.
• If an update no longer supersedes a previously released update due to new

changes. It is possible that through changes at each release, an update no longer
supersedes an update it previously superseded in an earlier version. In this scenario,
you will still see a message on the Details tab for the superseded update that it has
been superseded, even though the update that supersedes it has been replaced by
an update that does not.
30
Recommended Process for Approving a Superseding Update
Because a superseding update typically enhances a fix provided by a previously

released, superseded update, it is recommended that you first see how many client
computers will be compliant with the new update, and work backward from there. Use the
following process.
To approve a superseding update

1. Approve the superseding update for Install on all computers where the fix
provided by the update is appropriate.
2. Check the resulting status of the approval action on your computers. Note
which computers show status as Not needed for the update, and then compare
the properties of those computers with the properties of the update.
3. Use the information available in the update properties to help you determine
which previously released version of the updates are available. For example,
look under Supersedes on the Details tab, and check the Description and KB
article number entries if appropriate.
4. Get information about the superseded, previously released versions of the

updates; for example, view their properties.
5. When you find a superseded update that seems appropriate for the
remaining client computers, approve the update for installation.
6. Repeat this process until all of your client computers are updated with the
intended fix.
Approving Office Updates

If you use WSUS to update Microsoft Office on your network computers, consider the
following:
• If you have purchased a "per user" license agreement for Office, you must
ensure that each user's installation of Office is updated (for example, there might be
two users who run individually licensed copies of Microsoft Office on the same
computer). This means a particular user has to be logged on to the computer for that
specific copy of Office to be updated. For example, if two people both have accounts
on a computer that is running Microsoft Office, then each of them has to log on and
update his or her Office installation, otherwise one of them will not have an updated
version of Office.
31
• Users can access the public Microsoft Office Online Web site and can look for
updates to their Office installation through the Microsoft Office Update wizard. Using
Group Policy, you might want to create policies that prevent users from getting their
own Office updates from Microsoft Office Online.
• Unlike Windows Update or Microsoft Office Online, which are public Web sites
that users can visit directly, Microsoft Update is accessed only by WSUS servers. It is
currently in beta release and makes security updates available only for Office XP and
Office 2003. Some critical updates are not available through Microsoft Update.
Therefore, some updates might appear on the Microsoft Office Online Web site that
are not available on Microsoft Update.
Approving SQL Server and Exchange Server Updates
Updating Microsoft SQL Server Instances
Your installations (instances) of Microsoft SQL Server on one computer can possibly get
complex, because you can enable any of the following SQL Server scenarios:
• Multiple instances of SQL server on the computer at the same time.
• Multiple versions (releases) of SQL.
• SQL Server instances in multiple languages on the same computer.
• Typically, there is nothing extra you have to do to update these multiple

instances; you just need to make sure that when you specify your synchronization
options (for example, product, update classifications, and language options), you
account for requirements for the versions of the SQL Server instances you have on
the computer. For more information about configuring synchronization options, see
Setting Up and Running Synchronizations.
Updating Microsoft SQL Server and Microsoft Exchange Servers That Are Part of a
Cluster
Both Microsoft SQL Server and Microsoft Exchange Server can be installed in a
clustered environment. If there is an update available for servers in a cluster that are
running these programs, each server in the cluster must be updated individually.
Microsoft recommends that you update passive cluster nodes individually (for example,
stop the cluster service for the server while you update it) until all cluster nodes are
updated.
Note
You can have both a stand-alone instance and a cluster instance of SQL Server
on the same server. If you are updating a server that is running both a stand-
alone instance and a cluster instance of SQL server, both SQL Server instances
32
will be updated if you have specified the correct synchronization options (product,
update classification, and language). For more information about setting
synchronization options, see Setting Up and Running Synchronizations.
Testing Updates
Until you install an update, you cannot be certain about the impact it will have on the
existing code running on your systems. By installing an update in a test environment
before deploying it to your production environment, you can analyze and assess its
impact before it has the opportunity to harm your production systems. This can prevent
unplanned downtime and lost productivity.
WSUS enables you to create custom computer groups, which you can use to test
updates. For example, the following figure depicts three computer groups: two custom
groups created by the administrator (Test and Accounting), as well as the built-in All
Computers group.
In this example, the Test group contains a small number of computers representative of
all the computers contained in the Accounting group. This creates a virtual test lab. The
administrator can first approve updates for the Test group. If the testing goes well, the
administrator can roll out the updates to the Accounting group.
You can expand this basic scenario to fit testing needs for your organization. For
example, you can create multiple test computer groups that resemble actual computer
groups containing computers with different configurations.
33
Storing Updates
In this section
• Specifying Where to Store Updates
• Managing the Databases
Specifying Where to Store Updates

You can specify whether you want to store update files on your local WSUS server or on
Microsoft Update. If you choose to store the updates locally, you can limit the updates
downloaded to your server by language. If you choose to store the update files on
Microsoft Update, then your WSUS server obtains only update information (metadata) for
the criteria you have specified on the Synchronization Options page. In this scenario,
the update files come directly from Microsoft Update and are downloaded at the time of
installation on the client computers receiving updates. You will need to make sure your
client computers have direct access to Microsoft Update in this scenario.
Local Storage Considerations
If you decide to store update files on your server, the recommended minimum disk size is
30 GB. However, depending on the synchronization options you specify, you might need
to use a larger disk. For example, when specifying advanced synchronization options, as
in the following procedure, if you select options to download multiple languages and/or
the option to download express installation files, your server disk can easily reach 30 GB.
Therefore if you choose any of these options, install a larger disk (for example, 100 GB).
If your disk gets full, you can install a new, larger disk and then move the update files to
the new location. To do this, after you create the new disk drive, you will need to run the
WSUSutil.exe tool (with the movecontent command) to move the update files to the new
disk. For this procedure, see Managing WSUS from the Command Line.
About Express Installation Files
Express installation files download in a package that is usually multiple times larger than
a regular update package. The express installation file package contains the different
versions of the update that will apply to specific client computer configurations. If you
select this option, the package containing all multiple versions of update files is
downloaded to your WSUS server. However, when your client computers connect to the
server, they will download only the update files they need, which are the files that are
compliant for the specific computer. You might have selected the express installation file
option if you are less concerned with external bandwidth than internal bandwidth usage.
Besides bandwidth, another consideration when choosing to download express

installation files, as mentioned earlier, is disk space. If you choose to download express
34
installation files, they will take more disk space. Therefore, use a larger disk (more than
30 GB) if you select this option.
The option to download and store express installation files is in covered in step 3 in the
following procedure.
To specify where to store downloaded update files

2. Under Update Files and Languages, click Advanced.
3. Under Update Files, select whether to store update files on the server
running Windows Server Update Services (WSUS) or on Microsoft Update. If you
choose to store update files on your server, you can choose either to download
update files only when they are approved, or to download express installation
files.
4. If you selected to store the files on the WSUS server, under Languages,
select whether you want to limit the updates downloaded to your WSUS server
by language, and then click OK. Note that if you select to download all languages
(which is selected by default) that this will take more disk space. If possible,
consider limiting the languages you download if you are also choosing to store
update files on your WSUS server.
5. In Tasks, click Save settings, and then click OK.
Note
If your WSUS server is running in replica mode, you will not be able to
perform this task. For more information about replica mode, see Running in
Replica Mode.
Changing the Location where You Store Update Files Locally
You might need to change the location where WSUS stores updates locally. This might
be required if the disk becomes full and there is no longer any room for new updates. You
might also have to do this if the disk where updates are stored fails and the replacement
disk uses a new drive letter.
You accomplish this move with the movecontent command of WSUSutil.exe, a

command-line tool that is copied to the file system of the WSUS server during WSUS
Setup. By default, Setup copies WSUSutil.exe to the following location:
WSUSInstallationDrive:\Program Files\Microsoft Windows Server Update Services\Tools\

35
You must be a member of the local Administrators group on the WSUS server to use the
movecontent command of WSUSutil.exe. These operations can only be run from the
WSUS server itself, which must be a 32-bit platform.
You must create the new path for local WSUS update storage prior to using
WSUSutil.exe. The movecontent command takes an optional -skipcopy parameter. The
-skipcopy parameter enables you to change the location of local WSUS update storage
without copying any files. For more information about WSUSutil.exe, see Deploying
Microsoft Windows Server Update Services at http://go.microsoft.com/fwlink/?
linkid=41777&clcid=0x409.
To change the location of local WSUS update storage

1. Click Start, and then click Run.
2. In the Open box, type cmd, and then click OK.
3. At the command prompt, navigate to the directory that contains

WSUSutil.exe.
4. Type the following, and then press ENTER:
wsusutil.exe movecontent contentpath logfile [-skipcopy]
For example, type:
wsusutil.exe movecontent D:\WSUS1\ D:\move.log
where D:\WSUS1 is the new path for local WSUS update storage, and
D:\move.log is the path to the log file.
Note
If you do not want to use WSUSutil.exe to change the location of local WSUS
update storage, you can also use NTFS functionality to add a partition to the
current location of local WSUS update storage. For more information about
NTFS, go to Help and Support Center in Windows Server 2003.
Managing the Databases

The WSUS database is a required component of WSUS (which is configured during
setup) that stores the following types of information:
• WSUS server configuration information
• Metadata that describes what each update is useful for

36
Aside from the actual update files, the metadata is the second part of every update
available on Microsoft Update. Update files are stored separately, either on Microsoft
Update, or on your WSUS server. For more information, see Specifying Where to Store
Updates.
• Information about client computers, updates, and client interaction with updates
Depending on your server and network configurations, you are running an MSDE,
WMSDE, or SQL Server 2000 database for your WSUS installation (for more information
about your database options when installing WSUS, see "Choose the Database Used for
WSUS" in Deploying Microsoft Windows Server Update Services at
The following table describes non-deployment tasks you might have to perform as part of
regular operations.
Database management tasks
Database Tasks
MSDE • Make space in the database when

the 2-GB limit is reached. For more
information, see Managing WSUS from
the Command Line.
• Backup / restore. For more

information, see Backing Up Windows
• Move data to a SQL Server 2000

database (for example, if you are
upgrading the database from MSDE to
SQL Server 2000).
WMSDE • Backup / restore. For more

information, see Backing Up Windows
• Move data to a SQL Server 2000

database (for example, if you are
upgrading the database from WMSDE
to SQL Server 2000). See
37
Database Tasks
SQL Server 2000 • Backup / restore.
• Move data to another SQL Server

2000 database (for example, if you
move WSUS to another server and you
will again use SQL Server 2000 for the
database).
In this section
• Migrating the database from MSDE or WMSDE to SQL Server 2000
Migrating the database from MSDE or WMDSE to SQL Server 2000

This topic discusses how to migrate the WSUS database (SUSDB) from an MSDE or
WMSDE instance (which is installed during WSUS Setup) to a full version of Microsoft
SQL Server 2000.
Reasons to migrate the WSUS database to SQL Server 2000
If you chose to use the MSDE or WMSDE to host the WSUS database when you set up
your WSUS server and have been running WSUS for some time, you might be
considering upgrading the database engine to a full installation of SQL Server 2000.
Using SQL Server 2000 can provide the following:
• More storage capacity - For example, the MSDE can store a maximum of 2 GB
of data. Depending on the types of updates you synchronize regularly, you might find
that the 2 GB gets filled up quickly, and you need to frequently manage the space in
your database.
• Ability to administer the WSUS database directly - you can utilize the
management capabilities provided by SQL Server 2000 through the Enterprise
Manager.
Database Requirements
• WSUS requires SQL Server 2000 with Service Pack 3a. If you use the full
version of SQL Server, the SQL server administrator should first verify that the nested
triggers option on the SQL server is turned on. Do this before setting up the WSUS
database.
• You cannot use SQL authentication. WSUS only supports Windows

authentication. WSUS Setup creates a database named SUSDB.
38
• You can use database software that is 100-percent compatible with Microsoft
SQL and not listed in "Remote SQL limitations. " Microsoft SQL Server 2000 has
been tested exclusively for use with remote SQL.
Scenarios
The following scenarios are presented in this topic:
• Migrating the MSDE or WMSDE to SQL Server 2000 running on the same server
• Migrating the MSDE or WMSDE to SQL Server 2000 running on another server
(remote SQL)
Migrating the WSUS database from a MSDE or WMSDE instance to SQL Server 2000
instance running on the same server
This procedure migrates the WSUS database to a SQL Server 2000 instance running on
the same server. Note that there might be some differences in the procedures if your
server is running Windows 2000, which are noted within the procedure.
To migrate the WSUS database from an MSDE or WMSDE instance to a SQL Server
2000 instance on the same server
1. Install SQL Server 2000a (with the Server and Client Tools option) and SQL
Server 2000a Service Pack 3 or higher on your WSUS server.
2. In SQL Server Enterprise Manger, add the MSDE or WMSDE instance to the
SQL Server Group. This enables you to manage the MSDE or WMSDE instance in
Enterprise Manager:
a. Click Start, point to Programs, point to Microsoft SQL Server, and then
click Enterprise Manager.
b. Under the Console Root, expand Microsoft SQL Servers, right-click SQL
Server Group and then click New SQL Server Registration.
c. Complete the Register SQL Server wizard, choosing the following options
when prompted:
• In the Select a SQL Server page, under Available Servers, type:

