What's New In WSUS


This is a list of what's new, over and beyond SUS, in WSUS (based on RC1).

  1. WSUS provides you with the ability to target updates to a group of computers, known as a target group. A target group can be specified either purely at the WSUS server or based on client policy (i.e. the name of the target group is a policy setting). For more about Target Groups, see the page Target Groups.
  2. WSUS can automatically approve and distribute critical updates without requiring manual approval. You can set up WSUS to automatically approve certain classes of updates. See Approve Updates for more information on approving updates. You can also get WSUS to automatically approve and distribute any update that is WSUS related.
  3. WSUS offers improved reporting features, including the ability to see a client's last-contact, OS version, BIOS and other machine details, as well as updates installed, needed or failed. You can view this information on a per-machine, per-update basis. Reporting features do not require third-party software. See WSUS Reporting for more information on WSUS Reports.

    Reports are filterable by group and approval action. Users can view the status per machine.
  4. Administrators can create auto-approval rules for specific target groups which enable certain types of updates to be automatically approved and distributed when received by the WSUS server. Deployment of other updates, or to other target groups, happens at an administrator's discretion.
    WSUS supports Office XP and Office 2003, as well as Exchange and SQL Server.
  5. Automatic Update Options - WSUS has an option, "Allow local administrator to choose setting", which enables local administrators to use the Automatic Updates control panel to select a configuration option of their choice; local administrators are not, however, allowed to disable Automatic Updates. The "Allow local administrator to choose setting" option only appears if Automatic Updates has updated itself to the version compatible with WSUS.
  6. The update approval process is much improved and includes features associated with approving updates, such as setting deadlines and uninstalling updates.
  7. WSUS stores all its service information in a WSUS database. For more information on the WSUS database, see WSUS Database.
  8. A migration tool, Working with WSUSUTIL, is provided to migrate from SUS to WSUS and to help you to manage WSUS from the command line.

Bandwidth Considerations

WSUS offers features that allow you to shape the deployment to best fit your organization’s needs. For example:

Deferring the download of updates:

WSUS offers you the ability to download update metadata at a different time from the update itself during synchronizations. In this configuration, approving an update triggers the download of all the files used to install that particular update on a computer. This saves bandwidth and WSUS server disk space, because only updates that you approve are downloaded to the WSUS server. This setting is the default one.

Filtering updates:

WSUS offers you the ability to choose updates by language, product and type of update.

Express installation files:

The express installation files feature is a way of identifying the exact bytes that change between different versions of files, creating and distributing updates that include just these differences, and then merging the original file with the update on the client computer. Sometimes this is called delta delivery because it downloads only the difference, or delta, between two versions of a file.

When you distribute updates by using this method, it requires an initial investment in bandwidth, but it reduces the overall bandwidth usage between the client machines and the WSUS server. Express installation files are larger than the updates they are meant to distribute. This is because the express installation file must contain all the possible variations of each file it is meant to update.

FYI, WSUS uses Background Intelligent Transfer Service (BITS) 2.0 to perform downloads of updates.

Networks Disconnected from the Internet:

After you download updates to the Upstream server, you can hand-carry media to disconnected servers running WSUS, using the export/import feature.

IIS considerations:

By default, WSUS uses the default Web site in IIS. WSUS Setup also gives you the option of creating a Web site on a custom port. You can allow WSUS to use the default Web site or create a custom Web site. If the IIS service (W3SVC) is stopped during WSUS install, WSUS Setup starts the service. Likewise, if you install WSUS to the default Web site and the site is stopped, WSUS Setup starts it.

If you already have a Web site on the computer where you intend to install WSUS, you should use the setup option for creating a custom Web site. This option puts the WSUS Web site on port 8530. If you install WSUS to port 8530, you have to manually set up the folder structure, such as the selfupdate virtual directory, on port 80 to enable client self-update. Use InstallSelfupdateOnPort80.vbs from the installation folder to do this.

Firewall considerations:

If there is a firewall between your network and the Internet, remember to open port 80 for HTTP protocol and port 443 for HTTPS protocol.

If your organization does not allow those ports and protocols to be open to all addresses, you can allow access to only the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://download.windowsupdate.com
http://*.download.windowsupdate.com
http://*.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
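
The sketch below checks outbound URLs (for example from a proxy log) against the allowlist above, matching scheme, port and host the way a correctly written filter should. It is an added example, not part of the original wiki page or of WSUS; the function names, the sample URLs and the assumption that "*" covers one or more host labels are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Allowlist entries copied from the page's list.
ALLOWLIST = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://download.windowsupdate.com",
    "http://*.download.windowsupdate.com",
    "http://*.windowsupdate.com",
    "http://wustat.windows.com",
    "http://ntservicepack.microsoft.com",
]
DEFAULT_PORT = {"http": 80, "https": 443}  # the two ports the page says to open
RULES = [tuple(rule.lower().split("://", 1)) for rule in ALLOWLIST]

def host_matches(pattern, host):
    """Exact host match, or '*.' wildcard matched on a label boundary."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the dot; '*' = one or more labels (assumption)
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_allowed(url):
    """True if the scheme, port and host of url are covered by the allowlist."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed host or port
        return False
    scheme = parts.scheme.lower()
    port = DEFAULT_PORT.get(scheme) if port is None else port
    if scheme not in DEFAULT_PORT or port != DEFAULT_PORT[scheme]:
        return False
    host = parts.hostname or ""
    return any(scheme == s and host_matches(p, host) for s, p in RULES)

def audit(urls):
    """Return the URLs that a filter built from the allowlist would drop."""
    return [u for u in urls if not is_allowed(u)]

# Constructed sample of outbound requests (not real log data).
SAMPLE = [
    "http://download.windowsupdate.com/msdownload/update/a.cab",
    "https://www.windowsupdate.microsoft.com/",
    "https://download.windowsupdate.com/a.cab",  # HTTPS is not listed for this host
    "http://notwindowsupdate.com/a.cab",         # look-alike, no label boundary
]
```

Keeping the leading dot of each wildcard suffix is what stops a plain "ends with windowsupdate.com" comparison from admitting look-alike domains.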

Accessing the WSUS administration console:

1. http://<WSUS server name>:<port number>/WSusAdmin/
2. On your WSUS server, click Start, point to All Programs, point to Administrative Tools, and then click Microsoft Windows Server Update Services.

***If you do not add http://<WSUS Web site name> to the list of sites in the Local Intranet zone in Internet Explorer on Windows Server 2003, you might be prompted for credentials each time you open the WSUS console.

Migrating from a SUS server to a WSUS server:

If you have SUS in your network, there is a migration tool, WSUSUTIL, which will migrate your approvals and updates from SUS to the new WSUS server so that you need not download the whole content again. You cannot migrate anything else, like proxy or IIS settings. Migration is a one-way process; you cannot migrate from WSUS back to SUS.

Migration Considerations:

WSUSUTIL.EXE is available in <WSUS install drive>:\Program Files\Update Services\Tools

You must be a member of the local Administrators group on the WSUS server to import approvals or content from SUS.

These operations can only be run from the WSUS server itself. You can only run WSUSUTIL.EXE on a 32-bit platform - there is no 64-bit version currently.

WSUSUTIL.EXE uses HTTP to get approvals and SMB to copy updates from a remote SUS installation. To copy updates from a remote computer, this tool requires Read share permissions on the Content folder and all its subfolders.

The command lines are discussed in the WSUS Deployment Guide.

NOTES:

***WSUS RC supports English and Japanese clients only.

***Updates set to install at a scheduled time have no associated balloon alert.

***Active scripting must be enabled in order to access the WSUS console.

***WSUS is not supported on a Terminal Services server.

***There is an issue with the IWAM_ account on a Windows 2000 SP4 domain controller. More on WUS B2 on W2k SP4 Domain Controllers

***Do not deploy WSUS outside your corporate firewall to distribute updates to clients directly connected to the Internet. The WSUS license agreement specifically disallows this scenario.


Comments:

From Athif - 12/13/04 9:54 AM

Thanks for the feedback. I have addressed that in detail here http://wus.editme.com/WUSonDC

--Mohammed.Athif Khaleel

From Athif - 12/13/04 9:54 AM

I have addressed that here http://wus.editme.com/WUSonDC

--Mohammed.Athif Khaleel

From SebM - 12/12/04 5:11 AM

The fact we have to join the IWAM_%COMP% account to the domain administrators group is dangerous and irresponsible.
There are large consequences to that: you give to a default website account -considered as dangerous in any website deployment- of an internet-connected server access to every object existing in your domain apart from some internals of AD.

This opens up a huge, immense avenue for attacks on your domain.

How could it be designed so?

From tfl - 11/26/04 3:43 AM

You have mail - my email address is tfl {at} psp {dot} co {dot} uk

From Athif - 11/24/04 6:36 AM

TFL, I appreciate if you can email me off the list. I would like to contribute more. zkathif AT yahoo DOT CO DOT IN Good day, Athif


Last Modified 3/28/05 1:21 PM