WSUS Step By Step – Installation, Deployment and troubleshooting



We all know that Windows updates are important for the security and functionality of our Windows PCs, and we all want to keep our systems updated. But at the same time, people on volume-limited internet plans blame these Windows updates running in the background for escalated data usage, especially if they are running many systems and want to keep all of them updated. Sometimes we wonder why we are downloading the same updates for each PC separately, or feel that it’s really hard to keep track of what’s been updated and what hasn’t. Windows Server Update Services (WSUS) is one of the best solutions for all such worries.

If you are running a setup of at least 50 PCs then you surely know about WSUS already, and if you do not, or thought that it’s too hard to implement, then it’s about time to take note of it. What follows in this post is nothing special that most smart admins don’t already know, but I thought I’d make a step-by-step guide to WSUS from the resources already available on the internet.


Offline updates solution: Autopatcher:

When you talk about updating a few PCs that have just been built and installed, the best tool that strikes me is Autopatcher. This tool downloads all the patches as per your selection and stores them in a folder, which will contain an executable to update any PC (XP, 2000, 2003, Vista, Windows 7) offline. Not only that, before updating it also detects what has already been updated, and on top of that the tool downloads updates incrementally, so the folder keeps growing to catch up with new updates.

Give it a try; it’s a must-have tool for sysadmins for updating a newly installed PC in the quickest and most efficient way. But note that it’s not a Microsoft product, though from my own experience I can vouch that it’s perfectly sane.

Why WSUS, when you have Autopatcher?

Autopatcher could be called an entry-level solution, and it is certainly great for preparing PCs without network access, but the problem is that it’s still manual work. You have the flexibility to download the updates once and keep them on a network share, but you still need to install patches manually on each PC and manually keep track of what’s updated and what’s not.

WSUS is an amazing Microsoft tool that ends all such worries, and it’s totally free of cost; you just need a Windows 2003 Server license, that’s it. It’s a service you run inside your organization on one or more servers, which you configure to serve software updates to one or more Automatic Updates (AU) clients. You can configure a WSUS server to download updates either from Microsoft or from another WSUS server within your organization.

Once you approve an update for installation, WSUS downloads it from the configured upstream partner, and can then issue it to clients that request it. You can approve any update for some, all, or none of your computers. Once an update is approved, the targeted WSUS clients download the update using the Windows AU client. WSUS also provides reports on which clients have, and have not, had which updates.

You administer WSUS from

Start –> All Programs –> Administrative Tools –> Microsoft Windows Server Update Services.

WSUS not only keeps all Windows clients across the organization updated without providing internet access to all of them, but also reduces the Internet bandwidth requirements, as the updates get downloaded only once, not separately for every Windows client.

 

System Requirements:

The following are the requirements for installing a WSUS server:

Server Hardware Requirements

WSUS requires a single server for basic operation, although you can scale your WSUS implementation to larger numbers of servers if you wish. For a basic implementation of up to 500 users, hardware requirements, per Microsoft, are:

1. 1GHz CPU

2. 1GB RAM

You also need a network card, and around free disk space (described below)

Server Software Requirements

You need the following software components:

1. A supported Windows Server operating system – Windows Server 2003 is the preferred OS, but Windows 2000 is also supported. WSUS is supported on all editions of Windows Server 2003, but there are some restrictions if you use the Web Edition (see [WUS Restrictions With2k3 Web]).

2. IIS – WUS is operated via IIS, so your WUS Server needs to have IIS loaded. You need at least IIS 5.0.

3. .NET Framework 1.1 SP1 – get this 7.982MB download from the Microsoft download site. The .NET Framework 1.1 SP1 is delivered as a hot fix installation file (see KB article KB867460 for details). This expands to 55.6 MB (58,335,654 bytes) on disk prior to installation. The installation of this hot fix also stops IIS, and requires a reboot.

4. Background Intelligent Transfer Service 2.0 (BITS 2.0 English.zip) – this is a new version of BITS, at present only available to beta testers, or those on the OEP. This is a 1.34MB download.

5. WSUS Setup (WSUSSetup.exe) – Like BITS V2, this is available only to beta testers or members of the OEP at present. This download is over 100 MB.

6. SQL Database server. For Windows Server 2003, MSDE is installed during setup. For Windows 2000 it is not, and MSDE or SQL Server must be installed prior to WUS setup.

Client Software Requirements

There are no special requirements for WUS Clients. Supported clients include Windows 2000, Windows XP and Windows 2003 Server (including the R2 server).

Server Disk Space Requirements

WUS Server disk space requirements fall into three categories: the WUS service, WUS updates and the WUS database.

Microsoft recommends that you have at least 6 GB of free disk space to store WUS content. At present, typical usage is around 1-2 GB per language, although this does depend on what updates you specify and is likely to grow over time. Typical storage with multiple operating systems can be as large as 60 or 70 GB.

The WSUS service installs (by default) into C:\Program Files\Update Services\. This folder takes up 365MB (371MB on disk) after the initial installation.

The WSUS database is managed by MSDE, and is installed by default into C:\WSUS\MSSQL$WSUS. This folder takes up 216 MB after the initial install and synchronization, with only 2 clients. The size of the DB grows as you add more computers, and as you manage more updates.


Checklist before WSUS Installation:

The following is a simple checklist of possible issues.

1. Do you have Minimum Free Disk Space? See the WSUS Deployment Guide for more information on free disk space requirements.

2. Is the Installation drive & system partition formatted with NTFS? WSUS requires both the WSUS Database and the WSUS content to be loaded onto NTFS volumes.

3. Do you have IIS installed? IIS is required to setup, configure and manage (and use) WSUS.

4. Do you have Microsoft Internet Explorer 6.0 Service Pack 1 installed? This is required on your WSUS server.

5. Do you have Microsoft .NET Framework 1.1 Service Pack 1 installed? This is required, and the WSUS server checks for its presence. NB: Installing the SP requires a reboot.

6. Do you have BITS 2.0 installed? This is required.

7. Do you have Database – SQL Server 2000/WMSDE/MSDE installed? A database is required, but WSUS will install WMSDE if no database service is found on the WSUS server.


Installing WSUS with in-built Local Database (SQL/MSDE):

Installing WUS with a local database is pretty straightforward, and there are two scenarios:

· Installing WSUS on Default Website, with port 80.

· Installing WSUS on Custom Website, with port 8530.

Installing WSUS on Default Website, with port 80: This is the simplest installation: run the WSUS installation exe and follow the instructions provided by the wizard.

Installing WSUS on Custom Website, with port 8530: Installing WSUS on custom port 8530 is a little different from the normal setup. You have to manually configure the client self-update feature.

But, this kind of setup has many advantages including

· You can shut down port 80 to avoid malicious programs that target port 80.

· If you already have a website on port 80, such as an antivirus application, this kind of setup lets both sites function independently.

Things to consider if you plan to install on custom port

· In this case, you have to manually set up the selfupdate virtual directory on port 80 to enable client self-update.

· You can use %\program\Update Services\Setup\InstallSelfupdateOnPort80.vbs script in order to allow those clients to self-update.

· To access the WSUS admin page, you have to include the custom port in the site address, like http://wsusserver:8530

· This port is not configurable during WSUS setup, but can be changed later using IISADMIN.


Installation Overview:

As discussed earlier, the WSUS server holds the WSUS software setup with IIS installed. Installation is very simple, as shown in these steps:

Install WSUS on Server

· You need to run WUSSETUP.exe

· Follow the wizard to specify the content folder and administration site.

· Take a note of the content folder, which is needed while setting up the back-end server.



Initial WSUS Configuration

To setup, configure and manage your WUS server, you need to gain access to the WSUS Admin site on your WSUS Server:

From here you should do the following:

1. Set Server Options

This includes:

· Schedule – when to synchronize this WSUS Server

· Products and Classifications – define which patches to download. In particular, which products to download patches for (e.g. Windows 2000, Windows XP Pro, etc) and what type of updates to download (this includes security updates, driver updates, DDKs, tools, guidance, Feature Packs etc).

· Proxy Server Settings – you can specify a specific proxy server to use for updates, along with credentials if needed.

· Update Source – where this WSUS server should get its updates: from Microsoft, or an upstream WSUS server

· Languages – allows you to get language specific patches. NB: By Default, WSUS RC is set to download ALL languages. This is potentially harmful to your disk subsystem.

After you complete the configuration, ensure you save your options.

2. Perform Initial Synchronization

By default, WSUS is set to be synchronized manually. Once you configure your WSUS server, you should perform an initial synchronization. Depending on how many products, classifications and languages you have selected, and the speed of your internet connection, this could take a considerable amount of time.


 

WSUS Deployment:

There are a number of options available for deployment of WSUS like Group Policy based, Replica and Offline updates.

The following is the option that we use across our organization:

Group Policy based deployment

The following is a basic example of the settings that need to be applied to workstations for WSUS deployment:


The fact to notice is that this policy needs to be applied to the OU of workstations, not the OU of users, and so the settings are under the computer settings, not the user settings.
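
The policy settings described above land on each workstation as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following PowerShell script is an added example, not part of the original post: it writes those values directly on one non-domain client, with the server name wsusserver, port 8530 and the schedule values as assumptions to replace with your own.

```powershell
# Added example: map ONE client to a WSUS server by writing the registry
# values that the Windows Update computer policy produces.
# Run from an elevated prompt. In a domain, set these through a GPO linked to
# the workstation OU instead; a policy refresh overwrites local edits.

param(
    # Assumption: server name and port; use port 80 or 8530 to match your WSUS site.
    [string]$WsusUrl = 'http://wsusserver:8530',

    # Hours between detection cycles; the client accepts 1 to 22.
    [ValidateRange(1, 22)]
    [int]$DetectionFrequencyHours = 22,

    # 2 = notify before download, 3 = download and notify before install,
    # 4 = download and install on the schedule below
    [ValidateSet(2, 3, 4)]
    [int]$AUOptions = 4,

    # 0 = every day, 1 = Sunday ... 7 = Saturday
    [ValidateRange(0, 7)]
    [int]$ScheduledInstallDay = 0,

    # Hour of the day (0 to 23) for the scheduled install
    [ValidateRange(0, 23)]
    [int]$ScheduledInstallTime = 3
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Create the policy keys if this machine never received the policy.
foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where to fetch updates from and where to report status (normally the same server).
foreach ($name in 'WUServer', 'WUStatusServer') {
    New-ItemProperty -Path $wuKey -Name $name -Value $WsusUrl -PropertyType String -Force | Out-Null
}

# Automatic Updates behaviour. UseWUServer = 1 is what makes the client honour WUServer.
$auValues = @{
    UseWUServer               = 1
    NoAutoUpdate              = 0
    AUOptions                 = $AUOptions
    ScheduledInstallDay       = $ScheduledInstallDay
    ScheduledInstallTime      = $ScheduledInstallTime
    DetectionFrequencyEnabled = 1
    DetectionFrequency        = $DetectionFrequencyHours
}
foreach ($name in $auValues.Keys) {
    New-ItemProperty -Path $auKey -Name $name -Value $auValues[$name] -PropertyType DWord -Force | Out-Null
}

# Restart the Automatic Updates service and ask for an immediate detection
# instead of waiting for the next detection cycle.
Restart-Service -Name wuauserv
& wuauclt.exe /detectnow

# Show what was written so it can be compared with a GPO-managed workstation.
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $auKey |
    Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, DetectionFrequency
```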

Offline Updates:

If your environment demands a network segment be disconnected from the Internet, or disconnected from the rest of your network altogether, don’t think you need to resort to the “sneaker net” method of patch distribution. Simply build a stand-alone WSUS server and import updates from removable media such as tape or DVD-ROM.

The process of exporting the updates from an Internet-connected server, and then importing them into your disconnected one is well documented in the WSUS Deployment Guide. However, here are the steps at a high level to give you an idea of the process.

1. Build your stand-alone WSUS server and configure its language and express installation options to match that of the Internet-connected WSUS server that will provide updates.

2. Copy the update content directory from the Internet-connected WSUS server to removable media. Remember that this content directory may be quite large (multi-gigabytes) so you may need to resort to tape, dual-layer DVD, or external USB hard drive.

3. Export and copy the update metadata from the Internet-connected WUS server’s database to removable media.

4. Copy the update content from removable media onto the disconnected WSUS server.

5. Import the update metadata from removable media into the disconnected WUS server’s database.

Again, please refer to the documentation for full export/import procedures, including command-line tool options and correct file system paths to back up.
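
The five steps above, as an added PowerShell example that is not taken from the original post or the WSUS Deployment Guide: run it with -Mode Export on the Internet-connected server and -Mode Import on the disconnected one. The content folder, media path and wsusutil.exe location are assumptions, and the SHA-256 manifest is an extra check added here so that a damaged copy is caught before import.

```powershell
# Added example for the offline export/import steps. Requires PowerShell 4.0+
# (Get-FileHash). Step 1 (matching language and express installation options
# on both servers) is done in the WSUS console and is not checked here.

param(
    [Parameter(Mandatory)]
    [ValidateSet('Export', 'Import')]
    [string]$Mode,

    # Assumptions: adjust all three paths to your installation and media.
    [string]$ContentDir = 'D:\WSUS\WSUSContent',
    [string]$MediaDir   = 'E:\wsus-transfer',
    [string]$WsusUtil   = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe"
)

$mediaContent = Join-Path $MediaDir 'WSUSContent'
$manifest     = Join-Path $MediaDir 'content.sha256.csv'
$package      = Join-Path $MediaDir 'export.cab'
$log          = Join-Path $MediaDir ('{0}.log' -f $Mode.ToLower())

# Hash every file under $Root, keyed by its path relative to $Root.
function Get-ContentHashes([string]$Root) {
    $base = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $base -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($base.Length + 1)
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# robocopy reports success with exit codes below 8.
function Copy-Tree([string]$From, [string]$To) {
    robocopy $From $To /E /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

function Invoke-WsusUtil([string[]]$Arguments) {
    & $WsusUtil @Arguments
    if ($LASTEXITCODE -ne 0) { throw "wsusutil $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

if ($Mode -eq 'Export') {
    # Step 2: copy the update content to the media, with hashes taken from the source.
    Get-ContentHashes $ContentDir | Export-Csv -Path $manifest -NoTypeInformation
    Copy-Tree $ContentDir $mediaContent

    # Step 3: export the update metadata from the WSUS database.
    Invoke-WsusUtil @('export', $package, $log)
}
else {
    # Verify the media against the manifest before anything touches the server.
    # This catches damaged or incomplete copies; if tampering is a concern,
    # carry the manifest separately from the media.
    $expected = @{}
    Import-Csv -Path $manifest | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }
    $actual = @{}
    Get-ContentHashes $mediaContent | ForEach-Object { $actual[$_.RelativePath] = $_.SHA256 }

    $bad = @($expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] })
    if ($bad.Count -gt 0) {
        throw "Missing or altered files on media: $($bad -join ', ')"
    }

    # Step 4: content first, so the files are present when the metadata arrives.
    Copy-Tree $mediaContent $ContentDir

    # Step 5: import the update metadata into the disconnected server's database.
    Invoke-WsusUtil @('import', $package, $log)
}
```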

Replica Mode:

Another option for advanced deployments is replica mode. Much like WSUS server chains, replica servers inherit settings and updates from their upstream master server. However, unlike server chains, replica servers are designed for environments where a central administrator controls computer groups and update approval for the entire enterprise.

The only information that isn’t synchronized between the master server and its replica servers is the content of the computer groups themselves. For instance, an administrator might create four computer groups on the master server named Branch A through Branch D. While all replica servers will receive these group names, they will not contain any members. The idea behind this design is that the WSUS administrator will create enough computer groups to cover the entire enterprise. Then, a WSUS replica server at a branch office will add the local PCs and servers to a group (say, Branch B) and the centrally approved patches for that group will be installed. It sounds complicated, but it really isn’t once you wrap your brain around it. For more detailed information on replicas, refer to the WSUS Deployment Guide.


General Approaches to Patching with WSUS

There are a couple of approaches you can take to using WSUS:

1. Detect and deploy required patches. This is a simple approach to using WSUS. The idea is you approve all patches for detection, then approve for installation any updates shown as being needed.

2. Investigate and authorize each patch individually. In this approach, you examine, and hopefully test, each update for suitability in your organization as part of an overall change management process. Once you are satisfied the update is appropriate, you approve it for installation for the appropriate target groups. This patch management strategy is more time consuming, but should provide greater stability. This approach is probably more appropriate for larger organizations, or where you have a diverse network and multiple target groups.


Maintenance:

Disk Space concerns

As mentioned in the requirements section, WSUS requires a huge amount of disk space for storing patches, which can grow out of hand at any time if you do not choose the products to be updated wisely.

It’s better to choose only those updates that are required and skip the others, even if recommended. For example, if your environment doesn’t have Windows 7 PCs, there is no need to download updates for them; the same goes for 64-bit OSes, Itanium processor based updates and device drivers.

Once the disk is full, WSUS stops getting more updates but keeps on updating workstations with the existing ones, and someone has to clear up the space. That’s why it’s recommended not to keep the update storage on the OS drive (C:), otherwise it may become critical for the server.

Cleanup activities

There is already a wizard in WSUS console for cleanup, which takes care of the following:

  • Unused updates and update revisions
  • Computers not contacting the server
  • Unneeded update files
  • Expired updates
  • Superseded updates

There are also ways of reclaiming disk space by removing some updates manually (the wizard or console doesn’t remove updates from disk), but most of those procedures are messy and error-prone as of now. So it’s recommended to use only the wizard and to be wise while selecting updates, because once marked, an update will certainly get downloaded, even if you mark it as denied later.


WSUS Reports

To access the reporting feature of WSUS, you need to install Report Viewer from Microsoft:

http://www.microsoft.com/downloads/details.aspx?FamilyID=a941c6b2-64dd-4d03-9ca7-4017a0d164fd&displaylang=en

After that, the WSUS console provides excellent options for generating reports with graphs, lists and tables in CSV, XLS or even PDF formats.

Although the WSUS reporting tool already provides plenty of options, we have yet to find one that reports when an update was released and when it was downloaded.

Currently, we do this manually by importing lists of all updates and finding the dates on the Microsoft Updates Download site itself. It’s a tedious job the first time, but later on you can use Excel tips like VLOOKUP to avoid repeating the work for already reported updates, updating only those few updates that were downloaded after the last report you prepared.

Note: As per Microsoft’s schedule, monthly updates arrive on the second Tuesday of the month, though many updates arrive on other days as well, depending on severity.



 

WSUS deployment Troubleshooting

This is a topic of continuous learning, with new issues and resolutions. Here are a few known issues with WSUS client configuration:

WSUS uses a client-server architecture. The WSUS client, which runs on the client computer, wakes up on a regular basis and queries a WSUS server to find applicable updates. The WSUS client is also designed to update itself, via what is known as self-update. The idea is that the client will look for, and download, not only the OS and application updates, but also updates to the client itself. The latest version of the AU client is required for client computers to interact fully with the WSUS server.

In most cases this mechanism works ok, and clients get updated as needed and are able to check in with the WSUS server. But on some systems, client computers either do not properly check in with the WSUS server or do not self update. These problems are both fairly rare and easy to overcome.

There is a set of client configuration checks you can make on client computers that are not connecting to WSUS properly, and a set of known issues.

Client Configuration checks

1. The first thing to check is whether the client computer is using the latest Automatic Update client version.

The current version of the Windows Update Agent (the WSUS client component in AU) is determined by the version of the WUAUENG.DLL, located in the %systemroot%\system32 folder. If the version of WUAUENG.DLL is 5.4.3790.1000 or greater, the WSUS client (or WUA) is installed. A version less than 5.4.3790.1000 indicates that SUS or earlier AU version 1.0 is installed.

If you have an earlier version of the AU client, it must be updated in order to work with WSUS. Computers running Windows XP with Service Pack 2 (SP2) already have the WSUS client installed.
The AU client, when contacting the WSUS server, will automatically update itself to the latest WSUS version if the self-update files are properly set up on the server. When connected to Windows Update or Microsoft Update, the AU client will also be able to self-update if it is not running the latest version. In addition, the AU client can also be updated by using a signed stand-alone installation package that is available from Microsoft.

2. If you want AU clients to update from a WSUS server in your environment, be sure you have set anonymous access permissions on the virtual Self Update directory and that it is on a Web server running on port 80. WSUS uses IIS to automatically update client computers to the WSUS-compatible Automatic Updates software version. To do this, WSUS Setup creates a virtual directory named Self Update, under the Web site running on port 80 of the computer where you installed WSUS. This virtual directory, called the “self-update tree”, contains the WSUS-compatible Automatic Updates software. Earlier Automatic Updates client versions can only update if they find the self-update tree on a Web server running on port 80. The access permissions on this virtual directory must be set to allow anonymous access. This Automatic Updates version check is done every time the client checks in with the server to detect new approved updates.

3. Be aware of GP replication time, which may cause a delay in your clients’ self-update process the first time a WSUS server and client are mapped. If clients have been mapped to WSUS servers using GP in an Active Directory environment, the timing of AU client check-in with the WSUS server can be impacted by AD GP refresh timing (generally about every 90 to 120 minutes depending on environment). Clients mapped to servers in a non-Active Directory environment can be forced to check in and update right away by running wuauclt /detectnow from the command prompt.

4. Another variable that will impact client check-in behavior is the Automatic Updates detection frequency setting. By default, this value is set to the maximum of every 22 hours. This means that every 22 hours, minus a random offset, AU polls or checks in with the WSUS server for approved updates. Every time the client checks in, it also verifies it has the latest version of the client and if not, it self-updates from the server. This setting can be modified via policy or by directly editing the local policy or registry on the client. The minimum frequency is one hour. If clients have been mapped to a WSUS server via local policy or direct registry editing, without detection forced by running wuauclt /detectnow, it could be up to 22 hours until that client will self-update and appear in the WSUS Admin Console.

5. Imaged clients with a duplicate client ID will only appear once in the WSUS Admin Console. Each AU client must have a unique id which is created for each individual install. When imaging systems it is recommended always to use SysPrep. The WSUS admin console will only display one client for each unique ID. If you have multiple clients created from one image which are sharing the same ID, only one will appear in the WSUS admin console. All clients will check in and download updates, but only one will appear and display status in the WSUS admin console. In cases where clients are not checking in, and they were created from images without running SysPrep, the following steps will reset the existing duplicative client IDs.

a. Run regedit and go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

b. Delete the PingID, SUSClientID and the AccountDomainSID values

c. Stop and start the Wuauserv Service

d. From the command prompt run: wuauclt /resetauthorization /detectnow

-or-

From the command line, once you are sure the AU client is properly configured and not disabled, you could run a batch file (which might look something like this sample) and get the same results:

rem Fixes problem with client machines not showing up on the server due to imaging method

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f

cls
@echo Triggering detection after resetting WSUS client identity

net stop wuauserv

net start wuauserv

wuauclt /resetauthorization /detectnow

Additionally the following VBScript can be deployed via group policy to perform the above function automatically at logon. The script creates a registry key that will allow the script to check if it has been run on that client before. If it has it ends without performing any further changes.


Dim objShell, objWMIService, objRegistry, colServiceList, objService
Dim strKeyPath, strValueName, strComputer, dwValue

Set objShell = WScript.CreateObject("WScript.Shell")

Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
strValueName = "SUSClientIdReset"

' Read the marker value; it is "1" if this script has already run on this client
objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
If (dwValue = "1") Then
    ' do nothing
Else
    ' Fixes problem with client machines not showing up on the server due to imaging method
    objRegistry.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, "SusClientId"
    objRegistry.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, "SusClientIdValidation"

    ' Restart the Automatic Updates service if it is running
    Set colServiceList = objWMIService.ExecQuery("Select * from Win32_Service where Name = 'wuauserv'")

    For Each objService In colServiceList
        If objService.State = "Running" Then
            objService.StopService()
            WScript.Sleep 10000
            objService.StartService()
        End If
    Next

    objShell.Run("wuauclt /resetauthorization /detectnow ")
    WScript.Sleep 10000
    objShell.Run("wuauclt /r /reportnow")

    ' Set reg value for SUSClientIdReset for checking against later.
    dwValue = "1"
    objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
End If


Just save the above script as a *.vbs file.

The above troubleshooting steps should be required only in rare cases; if Group Policy updates are happening in a proper manner, that solves the issue.
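
Checks 1, 3, 4 and 5 above can be read straight from a client without changing anything on it. The following PowerShell is an added example, not from the original post: Get-WsusClientStatus reports what one client has, and Find-DuplicateSusClientId takes inventory gathered from several clients (the sample list is constructed) and flags machines sharing a SusClientId.

```powershell
# Added example: read-only version of the client configuration checks.
# Run on a Windows client; requires PowerShell 3.0 or later.

$MinAgentVersion = [version]'5.4.3790.1000'   # threshold quoted in check 1
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$IdentityKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-WsusClientStatus {
    $findings = @()

    # Check 1: agent version, taken from wuaueng.dll
    $agentVersion = $null
    $dll = Join-Path $env:SystemRoot 'system32\wuaueng.dll'
    if (Test-Path $dll) {
        $vi = (Get-Item $dll).VersionInfo
        $agentVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
            $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    if ($null -eq $agentVersion) {
        $findings += 'wuaueng.dll not found'
    } elseif ($agentVersion -lt $MinAgentVersion) {
        $findings += "agent $agentVersion is older than $MinAgentVersion and must self-update"
    }

    # Checks 3 and 4: is the client mapped to a WSUS server, and how often does it poll?
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    if (-not $wu.WUServer) {
        $findings += 'no WUServer policy value: policy not refreshed yet, or client never mapped'
    } elseif ($au.UseWUServer -ne 1) {
        $findings += 'WUServer is set but AU\UseWUServer is not 1, so it is ignored'
    }
    $frequency = 22   # default detection frequency from check 4
    if ($au.DetectionFrequencyEnabled -eq 1 -and $au.DetectionFrequency) {
        $frequency = $au.DetectionFrequency
    }

    # Check 5: the per-install client ID that must be unique for each machine
    $id = (Get-ItemProperty -Path $IdentityKey -ErrorAction SilentlyContinue).SusClientId
    if (-not $id) { $findings += 'no SusClientId: client has not registered with a server yet' }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        AgentVersion            = $agentVersion
        WUServer                = $wu.WUServer
        WUStatusServer          = $wu.WUStatusServer
        DetectionFrequencyHours = $frequency
        SusClientId             = $id
        Findings                = $findings -join '; '
    }
}

# Group collected status objects by SusClientId and return only the IDs that
# more than one computer reports, i.e. clones imaged without SysPrep.
function Find-DuplicateSusClientId {
    param([Parameter(Mandatory)] [object[]]$Inventory)

    $Inventory |
        Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = ($_.Group | ForEach-Object { $_.ComputerName }) -join ', '
            }
        }
}

# Status of the machine this runs on.
Get-WsusClientStatus | Format-List

# Constructed sample inventory (hypothetical names and IDs): PC-101 and PC-102
# were cloned from the same image, PC-103 was not.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-101'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-102'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-103'; SusClientId = '22222222-aaaa-4bbb-8ccc-000000000002' }
)
Find-DuplicateSusClientId -Inventory $sample | Format-Table -AutoSize
```

Machines listed by Find-DuplicateSusClientId are the ones that need the client ID reset from step 5.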



 

So, that’s all about starting up and working with WSUS, a must-have tool for any IT administrator or sysadmin. Hoping to see some new faces on this side of the table.


Author: Nitish Kumar

I love to write and raising voice, sharing thought and heated debate is a kind of passion for me. Jobwise I am just another Computer professional handling Infra and designing solutions for a big Indian Media house but I love to write, sketch, photography and a lot more.

100 thoughts on “WSUS Step By Step – Installation, Deployment and troubleshooting”

  1. Dear,
    I’ve a problem in the WSUS Configuration Wizard, when I try to synchronize, the message is “the synchronization with the upstream server or Microsoft Update was canceled”. I checked the proxy settings and the WinHTTP configuration, the permissions on Temp folder.
    Could you help me?
    Tks.
    PS: I’m sorry for my English.

    1. As per one forum..

      Here are the correct permissions for the “Network Service” account on
      %windir%\temp:

      Permissions are not inherited from the parent.

      For “This folder and subfolders”, the account requires:
      Traverse Files/ Execute Files
      List Folder / Read Data
      Read Attributes
      Delete
      Read Permissions

      For “Files only”
      List Folder / Read Data
      Delete

          1. I’ve ISA 2006. I can browse without problem, I can check and download the Updates from the WindowsUpdate. I run proxycfg -u and WinHTTP has the same settings as IE.
            I uninstalled WSUS, Internal Database, and I deleted the Site from IIS, and I installed WSUS again, but the problem is the same.
            I’ve other server (in other client) with the same configuration, and it’s working ok.
            It is driving me crazy. 🙂

  2. This is all great info!

    I am setting up several new WSUS servers using win2008r2 and I am experiencing heavy initial file download from these servers. They are downloading roughly 15GB of data to each server. Is this normal? The whole point of setting up the WSUS servers is to save 100 machines from getting updates, by using one machine to download and distribute them locally.
    There is also no seemingly good way to schedule the WSUS updates other than once a day at a certain time. Do you have any suggestions on how to schedule syncs for, say… Fri 8pm – Sun 11pm ?

    Thanks

    1. Nate,
      15 Gb is perfectly normal. Think it’s the size of download that you are doing for one time, moreover, it includes updates for multiple versions of Windows. Though you can minimize the download size by carefully choosing the downloads one by one.

      As for schedules, you might call it a little manual effort, but one way is to make a separate group for pushing the updates and putting the computers in that group only when you want to update them and remove after confirming that updates are over. Using deadline setting might be a way to force it.

      Note that usually Microsoft monthly release schedule is second Tuesday of every month.

      1. Thank you for the reply. I assumed it was a normal first download size for a fresh WSUS server, but when we saw that in the traffic logs we thought maybe we are creating more trouble than we are fixing!

        I considered using a .bat file to start and stop the wsusservice.exe at the correct times every Friday and Sunday, but I am running into permission issues saying access denied on the service. Any tips?

        I mostly want to avoid machines downloading any updates from windows update directly, and I want to make sure WSUS is only downloading during the set 1am sync. The GPO on the workstations are doing their part, so it seems that once the first couple big syncs are over, it should resume a fairly “boring” routine.

        Could you also shed some light on the “download update files to the server only when updates are approved” setting.
        Here are my two thoughts.
        If I have that off, every time it syncs (mine is 1am), it will download all the needed updates that it finds across the network whether they are approved or not.

        If I have it checked, then it will only download the updates that are already approved and not already downloaded.

        But, what happens when I approve an update that is not already downloaded? Will it download on demand when it is approved, or will it wait until the next sync cycle to download those updates?

        Thank you!

  3. Dear Nitish,
    I require some help from you regarding WSUS.
    I have installed WSUS 3.0 on Windows 2k3 server. Now I want to move to Windows 2008 R2 server with WSUS 3 SP 2. I want all my database to remain the same as it is in Windows 2k3.
    So, please guide me for the same.

  4. Hello,
    thanks for this great article.
    I have one question.
    It is possible to find on network computers, that are not currently managed by WSUS server?
    Thanks for your help.

  5. I already have wsus 3.2 running happily on a windows server 2003 enterprise edition sp2. I have a need to move this facility over to a new windows server 2008 R2 Enterprise 64bit. My questions are:

    Can I install using your step-by-step method to install wsus 3.2 on this new server using the same updates database while leaving the old wsus running? When successfully installed, decommission the old wsus on Server2003 and just leave the new copy running on server2008. I am planning to use the same AD policy etc. Can you please advise what do I have to watch out for and what new steps should I take if any, or can I just follow your guide, any problems?

    Will appreciate any help?

    Regards
    Fiaz.

    1. You need to create a separate OU for computers and move all computers into it from default OU named “computers”, then apply group policy over this OU, not over any user. It should work otherwise any issue with your domain policies

  6. My clients are not updating from my WSUS. I have configured group policy but it has not been done. What should I do? Please send me complete information about WSUS configuration and client updating configuration. I will be very thankful to you. Please do as soon as possible, thanks.

    1. You have applied the group policies over OU of computers or users? Need to be applied over OU of Computers. Create a new OU, move all PCs to that and then apply the group policy over that OU.

      Will work

  7. My server is Windows 2003 R2 standard. It is configured to download patches from a WSUS server and let me choose to install. I click the notification button and find always only some patches (.Net framework, software removal tool) are downloaded. Those related to Windows 2003 patches are not downloaded. Strange that I check from WSUS status that they are not applicable. But actually I try to install one manually and is succeeded. It seems WSUS client can contact server. Any idea about it?

  8. I am trying to sync an AD OU with a WSUS OU. The problem is that some computers are showing in the WSUS OU but some are not. Can you please tell me what the problem is?

  9. Hi Nitish,

    I need help regarding the WSUS server.

    Can we pull the patch installation report through the command line?

    If it is possible, please let me know.

    Thanks & Regards,
    Prasanna Kumar K S

    1. Check this. Might be helpful for your query.

      http://social.technet.microsoft.com/Forums/ar/winserverwsus/thread/c71616d2-7253-446a-8a72-f69504f3dee6

      On Fri, Sep 23, 2011 at 7:19 PM, Nitish Kumar wrote:

      > It's available via report viewer console though I need to check for exact commands to pull reports via commandline.

  10. Hi,

    We have 3 locations with WSUS servers. Clients are unable to get updates from the WSUS server; the error is event ID 13002, 13001 & 13042.
    Please help.

  11. I need to set up WSUS as a Microsoft update site, but without the GP or Active Directory thingy.
    Like, the client browses to the WSUS site and installs the updates as required (similar to update.microsoft.com).

    So what should I follow?

  12. Dear Kumar,
    Can you please tell me how I can know that I have installed the WSUS client on my XP system, and also tell me where WSUS updates are installed in the XP client system folder?

    Waiting for your prompt response soon.

    Thanks.

  13. Hi Kumar,
    Can you help with this? After I removed WSUS from my 2003 server, my Internet won't work and Windows Update will not run. Also, the script to map all my shared drives no longer works on this server. Here’s the message: “Restriction: This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” Any ideas? I appreciate your response.

  14. Hi Kumar,

    I have a doubt…
    I would like to know if a WSUS server can be configured on a Windows 7 Enterprise computer. I have a small business and have 8 computers on my network. Please let me know if I can make a Windows 7 OS use WSUS in order to patch the updates to other computers.

  15. Hey.

    I have configured WSUS and a Domain Controller on my Windows Server 2008 R2. I have added it into the domain. It is showing my Active Directory users. Please let me know how to push updates from my local update server.

  16. I have configured WUS on Win2k8 R2, and all my machines that are members of the domain are configured as WUS clients through the domain GP. The issue I am having is that our location is mixed, with domain computers and standalone computers. Do you know of a VB script that will configure the registry so we do not have to manually configure all the standalone machines? Thanks, this was a great post.

  17. Dear Nitish,

    I have installed WSUS on a Windows 2008 server. I have imported a service pack into WSUS through the “Import Update” function using the update catalog. It showed as imported successfully to WSUS, but I couldn't find it anywhere inside the WSUS console in order to approve or deploy it. Can you help me with where it could be found, or is there something I am missing, or is the way I am doing it wrong?

  18. Dear Nitish,

    Congratulations on your text.

    I work with Target Groups in WSUS, but computers do not get put into the correct group on the WSUS server. Some computers stay in Unassigned Computers, but in the registry the TargetGroup key is correct.

    The GPO is correct.

    Can you help me?

    Tks,

  19. I have 1 WSUS server to cover PCs at different locations. Some locations’ time zones are not the same as the WSUS server's. When I use option 4, scheduled install, e.g. Saturday 5 am, to patch all PCs, will the patch be installed following WSUS time or local PC time?

    thanks

    Michael

  20. Hi Nitish, I have a group of computers that are not connected to the internet and cannot be connected. To get updates now, I download the ISO’s from MS, burn them to cd, and run them on each machine. If I set up WSUS on a notebook/laptop, can I copy the files out of the ISO’s and use WSUS then to push them out to my network?

  21. I have a simple WSUS installation of a couple hundred machines. I use GPO to control the rollout of patches to each machine. Some of these machines are showing “No Status”, and the detail under ‘Last Status Report’ is ‘Not yet reported’. I have 2 questions, thanks in advance!
    1. Will this symptom affect the WSUS server rolling out patches to the machines?

    2. How do I get a machine from ‘no status’ back to normal?

    BR

    Michael

    1. Yes! It's normal behavior. Many times machines might not be connecting well with the WSUS server for a number of reasons, or might not have reported completely.

      You can run the commands below to ensure a machine gets registered properly with the WSUS server.

      Run the following chain of commands:

      net stop wuauserv /Y
      net stop bits /Y
      net stop cryptsvc /Y

      REM Rename and delete directories
      rd /s /Q %SystemRoot%\SoftwareDistribution
      ren %systemroot%\System32\Catroot2 Catroot2.old

      REM Change directory to System32
      CD /D %SystemRoot%\System32

      REM Re-register files
      regsvr32 Actxprxy.dll /s
      regsvr32 Atl.dll /S
      regsvr32 Browseui.dll /s
      regsvr32 cryptdlg.dll /s
      regsvr32 dssenh.dll /s
      regsvr32 gpkcsp.dll /s
      regsvr32 initpki.dll /s
      regsvr32 jscript.dll /s
      regsvr32 Mshtml.dll /s
      regsvr32 Msjava.dll /s
      regsvr32 Mssip32.dll /s
      regsvr32 msxml.dll /s
      regsvr32 msxml2.dll /s
      regsvr32 Msxml3.dll /s
      regsvr32 Oleaut32.dll /s
      regsvr32 rsaenh.dll /s
      regsvr32 sccbase.dll /s
      regsvr32 shdocvw.dll /s
      regsvr32 shell32.dll /s
      regsvr32 slbcsp.dll /s
      regsvr32 softpub.dll /s
      regsvr32 Urlmon.dll /s
      regsvr32 vbscript.dll /s
      regsvr32 wintrust.dll /s
      regsvr32 wuapi.dll /s
      regsvr32 wuaueng.dll /s
      regsvr32 wuaueng1.dll /s
      regsvr32 wucltui.dll /s
      regsvr32 wups.dll /s
      regsvr32 wups2.dll /s
      regsvr32 wuweb.dll /s

      REM Turn services back on
      net start wuauserv
      net start bits
      net start cryptsvc
      Wuauclt /detectnow

      After that, check the c:\Windows\WindowsUpdate.log file to see if it points to any error.

  22. Thanks for the quick response.

    After running the commands on 2 machines, there is no new success or error showing up in the WindowsUpdate.log file.

    The machines still show ‘no status’ and ‘Not yet reported’ on the WSUS console.

  23. the machines are located in EU and apply with CET time

    1 machine

    2013-02-21 08:28:17:672 812 1914 AU ########### AU: Initializing Automatic Updates ###########
    2013-02-21 08:28:17:673 812 1914 AU # WSUS server: http://dkdc0srv135.nneas.net
    2013-02-21 08:28:17:673 812 1914 AU # Detection frequency: 22
    2013-02-21 08:28:17:673 812 1914 AU # Approval type: Scheduled (Policy)
    2013-02-21 08:28:17:673 812 1914 AU # Scheduled install day/time: Saturday at 1:00
    2013-02-21 08:28:17:673 812 1914 AU # Auto-install minor updates: Yes (User preference)
    2013-02-21 08:28:17:673 812 1914 AU # Will interact with non-admins (Non-admins are elevated (User preference))
    2013-02-21 08:28:17:673 812 1914 AU Setting AU scheduled install time to 2013-02-23 00:00:00
    2013-02-21 08:28:17:738 812 18c0 Report *********** Report: Initializing static reporting data ***********
    2013-02-21 08:28:17:738 812 18c0 Report * OS Version = 6.1.7601.1.0.196624
    2013-02-21 08:28:17:738 812 18c0 Report * OS Product Type = 0x00000007
    2013-02-21 08:28:17:749 812 18c0 Report * Computer Brand = VMware, Inc.
    2013-02-21 08:28:17:749 812 18c0 Report * Computer Model = VMware Virtual Platform
    2013-02-21 08:28:17:752 812 18c0 Report * Bios Revision = 6.00
    2013-02-21 08:28:17:752 812 18c0 Report * Bios Name = PhoenixBIOS 4.0 Release 6.0
    2013-02-21 08:28:17:752 812 18c0 Report * Bios Release Date = 2011-04-15T00:00:00
    2013-02-21 08:28:17:752 812 18c0 Report * Locale ID = 1030
    2013-02-21 08:28:17:754 812 1914 AU Successfully wrote event for AU health state:1
    2013-02-21 08:28:17:754 812 1914 AU Initializing featured updates
    2013-02-21 08:28:17:754 812 1914 AU Found 0 cached featured updates
    2013-02-21 08:28:17:754 812 1914 AU Successfully wrote event for AU health state:1
    2013-02-21 08:28:17:756 812 1914 AU Successfully wrote event for AU health state:1
    2013-02-21 08:28:17:756 812 1914 AU AU finished delayed initialization
    2013-02-21 08:28:17:756 812 1914 AU Triggering AU detection through DetectNow API
    2013-02-21 08:28:17:756 812 1914 AU Triggering Online detection (non-interactive)
    2013-02-21 08:28:17:757 812 18c0 AU #############
    2013-02-21 08:28:17:757 812 18c0 AU ## START ## AU: Search for updates
    2013-02-21 08:28:17:757 812 18c0 AU #########
    2013-02-21 08:28:17:759 812 18c0 AU <>## RESUMED ## AU: Search for updates [CallId = {BC83E776-8E17-49D0-A9A4-438876BDA9AA}]
    2013-02-21 08:28:20:038 812 16bc AU # WARNING: Search callback failed, result = 0x800B0001
    2013-02-21 08:28:20:038 812 16bc AU # WARNING: Failed to find updates with error code 800B0001
    2013-02-21 08:28:20:038 812 16bc AU #########
    2013-02-21 08:28:20:038 812 16bc AU ## END ## AU: Search for updates [CallId = {BC83E776-8E17-49D0-A9A4-438876BDA9AA}]
    2013-02-21 08:28:20:038 812 16bc AU #############
    2013-02-21 08:28:20:038 812 16bc AU Need to show Unable to Detect notification
    2013-02-21 08:28:20:038 812 16bc AU Successfully wrote event for AU health state:1
    2013-02-21 08:28:20:038 812 16bc AU AU setting next detection timeout to 2013-02-21 12:28:20
    2013-02-21 08:28:20:038 812 16bc AU Setting AU scheduled install time to 2013-02-23 00:00:00
    2013-02-21 08:28:20:039 812 16bc AU Successfully wrote event for AU health state:1
    2013-02-21 08:28:20:039 812 16bc AU Successfully wrote event for AU health state:1
    2013-02-21 08:28:22:754 812 115c Report REPORT EVENT: {CF50A922-26D0-4D10-AB38-445C616D6C6E} 2013-02-21 08:28:20:036+0100 1 148 101 {D67661EB-2423-451D-BF5D-13199E37DF28} 1 800b0001 SelfUpdate Failure Software Synchronization Windows Update Client failed to detect with error 0x800b0001.
    2013-02-21 08:28:22:799 812 115c Report CWERReporter::HandleEvents – WER report upload completed with status 0x8
    2013-02-21 08:28:22:799 812 115c Report WER Report sent: 7.6.7600.256 0x800b0001 D67661EB-2423-451D-BF5D-13199E37DF28 Scan 101 Managed
    2013-02-21 08:28:22:799 812 115c Report CWERReporter finishing event handling. (00000000)
    2013-02-21 08:34:13:871 812 115c Report Uploading 1 events using cached cookie, reporting URL = http://dkdc0srv135.nneas.net/ReportingWebService/ReportingWebService.asmx
    2013-02-21 08:34:13:881 812 115c Report Reporter successfully uploaded 1 events.

  24. another machine
    2013-02-21 03:28:20:723 792 ed4 PT Server URL = http://dkdc0srv135.nneas.net/SimpleAuthWebService/SimpleAuth.asmx
    2013-02-21 03:28:20:782 792 ed4 Report Uploading 1 events using cached cookie, reporting URL = http://dkdc0srv135.nneas.net/ReportingWebService/ReportingWebService.asmx
    2013-02-21 03:28:20:786 792 ed4 Report Reporter successfully uploaded 1 events.
    2013-02-21 06:07:22:943 792 ce8 AU AU was unable to detect updates for more than 48 hours
    2013-02-21 06:07:27:943 792 e9c Report REPORT EVENT: {CB669BDC-CF98-4F5C-8773-72C84BE6FB7C} 2013-02-21 06:07:22:943+0100 1 149 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Failure Software Synchronization Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
    2013-02-21 06:07:27:944 792 e9c Report CWERReporter finishing event handling. (00000000)
    2013-02-21 06:21:42:226 792 ce8 AU AU setting next sqm report timeout to 2013-02-22 05:21:42
    2013-02-21 08:16:59:916 792 ce8 AU #############
    2013-02-21 08:16:59:916 792 ce8 AU ## START ## AU: Search for updates
    2013-02-21 08:16:59:916 792 ce8 AU #########
    2013-02-21 08:16:59:954 792 ce8 AU <>## RESUMED ## AU: Search for updates [CallId = {6190E376-86A5-432D-993B-28E6337EFB07}]
    2013-02-21 08:17:02:755 792 d9c AU # WARNING: Search callback failed, result = 0x800B0001
    2013-02-21 08:17:02:755 792 d9c AU # WARNING: Failed to find updates with error code 800B0001
    2013-02-21 08:17:02:755 792 d9c AU #########
    2013-02-21 08:17:02:755 792 d9c AU ## END ## AU: Search for updates [CallId = {6190E376-86A5-432D-993B-28E6337EFB07}]
    2013-02-21 08:17:02:755 792 d9c AU #############
    2013-02-21 08:17:02:755 792 d9c AU Need to show Unable to Detect notification
    2013-02-21 08:17:02:755 792 d9c AU Successfully wrote event for AU health state:1
    2013-02-21 08:17:02:756 792 d9c AU AU setting next detection timeout to 2013-02-21 12:17:02
    2013-02-21 08:17:02:756 792 d9c AU Setting AU scheduled install time to 2013-02-23 00:00:00
    2013-02-21 08:17:02:756 792 d9c AU Successfully wrote event for AU health state:1
    2013-02-21 08:17:02:761 792 d9c AU Successfully wrote event for AU health state:1
    2013-02-21 08:17:07:739 792 103c Report REPORT EVENT: {A1BBF9D9-C78C-47D0-88BE-FF26AC6BFCFF} 2013-02-21 08:17:02:739+0100 1 148 101 {D67661EB-2423-451D-BF5D-13199E37DF28} 1 800b0001 SelfUpdate Failure Software Synchronization Windows Update Client failed to detect with error 0x800b0001.
    2013-02-21 08:17:07:753 792 103c Report CWERReporter::HandleEvents – WER report upload completed with status 0x8
    2013-02-21 08:17:07:753 792 103c Report WER Report sent: 7.6.7600.256 0x800b0001 D67661EB-2423-451D-BF5D-13199E37DF28 Scan 101 Managed
    2013-02-21 08:17:07:753 792 103c Report CWERReporter finishing event handling. (00000000)
    2013-02-21 08:28:22:958 792 103c PT WARNING: Cached cookie has expired or new PID is available
    2013-02-21 08:28:22:958 792 103c PT Initializing simple targeting cookie, clientId = faf01d5e-91f7-49ce-87ef-79bd505e1ea6, target group = , DNS name = dkdc0srv018.nneas.net
    2013-02-21 08:28:22:958 792 103c PT Server URL = http://dkdc0srv135.nneas.net/SimpleAuthWebService/SimpleAuth.asmx
    2013-02-21 08:28:23:013 792 103c Report Uploading 1 events using cached cookie, reporting URL = http://dkdc0srv135.nneas.net/ReportingWebService/ReportingWebService.asmx
    2013-02-21 08:28:23:017 792 103c Report Reporter successfully uploaded 1 events.

    1. Two things can be done about it. First run system update readiness tool on the mentioned machine and see the results in WindowsUpdate.log file after it.

      If that doesn’t work then do the following on WSUS server side

      Download and run Update for Windows Server Update Services 3.0 SP2 for x64-based Systems (KB2720211)
      After the hotfix is complete, Stop your WWW Service
      Stop your UPDATE SERVICES Service
      Perform an IISRESET (which seemed redundant to me, but it does start the WWW service)
      Start your UPDATE SERVICES
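
An added example, not part of the original comments: a Python triage of a WindowsUpdate.log in the layout posted above, counting failed detections per error code and flagging a WSUS URL that is not HTTPS. The sample log and its host name are constructed, and the name shown for 0x800B0001 is the standard Windows HRESULT name rather than something stated in the thread.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# One record: date, time with milliseconds, PID, TID (hex), component, message.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<component>\S+)\s+(?P<msg>.*)$"
)
SERVER_RE = re.compile(r"#\s*WSUS server:\s*(\S+)")
# Each failed search logs the code twice ("Search callback failed" and
# "Failed to find updates"); only the second form is counted.
FAIL_RE = re.compile(r"Failed to find updates with error code\s+([0-9A-Fa-f]{8})")
STALE_RE = re.compile(r"unable to detect updates for more than (\d+) hours")

# Only the code seen in this thread is named; others are reported by number.
KNOWN_ERRORS = {"800B0001": "TRUST_E_PROVIDER_UNKNOWN"}

# Constructed sample in the layout of the logs above; the host name is made up.
SAMPLE_LOG = """\
2013-02-21 08:28:17:673 812 1914 AU # WSUS server: http://wsus.example.internal
2013-02-21 08:28:17:673 812 1914 AU # Detection frequency: 22
2013-02-21 08:28:20:038 812 16bc AU # WARNING: Search callback failed, result = 0x800B0001
2013-02-21 08:28:20:038 812 16bc AU # WARNING: Failed to find updates with error code 800B0001
2013-02-21 10:07:22:943 812 ce8 AU AU was unable to detect updates for more than 48 hours
2013-02-21 12:28:21:100 812 16bc AU # WARNING: Search callback failed, result = 0x800B0001
2013-02-21 12:28:21:100 812 16bc AU # WARNING: Failed to find updates with error code 800B0001
-- log truncated here --
"""


def summarize(log_text):
    """Collect WSUS server URLs, detection failures and staleness warnings."""
    servers, errors, stale, unparsed, first_failure = set(), Counter(), [], 0, None
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = LINE_RE.match(raw)
        if rec is None:
            unparsed += 1  # counted so a damaged log is not read as clean
            continue
        msg = rec["msg"]
        if (m := SERVER_RE.search(msg)):
            servers.add(m.group(1))
        elif (m := FAIL_RE.search(msg)):
            errors[m.group(1).upper()] += 1
            first_failure = first_failure or rec["ts"]
        elif (m := STALE_RE.search(msg)):
            stale.append(int(m.group(1)))
    return {
        "servers": sorted(servers),
        "cleartext_servers": sorted(u for u in servers if urlsplit(u).scheme.lower() != "https"),
        "errors": dict(errors),
        "first_failure": first_failure,
        "stale_hours": stale,
        "unparsed": unparsed,
    }


def findings(summary):
    """Turn the summary into short triage lines for an administrator."""
    out = []
    for url in summary["cleartext_servers"]:
        out.append(f"{url}: client reaches WSUS without TLS")
    for code, count in sorted(summary["errors"].items()):
        name = KNOWN_ERRORS.get(code, "unrecognized code")
        out.append(f"0x{code} ({name}): {count} failed detection(s), "
                   f"first failure logged at {summary['first_failure']}")
    if summary["stale_hours"]:
        out.append(f"no successful detection for over {max(summary['stale_hours'])} hours")
    if summary["unparsed"]:
        out.append(f"{summary['unparsed']} line(s) did not parse; the log may be truncated")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```
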

  27. Hi Nitish,

    I have a WSUS setup and all my clients are showing up with the PROXY IP rather than their actual IP.

    Regards,
    Nirmal

    1. It’s a very common scenario when your router is routing all the port 80 requests to your proxy server.

      You would need to add a rule in the router to leave alone all requests to port 80 which have the WSUS server IP as destination, meaning no redirection to any other port or server. Port 80 to port 80.

        1. I am not sure if it's related to Threat Management Gateway. There should be a router or something which is capturing port 80 traffic and redirecting it to your proxy server. Can you explain how the proxy server is implemented/working at your place?

          1. All clients (desktops and laptops) are configured with proxy WPAD. So if a user tries to browse, the URL directs it to the proxy servers and then the firewall. In this case we have WPAD for server subnets and I am not sure whether this is causing the issue.

              1. If I put the WSUS IP address:8530 instead of the hostname, I am getting the actual IP address. Just checking how this happens.

  28. Hey Nitish,

    I just sent you a tweet. But I’ll leave a message here as well. Our WSUS server is showing that several clients need 44 updates, yet when we look on the client it shows it is up to date. How can we fix/deal with this?

  29. Hi Nitish, I have got a question regarding WSUS. I am using Windows 7 Home Premium 64-bit. For some reason my pre-installed Windows Update function is not working. When I researched, I came to know that my Background Intelligent Transfer Service is not running in Services, which is somehow linked with the Windows Update program, and then I decided to use WSUS. It worked well. Before using WSUS, my Windows Update program was showing 71 important updates and 37 optional updates. Now, after using WSUS, my pre-installed Windows Update program is still showing 39 important updates available and 37 optional updates available. So my question is: why is WSUS not getting all important updates? Let me tell you this also: I never installed any service pack. When I started the WSUS offline update generator, I selected my OS and then in the options I checked
    – clean up download directories
    – verify download updates
    – include windows defender definitions

    I didn't check service pack, C++ runtime, .NET Framework and Microsoft Security Essentials. Is this the reason why my pre-installed update program is still showing important updates, because they are linked with these things?

      1. No, I don't think so. As far as I know, those updates which are still appearing in my pre-installed Windows Update program are there because WSUS isn't getting those updates for some reason.

  30. Alright, well, my BITS (Background Intelligent Transfer Service) is not working anymore. It crashed for some reason, I don't know why. This is why I decided to use WSUS. It worked brilliantly though. Do you know any website where Windows update files can easily be downloaded?

  31. Hi Nitish,

    I have installed WSUS role on a 2012R2 server [Update services ver 6.3.9600.16384]. I am trying to access the WSUS admin page through http://wsusservername:8530 but I am getting a blank page. It works fine through MMC snapin. But we really need to make it work through the web interface. Any help is much appreciated. Thanks.

  32. Hi Nitish

    I installed the WSUS service on a Windows 2012 R2 server, for migrating servers from the old WSUS server (OS is Windows 2008) to the new WSUS server to get MS updates, and made a GPO to redirect the servers. After checking, the GPO is applied on the common servers, but no server shows up in the new WSUS console?

    thanks

    /Michael

  33. Hi

    I have installed the WSUS server on 2012 fine and it is synchronising, but it is downloading 20,000+ updates.

    I don't have time to go through every one individually, so how do I choose which to approve and which not? The console does not even seem to group them by operating system/product, just critical/security etc.
    Thanks
    Kevin

    1. Searching by name for individual products, selecting all, and then right-clicking to approve should work. Sadly, yes, it would be a manual task the first time.

  37. Question-

    Hi All- Our existing enterprise has about 200 PCs. We have had a SUS server up for a while, but I think the database is fubar.

    I have already stood up a 2012 R2 server w/ the SUS role. I have a separate GPO pointing to the new test server, and this GPO is applied to my work desktop and work laptop. So far they have checked in OK.
    My question is (and I am a desktop support person trying to learn)- do I need to decline any of the superseded updates?

    On the brand new SUS server w/ only Windows 7 and Office 2010/2013 configured as Products, there are 1300 security updates and 1197 critical updates to be approved.

    As I said I’m new to SUS so I’m just trying to get a handle on it.
    Do you all decline superseded updates or do you approve all, let all the machines report in and sort it out one by one?

  38. Hi Nitish,

    Recently we have reinstalled our WSUS server [2008R2], configured as a fresh WSUS. After that, most of the Windows 8.1 clients are not reporting to the server [not reported yet]. Could you please help us?

    1. This might have happened due to a corrupted SoftwareDistribution folder.

      Use the following command at any one of the affected machine and check if it helps

      Net stop wuauserv

      rd /s %windir%\softwaredistribution\

      Net start wuauserv

  39. Hi Nitish,

    Many thanks for your tutorial. However, I do have a query.

    I have setup GPO’s for clients to the test WSUS initially and it all worked perfectly, but that was the only WSUS server we had for testing. In the GPO it was pointed to this test server with client-side-targeting.

    Now we have an upstream server in my Head Office and I have 4 downstream servers running in replica mode. We have 4 different OU’s for different branches with 4 different GPO’s at each branch.

    Now since we are planning to ease the network load off the HO server and get the clients to communicate to the respective branch replica server in the remote locations, how do we set the target for the clients in the GPO? Should I configure the GPO under ‘Specify intranet Microsoft update service for detecting updates’ to the branch replica servers for branch OU’s or should this be pointed to the head office? If this goes to the head office upstream server, how do I get the remote clients to download updates from the replica server in the remote branches and not from the head office?

    Thanks in advance.

    Damien

  40. After configuring WSUS 3.0 on Server 2008, updates are not getting downloaded on the server.
    But the internet is working fine, as I checked.
    Can you please suggest any specific port I need to check?

  41. Hi Nitish,
    I have installed Server 2012 and the AD, DNS and Windows update server roles. Since my network is a private network, how are updates downloaded and installed from the civil Internet?

    Thanks for your guidelines
