Home
.. About WSUS Wiki

RSS

WSUS
.. WSUS FAQ
.. WSUS on SBS
.. WSUS Troubleshooting
.. WSUS News Groups
.. Known WSUS Issues
.. WSUS Links
.. WSUS Wish List

WSUS Documents
.. WSUS Deployment Guide
.. WSUS Installation Guide
.. WSUS Release Notes
.. WSUS Best Practice

SUS
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues

Wiki Community
.. Wiki Contributors
.. I Love WSUS
.. WSUS Wiki Diary
.. Wiki Statistics
.. To Do Page

Miscellaneous Stuff
.. Other Resources
.. Do You Know?

Site Meter

Terms of Use
Trademarks
Privacy Statement

 

What Is Windows Server Update Services (WSUS)?

This page provides an overview to Windows Server Update Services (WSUS), based on WSUS Release Candidate. For information on the new features in WSUS, see What's New In WSUS.

Index

  • WSUS Overview
  • WSUS Updates
  • WSUS Database
  • Client Targeting
  • Update Approval
  • Bandwidth Conservation
  • Firewall Considerations
  • IIS Considerations
  • Mobile Clients
  • Migration From SUS to WSUS
WSUS Overview

Windows Software Update Services (WSUS), is Microsoft's upcoming free patch management tool. WSUS is essentially the next version of Microsoft's free patch management tool, replacing Software Update Services or SUS. WSUS provides a number of new features including targeting of patches to specific groups of machines, support for more produts (e.g Office), and improved reporting.

In beta for over a year, RC of WSUS released on 22 March 2005. WSUS RTM is expected to be released during the first half of 2005 (e.g. by end June 2005).  Service Pack1 for WSUS, which provides support for Windows Vista, new versions of the database and performance increases was released at the beginning of June 2006. More details on this release are available here. For more information on the background to WSUS and Microsoft's approach to patch management see WSUS Background.

WSUS is a service you run inside your organisation - on one or more servers which you configure to serve software updates to one or more AU clients. You can configure a WSUS server to download updates either from Microsoft or from another WSUS server within your organisation. Once you approve an update for installation, WSUS downloads it from configured upstream partner, and can then issue these updates to clients that request it. You can approve any update for some, all, or none of your computers. Once an update is approved, the targeted WSUS clients download the update using the Windows AU client. WSUS also provides reports on which clients have, and have not, had which updates.

WSUS provides a capability that allows the Windows AU client to obtain and install updates. However, it does not provide an internal version of the Windows Update site, thus your users can not navigate to your WSUS server and obtain updates (as they can when they navigate to Microsoft's Windows Update site).

You administer WSUS from the WSUS administration console: http://<WSUSServerName>:<port number>/WsusAdmin/. On your WSUS server you can also click Start, point to All Programs, point to Administrative Tools, and then click Microsoft Windows Server Update Services. Note that if you do not add your WSUS administration Web site name to the list of sites in the Local Intranet zone in Internet Explorer, you might be prompted for credentials each time you open the WSUS administration console.

WSUS also supports the option to Allow local administrator to use the Automatic Updates control panel applet to select a configuration option of their choice. Note that Local Administrators are not allowed to disable Automatic Updates. The setting Allow local administrator to choose setting only appears if Automatic Updates has updated itself to the version compatible with WSUS.

Q: Where does this option appear?

WSUS Updates

As noted above, WSUS enables you to download updates from Microsoft and distribute these to your clients. There is no support in WSUS for adding additional updates, e.g. for updates to 3rd party or your own applications, etc.

For WSUS, Microsoft intent to provice several different levels of updates (from crticial security patches to updated drivers). Support is provided for some, but not all, Microsoft products. For details on what products and levels of update are supported see WSUS Supported Updates

WSUS Database

The WSUS service makes use use of an SQL database, which is either supported by SQL Server or by MSDE/WMSDE (see WSUS Database for more details on the WSUS Database). Each WSUS server requries a separate database, thus if you plan to suppor multiple WSUS servers in your environment, you need to support multiple WSUS databases. If you are installing WSUS on Windows Server 2003 operating system or later, you can install WMSDE included in WSUS Setup. If you are installing WSUS on Windows 2000 Server operating system, install the MSDE database software prior to installing WSUS.

The WSUS database stores the following types of information:

  • WSUS server configuration information
  • Metadata that describes each update
  • Detailed Information about clients, updates, and client interaction with updates

The metadata for an update describes the update, lists the files required to install the update, and contains the relevant end user license agreement (EULA) for that update. Metadata is small, typically much smaller than the update itself, and is downloaded when you synchronise a WSUS server. An update, however, is only downloaded when it has been approved for installation.

Client Targeting

A key feature in WSUS is the ability to target updates to specific computers. WSUS enables you to create one or more target groups, to populate the target group with appropriate computers, and then approve updates for each target group independently. There are two default target groups All Computers and Unassigned Computers but you can add as many target groups as needed to support your approach to client targeting.