[ServerName]\WSUS, and then click Add.
• Under Connect Using, select The Windows account information I use to

log on to my computer (Windows Authentication).
3. Close any Internet browser that is connecting to the WSUS console.
4. Stop the IIS Admin service and the Update Services service:
39
a. Click Start, point to Programs, point to Administrative Tools, and then click
Services.
b. Right-click IIS Admin Service, and then click Stop.
c. Right-click Update Services, and then click Stop.
5. Detach the WSUS database (SUSDB) from the WMSDE or MSDE instance
a. In SQL Server Enterprise Manager, under the [ServerName\WSUS] node,

expand Databases.
b. Right-click SUSDB, point to All Tasks, and then click Detach Database.
Click OK, and then click OK, when the confirmation dialog boxes appear.
6. Attach SUSDB to the destination SQL instance. Note that the default instance is
(Local)(Windows NT).
a. Under the instance node, right-click Databases, point to All Tasks, and then
click Attach Database.
b. In the Attach Database box, under MDF file of database to attach, browse
to the location of the susdb.mdf file (by default this is C:\Program
Files\Microsoft SQL Server\MSSQL$WSUS\Data if you installed the MSDE,
and C:\WSUS\MSSQL$WSUS\Data if you installed WMSDE), and then click OK.
(Note that SUSDB includes both SUSDB.mdf and SUSDB_log.ldf, which is the
master log file. SQL will add both for you.) Click OK again when the confirmation
dialog box appears.
7. In the destination SQL instance, add two new logins: [ServerName]\ASPNET and
NT AUTHORITY\NETWORK SERVICE (the NT AUTHORITY\NETWORK SERVICE
login is not required if the WSUS server is running Windows 2000 Server).
a. Under the instance name (for example, (Local)(Windows NT)) click

Security, right-click Logins, and then click New Login.
b. In the SQL Server Login Properties – New Login dialog box, in the Name
box, type: [ServerName]\ASPNET.
c. Leave the defaults for Authentication (Windows Authentication) and

Domain ([ServerName]).
d. In the Database box, select SUSDB.
e. In the Database roles for SUSDB box, under Permit in Database Role,
select public, and select webService, and then click OK.
f. Close Enterprise Manager.

40
g. Repeat steps a through f to add the NT AUTHORITY\NETWORK SERVICE
account. Note: this is not required if the WSUS server is running Windows Server
2000.
8. Edit the registry to point WSUS to the SQL instance that now holds SUSDB.
a. Click Start, click Run, type: regedit, and then click OK.
b. Find the following key:

HKLM\SOFTWARE\Microsoft\UpdateServices\Server\Setup\SqlServerName,
and in the Value data box, type: [ServerName]\[InstanceName] and then click
OK. If the instance name is the default instance, then simply type: [ServerName].
9. Use Add or Remove Programs in Control Panel to uninstall the WMSDE or

MSDE instance. The name of the MSDE or WMSDE instance to remove is
Microsoft SQL Server Desktop Engine (WSUS).
10. Open Services and then start the IIS Admin service and Update Services
service.
a. Click Start, point to Programs, point to Administrative Tools, and then click
Services.
b. Right-click IIS Admin Service, and then click Start.
c. Right-click Update Services, and then click Start.
11. Verify that the database migration has been successful by opening the WSUS
console from Internet Explorer (in the Address box, type: http://
[ServerName]/WSUSAdmin).
Note
You might have to restart the server for these settings to take effect.
Migrating the WSUS database from an MSDE or WMSDE instance to a SQL Server 2000
instance on another server
The goal of this scenario is to take the WSUS database (SUSDB) running in a MSDE or
WMSDE instance (which you can choose to install during WSUS Setup) and to move and
upgrade it to a SQL Server 2000 instance running on a remote server. By upgrading the
WSUS database you are able to manage it using all of the features provided by SQL
Server 2000.
At the completion of this scenario, you will have a WSUS implementation consisting of a
front-end server through which you access the WSUS console and administer WSUS,
and a back-end sever running SQL Server 2000, which will host the WSUS database.
Remote SQL Scenario Limitations

41
• You cannot use Windows 2000 Server on the front-end server in a remote SQL
pair.
• You cannot use a server configured as a domain controller for either the front end
or the back end of the remote SQL pair.
• You cannot use WMSDE or MSDE for database software on the back-end server.
• Both the front-end and the back-end servers must be joined to an Active
Directory domain.
About this procedure
There are 11 steps that make up this procedure. Some of the steps require a number of
sub-procedures.
For ease of explanation, Server1 and Server2 are used to indicate the front-end and
back-end servers respectively. Note that in each step, where appropriate, it is noted on
which server you must perform the procedures. More information about Server1 and
Server2:
Server1
• This will the front-end server at the completion of this scenario.
• Starting configuration: Windows Server 2000 or 2003 operating system running

WSUS using MSDE or WMSDE to host the WSUS database.
Server2
• This will be the back-end server at the completion of this scenario.
• Starting configuration: Windows 2000 or 2000 Server operating system running

full version of SQL Server 2000 sp3 or higher. Note: Verify that nested triggers are
turned on.
To migrate the WSUS database from an MSDE or WMSDE instance to a SQL Server
2000 instance on another server
Step 1 [On Server2]: Install WSUS with the /b option.
Completion of this step requires the following procedures:
• Install WSUS on the back-end server
• Identify how update storage is being managed on the front-end server
• Set permissions on the back-end server
Notes:
42
• You must run WSUS Setup from a command line so that you can use command-
line options. Use the /b command-line option.
• You do not need to have IIS installed on the back-end server. Except for IIS, all
other prerequisites for a normal WSUS installation are required.
To install WSUS on the back-end server
1. Download the WSUS setup files to the server. At the Run command or at a command
line, navigate to the folder containing the WSUS setup files you downloaded and type
the following command: wsussetup.exe /b
2. Complete the WSUS Setup wizard, selecting the following options:
• On the Database Options page, in the Select SQL instance name box,
select the SQL Server instance where you want to install the WSUS database.
Note that <Default> will be the only instance available if you decide not to create
any new instances.
• On the Connecting to SQL Server Instance page, wait to be prompted with

for a successful connection to the SQL server, and then click Next.
To identify how update storage is being managed on the front-end server
You must run a SQL script to identify how update storage is being managed on the front-
end server. Depending on whether client computers are getting updates locally from the
front-end server or are downloading updates directly from Microsoft, you will use one of
the following scripts. Note that you established where clients obtain updates when you
originally installed WSUS on the front-end server.
If you cannot remember how you configured the front-end server, you can find out by
reading the log file located on the front-end server by typing the following at a command
prompt:
%drive%\Program Files\Update Services\Logfiles\WSUSSetup_[InstallDate].log
Where [InstallDate] is the date you installed WSUS. From this file you need the value for
two keys: HostOnMu, and LocalContentCacheLocation.
• If you chose local storage on the front-end server, at a command prompt type:
"[%drive%]\program files\update services\tools\osql\osql.exe" -S

[SQLServerName\InstanceName] -E -b -n -Q "USE SUSDB UPDATE
dbo.tbConfigurationA SET HostOnMu='0' UPDATE dbo.tbConfigurationB SET
LocalContentCacheLocation=N'[LocalContentCacheLocationValue]'"
Where
43
• [%drive%]\program files\update services\tools\osql\osql.exe is the default
location of the osql.exe tool on Server2.
• [SQLServerName\InstaceName] is the name of the SQL Server instance that

holds the SUSDB database on Server2. Note that \InstanceName is not necessary if
you are using the default instance.
• [LocalContentCacheLocationValue] is the path to the folder on Server1 where

update files are stored. For example, C:\WSUS\WSUSContent.
Note
Do not use a network location or a UNC path. Do not add a trailing backslash (\).
• If you chose remote storage on Microsoft Update, at a command prompt, type:

"[%drive%]\program files\update services\tools\osql\osql.exe" -S
[SQLServerName\InstanceName] -E -b -n -Q "USE SUSDB UPDATE
dbo.tbConfigurationA SET HostOnMu='1' UPDATE dbo.tbConfigurationB SET
LocalContentCacheLocation=N'[%Server1Drive]\program files\Update
Services\WsusContent'"
Where
• [%drive%]\program files\update services\tools\osql\osql.exe is the default

location of the osql.exe tool on Server2.
• [SQLServerName\InstanceName] is the name of the SQL Server instance on

Server2. Note that \InstanceName is not necessary if you are using the default
instance.
• [%Server1Drive%]\program files\update services is the location of the Update

Services folder on Server1
To set permissions on the back-end server
• If the back-end server is running Windows Server 2003:
a. On the Server2, click Start, point to Administrative Tools, and then click
Computer Management.
b. In the tree, expand Local Users and Groups, and then click Groups.
c. In the details pane, double-click WSUS Administrators.
d. In the WSUS Administrators Properties dialog box, click Add.
e. In Select Users, Computers or Groups, click Object Types.
f. In Object Types, click Computers, and then click OK.

44
g. In Select Users, Computers, or Groups, enter the name of the front-end
server, and then click OK.
h. In the WSUS Administrators Properties dialog box, click OK.
• If the back-end server is running Windows 2000 Server
This procedure has two parts--if Server2 is running Windows 2000 Server, you must first
create a global security group and add Server1 as a member, then configure permissions
on Server2.
Part 1: Create a global security group and add the front-end server as a member
1. On a computer with Active Directory Administrative Tools installed, click Start,
point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the tree, right-click the folder in which you want to create the new group.
3. Point to New, and then click Group.
4. Type the name of the new group.
5. In Group Scope, click Global.
6. In Group Type, click Security, and then click OK. A global security group is
created.
7. Double-click the global security group you just created.
8. In the group properties dialog box, click the Members tab.
9. Click Add.
10. In Select Users, Contacts, or Computers, click Object Types.
11. In Object Types, click Computers, and then click OK.
12. In Enter the Object names to select (examples), enter the name of Server1, and
then click OK.
13. In the global security group properties dialog box, click OK.
Part 2: Set permissions on the Windows 2000 Server back-end server
1. On Server2, click Start, point to Administrative Tools, and then click Computer
Management.
2. In the tree, expand Local Users and Groups, and then click Groups.
3. In the details pane, double-click WSUS Administrators.
4. In the WSUS Administrators Properties dialog box, click Add.