Update Approval

WSUS offers a number of features associated with approving updates, including setting deadlines for updates to be completed and uninstalling updates. A WSUS server first downloads download metadata, which allows the administrator to choose which updates to approve either for detection or installation. Updates can also be declined. The actual update is only downloaded to the WSUS server when you approve the update for installation.

Once you have approved update to members of one more Target group, computers belonging to the groups check in with the WSUS server and either check or deploy the approved updates. You can subsequently use WSUS reporting to determine the status of those updates.

For more informaiton on Update Approval, see Approve Updates.

Bandwidth Conservation

Updates distributed via WSUS can be very large (Windows XP SP2 for example is over 200 MB). WSUS attempts to be as bandwidth friendly as possible. First WSUS downloads update metadata. This is done independently of the update itself, which is downloaded only after it has been approved for installation.

WSUS also uses the latest version of the Background Intellegent Transfer Service (BITS 2.0), which needs to be installed on all WSUS clients. This improves the task of downloading the update to the client.

And WSUS also provides supports servers that are not directly connected to the Internet. In this scenario, you first download updates to an Upstream server, then hand-carry media to disconnected servers running WSUS, and using the export/import feature to import the updates into your disconnected WSUS server.

For more information on how WSUS conserves bandwidth, see Bandwidth Considerations.

Firewall Considerations

If there is a firewall between the network you are running WSUS on and the Internet, you need to allow both HTTP and HTTPS traffic (port 80 for the HTTP protocol and port 443 for HTTPS) from your WSUS server to a limited set of sites, as follows:

Q: Where does this list come from? Is there a web link to this list that can be placed here to provide more authority?
A: see page 13 of Step-by-step guide to getting started with Microsoft Windows Update Services document from http://go.microsoft.com/fwlink?LinkId=39496

IIS Considerations

By default, WSUS installs into the default Web site in IIS (i.e on port 80). WSUS Setup gives you the option of creating a Web site on a custom port, the default being 8530. This allows you to run all WSUS traffic on a separate port, which may be helpful for internal firewalls.

During installation, WSUS stops, then starts the relevant web site. This includes the default default Web site if that was used. If you already have a Web site on the computer where you intend to install WSUS, use the setup option for creating a custom Web site. Note that if you install WSUS to port 8530, you have to manually set up the folder structure like, selfupdate virtual directory on port 80 to enable client self update using InstallSelfupdateOnPort80.vbs from installation folder.

Finally, ensure that the IWAM_ account is added to the Domain Administrators account on the WSUS Server. The IWAM account contains the ASPNET account used to start the WSUS service.

Mobile Clients

You can deploy an "internet facting" WSUS server outside your corporate firewall in order to distribute updates to mobile clients which are licensed to the same party as the WSUS server.  See Implementing WSUS with ISA Server 2004 to manage remote clients white paper on Microsoft's WSUS TechNet site.


You can, of course, enable the clients to create a VPN into the corporate network, and once connected use your WSUS server to receive update approvals that are then downloaded either from your WSUS server for from Micrososft's servers.

Migration From SUS to WSUS
If you have already deployed SUS in your network, WSUS has a migration tool, Working with WSUSUTIL, that you can use to migrate approvals and updates from SUS to your WSUS server. This avoids re-downloading the patch content.

You cannot migrate any of the WSUS Service settings or IIS settings. Additionally, migration is a one-way process - you cannot migrate from WSUS to SUS. If you plan to install the WSUS server on a server already running SUS, then the WSUS installation process sets up WSUS to use an alternate port.>

Comments:

From Athif - 6/13/06 3:38 AM

I can tell you - They (MS) are monitoring this wishlist.

Happy Patching,
Mohammed Athif Khaleel
http://msmvps.com/athif

From sghazzi - 6/12/06 1:45 PM

http://support.microsoft.com/?scid=kb;en-us;919004&spid=2097&sid=global

Microsoft launched the patch for the patch manager of the year.

 

The feature list is quite nice, but it seems they are not listening to the admins... Maybe someone could send them a copy of the wish list and see if they can release them into a fixup !

From vishwa - 5/24/06 5:17 PM

From Athif - 8/10/05 11:50 AM

Hi Jfigueroa,

See here http://www.wsuswiki.com/WishList

Good day,
Mohammed Athif Khaleel
MVP - WSUS
I Blog on http://msmvps.com/athif/

From jfigueroa - 6/24/05 5:34 PM

I do not see a place to add to the WSUS wish list? johnny.figueroa@bannerhealth.com

From Athif - 1/29/05 7:53 AM

Q: Where does this list come from? Is there a web link to this list that can be placed here to provide more authority?

A. I have seen this in the WUS Guides as well as in the News Groups too.

---Mohammed Athif Khaleel


Last Modified 6/13/06 9:19 AM

Hide Tools

Site
Changes
Index
Search

User
Log In
Register