45
5. In Select Users or Groups, select your domain from the Look in drop-down list.
6. Double-click the global security group you created in the preceding procedure,
and then click OK.
7. In the WSUS Administrators Properties dialog box, click OK.
Step 2 [On Server2]: Detach the WSUS database (SUSDB).
1. In SQL Server Enterprise Manager, under the Server2Name\InstanceName

node, expand Databases.
2. Right-click SUSDB, point to All Tasks, and then click Detach Database. Click
OK, and then click OK, when the confirmation dialog boxes appear.
3. Locate and then rename the existing susdb.mdf and susdb_log.ldf files. It is
important to note where they are stored in the file system. You will be copying the
files of the same name from Server1 later in this process to the same location.
Step 3 [On Server1]: Install Microsoft SQL Server 2000 with "Client Tools Only" option.
This step will enable you to use the SQL Server Enterprise Manager on Server1.
Step 4 [On Server1]: Stop the IIS Admin service and the Update Services service, and
close any Internet browser that is connecting to the WSUS console.
1. Click Start, point to Programs, point to Administrative Tools, and then click
Services.
2. Right-click IIS Admin Service, and then click Stop.
3. Right-click Update Services, and then click Stop.
Step 5 [On Server1]: Detach the WSUS database.
1. In SQL Server Enterprise Manager, under the [Server1Name]\WSUS node,

expand Databases.
2. Right-click SUSDB, point to All Tasks, and then click Detach Database. Click
OK, and then click OK, when the confirmation dialog boxes appear.
3. Close Enterprise Manager.
Step 6: Copy the SUSDB.mdf and SUSDB_log.ldf files from Server1 to Server2.
• In Step 2, you noted the folder location on Server2 where these files are stored.
Copy the files to this folder on Server2.
Step 7 [On Server2]: Attach the WSUS database to a SQL Server 2000 instance.
1. Under the [InstanceName] node, right-click Databases, point to All Tasks, and
then click Attach Database.
46
2. In the Attach Database box, under MDF file of database to attach, browse to
the location of the susdb.mdf file , and then click OK. (Note that SUSDB includes
both SUSDB.mdf and SUSDB_log.ldf, which is the master log file. SQL will add both
for you.) Click OK again when the confirmation dialog box appears.
Step 8 [On Server1]: Configure the front end computer to use the database on the
backend computer.
In this step, you edit the registry to point WSUS to destination SQL instance.
1. Click Start, click Run, type: regedit, and then click OK.
2. Find and double-click the following key:

HKLM\SOFTWARE\Microsoft\UpdateServices\Server\Setup\SqlServerName
3. In the Value data box, type: [Server2Name]\[InstanceName] and then click OK. If the
instance name is the default instance, then simply type: [Server2Name].
Note
When entering [Server2Name], do not add the domain name, such as [DomainName]\
[Server2Name].
Step 9 [On Server1]: Delete the WMSDE or MSDE instance.
Use Add or Remove Programs in Control Panel to uninstall the WMSDE or MSDE
instance. The name of the MSDE or WMSDE instance to remove is Microsoft SQL
Server Desktop Engine (WSUS).
Step 10 [On Server1]: Start the IIS Admin service and the Update Services service.
1. Click Start, point to Programs, point to Administrative Tools, and then click
Services.
2. Right-click IIS Admin Service, and then click Start.
3. Right-click Update Services, and then click Start.
Step 11: Verify that the database migration was successful.
From any computer in your network, open an Internet Explorer browser and access the
WSUS console at http://[Server1 name]\WSUSadmin.
Note
You might need to restart Server1 in order for these settings to take effect.
See Also
Managing the Databases
Deploying Microsoft Windows Server Update Services

47
Running in Replica Mode

A WSUS server running in replica mode inherits the update approvals and computer
groups created on an administration server. In a scenario that uses replica mode, you
typically have a single administration server, and one or more subordinate replica WSUS
servers spread out throughout the organization, based on site or organizational
topography. You approve updates and create computer groups on the administration
server, which the replica mode servers will then mirror. Replica mode servers can be set
up only during WSUS Setup, and if you implemented this scenario, it is likely because it
is important in your organization that update approvals and computer groups are
managed centrally.
If your WSUS server is running in replica mode, you will be able to perform only limited
administration capabilities on the server, which will primarily consist of:
• Adding and removing computers from computer groups
• Computer group membership is not distributed to replica servers, only the

computer groups themselves. Therefore, on a replica mode server, you will inherit the
computer groups that you created on the administration server. However, the
computer groups will be empty. You must then assign the client computers that
connect to the replica server to the computer groups.
• Setting a synchronization schedule
• Specifying proxy-server settings
• Specifying the update source
• This can be a server other than the administration server.
• Viewing available updates
• Monitoring update, synchronization, and computer status, and monitoring WSUS

settings on the server
• All standard WSUS reports are available on replica mode servers.
For more information about setting up and running in replica mode, see Deploying
Backing Up Windows Server Update Services

Although WSUS does not provide a built-in backup tool, you can use the Backup Utility
that is available on all servers running Windows 2000 or Windows Server 2003 to easily
48
back up and restore both the WSUS database and update file storage folder. The Backup
Utility is also known as Ntbackup.exe.
Backing up WSUS involves backing up the following:
• The WSUS database, which contains:
• Update metadata, including information about updates (for example,

properties). Metadata is also where EULAs are stored.
• WSUS server configuration information, which includes all settings for your
WSUS server (that is, options you specified through the WSUS console and
settings configured by WSUS automatically during setup).
• Information about client computers, updates, and client interaction with

updates. You can access this information through the WSUS console when you
view status and run reports on update status and client computer status.
• The folder where the update files are stored. Update files are the actual files
required to install an update on a computer. By default, update files are stored in the
%systemdrive%\WSUS\WSUSContent folder on your WSUS server. If you have
chosen to store update files on Microsoft Update (either during setup or on the
Options page), you do not have to back up the update file storage folder on your
WSUS server.
If you are using a full version of Microsoft SQL Server 2000 for your database, which is
not installed by WSUS, you can use SQL Server Enterprise manager as an alternative to
the Backup Utility. For more information about SQL Server Enterprise Manager, refer to
your SQL Server documentation. For more information about database options and
configurations for WSUS, see Deploying Microsoft Windows Server Update Services at
To back up the update file storage folder

1. On your WSUS server, click Start, and then click Run.
2. In the Open box, type %systemdrive%\%windir%\system32\ntbackup.exe

and then click OK.
3. In the Backup or Restore Wizard, click Next.
4. Verify that Back up files and settings is selected, and then click Next.
5. Click Let me choose what to back up, and then click Next.
6. Select the WSUSContent folder (under %systemdrive%\WSUS\), and then

click Next.
49
7. Use the Browse button to choose a place to save your backup, type a name
for the backup, and then click Next.
8. If you want to set additional specifications for your backup, including whether
it will be an incremental backup, whether you want to verify the backup, set a
recurring schedule for the backup, or other options, click Advanced, and then
follow the instructions in the wizard.
9. When the wizard is finished, click Finish.
10. When the message appears that informs you that the backup is complete,
click Close.
To back up the WSUS database


and then click OK.
4. Verify that Back up files and settings is selected, and then click Next.
5. Click Let me choose what to back up, and then click Next.
6. Under %systemdrive%\WSUS\MSSQL$WSUS\, select the Data and LOG

folders, and then click Next.
7. Use the Browse button to choose a place to save your backup, type a name
for the backup, and then click Next.
8. If you want to set additional specifications for your backup, including whether
it will be an incremental backup, whether you want to verify the backup, set a
recurring schedule for the backup, or other options, click Advanced, and then
follow the prompts that appear in the wizard.
10. When the message appears that informs you that the backup is complete,
click Close.
To restore the update file storage folder


and then click OK.
50
4. Click Restore files and settings, and then click Next.
5. In the What to restore dialog box, under Items to restore, expand the file
that contains the WSUSContent folder (under %systemdrive%\WSUS\), and then
click Next.
• Alternatively, you can select a subset of the %systemdrive

%\WSUS\WSUSContent folder to restore. Within the %systemdrive
%\WSUS\WSUSContent folder, you can restore one, all, or a combination of
its subfolders and files.
6. If you want to set additional specifications for your restore, including whether
you want to restore the files or folders to a different location, replace existing
files, restore security settings, or specify other options, click Advanced, and then
8. When the message appears that informs you that restoring is complete, click
Close.
To restore the WSUS database


and then click OK.
4. Click Restore files and settings, and then click Next.

5. In the What to restore dialog box, under Items to restore, expand the file
that contains the Data and LOG folders (under %systemdrive
%\WSUS\MSQL$WSUS), and then click Next.
• Alternatively, you can select a subset of the %systemdrive

%\WSUS\MSQL$WSUS\Data or %systemdrive%\WSUS\MSQL$WSUS\LOG
folders to restore. Within the %systemdrive%\WSUS\MSQL$WSUS\Data and
%systemdrive%\WSUS\MSQL$WSUS\LOG folders, you can restore one, all,
or a combination of their subfolders and files.
6. If you want to set additional specifications for your restore, including whether
you want to restore the files or folders to a different location, replace existing
files, restore security settings, or specify other options, click Advanced, and then
51
8. When the message appears that informs you that restoring is complete, click
Close.
Best Practices with Windows Server Update Services

This section provides best practices for managing updates through WSUS.
Use Group Policy to Update Multiple Computers

If you have set up Active Directory in your network, you can configure one or multiple
computers simultaneously, by including them in a Group Policy object (GPO), and then
configuring that GPO with WSUS settings. Microsoft recommends that you create a new
Group Policy object (GPO) that contains only WSUS settings. Link this WSUS GPO to an
Active Directory container appropriate for your environment. In a simple environment, you
might link a single WSUS GPO to the domain. In a more complex environment, you might
link multiple WSUS GPOs to several organizational units (OUs), which will enable you to
apply different WSUS policy settings to different types of computers.
Important
Microsoft recommends that you do not edit the Default Domain or Default
Domain Controller GPOs.
Typically, when you configure WSUS through Group Policy (in an Active Directory
network environment), you set up your client computers to connect to a WSUS server
and download updates once a day. By default, this is every 22 hours (minus a random
time offset, described later in this topic) at which time the approval actions you specified
for the new updates (for example, installation, detection, or removal) run on the client
computer.
However, if you are aware of and want to protect computers against immediate security
threats, you might want to set up more a more frequent schedule for computers to
contact the WSUS server, download, and install updates.
To specify how and when computers are updated through Group Policy
1. In Group Policy Object Editor, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click
Windows Update.
52
2. In the details pane of Group Policy Object Editor, configure the appropriate
policies. See the following table for examples of the policies you might want to
set.
Policies for Configuring Automatic Updates Behavior
Policy Description
Configure Automatic Updates By enabling this setting you enable your

computer to receive updates through
Automatic Updates on a computer or
computer group. To complete this setting,
you must then select one of the following
four options:
• Notify before downloading any

updates and notify again before
installing them.
• Download the updates

automatically and notify when they are
ready to be installed (default setting)
• Automatically download updates

and install them on the schedule
specified below
• Allow local administrators to select

the configuration mode that Automatic
Updates should notify and install
updates
No auto-restart for scheduled Automatic Specifies that to complete a scheduled

Updates installations installation, Automatic Updates will wait for
the computer to be restarted by any user
who is logged on, instead of causing the
computer to restart automatically.
53
Policy Description
Automatic Updates detection frequency Configures the frequency with which

computers contact the WSUS server. The
exact time between contact will actually be
the number of hours you specify here,
minus zero to twenty percent of the hours
specified. For example, if this policy is used
to specify a 20-hour contact frequency, then
all client computers to which this policy is
applied will check for updates anywhere
between 16 and 20 hours. If you leave this
policy set to Disabled or Not Configured,
Windows will check for available updates at
the default interval of 22 hours.
Allow Automatic Updates immediate Specifies whether Automatic Updates

installation should automatically install certain updates
that neither interrupt Windows services nor
restart Windows.
It will take a few minutes before the new policies you have configured take effect. It will
be about 20 minutes after Group Policy refreshes (applies any new settings to the client
computer). By default, computer Group Policy refreshes in the background every 90
minutes, with a random offset of 0 to 30 minutes. If you want to refresh Group Policy
sooner, you can go to a command prompt on the client computer and type:
gpupdate /force.
For more information about Group Policy, see Group Policy at

http://go.microsoft.com/fwlink/?LinkID=14232. For more information about options for
setting up and configuring your client computers in both Active Directory and non-Active
Directory network environments, see Deploying Microsoft Windows Server Update
Services at http://go.microsoft.com/fwlink/?LinkID=41777.
Schedule Update Installations when there is Little Chance for Lost

Productivity
In managing the process of updating computers (which includes WSUS servers), one of
your main goals is to have any planned downtime occur when there is little chance for
lost productivity. The following are suggestions for accomplishing this:
54
• To update WSUS servers or specific computers efficiently, put the WSUS servers
or computers in their own computer group, and deploy to that group with a deadline
set for a time when it is feasible for the WSUS servers or computers to be down (for
example, on Sunday at 3:00 A.M).
• Deploy updates by using a deadline in the future. For example, set the WSUS
servers or computers with a scheduled installation at a time when it is feasible for
them to be briefly offline (for example, on Sunday at 3:00 A.M).
• Configure client computers or WSUS servers through Group Policy to

immediately install updates that do not require a restart. (Before you approve an
update for installation, you can read the Description field in the properties for an
update in order to determine whether the update will require restarting the computer.
You can view the properties for an update by selecting it in the list of updates on the
Updates page in the WSUS console.) Enable the policy to install immediately any
updates that do not require a computer restart, so that they are installed every day.
Computers can then install any updates that do not interrupt service when they are
ready to install (that is, scheduling for Sunday morning installation would be
unnecessary). The tile of this policy is Allow Automatic Updates immediate
installation (see the table earlier in this topic for more information).
For maximum control over when your servers are restarted as

necessitated by an update installation, set Group Policy to
Download the updates automatically and notify when they are
ready to be installed, and then create a script that enables to
you accept and install the updates and then restart the
computer on demand
Some updates require a computer restart after they are installed (and, by default, will
restart computers 5 minutes after they are installed.) By not restarting your servers after
installing these updates, you leave them at risk. [benag] However, depending on your
network configuration, it might also risky to restart your servers automatically, since many
other resources in your network could depend on a single server. In this case, it might not
be feasible to schedule automatic scheduled restarts of your server.
There are a couple of Group Policies that enable you to configure when a computer is
restarted. However, when talking about servers, these policies have some limitations over
control:
• No auto-restart for scheduled Automatic Updates installations—this policy will

prevent automatic restarts of your server, and will enable manual restart—however,
you have to log on to the server and then initiate the restart. This might not be
practical if your server is typically unattended.
55
• Delay restart for scheduled installations—this policy can delay the time between
the update installation and the computer restart, however, the maximum time you can
set here is 30 minutes.
If these are issues for you, consider the following procedure:
1. Use Group Policy to configure automatic download, and manual installation of

the updates. To do this, you would enable the Configure Automatic Updates Group
Policy setting by selecting the Download the updates automatically and notify when
they are ready to be installed option.
2. Create a script to automate installing the updates and then restarting of your
server. This script would have the effect of a “button” you would push to initiate all
this, therefore the updates install and the server restarts when you run the script. You
can do this at the most appropriate time. For more information about creating scripts
to automate Automatic Updates tasks (for example downloading and installing
updates on server and client computers), see Windows Update Agent Software
Developer's Kit (http://go.microsoft.com/fwlink/?LinkID=43101)
Managing WSUS from the Command Line

This topic does the following
• Summarizes the purpose and functionality of WSUSutil.exe and its parameters.
• Provides and defines the syntax you would use to run specific tasks.
• Links to "Deploying Microsoft Windows Server Update Services" where more

information (for example, scenarios) is available.
Running WSUSutil.exe
WSUSutil.exe is a tool that you can use to manage your WSUS server from the
command line. WSUSutil.exe is located in the %drive%\Program Files\Update
Services\Tools folder on your WSUS server. You can run specific commands with
WSUSutil.exe to perform specific functions, as summarized in the following table. The
syntax you would use to run WSUSutil.exe with specific commands follows the table.
56
Summary of Commands You Can Use with WSUSutil
Command What it enables you to When you might use it

do
export The first of the two • On an ongoing basis, if

parts that make up you are running a network
the export / import with limited or restricted
process. Internet connectivity
The export
command enables
you to export update
metadata to an
export package file.
You cannot use this
parameter to export
update files, update
approvals, or server
settings.
import The second of the • On an ongoing basis, if

two parts that make you are running a network
up the export/import with limited or restricted
process. connectivity
The import
command imports
update metadata to a
server from an export
package file created
on another WSUS
server. This
synchronizes the
destination WSUS
server without using
a network
connection.
migratesus This command • If you are upgrading

migrates update your implementation SUS
approvals from a 1.0 to WSUS.
SUS 1.0 server to a
WSUS server.
57

do
movecontent Changes the file • Hard drive is full

system location
• Disk fails
where the WSUS
server stores update
files, and optionally
copies any update
files from the old
location to the new
location
reset Checks that every • After restoring the

update metadata row WSUS database.
in the database has
• When troubleshooting
corresponding update
files stored in the file
system. If update files
are missing or have
been corrupted,
WSUS downloads
the update files
again.
deleteunneededrevisions Purges the update • To free up space when

metadata for an MSDE is full
unnecessary update
revisions from the
database.
58

do
listinactiveapprovals Returns a list of • When you change

update titles with language settings on an
approvals that are in upstream server (that is the
a permanently parent to a replica server)
inactive state and want to see which
because of a change updates are no longer
in server language active because they are not
settings. in the new languages you
have specified. You can run
this command if you want to
see a list of inactive
approvals (for example, to
help you decide if you want
to remove the inactive
approvals). You do not have
to run this command before
running the
removeinactiveapprovals
command.
removeinactiveapprovals Removes approvals • When you change

for updates that are language settings on an
in a permanently upstream server (that is the
inactive state parent to a replica server)
because of a change and want to remove
in WSUS server updates that are no longer
language settings. active because they are not
in the new languages you
have specified. This would
fix the resulting mismatch in
the number of updates
displayed on the parent and
replica servers in this
scenario. You do not have
to run the
listinactiveapprovals
command before running
this command.
59
Export
For background and procedural information about exporting and importing updates, see
"Set Up a Disconnected Network (Import and Export Updates)" in Deploying Microsoft
Windows Server Update Services at http://go.microsoft.com/fwlink/?linkid=41777.
Syntax
At the command line %drive%\Program Files\Update Services\Tools>, type:
wsusutil export package logfile
The parameters are defined in the following table.
Parameter Definition
package The path and file name of the package .cab

to create.
logfile The path and file name of the log file to

create.
/help or /? Displays command-line help for export

command.
Import
For background and procedural information about exporting and importing updates, see
"Set Up a Disconnected Network (Import and Export Updates)" in Deploying Microsoft
Windows Server Update Services at http://go.microsoft.com/fwlink/?linkid=41777.
Syntax
wsusutil import package logfile
The parameters are defined in the following table:
package The path and file name of the package .cab

to import.

create.
60
/help or /? Displays command-line help for import

command.
Migratesus
SUS 1.0 to WSUS migration scenarios and related procedures are covered extensively in
the "Migrate from a SUS Server to a WSUS Server" topic in Deploying Microsoft
Windows Update Services at http://go.microsoft.com/fwlink/?LinkID=41777.
Syntax
wsusutil migratesus [/content contentshare] [/approvals servername [computergroup]]

[/log logfile] [/?]
The parameters are defined in the following table:
/content contentshare Migrates content from a SUS 1.0, where

contentshare is the path to the folder that
contains SUS 1.0 content.
/approvals servername Migrates approvals from the SUS 1.0

server, where servername is the name of
the SUS 1.0 server.
computergroup Computer group for which you want to

apply the approvals.
/help or /? Displays command-line help for the

migratesus parameter.
/log logfile File in which migration activities are

logged.
Movecontent
When you run this command, WSUSutil.exe does the following:
• Copies the update files from the old location into the new location.
• Updates the WSUS database to refer to the new location of the update files.
61
The destination folder where update files are moved to must be on an NTFS partition.
The content move tool will not try to copy update files if they already exist in the
destination folder. WSUSutil.exe sets the same permissions on the destination folder that
were set on the original folder.
Note
You can use xcopy, the Backup utility, or other non-WSUS specific methods to
copy update files from the old location into the new one. If you copy the files by
using a method other than WSUSutil.exe, you still need to run WSUSutil.exe to
perform the second part of the move. In this case you would use the skipcopy
parameter when running WSUSutil.exe. See "Syntax" below for more
information.
There are two scenarios in which you might move update files from one WSUS drive to
another:
• If the drive is full
• If the hard disk fails
If the drive is full
If the drive where WSUS stores update files is full, you can do one of the following:
• Add more space to your current drive by using NTFS functionality. This is done
without using WSUSutil.exe. This method does not affect WSUS configuration or
operation.
• Install a new drive, and then move the update files from the old drive to the new
location by using Wsusutil.exe.
If the hard disk fails
If the hard disk that stores update files fails, you must do the following:
1. Install the new disk on your computer, and then restore the update files from your
backup files. Note: If you have not backed up your update files, WSUSutil.exe
downloads the missing files at the end of the content move operation.
2. Run the content move operation, specifying the location for the new disk. In
addition, you specify the skipcopy parameter, because you are either putting the
files in the new folder through the Backup utility or the source folder does not exist;
the update files will be downloaded at the end of this process.
3. When the move operation is complete, all the missing files are downloaded.
Syntax
62
wsusutil movecontent contentpath logfile -skipcopy [/?]
The parameters are defined in the following table.
contentpath The new root for content files. The path

must exist.

create.
-skipcopy Indicates that only the server configuration

should be changed, and that the content
files should not be copied.
/help or /? Displays command-line help for

movecontent command.
Reset
You use this command if you store updates locally on your WSUS server and want to
ensure that the metadata information stored in your WSUS database is accurate. With
this command, you verify that every update metadata row in the WSUS database
corresponds to update files stored in the local update file storage location on your WSUS
server. If update files are missing or have been corrupted, WSUS downloads the update
files again. This command might be useful to run after you restore your database, or as a
first step when troubleshooting update approvals.
Syntax
wsusutil reset
Deleteunneededrevisions
If you use an MSDE database in your WSUS implementation (for example, if you are
using WSUS on a server running Windows 2000), you might need to run this command
periodically when the database reaches its 2-GB limit because once the database is full,
you cannot synchronize new updates to your server, add new computers, or import
events from existing client computers.
63
With regular use, it is possible that the 2 GB will be reached quickly, as updates can be
very large, and update publishers typically create multiple revisions of each update,
which your server will synchronize automatically for the products and update
classifications you specify. In addition, event information for client computers also
populates the database. When your MSDE database is close to reaching its limit, you will
receive a notification on the WSUS console Home page alerting you to run this command
soon. When you run this command, unneeded revisions and the events associated with
those revisions are deleted from the database.
Unneeded revisions are revisions to software or drivers updates that have not been
deployed to a computer group in at least one month; they are also the latest revisions to
expired driver updates that have not been deployed to a computer group for at least one
month. The one-month time period in both of these cases can be changed, indirectly. It
automatically gets reduced by 7 to 15 days if you reduce the size of a database that is
larger than 1 GB by less than 25 percent in the process of running this command.
Note
For more information about the databases you can use with WSUS, see the
"Choose the Database Used for WSUS" topic in Deploying Microsoft Windows
Update Services at http://go.microsoft.com/fwlink/?LinkID=41777.
Syntax
wsusutil deleteunneededrevisions
Important
Before running this command, you must stop the World Wide Web publishing
service in IIS. You must restart it only after you have finished running this
command. To stop or start the IIS service, open IIS, navigate to and then right-
click the Web site where WSUS is is installed (by default this is the Default Web
Site), and then click Stop or Start.
Listinactiveapprovals
If you change language options on an upstream WSUS server, you can create a situation
where the number of updates approved on a parent upstream server does not match the
number of approved updates on a replica server.
Here is a scenario where this might occur:
You have configured your upstream parent server to synchronize from Microsoft Update
and have left the language setting set to All Languages (the default). You then run
synchronization and approve 300 updates, of which 50 are not English language
64
updates. You then change the language setting on the server to English only. After this,
a replica server synchronizes from the parent upstream server and downloads only the
"active" approvals, which now are only the English language ones (replica servers always
only synchronize active approvals). At this point, if you look on the WSUS console on the
parent server, you will see that 300 updates are approved. If you do the same on the
replica server, you will see that only 250 are approved. You would use
listinactiveapprovals to see a list of the updates on the parent upstream server that are
permanently inactive—in this case, you would see the 50 updates that are not English.
You can run this command if you want to see a list of the inactive approvals (for example,
to help you decide if you want to remove the inactive approvals). You do not have to run
this command before running the removeinactiveapprovals command.
Syntax
wsusutil listinactiveapprovals
Removeinactiveapprovals
The scenario in which you would use this command is the same as the one described for
listinactiveapprovals. However, while you use listinactiveapprovals to list the inactive
approvals on the parent upstream server, you use removeinactiveapprovals to remove
them. You do not have to run the listinactiveapprovals command before running this
command.
Syntax
wsusutil removeinactiveapprovals
Monitoring Windows Server Update Services

In this section
• Update Status Terminology
• Running Reports
Update Status Terminology

You can access update status from various locations in the WSUS console. The following
table defines each possible status that can be reported by WSUS for an update. Typically,
WSUS presents update status for a particular computer (for example, the status of an
65
update on one computer) or computer group (for example, status for the five computers
in Computer Group X on which the update has been installed).
Update Status Definitions
Status Description
Installed The update was installed on the computer.

66
Status Description
Needed This is the positive result of a Detect only

approval. When referring to the status of
one computer, Needed means the update is
compliant with (and should be installed on)
the computer. When referring to status for a
computer group, the Needed column
displays the number of computers in the
group with which the update is compliant.
Additionally, a positive Needed result
means, technically, that as of the last time
client computers made contact with the
WSUS server, the update was determined
to be compliant, but has not been installed.
Therefore, it is possible that any of the
following could be true when the status for
an update is Needed:
You have approved the update for

installation but the client computers have
not yet contacted the WSUS server since
you made this change.
You have not yet approved the update for

installation, although the Detect only action
has been performed.
The update has already been downloaded

and installed, but the client computer has
not contacted the WSUS server since the
update was installed.
The update has already been downloaded

and installed but the update requires that
the client computer be restarted before
changes go into effect, and the client
computer has not yet been restarted.
The update has been downloaded to the

computer but not installed.
The update has been neither downloaded

nor installed on the computer.
67
Status Description
Not needed This is the negative result of a Detect only

approval. When referring to the status of
one computer, Not needed means the
update is not compliant with or required by
that computer. When referring to the status
for a computer group, the Not needed
column displays the number of computers in
the group for which the update is not
compliant or required.
Unknown Typically, this means that since the time that

the update was synchronized to the WSUS
server, the computer has not contacted the
WSUS server.
Failed An error occurred when either a detection or

an installation was attempted on the
computer for the update.
Last contacted This is the date on which the computer last

contacted the WSUS server.
Running Reports
Reports enable you to monitor the components of your Windows Server Update Services
implementation.
Using the Reports Page

You can generate three main reports from the Reports page, as described in the
following table, and in the sections that follow.
Reports Available on Reports Page
Report Name Function
Status of Updates View the status of all approved updates by

computer group and computer.
68
Report Name Function
Status of Computers View the status of client computers and the

status of updates on those computers (for
example, a summary of updates that have
been installed or are needed for a particular
computer).
Synchronization Results View a list of new updates, update

revisions, and errors that occurred during
synchronization.
Settings Summary View or print a summary of the settings

configured through the Options page.
Status of Updates Report

The Status of Updates report enables you to view the status for all of your approved
updates. You can view the report in three ways: you can view the status of an update at a
high level, by computer group, and by computer.
The report displays information resulting from the most recent contact between client
computers and the WSUS server. The frequency with which client computers contact the
WSUS server is configured through Group Policy. By default, this is every 22 hours.
Unless you want to change the contact frequency for your client computers, generate this
report the day after you approve updates, so that it reflects your latest approvals. For
more information about configuring Group Policy, see Deploying Microsoft Windows
Server Updates Services at http://go.microsoft.com/fwlink/?linkid=41777&clcid=0x409.
Note
You can use a command-line tool on client computers that are running the WSUS
client software (Automatic Updates) in order to initiate contact between the client
computer and WSUS server. This can be useful if you want to get immediate
update status for a particular computer—you can run this tool to force connection
and then generate a Status of Updates report.
To initiate immediate contact between a client computer and WSUS server

• On the client computer, at the command prompt, type wuauclt.exe
/detectnow, and then press ENTER.
69
To run a Status of Updates report

1. On the WSUS console toolbar, click Reports.
2. On the Reports page, click Status of Updates.
Update summary view
The update summary view is the default view that appears when you run a Status of
Updates report. By default, the report displays an alphabetical list of approved updates.
You can filter the display by both approval action and computer group by making
appropriate selections under View and then clicking Apply. Your filter is reset to the
default list of all updates when you close the Status of Updates report.
The columns displayed in the update summary view are described in the following table.
Description of Columns Displayed in Update Summary View
Column Name Description
Title The name of the update.
To view the properties for an update, click

an update in this column. The update
properties box provides the following
information:
The Details tab contains general

information about the update.
The Status tab contains status information

for the update by computer group. This is
also what you see in computer group view.
You can also expand this view into computer
view by expanding a computer group.
The Revisions tab displays information

about changes to the update.
Installed The number of computers on which the

update has been installed.
70
Needed The number of computers for which the

update is applicable but not installed. For
these computers, a detect-only action has
been performed for the update. If an update
requires a restart, then a computer that has
installed the update will continue to appear
in the Needed column until it is restarted.
Failed The number of computers that last reported

a failed download, installation, or removal
(uninstallation).
Last Updated The date that the latest action for this
update occurred.
Computer group view
The computer group view displays the status of an update by computer group. To use this
view, expand any update that is listed in update summary view.
The columns displayed in the computer group view are described in the following table.
Description of Columns Displayed in Computer Group View
Computer Group The name of the computer group to which

the update has been targeted.
Approval The action that this update has been

approved for, specific to the group.
Deadline The deadline for the action, if you have set

a deadline.
Installed The number of computers on which the

update has been installed.
71
Needed The number of computers for which the

update is applicable but not installed. For
these computers, a detect-only action has
been performed for the update. If an update
requires a restart, then a computer that has
installed the update will continue to appear
in the Needed column until it is restarted.
Failed The number of computers that last reported

a failed download, installation, or removal
(uninstallation).
Computer view
The computer view displays the status of each computer in a computer group. To use the
computer view, expand a computer group.
The columns displayed in this view are described in the following table.
Description of Columns Displayed in Computer View
Computer Name Name of the computer
To see the properties for the computer, click

the computer name. The computer
properties dialog box that appears displays
details and status for the computer. The
Status tab displays the result of the last
communication between the WSUS server
and the computer, and the status of updates
for which an action has been approved on
the computer.
72
Status The status will be one of the following:
• Failed - The download, installation,

or removal action for the update on this
computer was not completed.
• Needed - The update is applicable

but not installed. If an update requires a
restart, then a computer that has
installed the update will continue to be
counted as needed until it is restarted.
• Not needed - The update is not
applicable.
• Installed - The update has been

installed.
• Unknown - No action has been

performed on the computer.
To see details for an event, click the result in

the Status column.
Printing the report
You can print the report in update summary, computer group, or computer view,
depending on how you have expanded the Status of Updates report.
To print the Status of Updates report

1. Expand your report into update summary, computer group, or computer view,
depending on the information you want to print.
2. Under Tasks, click Print report.
Note
You cannot use the Print report task to print a dialog box, and the Print report
task is not enabled if a dialog box is open.
Status of Computers Report

The Status of Computers report provides both a cumulative and individual update status
summary for computers in the computer group and for the update status results you
73
specify. The following table provides more information about the status provided for each
update.
Description of Status Displayed in Status of Computers Report
Status Description
Installed The update was installed on the computer.
Needed A detection was performed on the computer

for the update, which determined that the
update should be installed on the computer.
Not needed Either the update is already installed on the

computer, or the update does not belong to
a product or classification you specified
when configuring synchronization options.
Unknown Typically, this means that since the time that

the update was synchronized to the WSUS
server, the computer has not yet contacted
the WSUS server.
Failed An error occurred when either a detection or

an installation was attempted on the
computer for the update.
Last contacted This is the date on which the computer last

contacted the WSUS server.
You can also print the report, including the list of individual updates with status for
individual computers, if you have expanded the computers (clicked the + symbol).
However, you cannot print the dialog box that appears when you click individual updates
in the list or when you click the status for an individual update.
To run a status report for computers

1. On the WSUS console toolbar, click Reports, and then click Status of
Computers.
2. Under View, select the criteria you want to use to filter the report, and then
click Apply. The report displays a cumulative update status summary for all of
the computers in the computer group and for the status you specified.
3. If you want more information about a specific computer, you can do the
74
following:
• To view the status of individual updates for the computer, expand the
computer (click the + sign next to the computer). In addition, you can see the
properties of an individual update by clicking the title of the update.
• To view more information about the specific status result of an update (or,
the event details), click the status for the update.
4. To print the report, under Tasks, click Print report.
Synchronization Results Report

The Synchronization Results report enables you to see synchronization information for
your server for a given time period, including errors that occurred during synchronization
and a list of new updates. In addition, you can get general, status, and revision
information for each new update.
To run a Synchronization Results report

2. On the Reports page, click Synchronization Results. By default, the report

displays synchronization results for the last 30 days.
3. To change the synchronization period for the report, under View, select
another synchronization period in the list, and then click Apply.
4. To print the report, under Tasks, click Print report.
Note
The Print report task is not enabled if you have a dialog box open. You
cannot use the Print report task to print a dialog box.
The report has four components, which are described in the following table.
Components of Synchronization Results Report
Component Name Purpose
Last Synchronization Displays information about the last time the

WSUS server synchronized with Microsoft
Update or another WSUS server, and if it
was a successful synchronization.
75
Synchronization Summary Displays summary information about new

updates and errors that occurred during
synchronization.
Errors For each error, displays the date of the

error, a description of the error, and the
update ID associated with the error.
New Updates Displays the updates that have been

synchronized to the WSUS server for the
given time period.
You can view the properties for each new
update by clicking the update in the New
Updates list. The update properties dialog
box that appears contains details, status,
and revision for the update. It is identical to
the update properties box that appears in
the Status of Updates report when you click
an update in the list. It is also identical to
the properties tabs associated with each
update on the Updates page.
Settings Summary Report

The Settings Summary report enables you to view and print a summary of all of the
settings that can be specified on the Options page.
To run a Settings Summary report

2. On the Reports page, click Settings Summary.
The following table describes the components of the Settings Summary report.
Components of Settings Summary Report
Synchronization Schedule The time that your WSUS server

automatically synchronizes to the update
source.
76
Products and Classifications The update products and classifications that

you want to synchronize with your server.
Update source The location from which the server

synchronizes.
Proxy server The proxy server used during

synchronization.
Update Files The location where update files are stored

(on the WSUS server or on Microsoft
Update). Also, the download options you
have selected.
Languages The languages for the updates that

synchronize to the server. Only updates
available in the languages specified are
synchronized with the WSUS server.
Automatic Approval The automatic approval settings for specific

update classifications, targeted by computer
group.
Revisions to Updates The approval action that your WSUS server

will perform when revisions to existing
updates are available; whether update
revisions are automatically approved by
your server, or whether they must be
manually approved.
Downstream servers The servers which receive updates from the

WSUS server.
Client computer Options The method you have selected for

assigning computers to groups.
Database The name of the database used by the

WSUS server.
To print a Settings Summary report

• Under Tasks, click Print report.
77
Running Compliance Status Reports
You can view or print two types of compliance status reports, one for individual computers
and one for individual updates:
• The computer compliance status report summarizes information for a specific

computer, including basic software and hardware information, the success status of
the computer's last contact with the WSUS server, and cumulative and individual
update status for the computer. In addition, you can get more information about a
specific update by clicking the update title.
• The update compliance status report summarizes information for a specific

update, including the update properties, and status for each computer group. You can
run this report from the Updates page as described in the following procedure;
however, this report is also available on every update property dialog box.
To run a computer compliance status report

1. On the WSUS console toolbar, click Computers, and then click the computer
for which you want to produce the compliance status report.
2. Click Print status report.
3. If you want more information about a specific update under Update Status,
you can do the following:
• To view the properties of an individual update, click the title of the update.
• To view more information about the specific status result of an update (or
the event details), click the status for the update.
4. To print the report, click the File menu, and then click Print.
To run an update compliance status report

1. On the WSUS console toolbar, click Updates, and then click the update for
which you want to produce the compliance report.
2. Click Print status report.
3. To print the report, click the File menu, and then click Print.
78
Securing Windows Server Update Services

For synchronization with upstream WSUS servers, you can use Secure Sockets Layer
(SSL) protocol to secure the update metadata portion of the synchronization. WSUS can
use SSL to:
• Enable client computers and downstream WSUS servers to authenticate an

upstream WSUS server.
• Encrypt metadata passed on to client computers and downstream WSUS

servers.
For more information about configuring your WSUS server to use SSL, see Deploying
Troubleshooting Windows Server Update

Services
This guide provides troubleshooting information for Windows Server Update Services.
In this guide
• WSUS Server Administration Issues
• Client Computer Administration Issues
Verifying WSUS Server Settings

This topic covers typical WSUS Server settings.
Settings for Update File Synchronization and Download

This section covers the following issues which affect update file synchronization and
download:
• Registry settings
• Configuration settings
• IIS settings
• Permissions
79
Important
These settings are configured during WSUS setup by default. They are listed
here as a reference, to use as checkpoints when troubleshooting. When
troubleshooting, you can verify that these settings are in place.
Registry settings
Following are registry settings configured during setup on the WSUS server. These
settings do not store server configuration information. All configuration information is
stored in the WSUS database (SUSDB.mdf).
All of the following Registry entries are within the \HKLM\Software\Microsoft\Update

Services\Server\Setup Registry key:
• ContentDir – the location under which update binaries and end user license
agreement files are stored. If the user chose to install WMSDE during setup, this
location also contains the database storage files and log files; for example, C:\WSUS.
Note the following:
• <ContentDir>\WsusContent contains the update files
• <ContentDir>\MSSQL$WSUS contains the database files (if WMSDE)
• TargetDir – the product installation location; for example, C:\Program

Files\Update Services
• WmsdeInstalled – this entry specifies whether or not WMSDE was used in the
original installation; for example, 1=yes, 0=no. Note: This key does not get modified if
your later migrate the WMSDE database to a full SQL Server database.
• SqlServerName – The main registry key used under regular server operation.
This is used to bootstrap the server components with the database server where the
rest of data and server configuration is used. Ex: %computername%\WSUS for
WMSDE. Use this key to quickly figure out which SQL server the WSUS server is
using (especially in the remote SQL case).
• SqlDatabaseName – the name of the database. For WSUS 2.0, this is always
SUSDB.
• SqlAuthenticationMode – the authentication mode WSUS uses to talk to the

database server. For WSUS 2.0, this is always WindowsAuthentication.
Configuration settings
All of the following server configuration settings are stored inside the WSUS database
(SUSDB.mdf).
80
What is Database storage location Description

configured
Update tbConfigurationA.SyncToMu The first database

Storage location specifies
tbConfigurationA.UpstreamServerName
the update source
for client computers.
The values possible
are:
0 – WSUS server
1 – Microsoft
Update
The second
database location
specifies the name
of the upstream
WSUS server, if you
have chosen one as
the update source.
Express (PSF) tbConfigurationC.DownloadExpressPackages This setting controls

file download whether or not
express installation
files are
downloaded. The
values possible are:
0 – Do not
download express
files (default) option.
1 – Download
express files.
On the WSUS
console, this is
configured on the
Advanced
Synchronization
Options box.
81
What is Database storage location Description

configured
Language tbLanguage.Enabled This setting controls

options which language
binaries are to be
downloaded. By
default, all
languages are
enabled.
On the WSUS
console this is
configured on the
Advanced
Synchronization
Options box.
BITS tbConfigurationC.BitsDownloadPriorityForegroun This internal setting

download d specifies whether or
priority not to use
foreground priority
for BITS downloads.
The default is to use
throttled downloads.
This setting was
added to handle
issues with certain
proxy servers that
did not correctly
handle HTTP 1.1
restartable
downloads.
IIS settings
The following virtual directories (vroots) are created in IIS (in the Default Web Site by
default) for client to server synchronization, server to server synchronization, reporting,
and client self-update.
82
Vroot in IIS Properties
ClientWebService Directory: %ProgramFiles%Update

Services\WebServices\ClientWebService
Application Pool: WsusPool
Security: Anonymous Access Enabled.
Execute Permissions: Scripts Only
Content Directory: e:\wsus\wsuscontent
Security: Anonymous Access Enabled
Execute Permissions: None
DssAuthWebService Directory: %ProgramFiles%Update

Services\WebServices\DssAuthWebService
ReportingWebService Directory: %ProgramFiles%Update

Services\WebServices\ReportingWebService
ServerSyncWebService Directory: %ProgramFiles%Update

Services\WebServices\ServerSyncWebService
SimpthAuthWebService Directory: %ProgramFiles%Update

Services\WebServices\SimpleAuthWebService

83
Vroot in IIS Properties
WSUSAdmin Directory: %ProgramFiles%Update

Services\Administration
Security: Integrated Windows Authentication.
SelfUpdate Directory: %ProgramFiles%Update

Services\SelfUpdate
Security: Anonymous Access Enabled,

Integrated Windows Authentication.
Permissions
The following lists permissions necessary for specific folders on the WSUS server disk
and registry permissions.
Disk
The following permissions are configured during WSUS setup, and are important for BITS
downloads to work:
• The root folder on the drive where the WSUSContent folder resides (for
example, <%windir%>\WSUS\WSUSContent) must have Read permissions for
either the Users account or the NT Authority\Network Service account (on
Windows 2003). If this permission is not set, BITS downloads will fail. Note: this is the
permission that WSUS setup does not configure, so make sure the permissions are
set as described here
• The WSUS content directory, usually <%windir%>\WSUS\WSUSContent must

have Full Control permission granted to the NT Authority\Network Service
account. This permission is set by WSUS server setup when it creates the directory,
but it is possible that your security software might reset this. permission. Not having
this permission set will also cause BITS downloads to fail.
• The NT Authority\Network Service account (on Windows 2003) must have Full
Control permissions to the following folders for the WSUS console to display the
pages correctly:
84
• <%windir%>\Microsoft .NET\Framework\v1.1.4322\Temporary ASP.NET
Files
• <%windir%>\Temp
Registry
The following permissions are set for the Registry during WSUS setup.
• The Users group must have Read access to the

\HKLM\Software\Microsoft\Update Services\Server Registry key.
• The following accounts must have Full Control permissions to the

\HKLM\Software\Microsoft\Update Services\Server\Setup Registry key:
• ASP.NET
• Network Service (for Windows Server 2003)
• WSUS Administrators
WSUS Server Administration Issues

In this section
• Setup Issues
• Uninstalling WSUS from SQL Server
• Cannot access the WSUS console
• Update storage issues
• Synchronization issues
• Update approval issues
• Client computers do not appear in the WSUS console
• Backup and restore issues
• General error messages
Setup Issues
If you are having trouble installing WSUS, use the following information to troubleshoot
the problem.
85
Check for required software and hardware
WSUS has a number of requirements that need to be met prior to installation. For more
information, see Deploying Microsoft Windows Server Update Services at
In some cases, setup might fail if you choose the WMSDE database
In some cases, when you choose the WMSDE database, Setup tries to repair WMSDE
and falls into an infinite loop. This is a known issue with the RC release of WSUS. Use
this Knowledge Base article at http://go.microsoft.com/fwlink/?LinkId=48007 to recover
from this problem and install WSUS by using WMSDE.
If the Server service is not running when you install WSUS, the
WSUS installation fails
If you select WMSDE for your database software and the Server service is not running on
the computer where you intend to install WSUS, the WSUS installation fails. This is
because WMSDE requires the Server service to be running to install, and if WMSDE fails
to be installed, the WSUS installation fails.
To work around this issue, turn on the Server service, and run WSUS Setup again. Use
the Knowledge Base article You cannot install MSDE 2000 if the Server service is not
running at http://go.microsoft.com/fwlink/?LinkId=48009 to recover from this problem and
install WSUS by using WMSDE.
You cannot install MSDE 2000 if the Server service is not running
Upgrade Issues
When an upgrade fails, WSUS might be uninstalled

Depending on at what point an upgrade fails, you might lose your previous WSUS
settings and data. Therefore, before attempting an upgrade, back up the following:
• WSUS database
• Update file storage folder
For information about backing up and restoring your existing WSUS installation, see
Backing Up Windows Server Update Services.
86
Uninstalling WSUS from SQL Server

If you uninstall WSUS, read the following information.
Uninstalling might leave some WSUS configurations on computers

running SQL server
Local SQL Server accounts that are created by WSUS Setup are not removed by the
WSUS uninstall component. The WSUS uninstall component does not remove Network
Service and ASP.NET accounts from the local computer running SQL server. If some
other application or database is using these accounts, this ensures that these
applications or databases do not fail. If you are sure that no other application or database
requires the Network Service or ASP.NET accounts, you can manually remove them from
the computer running SQL server.
For information about how to manually remove Network Service or ASP.NET accounts
from a computer running SQL Server 2000 or MSDE, see SQL Server product
documentation. You can download product documentation for SQL Server 2000 from the
SQL Server 2000 Books Online (Updated 2004) page of the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=13959.
Cannot access the WSUS console

If you get an error when using or trying to access the WSUS console, use the following
information to troubleshoot the problem.
Grant users permissions for WSUS console access

If users do not have appropriate permissions for the WSUS console, they receive an
"access denied" message when trying to access the WSUS console. You must be a
member of the Administrators group or the WSUS Administrators group on the server on
which WSUS is installed in order to use the WSUS console.
Note
If WSUS is installed on a domain controller, only a member of the Domain
Administrator group can use the WSUS console.
To add a user to the WSUS Administrators group

1. On the WSUS server, click Start, click Administrative Tools, and then click
Computer Management.
2. In Computer Management, expand Local Users and Groups, click

87
Groups, and then double-click WSUS Administrators.
3. In the WSUS Administrators Properties dialog box, click Add.
4. In the Enter the object names to select (examples) box, type the object
name, and then click OK.
You cannot access the WSUS console with an IP address when

WSUS is configured to use a proxy server
If you have WSUS configured to use a proxy server, then you cannot access the WSUS
console by using an IP address. To work around this issue, use a domain name to access
the WSUS server, for example, for the user name, type: DomainName\user name for the
user name, when prompted to log in on the WSUS console.
Cannot access the WSUS console and a timeout error message

appears
If you cannot access the WSUS console and a timeout error message appears, the CPU
of the WSUS server may be at, or very close to, maximum utilization, causing the
database to time out. If the database software times out, the WSUS console cannot be
displayed.
One way of inadvertently overtaxing your WSUS server is to have antivirus software
installed on it, which is monitoring the WSUS content directory. During synchronization,
the antivirus software can overload out the CPU. You can work around this situation by
setting the antivirus software to ignore where WSUS content is stored.
Cannot access the WSUS console on a Windows 2000 server after

applying the hisec server.inf security template
This issue applies only to Windows 2000 servers. If you cannot access the WSUS
administrative console after applying the hisec server.inf security template, you need to
relax security permissions for ASP.NET and IWAM local machine accounts in order for
the WSUS console to function.
The workaround is to give read access for IWAM and ASP.NET accounts to the following
registry key.
HKEY_LOCAL_MACHINE\software\microsoft\update services
88
To give read access for the IWAM account on Windows 2000 Server configured
as a domain controller
2. In the Open box, type regedit.exe and then click OK.
3. In Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE \Software\Microsoft\Update Services
4. Point to Edit, and then click Permissions.
5. In the Permissions for Microsoft Windows Server Update Services

properties dialog box, click Add.
6. In the Select Users, Computers, or Groups box, click Locations.
7. In the Locations dialog box, select the local computer, and then click OK.
8. In the Select Users, Computers, or Groups box, type

computer_name\ASPNET and computer_name\IWAM_computer_name in the
Enter the object name to select (examples) box. Use a semicolon to separate
names. For example, type
computer_name\ASPNET;computer_name\IWAM_computer_name
where computer_name is the name of the computer.
9. Select computer_name\ASPNET, and click the Read box in the Allow

column.
10. Select computer_name\IWAM_computer_name, and click the Read box in

the Allow column, and then click OK.
Promoting the WSUS server to a domain controller might disrupt

your ability to access the WSUS console
When you promote a WSUS server to a domain controller and then try to access the
WSUS console, you might receive a message similar to the following:
Server Error in '/' Application.
Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET

Files\wsusadmin\8c91a6b5\649b28ba\global.asax.xml" is denied.
89
This occurs if IIS 6.0 and ASP.NET are installed on the server before the server is
promoted to a domain controller. This is because the Network Service group does not
have sufficient permissions for the Temporary ASP.NET Files folder. To avoid this
problem, make sure that you promote the WSUS server to a domain controller before you
install IIS 6.0 and ASP.NET. To resolve this issue, enable appropriate permissions for the
Network Service group by using the following procedure.
To enable appropriate permissions for the Network Service group

3. At the command prompt, type the following, and then press ENTER:
drive:\windows\microsoft .net\framework\v1.1.4322\aspnet_regiis -i
where drive is the drive letter of the disk on which you installed Windows.
Cannot access the WSUS console on Windows 2000 Server

configured as a domain controller
If you cannot access the WSUS administrative console and you are using Windows 2000
Server configured as a domain controller, you need to relax security permissions for
ASP.NET in order for the WSUS console to function. The workaround is to give read
access for IWAM account to %windir%\assembly.
To give read access for the IWAM account on Windows 2000 Server configured
as a domain controller
• At the command prompt, type the following, and then press ENTER:
cacls %windir%\assembly /e /t /p IWAM_xxxx:R
where %windir% is the Windows directory of the computer and where

IWAM_xxxx is the IWAM computer account.
For details, see the Knowledge Base article at http://support.microsoft.com/default.aspx?

scid=kb;[LN];317012
Update storage issues

Updates can be stored on the local WSUS server or on Microsoft Update. Use this
section to troubleshoot problems with update storage.
90
The updates listed in the WSUS console do not match the updates
listed in your local folder
This can happen under different circumstances. For example, if updates are stored on a
disk separate from the WSUS application itself, and that disk fails, when you replace the
failed disk with a new (empty) disk, the WSUS application will still show all of the updates
as downloaded.
To have WSUS verify which updates are stored on the disk, you must run the
WSUSutil.exe using the reset command.
Note
Performing a reset causes the WSUS server to be unresponsive for up to five
minutes.
To have WSUS verify locally stored updates

3. At the command prompt, navigate to the directory that contains

WSUSutil.exe.
4. Type the following, and then press ENTER: wsusutil.exe reset
Synchronization issues
Synchronization is the process in which the WSUS server connects to Microsoft Update
or to another WSUS server and downloads updates. During synchronization, WSUS
determines if any new updates have been made available since the last time you
synchronized. If it is your first time synchronizing WSUS, all updates are made available
for approval. If synchronizations are failing, you can try the following procedures.
Check proxy-server settings by using the WSUS console

If your WSUS server is connected to Microsoft Update via a proxy server, you must use
the WSUS console to allow WSUS to access the Internet. For basic instructions about
setting up a proxy server, see Deploying Microsoft Windows Server Update Services at
http://go.microsoft.com/fwlink/?linkid=41777&clcid=0x409. If your proxy server supports
authentication, make sure you have the correct user name, password, and domain. Note
91
that if you use the WSUS console option for Allow basic authentication (password in
clear text), the password for the account is sent over the network in unencrypted text.
Check the name of the upstream WSUS server

If your WSUS uses another WSUS server as its update source, make sure you are using
the correct name for the upstream WSUS server and that you have spelled it correctly.
For basic instruction about synchronizing two WSUS servers, see Deploying Microsoft
Windows Server Update Services at http://go.microsoft.com/fwlink/?
linkid=41777&clcid=0x409. The name that you enter in the WSUS console on the
downstream WSUS server must match the name of the upstream WSUS server.
To determine if there is a problem with network name resolution services, use the ping
command from the downstream WSUS server that cannot synchronize. You should use
the same naming convention that is used in the WSUS console. For example, if you used
a NetBIOS name in WSUS console, use the NetBIOS name of the upstream server with
the ping command. If you cannot ping the upstream server, you might have a problem
with network name resolution services. To work around this type of issue, you could use a
different name resolution service or the IP address of the upstream server.
To ping an upstream WSUS server by using the ping command

1. Click Start, and then click Run
3. Type the following, and then press ENTER:
ping WSUSServerNname
where WSUS server name is the name of the upstream WSUS server you are
trying to synchronize with.
Check update storage options

If you have multiple WSUS servers chained together in a hierarchy, the entire hierarchy
must use the same update storage option or else synchronizations fail. For example, if
the upstream WSUS server stores content locally, all the downstream WSUS servers
must store content locally. Check that each WSUS server in the chain uses the same
update storage option. For information about how to set WSUS update storage options,
see Deploying Microsoft Windows Server Update Services at
92
Verify that users and the network service have Read permissions to
the local update storage directory
If you store update files on your WSUS server, you need to ensure that the folder to
which you download update files has at least Read permissions for the network service
and for users. This is true whether the server you download the update files to is an
upstream or downstream WSUS server. The folder where update files are stored if you
have chosen to store them locally (as opposed to storing them on Microsoft Update
servers) is %systemdrive%\Update Services\US content.
On a downstream WSUS server, check that the updates are available

on the upstream WSUS server
There are number of situations where the updates on the upstream server no longer
match the updates being requested at synchronization by the downstream server. Some
of the following are examples of when this might occur:
• An upstream WSUS server is re-installed and the list of classifications and

products the administrator selects is a reduced number than previously selected on
the earlier installation of the WSUS upstream server. The downstream server(s)
might then attempt to synchronize updates that the newly rebuilt upstream server has
no knowledge of. Therefore the synchronization would fail for those updates that do
not exist on the upstream server.
• If you configure a downstream server to get updates from a different upstream

server with different products and classifications selected.
To troubleshoot this issue, on the downstream server, make a note of the title of the
updates for which download failed. These will be visible on the Updates page, and
marked with a red X. Then, check if these updates exist on the upstream server (look at
the Updates page. If they do not match, do one of the following, depending on which
updates you need:
• Specify the missing updates on the upstream server, and then synchronize from
the update source.
• On the downstream server, cancel the updates that are not on the upstream
server, if these updates are no longer needed. Then decline the old updates on the
downstream server.
• If the missing updates (according to the downstream server) are actually

available on the upstream server, then the error is transient, meaning the update
might have been downloaded to the upstream server after it was requested by the
downstream server. This issue will resolve itself the next time the downstream server
synchronizes to the upstream server.
93
Restart the BITS service
If the BITS service was disabled during synchronization, synchronization will fail. To
ensure that the BITS services is properly enabled, restart both the BITS service and
restart the WSUS service.
To restart the BITS service and the WSUS service

1. On the WSUS server, click Start, point to Administrative Tools, and then
click Services.
2. Right-click Background Intelligent Transfer Service, and then click

Restart, or click Start if the BITS service is not running or has been disabled.
3. Right-click Windows Update Service, and then click Restart.
4. Retry synchronization: in the WSUS console, click Options, click

Synchronization Options, and then under Tasks, click Synchronize now.
If you are unable to download update files to your local WSUS server,
your server might not support the necessary HTTP protocol
If synchronization of update files to your WSUS server fails, you might see the following
message in the corresponding event log:
Content file download failed. Reason: The server does not support the necessary
HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the
server support the Range protocol header.Source File: /msdownload/update/v3-
19990518/cabpool/windows2000-kb873339-x86-
enu_500e4656b4f0ca3431565631989090bbeeb74bcc.exe Destination File: %drive
%\wsus\WsusContent\WsusContent\CC\500E4656B4F0CA3431565631989090BBEEB74BCC.EXE.
This problem occurs if your proxy environment doesn’t support HTTP 1.1 Protocol. You
can manually work around this by running the following commands at the command
prompt to configure BITS.
To resolve this issue:

1. Type: net stop WSUSService, and then press ENTER.
2. Type the following and then press ENTER:
"%programfiles%\Update Services\tools\osql\osql.exe"
-S SQL_InstanceName
-E -b -n –Q "USE SUSDB update tbConfigurationC

94
set BitsDownloadPriorityForeground=1"
3. Type: net start WSUSService.
4. Close the command prompt window and retry synchronization: in the WSUS
console, click Options, click Synchronization Options, and then under Tasks,
click Synchronize now.
The number of updates that are approved on a parent upstream

server does not match the number of approved updates on a
replica server
This might occur if you have changed language settings on the parent upstream server
after first synchronizing with the old language settings. For more information see
"Listinactiveapprovals" in Managing WSUS from the Command Line.
Update approval issues

If you are having problems with approvals, use the following sections to troubleshoot the
problem.
If IIS Lockdown is installed on WSUS and client computers, do not

download updates stored on the WSUS server
If you are using the IIS Lockdown Wizard and have installed the URLScan tool, ensure
that you edit the Urlscan.ini file to allow *.exe requests.
After you edit this file, you must restart both IIS and the WSUS server. You can find the
Urlscan.ini file in the\WINNT\System32\Inetserv\Urlscan directory on the boot drive of
your computer.
To edit the Urlscan.ini file

1. Open Urlscan.ini in a text editor.
2. Remove ".exe" from the [DenyExtensions] section.
3. Make sure the following settings appear under the [AllowVerbs] section:
• GET
• HEAD
• POST
• OPTIONS
95
New approvals can take up to one minute to take effect
If you approve an update on the WSUS console and there are client computers running
detection at that exact moment, those computers might not get the approved update until
they go through another detection cycle. The WSUS server requires approximately one
minute to begin offering newly approved updates to client computers.
Remote computers accessed by using Terminal Services cannot be

restarted by non-administrators
Non-administrators using terminal services computers will not be able to restart their
computers remotely. Therefore, if a remote computer on which an update is installed

needs to be restarted for the update to take effect, users without administrative
permissions will be unable to complete the updating of their remote computer.
The number of updates that are approved on a parent upstream

server does not match the number of approved updates on a
replica server
This might occur if you have changed language settings on the parent upstream server
after first synchronizing with the old language settings. For more information see
"Listinactiveapprovals," in Managing WSUS from the Command Line.
Client computers do not appear in the WSUS console

If you are having problems with client computers not appearing on the Computers page
in WSUS console, use the following sections to troubleshoot the problem.
Problem with client self-update

If you cannot get clients to appear on the Computers page in the WSUS console, it is
almost always a problem with client self-update, which is the mechanism that WSUS
uses to update the SUS client to the WSUS client (Automatic Updates) software. For
more information about client-self update, see Automatic Updates must be updated.
96
Backup and restore issues
If you cannot access WSUS data after restoring the database, check
the WSUS server name and user permissions for the
database
If you restore a WSUS database but cannot access the restored from the WSUS console
check for the following:
• If you have changed the WSUS server name since the backup, you must add the
corresponding users to the database to enable the WSUS console to access the
data.
• If you restore the backup to a WSUS server other than the one from which you
backed up the database, you will have the same result and must also add the
corresponding users.
• In either case, the users need to be granted permissions for public and Web
service.
General error messages

This topic covers general error messages displayed on the Home page or in dialog boxes
that open from the WSUS console.
…some services are not running. Check the following services…

On the Home page, you might receive a message telling you to check specific services.
The following briefly covers the services.
Selfupdate
See Automatic Updates must be updated for information about troubleshooting the
Selfupdate service.
WSUSService.exe
This service facilitates synchronization. If you have problems with synchronization,
access WSUSService.exe by clicking the Start button, pointing to Administrative Tools,
clicking Services, and then finding Windows Server Update Service in the list of
services. Do the following:
• Verify that this service is running. Click Start if it is stopped or Restart to refresh
the service.
97
• You can also use Event Viewer to check the Application, Security, and System
event logs to see if there are any events that might indicate a problem.
• You can also check the SoftwareDistribution.log to see if there are events that
might indicate a problem.
Web services
Web services are hosted in IIS. If they are not running, ensure that IIS is running (or
started). You can also try resetting the Web service by typing iisreset at a command
prompt.
SQL service
Every service except for the selfupdate service requires that the SQL service is running. If
any of the log files indicate SQL connection problems, check the SQL service first. To
access the SQL service, click the Start button, point to Administrative Tools, click
Services, and then look for one of the following:
• MSSQLSERVER (if you are using WMSDE or MSDE, or if you are using SQL
Server and are using the default instance name for the instance name)
• MSSQL$WSUS (if you are using a SQL Server database and have named your
database instance "WSUS")
Right-click the service, and then click Start if the service is not running or Restart to
refresh the service if it is running.
Client Computer Administration Issues

In this section
• Automatic Updates must be updated
• Computers are not appearing in the correct computer groups
Automatic Updates must be updated

WSUS uses IIS to automatically update most computers to the WSUS-compatible
Automatic Updates (WSUS client). This process is called client self-update. To
accomplish client self-update, WSUS Setup creates a virtual directory under the WSUS
Web site named Selfupdate. This virtual directory holds the WSUS-compatible Automatic
Updates. This is called the selfupdate tree.
Using Group Policy to point client computers to your WSUS server should eventually
cause an Automatic Updates detection and client self-update. For more information about
98
this process, see Deploying Microsoft Windows Server Update Services at
Troubleshooting client self-update issues

If the client self-update does not work automatically, use the following suggestions to
troubleshoot the problem.
How to differentiate between the SUS client and WSUS client

Use the Automatic Updates user interface (UI) to differentiate between the SUS and
WSUS clients. The following illustrations show the user interface of the SUS and WSUS
clients.
SUS Client
99
WSUS Client
Verify that the client software in your organization can self-update

Some computers might already have the WSUS client installed. Other computers might
have a version of Automatic Updates that is incapable of performing self-update. For
more information see Deploying Microsoft Windows Server Update Services at
http://go.microsoft.com/fwlink/?linkid=41777&clcid=0x409. If the clients in your
organization are capable of and require self-update but are still not self-updating, see the
next section.
Verify that the SUS clients are pointed to the WSUS server
If you have the WSUS client installed but the client computer is pointed to a SUS server,
Automatic Updates falls into legacy mode and the client computer uses the SUS client
user interface. In this case you need to redirect the computer away from the SUS server
to get the WSUS client to function. When you point Automatic Updates away from the
100
SUS server, it automatically comes out of legacy mode and the new client user interface
appears.
If your client computers are pointed to the WSUS server and you do not see the WSUS
client user interface shown above, see the next section.
Check for the selfupdate tree on the WSUS server

WSUS uses IIS to automatically update most client computers to the WSUS-compatible
Automatic Updates. To accomplish this, WSUS Setup creates a virtual directory named
Selfupdate, under the Web site running on port 80 of the computer where you install
WSUS. This virtual directory, called the self-update tree, holds the latest WSUS client.
For this reason, you must have a Web site running on port 80, even if you put the WSUS
Web site on a custom port. The Web site on port 80 does not have to be dedicated to
WSUS. In fact, WSUS only uses the site on port 80 to host the self-update tree.
To ensure that the self-update tree is working properly, first make sure there is a Web site
set up on port 80 of the WSUS server. Next, type the following at the command prompt of
the WSUS server:
cscript WSUSInstallationDrive:\program files\microsoft windows server update

services\setup\InstallSelfupdateOnPort80.vbs
If you have WSUS client self-update running on port 80 of the WSUS server, see the next
section.
Check IIS logs on the WSUS Server

Check the IIS logs on the WSUS server. IIS logs are typically located in %windir
%\system32\LogFiles\W3SVC1 for the default Web site. If you copied the Wutrack.bin file
to the \InetPub\wwwroot folder on the WSUS server when you set up client self-update,
you can open the IIS logs and search for Wutrack.bin to attempt to locate error messages
about why self-update is failing. Typical errors might be 404 (file not found) 401/403
(authentication/access), and 500 (Internal server error). Use IIS Help to troubleshoot any
problems found in the IIS logs.
If you have installed Windows® SharePoint® Services on the default Web site in
IIS, configure it to not interfere with Self-update
If you install Microsoft Windows Sharepoint Services on the same server that is running
WSUS, you might get the following issues:
• An "Access denied" message appears when Automatic Updates tries to update

itself, and the latest Automatic Updates will not be running.
101
• On the Home page, you a message appears warning you that the SelfUpdate
service is not available.
If client computers are not running the WSUS-compatible version of Automatic Updates,
they will not be able to receive updates through WSUS.
To resolve this issue

1. Grant Anonymous access (Anonymous Auth) to the Default Web site,
ClientWebService and Selfupdate v-roots in IIS.
2. Exclude specific requests from being intercepted by the Windows Sharepoint

Services ISAPI DLL by doing the following:
a. Open the Windows Sharepoint Services Central Administration Site (click

Start, point to Administrative Tools, and then click Sharepoint Central
Administration).
b. Click Virtual Server Configuration, and then click Configure Virtual

Server Settings.
c. Click Default Web Site.
d. Click Virtual Server Management, and then click Define managed

paths.
e. In the Add a new pathbox, set the type to excluded path. Under Path,
type the following:
• "/iuident.cab"
• "/wutrack.bin"
• "/clientwebservice"
• "/Selfupdate"
Check network connectivity on the WSUS client computer

Check network connectivity on the WSUS client computer. Use Internet Explorer to
determine if self-update files on the WSUS server are accessible to the client computer. If
you perform the following procedure and are prompted to download or open the files, you
have verified network connectivity. It is not necessary to save or open the files. You
cannot self-update Automatic Updates this way. If you do not have access to these files,
troubleshoot network connectivity between the WSUS client computer and the WSUS
server.
102
To check network connectivity on the WSUS client computer

2. In the Open box, type iexplore and then press ENTER
3. In the Internet Explorer Address bar, type:
http://WSUSServerName/iuident.cab
where WSUS server name is the name of your WSUS server. Ensure that you are
prompted to download or open Iuident.cab. This verifies network connectivity from the
WSUS client and the availability of the Iuident.cab file on the WSUS server.
4. If there are any boxes prompting you to download or save, click Cancel. In Internet
Explorer Address bar, type:
http://WSUSServerName/selfupdate/AU/x86/osvariable/languagevariable/wuaucomp.cab
where WSUSServerName is the name of your WSUS server and where osvariable is a
variable indicating the operating system of the client computer. The possible variables for
osvariableare NetServer, W2K or XP, and where languagevariable is a variable indicating
the language of the operating system of the client computer. The possible variables for
oslanguage are based on the standard 2- to 4-letter language abbreviations. For example,
here is a URL for a client computer running an English version of Windows XP:
http://WSUSServerName/selfupdate/AU/x86/XP/EN/wuaucomp.cab
Ensure that you are prompted to download or save Wuaucomp.cab. This verifies network
connectivity from the WSUS client and the availability of the Iuident.cab file on the WSUS
server.
If you are prompted to save or download both of these files, see the next section.
Check logs on the SUS client computer

Check the %windir%\windows update.log on the client computer to see if there has been
any activity or any attempts to contact the server. Check the %systemdrive%\program
files\windowsupdate\v4\urllog.dat file on the client computer for cached server pingbacks
if the client computer has not been able to communicate with the server.
These files are hidden by default. Use the following procedure to display hidden files and
folders in Windows Server 2003.
To display hidden files and folders on Windows Server 2003

1. In Control Panel, open Folder Options.
2. On the View tab, under Hidden files and folders, click Show hidden files
103
and folders.
If you can find no problem with the logs on the WSUS client, see the next section.
Manipulate registry settings on the SUS client computer

If all else has failed, you can attempt to manually manipulate registry settings to get the
client computer to self-update to the WSUS client.
To manually manipulate registry settings on the SUS client computer

2. In the Open box, type regedit and then click OK.
3. In Registry Editor, navigate to the WindowsUpdate key by expanding the following:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\
If the WindowsUpdate key does not exist, do the following:
4. On the menu, click Edit, point to New, and then click Key.
5. Type WindowsUpdate as the name for the new key.
6. Double-click the WUServer setting, type the URL to your WSUS server, and then press
ENTER.
If the WUServer setting does not exist, do the following:
On the menu, click Edit, point to New, and then click String Value.
7. Type WUServer as the setting name.
8. Double-click the WUStatusServer setting, type the URL to your WSUS server, and then press
ENTER.
If the WUStatusServer setting does not exist, do the following:
On the menu, click Edit, point to New, and then click String Value.
9. Type WUStatusServer as the setting name.
10. Navigate to the following:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
If the AU key does not exist, do the following:
On the menu, click Edit, point to New, and then click Key.
11. Type AU as the name for the new key.

104
12. Verify that the UseWUServer setting has a value of 1 (0x1).If it does not, modify it by double-
clicking the setting and then changing the value.
If the UseWUServer setting does not exist, do the following:
On the menu, click Edit, point to New, and then click DWORD Value.
13. Type UseWUServer for the setting name.
14. Navigate to the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
Update
15. Enable and configure Automatic Updates through Control Panel:

Click Start, click Control Panel, and then double-click Automatic Updates.
16. In the Automatic Updates dialog box, specify download and installation options, and then click
OK. Make sure that Turn off Automatic Updates is not selected.
17. Ensure that the AUState setting has a value of 2 (0x2). If it does not, modify it by double-
clicking and changing the value.
18. If the LastWaitTimeout setting exists, delete it.
19. If the DetectionStartTime setting exists, delete it.
20. At the command prompt, type the following, and then press ENTER to stop the Automatic
Updates service:
net stop wuauserv
21. At the command prompt, type the following, and then press ENTER to restart the Automatic
Updates service:
net start wuauserv
22. Wait approximately 6 to 10 minutes for the self-update to occur.
To force the SUS client computer to check with the WSUS server
• Wait approximately one minute, and then refresh the registry. You should
now see the following settings and values:
• DetectionStartTime (REG_SZ) YYYY.MM.DD HH.MM.SS. The

DetectionStartTime value is written in local time, but the detection actually
occurs 5 minutes after the time noted.
• LastWaitTimeout (REG_SZ) YYYY.MM.DD HH.MM.SS. The

LastWaitTimeout value is written in GMT or Universal Time, and represents
105
the actual time that detection occurs.
Although these values refer to the time that detection is going to start, the first phase of
detection is the process of checking whether a self-update is necessary. Therefore, these
values actually refer to when self-update from SUS client to the WSUS client should
occur.
If the client software has not self-updated after ten minutes, refresh the \Auto Update
registry key. If the LastWaitTimeout value has changed and is now 24 hours later than
its previous value, that indicates that Automatic Updates was not able to contact the
server URL that you specified in the WUServer value.
Computers are not appearing in the correct computer

groups
Client-side targeting is when you use Group Policy or registry settings to move computers
into target groups. For more information about how to set up client-side targeting, see
Deploying Microsoft Windows Server Update Services at http://go.microsoft.com/fwlink/?
linkid=41777&clcid=0x409. There are a number or reasons why computers might not
appear in groups when you are using client-side targeting. Use the following information
to try to resolve this problem.
Verify that the WSUS console is set to use client-side targeting

By default, the WSUS server is set to use server-side targeting. If you are using client-
side targeting, you need to set an option on the WSUS server. For more information
about how to set up client-side targeting, see Deploying Microsoft Windows Server
Update Services at http://go.microsoft.com/fwlink/?linkid=41777&clcid=0x409.
Verify that target computer group names match groups on the WSUS
server
Make sure the name of the target computer group in Group Policy matches the name of
the computer group on the WSUS server. Check the Group Policy object (GPO) or the
registry setting where you enabled client-side targeting. Make sure that there are no
discrepancies between the name of the computer group used in Group Policy and the
name of the group used on the server. If WSUS cannot find a computer group on the
server reported by a client computer, it loads the computer into the Unassigned
Computers group.
106
Wait an hour for changes to take effect
If you make a change to group membership by using client-side targeting and the client
computer has already contacted the WSUS server, it takes an hour for the server to
change the computer’s group membership. This is because WSUS uses cookies to
manage group membership with client-side targeting and these cookies are set to expire
after one hour.
If you cannot wait an hour, use command-line options to reset the cookie and initiate
detection. For information about how to use command-line options, see Deploying
Additional Resources for Windows

Server Update Services
For more information and support, see the following resources.
Windows Server Update Services

Communities
Microsoft communities are great places to exchange ideas with other users and discuss
common issues. You can read and write messages by using an NNTP-based newsreader
such as Microsoft Outlook Express. You can also use the Web-based newsreader
provided by Microsoft to access all of the newsgroups. To access the WSUS
Communities, go to the following:
• Windows Server Update Services Communities Homepage at

http://go.microsoft.com/fwlink/?LinkID=45215
• Windows Server Update Services Public Newsgroup at

http://go.microsoft.com/fwlink/?LinkID=42318.
More Documentation
• For high-level information about what's new and features of WSUS, see Microsoft
Windows Server Update Services Overview at http://go.microsoft.com/fwlink/?
LinkID=42213.
107
• For step-by-step guidance for getting started, including installing WSUS, setting
up a client computer, and deploying your first set of updates, see Step-by-Step Guide
to Getting Started with Microsoft Windows Server Update Services at
http://go.microsoft.com/fwlink/?LinkID=41774.
• For information about planning for, installing, and then configuring WSUS
components and infrastructure, see Deploying Microsoft Windows Server Update
Services at http://go.microsoft.com/fwlink/?linkid=41777.
• For information that helps you automate tasks or customize WSUS, see the
Microsoft Windows Server Update Services Software Developer's Kit at
http://go.microsoft.com/fwlink/?LinkID=43099 and Windows Update Agent Software
Developer's Kit at http://go.microsoft.com/fwlink/?LinkID=43101. Note that the
Windows Update Agent is the Automatic Updates service. Both SDKs contain
information about the application programming interface (API), as well as sample
scripts and ready-to-use tools for your WSUS deployment and implementation.

WSUSOperations Guide

Uploaded by

Copyright:

Available Formats

WSUSOperations Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WSUSOperations Guide

Uploaded by

Copyright:

Available Formats

Microsoft Windows Server Update

Services Operations Guide

Published: January 16, 200

This White Paper is for informational purposes only. MICROSOFT MAKES NO

Microsoft may have patents, patent applications, trademarks, copyrights, or other

Unless otherwise noted, the example companies, organizations, products, domain

© 2005 Microsoft Corporation. All rights reserved.

Microsoft Windows Server Update Services Operations Guide ............................6

Administering Windows Server Update Services ..................................................6

Troubleshooting Windows Server Update Services ............................................78

Additional Resources for Windows Server Update Services .............................106

Microsoft Windows Server Update

• Administering Windows Server Update Services

• Troubleshooting Windows Server Update Services

• Additional Resources for Windows Server Update Services

Administering Windows Server Update

• Overview of Windows Server Update Services

• Managing Windows Server Update Services

• Monitoring Windows Server Update Services

• Securing Windows Server Update Services

Overview of Windows Server Update Services

• Windows Server Update Services server: the server component that is

Managing Windows Server Update Services

• Setting Up and Running Synchronizations

• Managing Computers and Computer Groups

• Running in Replica Mode

• Backing Up Windows Server Update Services

• Managing WSUS from the Command Line

Setting Up and Running Synchronizations

Synchronizing Updates by Product and Classification

To specify update products and classifications for synchronization

2. Under Products and Classifications, under Products, click Change.

3. In the Add/Remove Products dialog box, under Products, select the

4. Under Products and Classifications, under Update classifications, click

5. In the Add/Remove Classifications dialog box, in Classifications, select

Configuring Proxy-server Settings

To specify a proxy server for synchronization

• If you want to connect to the proxy server by using specific user

3. Under Tasks, click Save settings, and then click OK.

Configuring the Update Source

• You can use SSL to secure synchronization of update information between

To specify the update source for your WSUS server

2. Under Update Source, do one of the following:

• If you want your WSUS server to synchronize directly from Microsoft

• If you want to synchronize from another WSUS server in your network,

• If you want to use Secure Socket Layers (SSL) when synchronizing

3. Under Tasks, click Save settings, and then click OK.

Specifying Where to Store Updates

Synchronizing Manually or Automatically

To synchronize your server manually

2. Under Schedule, click Synchronize manually.

3. Under Tasks, click Save settings, and then click OK.

To synchronize your WSUS server immediately

2. Under Tasks, click Synchronize now.

To set up an automatic synchronization schedule

3. Under Tasks, click Save settings, and then click OK.

Managing Computers and Computer Groups

• Managing Client Computers

• Managing Computer Groups