
How to install WSUS 3.0 SP1

The guide requires you to download the WSUS package from
http://www.microsoft.com/downloads/details.aspx?familyid=F87B4C5E-4161-48AF-9FF8A96993C688DF&displaylang=en#top
and you must also download the Microsoft Report viewer redistributable
http://www.microsoft.com/downloads/details.aspx?familyid=CC96C246-61E5-4D9E-BB5F416D75A1B9EF&displaylang=en

This guide also assumes that you have set up and installed IIS in Windows 2008 and that you have
configured and installed SQL 2008 or SQL 2005.

Overview

WSUS 3.0 SP1 delivers important customer-requested management, stability, and performance
improvements. Some of the features and improvements include:
* Support for Windows Server 2008.
* Support for SQL Server 2008.
* Enhanced bulk approval capability, preserving existing approvals.
* Support for separate proxy servers and ports for SSL and non-SSL traffic.
* Office Excel report export.

WSUS 3.0 SP1 can be installed alone, or as an upgrade of either WSUS 3.0 RTM or WSUS 2.0 SP1.
This package installs both the WSUS 3.0 SP1 Server and WSUS 3.0 SP1 Administration Console
components, for all Windows Server 2003 SP1 supported languages. Additionally, the WSUS 3.0 SP1
client is included in all supported client platform languages. You must install the server components on a
computer running Windows Server 2008 or Windows Server 2003 SP1 or later. You may install the
Administration Console on a remote computer running Windows Server 2008, Windows Vista, Windows
Server 2003 SP1, or Windows XP SP2.

WSUS 3.0 SP1 Server Installation on Windows Small Business Server 2003

If you are installing the WSUS 3.0 SP1 product on Windows Small Business Server 2003, follow the
instructions in Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003.

There are 4 common methods of deploying WSUS:

* Single WSUS server
* Multiple independent WSUS servers
* Multiple internally synchronised WSUS servers
* Disconnected WSUS servers

A single WSUS server would be suitable for a small or simple network. It will synchronise with Microsoft
Update and then distribute its updates to your servers/clients.
Multiple independent WSUS servers could be set up to synchronise with Microsoft Update and
configured to, for example, update only one specific type of client, e.g. XP clients or Vista; then another
WSUS server in your organisation could be set up just to update your Server 2008 servers.
Multiple internally synchronised WSUS servers is where you have multiple WSUS servers in your
organisation but only one connects to Microsoft Update. This is called the Upstream WSUS server, and
all other WSUS servers (called the Downstream WSUS servers) synchronise via this WSUS server. The
synchronisation methods can be either Autonomous or Replica.
Disconnected WSUS servers are not connected to the internet at all. You would typically utilise this
setup in an organisation that doesn't have or allow internet access. The Microsoft Updates would have
to be pulled down from another internet connected WSUS server and then burned to CD or DVD and
copied to the disconnected WSUS server.

Installation

Install the Report Viewer first

Double-click on the Report Viewer exe and choose Next to continue at the welcome screen.
Accept the license terms.
Click Install to install.
Once done, click Finish.

Install WSUS

Double-click on the WSUS exe and choose Next at the welcome screen.
Choose the Full Server installation.
Accept the license agreement.
Select your update source (local or on windowsupdate).
Now if you haven't installed SQL 2008 yet, then please do so, as the next screen will allow us to pick
between an internal Windows database (first option) or to connect to our MSSQL database (default),
second option.
Choose to use the existing database.
It will hopefully successfully connect to your database; click Next to continue.
When prompted what IIS website to use, choose the default option (use the existing IIS website).
You'll see a summary; click Next to continue.
That's it, all done; click Finish.

Note: if you are going to use SCCM to manage patch management then do NOT run
the WSUS configuration wizard below
The WSUS configuration wizard automatically starts after the Setup wizard completes. Because
Configuration Manager 2007 SP1 manages the WSUS settings, you should exit the configuration wizard
after it opens.

#2 CCDE10
Posted 12 December 2009 - 05:18 PM


any help ?

2008 - 2011 CertCollection IT Certification Forum


Adding workgroup computer into WSUS server

Domain computers can be added to the WSUS console by using Group Policy. But what about
workgroup computers?
You can add a workgroup computer to the WSUS console by using the registry.
I have created two scripts to simplify the task of adding a computer to the WSUS server.
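1. File: wsus.bat
@echo off
:: Points this workgroup client at the WSUS server defined in c:\wsus.reg
pause
:: Stop the Windows Update service before changing its policy keys
net stop "wuauserv"
echo importing wsus.reg
%windir%\regedit.exe /s c:\wsus.reg
echo wsus.reg imported successfully
net start "wuauserv"
echo forcing update detection
wuauclt /detectnow
pause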

Note: Stop the Windows Update Service, execute wsus.reg and start Windows Update Service.
Perform manual detection by using the command wuauclt /detectnow
2. File: wsus.reg
Windows Registry Editor Version 5.00

; WSUS server the client reports to and downloads from
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsussvr01"
"WUStatusServer"="http://wsussvr01"

; Automatic Updates behaviour (values explained in the notes below)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:0000000d
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

Note:
a) WUServer and WUStatusServer - specify your WSUS server using the following format:
http://wsus server name
b) Value: NoAutoUpdate
0 - Enable Automatic Updates (Default)
1 - Disable Automatic Updates
c) Value: AUOptions
2 - Notify for download and notify for install
3 - Auto download and notify for install
4 - Auto download and schedule the install
d) Value: ScheduledInstallDay
0 - Install every day
1 to 7 - Install on specific day of the week from Sunday (1) to Saturday (7).
e) Value: ScheduledInstallTime
0 to 23 - Install time of day in 24-hour format
f) UseWUServer - Enabled Automatic Update.
g) NoAutoRebootWithLoggedOnUsers - when enabled, specifies that to complete a scheduled
installation, Automatic Updates will wait for the computer to be restarted by any user who is
logged on, instead of causing the computer to restart automatically in 5 minutes to complete
the installation.
Note: Copy both files into the C: drive and run wsus.bat.
For more detail, please refer to
http://technet.microsoft.com/en-us/library/cc708449(WS.10).aspx
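
To check what a client actually ended up with after importing wsus.reg, the following PowerShell audit decodes the values from the notes above and flags inconsistent ones. It is an added example, not part of the original article; the function names are hypothetical and the sample hashtables are constructed from the wsus.reg values shown above.

```powershell
# Added example: audit the Windows Update policy values that wsus.reg writes.
# Test-WsusClientPolicy works on plain hashtables, so it can be run against
# constructed values; Get-WsusClientPolicy reads the registry of a live client.

function Get-WsusClientPolicy {
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $paths  = @{ WU = $wuKey; AU = "$wuKey\AU" }
    $policy = @{ WU = @{}; AU = @{} }
    foreach ($name in $paths.Keys) {
        $props = Get-ItemProperty -Path $paths[$name] -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                # Skip PSPath, PSParentPath, ... which the registry provider adds
                if ($p.Name -notlike 'PS*') { $policy[$name][$p.Name] = $p.Value }
            }
        }
    }
    return $policy
}

function Test-WsusClientPolicy {
    param(
        [hashtable]$WU = @{},
        [hashtable]$AU = @{}
    )
    $findings = @()

    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $WU[$name]) { $findings += "$name is not set" }
    }
    if ($WU['WUServer'] -and $WU['WUStatusServer'] -and
        ($WU['WUServer'] -ne $WU['WUStatusServer'])) {
        $findings += 'WUServer and WUStatusServer point to different servers'
    }
    if ($WU['WUServer'] -like 'http://*') {
        $findings += 'WUServer uses http://, so update metadata is not protected by TLS'
    }
    if ($AU['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1; the client does not use WUServer'
    }
    if ($AU['NoAutoUpdate'] -eq 1) {
        $findings += 'NoAutoUpdate is 1; Automatic Updates is disabled'
    }

    # AUOptions meanings exactly as listed in the notes above
    $auText = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
    }
    $mode     = $AU['AUOptions']
    $modeText = 'AUOptions not set'
    if ($null -ne $mode) {
        if ($auText.ContainsKey([int]$mode)) { $modeText = $auText[[int]$mode] }
        else { $modeText = "AUOptions=$mode (not in the table above)" }
    }

    # The schedule values only matter for scheduled installs (AUOptions = 4)
    if ($mode -eq 4) {
        $day  = $AU['ScheduledInstallDay']
        $time = $AU['ScheduledInstallTime']
        if ($null -eq $day -or $day -lt 0 -or $day -gt 7) {
            $findings += 'ScheduledInstallDay must be 0 (every day) or 1-7 (Sunday-Saturday)'
        }
        if ($null -eq $time -or $time -lt 0 -or $time -gt 23) {
            $findings += 'ScheduledInstallTime must be 0-23'
        }
    }

    New-Object PSObject -Property @{
        Server   = $WU['WUServer']
        Mode     = $modeText
        Findings = $findings
    }
}

# Constructed sample: the values from wsus.reg above (dword 0000000d = 13)
$sampleWU = @{ WUServer = 'http://wsussvr01'; WUStatusServer = 'http://wsussvr01' }
$sampleAU = @{
    NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0
    ScheduledInstallTime = 13; UseWUServer = 1; NoAutoRebootWithLoggedOnUsers = 1
}
Test-WsusClientPolicy -WU $sampleWU -AU $sampleAU | Format-List

# On a Windows client, audit the live registry instead:
# $live = Get-WsusClientPolicy
# Test-WsusClientPolicy -WU $live.WU -AU $live.AU | Format-List
```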

BITS Peer caching (in WSUS 3.0)

BITS (Background Intelligent Transfer Service) Peer caching is a new feature of BITS 3.0 supported on
Vista platforms, that allows peers to share files on the same subnet.
When a BITS job is created to download the files for an update, the Automatic Update agent instructs
BITS to make the downloaded files available to Peers.
When the files have been downloaded, BITS caches the downloaded files and makes them available to
other computers. When another computer tries to download the same update, BITS sends a multicast
request to peers on the same subnet.
If one or more of the peers responds that it has the update, BITS will download the file from the peer
rather than the WSUS server. Should the download from the peer fail or take too long, BITS will fall back
to the WSUS server and continue the download.

This feature of BITS can:

* Decrease the amount of data transferred from the WSUS server. Computers in the same subnet will
tend to download the updates from each other.
* Decrease the amount of data transferred across the WAN in branch office scenarios where no local
WSUS server is located.
* Decrease the amount of data transferred across the internet in the scenarios where several WSUS
clients in the same subnet are configured to download update files directly from Microsoft update.

Remember: The use of BITS Peercaching requires computers to be running Windows Vista or Windows
Codename Longhorn, and be part of an Active Directory Domain.

To enable BITS Peercaching:

Within Group Policy Object Editor (gpedit.msc), under Computer Configuration\Administrative
Templates\Network\Background Intelligent Transfer Service (BITS), set the Allow BITS Peercaching policy
to Enabled.

There are some other related settings to limit the BITS Peercache size (default: 1% of disk), limit the age
of items in the BITS Peercache (default: 14 days), ...
To verify whether BITS Peercaching is enabled or disabled, run from a command prompt:
bitsadmin /peercaching /getconfigurationflags

There are a couple of new BITSADMIN (ships with Vista) commands that allow you to see into the cache
etc, and these are:
BITSADMIN /PEERCACHING /? - Prints the list of commands to manage Peercaching
BITSADMIN /CACHE /? - Prints the list of cache management commands
BITSADMIN /PEERS /? - Prints the list of peer management commands

Remove SUSClientID for clone workstation


By default, when you clone a workstation, the clone will have the same SUSClientID.
This causes a problem whereby the workstation will not report status or be detected on the WSUS
server. To verify, you can compare both machines by going to the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId

In order to fix this problem, I have created two script files.


1. File: clonewsus.reg
Windows Registry Editor Version 5.00

; "=-" deletes the value so the client generates a new ID
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate]
"SusClientId"=-

2. File: clonewsus.bat
@echo off
:: Removes the cloned SusClientId and forces a new detection
pause
net stop "wuauserv"
echo importing clonewsus.reg
%windir%\regedit.exe /s c:\clonewsus.reg
echo clonewsus.reg imported successfully
net start "wuauserv"
echo forcing update detection
wuauclt /detectnow
pause

Copy both files to the C: drive. Execute the file clonewsus.bat.

The script will stop the Windows Update service, go to the registry and remove SusClientID, and
start the Windows Update service again. A new SusClientID entry will be obtained. The command
wuauclt /detectnow will trigger manual detection using the new SusClientId.
Wait 10-15 minutes; the client should be visible in the WSUS console.
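
A way to spot the cloned-image problem described above across several machines before running the fix, as an added example that is not part of the original article. The function names are hypothetical, the live query assumes the Remote Registry service is reachable with administrative rights, and the computer names and IDs in the sample inventory are constructed.

```powershell
# Added example: find workstations that share a SusClientId (cloned images).

function Get-SusClientId {
    # Reads SusClientId over remote registry; the ID is $null if it cannot be read.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $id = $null
    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate')
        if ($key) {
            $id = $key.GetValue('SusClientId')
            $key.Close()
        }
        $hklm.Close()
    } catch {
        Write-Warning "Could not read the registry on ${ComputerName}: $_"
    }
    New-Object PSObject -Property @{ ComputerName = $ComputerName; SusClientId = $id }
}

function Find-DuplicateSusClientId {
    # Groups inventory records by ID and returns every ID used by more than one machine.
    param([object[]]$Inventory)
    $Inventory |
        Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                SusClientId = $_.Name
                Count       = $_.Count
                Computers   = ($_.Group | ForEach-Object { $_.ComputerName }) -join ', '
            }
        }
}

# Constructed sample inventory: PC-02 and PC-03 were cloned from the same image
$inventory = @(
    New-Object PSObject -Property @{ ComputerName = 'PC-01'; SusClientId = 'aaaaaaaa-0000-0000-0000-000000000001' }
    New-Object PSObject -Property @{ ComputerName = 'PC-02'; SusClientId = 'bbbbbbbb-0000-0000-0000-000000000002' }
    New-Object PSObject -Property @{ ComputerName = 'PC-03'; SusClientId = 'bbbbbbbb-0000-0000-0000-000000000002' }
)
Find-DuplicateSusClientId -Inventory $inventory | Format-Table -AutoSize

# Against real machines (names are placeholders):
# $inventory = 'PC-01', 'PC-02', 'PC-03' | ForEach-Object { Get-SusClientId -ComputerName $_ }
# Find-DuplicateSusClientId -Inventory $inventory
```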

Deploy MSP updates via WSUS

Part 1 - Configuration
As already mentioned in my article Adobe Reader X (10.0) deployment with Group Policy, in
today's blog post I would like to introduce a method with which you can distribute product
updates in the *.msp format using a WSUS server. Adobe, for example, distributes updates for the
well-known Adobe Reader in this format. On Microsoft's side, System Center Configuration
Manager 2007 R2 (SCCM) is intended for this kind of task. Among other things, it makes it
possible to distribute such updates to clients using a WSUS server.
As SCCM is a very complex product, using it solely to distribute *.msp updates makes no
sense. If you already have this product in use, you should of course use it for this as well.
Particularly for small and medium-sized environments, for which SCCM would simply be
oversized due to its complexity, the scenario described below turns the WSUS server into a
powerful deployment tool, all without the use of costly software.
In our environment, WSUS has now become the central deployment method. Any software
that cannot be installed with Group Policy software installation (GPSI) can be
distributed with the approach described here. This is a significantly better
and above all less error-prone method than the startup scripts that are unfortunately still used
all too often and are really hopelessly obsolete.
In principle, WSUS makes this functionality available through the WSUS API: creating your own
updates, signing them, importing them into WSUS and managing them. This interface is used by SCCM.
The open-source project Local Updates Publisher has written a freeware tool that provides a GUI
for these functions. With Local Updates Publisher, *.msi and *.exe files can be distributed in
addition to the *.msp files described here.
At this point I would like to point out that this is third-party software, and for this reason
the use of this tool is supported neither by ESCde nor by Microsoft! All practices described in this
article are of course at your own risk and should be tested extensively in a lab environment prior
to implementation in a production environment!
In this first part, I will describe all of the steps for the initial configuration of the server
and the clients. In the second part I will then explain the creation and distribution of an *.msp
update package.
For this scenario you need:

* a WSUS server
* .NET 3.5 on the computer on which Local Updates Publisher is installed
* if this machine is not the WSUS server itself, the WSUS remote console is also needed
there
* a certificate authority (CA); this scenario uses a Windows CA
* Local Updates Publisher; the latest version is available at SourceForge

We begin with the installation of Local Updates Publisher, which is actually self-explanatory.

The update packages that are distributed through WSUS must always be digitally signed. Updates
for Microsoft products, which are what WSUS usually distributes, are signed by Microsoft itself.
Every Windows machine ships with the Microsoft root certificate and therefore always trusts this
signature. Internally generated packages must also be signed, otherwise they cannot be distributed
with WSUS. To do this, we need the CA, with which we create a code-signing certificate. We must
then distribute this certificate to the clients so that they trust the signature of the custom
certificate.
We start with issuing the WSUS certificate. For this we must first create a new
template, because the private key of a certificate issued with the standard Code Signing template
cannot be exported.
To do this, we open the CA management console and click Certificate Templates -> Manage ->
Duplicate Template.

If you use a pure Server 2008 CA infrastructure, you can choose the 2008 version; otherwise the
2003 version is also sufficient. In the General tab we should give the template a descriptive name;
I have chosen Code Signing WSUS.
In the Request Handling tab, the check mark at Allow private key to be exported must be set in any
case.

Now we can save the duplicate template with a click on OK.

Via right-click -> New -> Certificate Template to Issue, we then publish the template we just
created.

We have now completed the necessary steps at the CA and can request a certificate using the
newly created template.

To do this, we open the Certificates MMC on any machine, in my case on the WSUS server, via
Start -> Run -> MMC -> Add/Remove Snap-in -> Certificates -> My user account. In the folder
Personal -> Certificates we request, via right-click -> All Tasks -> Request New Certificate, a
certificate based on the template just created.

We now export this freshly created certificate via right-click -> All Tasks -> Export. It is very
important to export the private key with it.

Also, you should protect the private key with a strong password, because if the exported
certificate got into the wrong hands, malicious code could be infiltrated unnoticed onto
all clients served by the WSUS.
Now we can begin to configure Local Updates Publisher; to do this, we start it as an
administrator. On the first screen we must log on to the server and, to do this, specify the
server name. If, as in this example, you want to connect to the local server, you can simply leave
the name field empty and connect with Connect to the server; otherwise you must specify the
server name there.
When you click the server name in the left menu, a message will appear.

At this point we confirm with Yes and now add the previously created certificate via Import
Certificate. Here it would also be possible to create a self-signed certificate with Create
Certificate; in that case, however, you would have to issue a new certificate and re-sign all
packages in the event of a server change. Because in most cases a CA is available anyway, the
scenario I describe is in my opinion a significantly better alternative.
After the successful import, a message appears that the certificate should now be distributed to
the clients, and we will do so now. With a click on Tools -> Certificate Info -> Export Cert we
export the certificate again and save it under a unique name.
Now we open the Certificates MMC again, but this time for the Local Computer account. There
we open the Trusted Publishers folder and import the client certificate just exported.
Then we open Group Policy Management and create a new Group Policy object. We open it via
right-click -> Edit. With this Group Policy we need, on the one hand, to distribute the certificate
to the clients; we find this setting under Computer Configuration -> Policies -> Security Settings ->
Public Key Policies -> Trusted Publishers.

Via right-click -> Import, we now insert the previously exported certificate, which does not
contain the private key.
The second setting we must make allows the clients to install updates that are not signed
by Microsoft itself. We find this setting under Computer Configuration -> Policies ->
Administrative Templates -> Windows Components -> Windows Update -> Allow signed updates
from an intranet Microsoft update service location. After we have set this to Enabled, we
have completed the configuration of Local Updates Publisher and the clients.
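
One way to verify on a client that both Group Policy settings from Part 1 have arrived, as an added example that is not part of the original article or of the Local Updates Publisher project. The function name is hypothetical, the thumbprint is a placeholder for your own WSUS code-signing certificate, and AcceptTrustedPublisherCerts is the registry value behind the "Allow signed updates from an intranet Microsoft update service location" policy.

```powershell
# Added example: check that a client is ready to accept locally published updates.

function Test-LocalPublishingTrust {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Normalise the thumbprint (strip spaces and invisible characters from copy/paste)
    $wanted   = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $findings = @()

    # 1. Was the certificate distributed to Trusted Publishers (Local Computer)?
    $cert = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1
    if (-not $cert) {
        $findings += 'Certificate is not in LocalMachine\TrustedPublisher'
    }
    else {
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings += "Certificate is outside its validity period (NotAfter: $($cert.NotAfter))"
        }

        # The template was duplicated from Code Signing, so the EKU must be present
        $codeSigningOid = '1.3.6.1.5.5.7.3.3'
        $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $codeSigningOid) {
            $findings += 'Certificate does not carry the Code Signing enhanced key usage'
        }

        # Clients should only hold the public certificate, never the signing key
        if ($cert.HasPrivateKey) {
            $findings += 'The private key is present on this client; import only the public certificate'
        }

        # The chain must end in a root this client trusts (revocation is not checked here)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $findings += "Certificate chain does not validate: $status"
        }
    }

    # 2. Is "Allow signed updates from an intranet Microsoft update service location" enabled?
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $wu -or $wu.AcceptTrustedPublisherCerts -ne 1) {
        $findings += 'AcceptTrustedPublisherCerts is not 1; the client will not install locally signed updates'
    }

    New-Object PSObject -Property @{
        Thumbprint = $wanted
        Ready      = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage on a client (the thumbprint is a placeholder):
# Test-LocalPublishingTrust -Thumbprint '<thumbprint of your WSUS code-signing certificate>' | Format-List
```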

Part 2 - Package creation for Adobe Reader X


To do this, we must first download the package; at the moment the current version is 10.01. As already
mentioned several times in the article Adobe Reader X (10.0) deployment with Group Policy,
these downloads are most easily found on Adobe's public FTP server. Behind the somewhat cryptic
name AdbeRdrUpd1001_Tier1.msp is the MUI version of the update, that is, the version that is suitable
for all languages.

Now we can start Local Updates Publisher, as always as an administrator. We start the
Create Update Wizard via Tools -> Create Update and enter the path to the *.msp file.

The next page appears after clicking Next; here at least the fields marked with a red
asterisk must be completed. The remaining fields can be used for documentation purposes as well.

After two more clicks on Next we arrive at the Installable Rules page. Here, conditions under which
the update should be installed can be formulated very granularly using a variety of parameters. It
makes sense to create a rule that checks whether Adobe Reader version 10 is installed at all. For
this, the following registry key can be used, for example: HKLM\SOFTWARE\Wow6432Node\Adobe\Acrobat
Reader\10.0. Thus, we create a rule on that key.

If desired, you can create very complex conditions; in particular with WMI queries, virtually any scenario
is conceivable. Depending on future requirements, very complex rules may become necessary here.
This would go beyond the scope of this article, however, which is why I will not comment on it further.
On the next two pages you can manually edit the source of the package. After clicking Finish, the
package is created and signed.

To release the package for specific groups of computers, we also need to use Local Updates
Publisher. The updates are imported directly into the WSUS server, and the approvals are stored in
the SUS-DB like those of all Microsoft updates; however, managing the custom updates using the WSUS
console is not possible, because it does not show these updates in the GUI. Controlling the custom
packages is possible only via the WSUS API, which is also what Local Updates Publisher uses. To
approve the custom package, we navigate in Local Updates Publisher to the newly created package and
open the Approve menu via right-click.

Now we can set the approvals for the package in the way we are used to from the WSUS console.

With this, we have completed all the steps required for the package creation. The custom update package
should now be offered for installation at the next update check on the applicable clients.

Move WSUS 3.0 to a new server

In this article I will outline how to migrate WSUS 3.0 to a new server using a local SQL Express instance
and without downloading all of the updates again.
1. Install WSUS on new server with local express database.

2. During configuration wizard choose "Synchronize from another WSUS server", enter the name of
the existing WSUS instance you are migrating from, and then choose the replica option.

3. Complete the configuration wizard (some options will be skipped due to being a replica server)
4. Wait for initial synchronisation to complete. This will synchronise update files, approvals, and
computer groups, but not other server settings. This step saves you having to download your approved
updates from the internet again.
5. Change the new server from a replica to standalone.

6. Download the WSUS API Samples and Tools from Microsoft and install it on each of the servers.
7. On the old server open a command prompt and navigate to the C:\Program Files\Update Services 3.0
API Samples and Tools\WsusMigrate\WsusMigrationExport folder.
8. Run "wsusmigrationexport.exe settings.xml" to export the settings. This will backup your approvals
and target groups to an XML file.
9. Copy the XML file to the new server.
10. On the new server open a command prompt and navigate to C:\Program Files\Update Services 3.0
API Samples and Tools\WsusMigrate\WsusMigrationImport folder. Run "wsusmigrationimport.exe
settings.xml All None".
11. Configure your server settings (products and classifications, auto-approvals, email alerts, etc) on the
new server to match the old server.
12. Update your GPOs to direct clients to the new WSUS server. If you are using GPOs to assign
computers to Computer Groups in WSUS then no further action is required. If you are manually
assigning computers to Computer Groups in WSUS then all clients will initially end up in Unassigned
Computers when they report in to the new WSUS server and need to be manually assigned to their
correct group.

Moving WSUS Server Updates Folder


If you're using Microsoft Windows Server Update Services (WSUS), there may come a day
when you need to move the updates to another drive. Once WSUS has been installed, the WSUS
Administration tool doesn't let you do this, but you can do it using a command line tool called
wsusutil found in C:\Program Files\Update Services\Tools. I'm running version 3.0 SP1.
The command is:
wsusutil movecontent x:\WSUS logfile.log

(where x: is the new destination)

If you have already copied the content (make sure you've set the correct permissions), you can
run:
wsusutil movecontent f:\WSUS logfile.log -skipcopy

Migrate WSUS 3.0 from SQL Express to a remote SQL Server

In this article I will demonstrate how to migrate an existing WSUS 3.0 SP1 server from a local
SQL Express instance to a remote SQL Server 2005 Database Services instance.
Firstly be aware of these limitations when deploying WSUS with a remote SQL Server instance.

* You cannot use a server configured as a domain controller for either the front end (FE) or
the back end (BE) of the remote SQL pair.
* You cannot use a server running as a Terminal Services server for the front end of the
remote SQL pair.
* You cannot use Windows Internal Database for database software on the back-end server.
* Both the front-end and the back-end servers must be joined to an Active Directory
domain.

1. Download and install the SQLCmd tool on the WSUS server.

2. Install SQL Server 2005 "Client Tools Only" on the WSUS server so that you have access to
the SQL Management Studio console.
3. Stop the IISAdmin and Update Services services in Computer Management. Note the other
services that IISAdmin will stop, usually the World Wide Web service and the HTTP SSL
service.
4. Use SQLCmd to detach the SUSDB.
C:\>sqlcmd -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
1> use master
2> alter database SUSDB set single_user with rollback immediate
3> go
Changed database context to 'master'
Nonqualified transactions are being rolled back. Estimated rollback
completion
100%
1> sp_detach_db 'SUSDB'
2> go
1> exit

5. Copy the SUSDB.mdf and SUSDB_Log.ldf files from the WSUS server to the remote SQL
server. Place them in the default locations for MDF and LDF files on the SQL server.
6. Attach the SUSDB to the remote SQL server.

7. Grant the WSUS server computer account permissions to the SUSDB on the remote SQL
server.
8. Configure the WSUS server to use the remote SQL server for SUSDB by modifying the
HKLM\Software\Microsoft\Update Services\Server\Setup\SQLServerName registry key.

9. Start the IISAdmin, World Wide Web Publishing Service, HTTP SSL, and Update Services
services. Or you can just reboot the server.
10. Launch the WSUS administration console to verify the WSUS server is connecting to the
database successfully. If WSUS is not working properly double-check the services in the
previous step or try restarting the server. You can also review the Application event log for
WSUS errors

Selective install Windows updates via WSUS


This script calls the WUA API, loads all required updates from the WSUS server to the client,
and installs them. Updates that should be installed together, or that build on each other, are
grouped together. The script also detects whether a reboot is required and, if so, performs it.

We have changed the original script so that, if it has found updates, it stops our antivirus
solution (line 22-25 - that accelerated the update on our POS systems by a factor of 10) and
automatically performs the reboot without asking, or starts the AV program again (line 98-100)
if no reboot is needed.
The script is run locally as follows:
cscript WUA_SearchDownloadInstall.vbs

or remotely via PsExec:

PsExec.exe \\RECHNERNAME -u DOMAIN\USER -p PASSWORD -e cscript \\SERVER\SHARE\WUA_SearchDownloadInstall.vbs

To trigger multiple computers from a remote machine, you could use the @file option of
PsExec - unfortunately they are then executed one at a time, which is much too time consuming.
A quick and dirty solution for a manageable number of clients is to put the calls in a batch file:
start c:\windows\system32\cmd /c "PsExec.exe \\PCNAME1 -u DOMAIN\USER -p PASSWORD -e cscript \\SERVER\SHARE\WUA_SearchDownloadInstall.vbs"
start c:\windows\system32\cmd /c "PsExec.exe \\PCNAME2 -u DOMAIN\USER -p PASSWORD -e cscript \\SERVER\SHARE\WUA_SearchDownloadInstall.vbs"

Here a CMD window now opens for each computer.

If you still want to see the result, you can append & pause to the command:
start c:\windows\system32\cmd /c "PsExec.exe \\PCNAME2 -u DOMAIN\USER -p PASSWORD -e cscript \\SERVER\SHARE\WUA_SearchDownloadInstall.vbs & pause"

Tested under Windows XP 32 bit SP3, Windows 7 32 bit SP1, Windows Server 2008 32/64 bit
including R2

WUA_SearchDownloadInstall.vbs
' Search for all applicable software updates through the WUA API
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()
WScript.Echo "Searching for updates..." & vbCRLF
Set searchResult = _
    updateSearcher.Search("IsInstalled=0 and Type='Software'")
WScript.Echo "List of applicable items on the machine:"
For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & update.Title
Next
If searchResult.Updates.Count = 0 Then
    WScript.Echo "There are no applicable updates."
    WScript.Quit
Else
    ' Updates found: stop the antivirus services and wait for each command to return
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    WScript.Echo "STOP Sophos AV..." & vbCRLF
    WshShell.Run "net stop SAVService", 1, True
    WshShell.Run "net stop ""Sophos AutoUpdate Service""", 1, True
    WScript.Sleep 10000
End If
WScript.Echo vbCRLF & "Creating collection of updates to download:"
Set updatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
For I = 0 to searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> adding: " & update.Title
    updatesToDownload.Add(update)
Next
WScript.Echo vbCRLF & "Downloading updates..."
Set downloader = updateSession.CreateUpdateDownloader()
downloader.Updates = updatesToDownload
downloader.Download()
WScript.Echo vbCRLF & "List of downloaded updates:"
For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    If update.IsDownloaded Then
        WScript.Echo I + 1 & "> " & update.Title
    End If
Next
Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")
WScript.Echo vbCRLF & _
    "Creating collection of downloaded updates to install:"
For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = true Then
        WScript.Echo I + 1 & "> adding: " & update.Title
        updatesToInstall.Add(update)
    End If
Next
WScript.Echo "Installing updates..."
Set installer = updateSession.CreateUpdateInstaller()
installer.Updates = updatesToInstall
Set installationResult = installer.Install()
'Output results of install
WScript.Echo "Installation Result: " & _
    installationResult.ResultCode
WScript.Echo "Reboot Required: " & _
    installationResult.RebootRequired & vbCRLF
WScript.Echo "Listing of updates installed " & _
    "and individual installation results:"
For I = 0 to updatesToInstall.Count - 1
    WScript.Echo I + 1 & "> " & _
        updatesToInstall.Item(i).Title & _
        ": " & installationResult.GetUpdateResult(i).ResultCode
Next
If installationResult.RebootRequired = true Then
    ' Report to WSUS, then reboot without asking
    WScript.Echo "" & vbCRLF
    WScript.Echo "System reboot now" & vbCRLF
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run "wuauclt /reportnow"
    WScript.Sleep 10000
    WshShell.Run "C:\WINDOWS\system32\shutdown.exe -r -t 10"
Else
    ' No reboot: start the antivirus services again and report to WSUS
    WScript.Echo "" & vbCRLF
    WScript.Echo "No reboot needed" & vbCRLF
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    WScript.Echo "START Sophos AV" & vbCRLF
    WshShell.Run "net start SAVService", 1, True
    WshShell.Run "net start ""Sophos AutoUpdate Service""", 1, True
    WshShell.Run "wuauclt /reportnow", 1, True
End If

Installing and configuring WSUS clients


Goal
This article aims to demonstrate how to install and configure WSUS clients quickly and
easily.
Applies to:

* Windows XP Professional RTM, SP1, SP2 or later versions;
* Windows Vista;
* Windows 7;
* Windows Small Business Server 2003, 2005 or 2008;
* Windows Server 2003 SP2 or later versions;
* Windows Server 2008 SP1 or later versions;
* Windows Server 2008 R2.

Introduction

WSUS client computers must have a compatible version of Automatic Updates to communicate
with the WSUS server. WSUS Setup automatically configures IIS to distribute the latest
version of Automatic Updates to each client computer that connects to the WSUS server.
The recommendation is to configure Automatic Updates through Active Directory. You can use
a Group Policy Object (GPO) to configure client computers to get security updates and
patches from the WSUS server automatically. If you do not have Active Directory in your
environment, you will need to manually configure a local GPO on each client computer.
In this article you will walk through configuring a GPO that configures WSUS clients
through Active Directory:
1. Click Start, All Programs, Administrative Tools, Group Policy Management. The window
shown in Figure 1.1 loads.

Figure 1.1
2. Select the location where the client computer accounts are located, so that you can create
the GPO that will configure the WSUS clients. In this article we created an OU named Lab, and
below it two other OUs: one named Customers, which contains the client computer accounts, and
one named Servers, which contains the server computer accounts.
There are several ways to configure WSUS clients; choose the one that best suits your
environment. In this article I'm separating client computers from servers in order to create
different policies for the distribution of security updates, patches and installation time.
3. Select the Customers OU, right-click it and choose Create a GPO in this domain, and Link
it here. The dialog box shown in Figure 1.2 loads.

Figure 1.2
4. In the New GPO dialog box, in the Name field, type the name of the GPO, for example WSUS
Clients, and click the OK button. The Group Policy Management window will look as shown
in Figure 1.3.

Figure 1.3

5. Select the WSUS Clients GPO, right-click it and choose Edit. The window shown in
Figure 1.4 loads.

Figure 1.4

6. Expand the Computer Configuration node, then Policies, Administrative Templates, Windows
Components, Windows Update. The window shown in Figure 1.5 loads.

Figure 1.5
Note
Depending on the version of the Administrative Templates on your server, the options may
differ from those shown below, but they all configure the WSUS client according to the
options available in each template.
7. In the right pane, double-click Do not display 'Install Updates and Shut Down' option in
Shut Down Windows dialog box. The dialog box shown in Figure 1.6 loads.

Figure 1.6
This policy setting allows you to control whether the Install Updates and Shut Down option
is shown in the Shut Down Windows dialog box.
If you select Enabled, the Install Updates and Shut Down option will not appear in the Shut
Down Windows dialog box, even if updates are available to be installed when the user selects
Shut Down in the Start menu.
If you select Disabled or Not Configured, the Install Updates and Shut Down option will be
available in the Shut Down Windows dialog box if updates are available when the user selects
Shut Down in the Start menu.
8. Select Disabled, click the Apply button, and then click the Next Setting button to go to
the next policy. The dialog box shown in Figure 1.7 loads.

Figure 1.7
This policy setting allows you to control whether the Install Updates and Shut Down option
is allowed to be the default option in the Shut Down Windows dialog box.
If you select Enabled, the user's last shut down choice is the default option in the Shut
Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is
available in the What do you want the computer to do? list.
If you select Disabled or Not Configured, the Install Updates and Shut Down option will be
the default option in the Shut Down Windows dialog box if updates are available for
installation at the time the user selects Shut Down in the Start menu.
Note
This policy setting has no impact if Do not display 'Install Updates and Shut Down' option in
Shut Down Windows dialog box is set to Enabled.

9. Select Disabled, click the Apply button, and then click the Next Setting button to go to
the next policy. The dialog box shown in Figure 1.8 loads.

Figure 1.8

This policy setting specifies whether Windows Update will use Windows power management to
automatically wake the system from hibernation if there are updates scheduled for
installation.
Windows Update will only wake the system automatically if it is configured to install
updates automatically. If the system is in hibernation when the scheduled install time
occurs and there are updates to be applied, Windows Update will use Windows power
management to wake the system and install the updates.
Windows Update will also wake the system and install an update if an installation deadline
occurs.
The system will not wake unless there are updates to be installed. If the system is on
battery power when Windows Update wakes it, it will not install updates and the system will
automatically return to hibernation in 2 minutes.
10. Select Enabled, click the Apply button, and then click the Next Setting button to go to
the next policy. The dialog box shown in Figure 1.9 loads.

Figure 1.9
This policy setting allows you to configure automatic updating: the type of update
behavior, and the day and time at which updates will be installed.
If this policy setting is enabled, you can choose between the four types of updates that are
available in this policy. The options are as follows:

* 2 - Notify for download and notify for install: if you select this option, the user is
notified before any updates are downloaded and again before installation.
* 3 - Auto download and notify for install: if you select this option, updates are
downloaded automatically to client computers, and the user is only notified before
installation.
* 4 - Auto download and schedule the install: if you select this option, all approved
updates are downloaded and installed on client computers without user intervention.
* 5 - Allow local admin to choose setting: if you select this option, local administrators
can use Automatic Updates in Control Panel to select the configuration option of their
choice.

In the Scheduled install day option, you set the day of the week on which updates are
installed.
In the Scheduled install time option, you set the time at which updates are installed.
11. In this article we will select option 4 - Auto download and schedule the install, which
will be performed every day at 20:00, but you can choose any of the other options to best
suit your needs. Click the Apply button, and then click the Next Setting button to go to the
next policy. The dialog box shown in Figure 1.10 loads.

Figure 1.10
This policy setting allows you to specify the name of the WSUS server in your domain from
which clients will download security updates and patches.
12. Select Enabled to enable the policy, and then in the field Set the intranet update
service for detecting updates, type the name of the WSUS server, for example http://srv12/ .
This is the NetBIOS name of my server; type the NetBIOS name of your server. In the field
Set the intranet statistics server, type the name of the server to which the clients will
report installation statistics, for example http://srv12/ .
13. Click the Apply button, and then click the Next Setting button to go to the next policy.
The dialog box shown in Figure 1.11 loads.

Figure 1.11
This policy setting specifies the hours that Windows will use to determine how long to wait
before checking for available updates. The exact wait time is determined by using the hours
specified here. For example, if this policy is used to specify a detection frequency of 20
hours, then all clients to which this policy is applied will check for updates anywhere
between 16 and 20 hours.
If the status is set to Enabled, Windows will check for available updates at the specified
interval.
If the status is set to Disabled or Not Configured, Windows will check for available
updates at the default interval of 22 hours.
Note: the policy "Specify intranet Microsoft update service location" must be enabled for this
policy to take effect.
Note: if the policy "Configure Automatic Updates" is disabled, this policy has no effect.

14. Select Enabled to enable the policy, and then in interval (hours) choose the interval,
in hours, at which to check for updates. In this article we will choose 12. Click the Apply
button, and then click the Next Setting button to go to the next policy. The dialog box shown
in Figure 1.12 loads.

Figure 1.12
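Once the GPO has been applied, a client can be checked against the choices made in steps 11 to 14. The PowerShell below is an added example, not part of the original article: the function name is hypothetical, the registry value names are the standard Windows Update policy values (they do not appear in the article), and http://srv12 is the article's sample server name.

```powershell
# Added example: read the Windows Update policy values written by the
# "WSUS Clients" GPO and compare them with the settings chosen in this article.
# Run on a client after the policy has been applied (for example after gpupdate).

function Test-WsusClientPolicy {
    param(
        [string]$ExpectedServer   = 'http://srv12',  # step 12: article's sample server
        [int]   $ExpectedInterval = 12               # step 14: detection interval (hours)
    )

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"

    # Registry key, value name, expected data, policy setting it comes from
    $checks = @(
        @($wuKey, 'WUServer',                  $ExpectedServer,   'Intranet update service (step 12)'),
        @($wuKey, 'WUStatusServer',            $ExpectedServer,   'Intranet statistics server (step 12)'),
        @($auKey, 'UseWUServer',               1,                 'Use the intranet server (step 12)'),
        @($auKey, 'NoAutoUpdate',              0,                 'Configure Automatic Updates enabled (step 11)'),
        @($auKey, 'AUOptions',                 4,                 '4 - Auto download and schedule the install (step 11)'),
        @($auKey, 'ScheduledInstallDay',       0,                 'Scheduled install day, 0 = every day (step 11)'),
        @($auKey, 'ScheduledInstallTime',      20,                'Scheduled install time, 20:00 (step 11)'),
        @($auKey, 'DetectionFrequencyEnabled', 1,                 'Detection frequency enabled (step 14)'),
        @($auKey, 'DetectionFrequency',        $ExpectedInterval, 'Detection interval in hours (step 14)')
    )

    foreach ($check in $checks) {
        $key, $name, $want, $policy = $check

        # A missing key or value means the policy has not reached this client.
        $actual = $null
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.$name }
        }

        if ($null -eq $actual) {
            $ok = $false
        } elseif ($want -is [string]) {
            # URLs are compared case-insensitively and without a trailing slash.
            $ok = $actual.ToString().TrimEnd('/') -eq $want.TrimEnd('/')
        } else {
            $ok = $actual -eq $want
        }

        New-Object PSObject -Property @{
            Value = $name; Expected = $want; Actual = $actual; Ok = $ok; Policy = $policy
        } | Select-Object Value, Expected, Actual, Ok, Policy
    }
}

Test-WsusClientPolicy | Format-Table -AutoSize
```

A row with Ok = False and an empty Actual column means the GPO has not been applied to that computer; a WUServer value other than the expected one means the client is reporting to a different update server than the one configured in step 12.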
References
http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

How to install WSUS on Windows Server 2008

WSUS allows administrators to control and distribute Windows updates from a central location.
This free patch management solution can be installed on Server 2003 SP1 or Server 2008.
WSUS Prerequisites
* Server 2008 or Server 2003 SP1
* BITS (Background Intelligent Transfer Service)
* IIS (Internet Information Services)
* MSDE database or SQL 2005 Database
* .NET Framework 2.0 or higher

Install WSUS on Windows Server 2008


* Open Server Manager > Add Roles
* Install the Windows Server Update Services role

Configure on Windows Server 2008


* On the Select Update Source screen, check Store updates locally (ensure you have enough
space to store large amounts of updates)
* Use an existing SQL 2005 Server or choose Windows Internal Database
* Use the existing IIS site, click Next
* Click Finish

Now you can further configure WSUS by using WSUS MMC. WSUS MMC can be accessed
from Administrative Tools or Server manager.

Configure Automatic Update client via Group Policy


Use Group Policy to configure the Automatic Updates client to download from the WSUS server.
* Create a new domain policy on the Computers OU
* Expand Computer Configuration > Administrative Templates > Windows Components > Windows
Update
* Click the Configure Automatic Updates setting and configure Automatic Updates as you
desire. Click OK
* Click Specify intranet Microsoft update service location, choose Enabled, and configure
the intranet server in this format: http://WSUSSERVER
* Once this Group Policy is propagated to the clients, they will start to download from the
WSUS server

Installing WSUS 3.0 SP2


http://certcollection.org/forum/topic/140819-installing-wsus-30-sp2/

Important
1- Windows Server 2008 R2 requires WSUS 3.0 SP2. If you install Windows Server 2008 R2,
you should install WSUS 3.0 SP2. Do not install WSUS 3.0 SP1 on Windows Server 2008 R2.
2- WSUS 3.0 SP2 is not supported for use on remote servers running SQL Server on the
front-end server.

Configuring WSUS 3.0 SP2


Goal

This article aims to demonstrate how to configure the Windows Server Update Services
(WSUS) 3.0 SP2 quickly and easily.

Applies to:

Windows Server Update Services (WSUS) 3.0 SP2.

After WSUS 3.0 SP2 is installed, the window shown in Figure 1.1 loads.

Figure 1.1
1. In the Before You Begin window, click Next to continue. The window shown in Figure 1.2
loads.

Figure 1.2
2. In the Join Microsoft Update Improvement Program window, you can choose to help
Microsoft improve the next WSUS product. Select the check box Yes, I would like to join the
Microsoft Update Improvement Program and then click Next to continue. The window shown in
Figure 1.3 loads.

Figure 1.3
3. In the Choose Upstream Server window, you can configure whether WSUS will synchronize
with Microsoft Update or with another WSUS server. If you choose to synchronize with
another WSUS server, you need to specify the server name and the port on which this server
will communicate with the upstream server. If this is your first WSUS server, choose
Synchronize from Microsoft Update. Click Next to continue. The window shown in Figure 1.4
loads.

Figure 1.4

Note
If this server requires a proxy server to access an upstream server, you can configure a
proxy server. If your WSUS server has direct access to the Internet without the need to go
through a proxy server, you can skip the steps below and continue with the wizard.

4. In the Specify Proxy Server window, select the check box Use a proxy server when
synchronizing, and then type the proxy server name and port number (port 80 is the default)
in the corresponding boxes.
5. If you want to connect to the proxy server by using the credentials of a particular user,
select the check box Use user credentials to connect to the proxy server, and enter the user
name, domain and the user's password in the corresponding boxes. Choose the options you
want and click Next to continue. The window shown in Figure 1.5 loads.

Figure 1.5
6. On the Connect to Upstream Server page, click the Start Connecting button to save your
proxy server information and download information from the upstream server. After the
download has completed successfully, click the Next button to continue. The window shown in
Figure 1.6 loads.
Note
While the connection is being made, the Stop Connecting button is available. If there is
any problem with the connection, click the Stop Connecting button, resolve the problem, and
restart the connection.

Figure 1.6
7. The Choose Languages window allows you to download updates in all languages or in a
subset of languages. Select only the languages that correspond to your WSUS clients to save
disk space on the WSUS server and Internet bandwidth. Select the desired languages and click
the Next button to continue. The window shown in Figure 1.7 loads.

Figure 1.7
8. The Choose Products window allows you to specify the products for which you want to
distribute updates. You can select products by category, for example Windows, or by
specific product, such as Exchange Server. Select all the products for which you want to
distribute updates and click the Next button to continue. The window shown in Figure 1.8
loads.

Figure 1.8
9. The Choose Classifications window allows you to choose the updates you want to get. You
can choose all the classifications or a subset of them. Select the options you want and
click the Next button to continue. The window shown in Figure 1.9 loads.

Figure 1.9
10. The Set Sync Schedule window allows you to configure synchronization to occur manually
or automatically. If you choose manual synchronization on this server, you must start the
synchronization process from the WSUS administration console every time you want to check
Windows Update for new updates. If you choose automatic synchronization, WSUS will
synchronize at the specified interval. In the First synchronization field you define the
time at which the first synchronization will occur. In the Synchronizations per day field
you define how many times per day synchronization will occur. For example, if you specify
four synchronizations per day, with the first synchronization at 03:00 am, the
synchronizations will occur at 03:00 am, 09:00 am, 03:00 pm and 09:00 pm. Select the options
you want and click the Next button to continue. The window shown in Figure 1.10 loads.

Figure 1.10
11. After you have completed all the configuration steps, in the Finished window you can
run the WSUS administration console by leaving the check box Launch the Windows Server
Update Services Administration Console selected, and you can start the first
synchronization by leaving the check box Begin initial synchronization selected. Select the
options you want and click the Next button to continue. The window shown in Figure 1.11
loads.

Figure 1.11
12. On the What's Next page, explore the topics listed to integrate the WSUS server into
your environment. Click the Finish button to complete the configuration.

References


http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

Installing WSUS 3.0 SP2


Goal
This article aims to demonstrate how to install the Windows Server Update Services (WSUS)
3.0 SP2 quickly and easily.

Applies to:

* Windows Small Business Server 2003;
* Windows Small Business Server 2008;
* Windows Server 2003 SP1 or higher;
* Windows Server 2008 SP1 or higher;
* Windows Server 2008 R2.

What's New In This Release

* Integration with Windows Server 2008 R2.
* Support for the BranchCache feature in Windows Server 2008 R2.
* Support for Windows 7.
* New features:
  * Automatic approval rules now include the ability to specify the date and time of
  the approval deadline for all computers or for specific computer groups.
  * Improved handling of language selection on downstream servers includes a new
  warning dialog that is displayed when you decide to download updates only for
  specified languages.
  * The new Update and Computer Status reports allow filtering on updates approved
  for installation. You can run these reports from the WSUS console or use the API to
  incorporate this functionality into your own reports.
* The user interface is compatible between Service Pack 1 and Service Pack 2 of WSUS
3.0 on the client and server.
* Software updates.
* Known issues with the Windows Update Agent that were resolved in this release:

a. WSUS 3.0 SP2 and Windows 7 include a new version of the Windows Update Agent (for
Windows XP, Vista, Windows Server 2000, Windows Server 2003 and Windows Server
2008). This version fixes the following issue: APIs called by nonlocal system callers in a
noninteractive session will fail.
b. Issue fixed by version 7.2.6001.788 of the Windows Update Agent: when you try to
install 80 or more updates at the same time from the Windows Update or Microsoft Update
web page, you may receive the error code 0x80070057.
c. Enhancements and issues fixed by version 7.2.6001.784 of the Windows Update Agent:
this update improves Windows Update check time, improves the speed at which signature
updates are delivered, enables support for Windows Installer reinstallation functionality
and enhances the error messages.

Prerequisites for WSUS Server Software

* One of the following supported operating systems:
  * Windows Server 2008 R2;
  * Windows Server 2008 SP1 or later versions;
  * Windows Server 2003 SP1 or later versions;
  * Windows Small Business Server 2008;
  * Windows Small Business Server 2003;

Note that additional prerequisites apply to Windows Small Business Server. See the section
"Prerequisites for Windows Small Business Server" for more information.

* IIS 6.0 or later versions;
* Microsoft .NET Framework 2.0 or later versions;
* One of the following supported databases:
  * Microsoft SQL Server 2008 Express, Standard or Enterprise Edition
  * SQL Server 2005 SP2
  * Windows Internal Database

Note
If none of the supported versions of SQL Server is installed, the WSUS 3.0 SP2 installation
wizard will install Windows Internal Database.

* Microsoft Management Console 3.0
* Microsoft Report Viewer Redistributable 2008

Important
Windows Server 2008 R2 requires WSUS 3.0 SP2. If you install Windows Server 2008 R2, you
should install WSUS 3.0 SP2. Do not install WSUS 3.0 SP1 on Windows Server 2008 R2.
WSUS 3.0 SP2 is not supported for use on remote servers running SQL Server on the front-end
server.
Software prerequisites of the WSUS Administration Console

* One of the following supported operating systems: Windows Server 2008 R2, Windows
Server 2008, Windows Server 2003 SP2 or later versions, Windows Small Business
Server 2003 or 2008, Windows Vista or Windows XP SP2.
* Microsoft .NET Framework 2.0 or later versions.
* Microsoft Management Console 3.0.
* Microsoft Report Viewer Redistributable 2008.

Configuration prerequisites and best practice recommendations for the WSUS server

Make sure you have completed the applicable tasks in this section before installing WSUS 3.0
SP2.
Installing IIS 7 on Windows Server 2008.
Permissions

The following permissions are required for the specified users and directories:
1. The NT Authority\Network Service account must have Full Control permission on the
following folders so that the WSUS Administration snap-in is displayed correctly:

* %windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
* %windir%\Temp

2. Confirm that the account that you plan to use to install WSUS 3.0 SP2 is a member of the
local Administrators group.

Proxy Servers

WSUS 3.0 SP2 allows for a proxy server that supports only HTTP. As a best practice,
configure a second proxy server that runs HTTPS by using the command line (wsusutil
configuresslproxy) before configuring the WSUS server with the Configuration Wizard or the
Administration Console.
Antivirus Programs

When installing WSUS 3.0 SP2, you may need to disable antivirus programs before you can run
Setup successfully. After you disable the antivirus software, restart the computer before
installing WSUS. Restarting the computer prevents files from being locked when the installation
process needs to access them. After the installation is complete, be sure to re-enable your
antivirus software. Consult the antivirus software vendor for the exact steps to disable and
re-enable your antivirus software and version.

Nested triggers option in SQL Server

If you plan to use a SQL Server database as the data store of the Windows Server Update
Services, the SQL Server administrator should verify that the nested triggers option is enabled on
the server before the WSUS administrator installs WSUS 3.0 SP2. The nested triggers option is
enabled by default; however, it can be disabled by the administrator of the SQL Server. WSUS
3.0 SP2 Setup turns on the RECURSIVE_TRIGGERS option, which is specific to the database.
However, it does not turn on the nested triggers option, which is global to the server.
Remote SQL limitations and requirements

WSUS 3.0 SP2 supports running a compatible version of SQL Server on a separate computer
from the one on which the WSUS 3.0 SP2 application is running. The following requirements
apply to a remote SQL installation.

* You cannot use a server configured as a domain controller for the back end of the remote
SQL pair.
* You cannot run Terminal Server on the computer that will be the front-end server of a
remote SQL installation.
* Front-end computers and back-end servers must be joined to an Active Directory domain.
If the front-end computers and back-end servers are in different domains, establish a trust
between the domains before running WSUS Setup.
* If WSUS 2.0 is already installed on a remote SQL configuration and you want to upgrade
to WSUS 3.0 SP2, perform the following steps before you install WSUS:

a. Uninstall WSUS 2.0 (using Add or Remove Programs in Control Panel) and make sure that the
existing database remains intact.
b. Install SQL Server 2005 SP2 or SQL Server 2008 and update the existing database.
Prerequisites for Windows Small Business Server

If you are installing WSUS 3.0 SP2 on a Windows Small Business Server, the following
prerequisites apply.
If the IIS Virtual root is Restricted to certain IP addresses or domain names

Some installations of Windows Small Business Server may have the default IIS Web site
configured with IP address and domain name restrictions. If this is the case, the Windows
Update client on the server may not be able to update itself. Remove the restriction before
you install WSUS 3.0 SP2.
If You Are Using An ISA Proxy Server

If Windows Small Business Server uses an ISA proxy server to access the Internet, type the
proxy server settings (proxy server name and port) in the settings user interface.

If ISA is using Windows authentication, type the proxy server credentials in the form
domain\user. The user must be a member of the Internet Users group.

If you have added a subnet to your network and you have not used the Windows Small Business
Server Wizards

The WSUS Server installation process installs two IIS vroots on the server: SelfUpdate
and ClientWebService. Setup also places some files in the root directory of the default Web
site (on port 80), which allows client computers to self-update through the default Web
site. By default, the default Web site is configured to deny access to any IP address other
than localhost or specific subnets connected to the server. Therefore, client computers that
are not on localhost or on those specific subnets cannot self-update. If you have added a
subnet to your network without using the wizards in Microsoft Windows Small Business Server,
follow this procedure:
1. In Server Management, expand Advanced Management, expand Internet Information Services,
expand Web Sites, expand Default Web Site, right-click the SelfUpdate virtual directory and
click Properties.
2. Click Directory Security.
3. Under IP address and domain name restrictions, click Edit, and then click Granted access.
4. Click OK, right-click the ClientWebService virtual directory and click Properties.
5. Click Directory Security.
6. Under IP address and domain name restrictions, click Edit, and then click Granted access.
System requirements for installing WSUS 3.0 SP2 Remote Console

The WSUS 3.0 SP2 Remote Console can be installed on any of the following operating systems:

* Windows XP Professional SP2 or later versions;
* Windows Vista;
* Windows Server 2003 SP2 or later versions;
* Windows Small Business Server 2003, 2005 or 2008;
* Windows Server 2008 SP1 or later versions;
* Windows Server 2008 R2.

Upgrade requirements and recommendations

* The following versions of WSUS can be upgraded to WSUS 3.0 SP2 and do not
require uninstalling the previous version: WSUS 2.0 SP1, 2.0, 3.0 and 3.0 SP1.
* There is no support for upgrades from version 1.0 to version 3.0 SP2. Uninstall
SUS 1.0 before installing WSUS 3.0 SP2.
* Windows Server 2008 R2 requires WSUS 3.0 SP2. If you install Windows Server
2008 R2, you should install WSUS 3.0 SP2. Do not install WSUS 3.0 SP1 on
Windows Server 2008 R2.

How to recover from a failed Upgrade


If you are upgrading from a previous version of WSUS to WSUS 3.0 SP2 and
the upgrade fails (for any reason other than attempting an unsupported upgrade
from SUS 1.0), perform the following tasks.
1. Reinstall the previous version of WSUS.
2. Restore the database from the backup made before attempting the upgrade.
An upgrade cannot complete successfully if a WSUS 3.0 SP2 database exists
from a previous installation. In most cases, WSUS also automatically
creates a backup. See the file WSUSSetup.log for the location.
3. Review the logs to determine the cause of the failure and resolve the
problem.
4. Install WSUS 3.0 SP2.

If you have migrated from MSDE to SQL Server 2008 or SQL Server 2005 on WSUS 2.0, you
must modify a registry value

If you have an installation of WSUS 2.0 and have migrated to SQL Server 2008
or SQL Server 2005, you need to change the
HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup\WmsdeInstalled
value from 1 to 0. If this is not done prior to upgrading to WSUS 3.0 SP2, the
upgrade will fail.
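The Permissions prerequisites and the WmsdeInstalled registry value described above can be checked from PowerShell before running Setup. This is an added example, not part of the original article; the function names are hypothetical, and the ACL test only looks for an Allow entry that names Network Service directly, so access granted through a group is not detected.

```powershell
# Added example: pre-installation checks for WSUS 3.0 SP2 based on the
# Permissions section and the WmsdeInstalled upgrade requirement.
$NetworkServiceSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE

function Test-NetworkServiceFullControl {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }

    $full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited entries, with identities returned as SIDs so the
    # check does not depend on the display language of the operating system.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        $isAllow = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        $hasFull = ([int]$rule.FileSystemRights -band $full) -eq $full
        if ($rule.IdentityReference.Value -eq $NetworkServiceSid -and $isAllow -and $hasFull) {
            return $true
        }
    }
    return $false
}

function Get-WsusPreinstallReport {
    $results = @()

    # 1. Folders on which Network Service must have Full Control
    $folders = @(
        (Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'),
        (Join-Path $env:windir 'Temp')
    )
    foreach ($folder in $folders) {
        $results += New-Object PSObject -Property @{
            Check  = "Network Service has Full Control on $folder"
            Result = (Test-NetworkServiceFullControl -Path $folder)
        }
    }

    # 2. Installing account is a member of the local Administrators group.
    #    With UAC this is only True in an elevated session.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $results += New-Object PSObject -Property @{
        Check  = "$($identity.Name) is a local administrator"
        Result = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }

    # 3. WmsdeInstalled must be 0 if WSUS 2.0 was migrated from MSDE to SQL Server
    $setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    $wmsde = 'not present'
    if (Test-Path $setupKey) {
        $prop = Get-ItemProperty -Path $setupKey -Name WmsdeInstalled -ErrorAction SilentlyContinue
        if ($prop) { $wmsde = $prop.WmsdeInstalled }
    }
    $results += New-Object PSObject -Property @{
        Check  = 'WmsdeInstalled value (0 required after an MSDE to SQL Server migration)'
        Result = $wmsde
    }

    $results | Select-Object Check, Result
}

Get-WsusPreinstallReport | Format-Table -AutoSize -Wrap
```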
If you uninstall WSUS 3.0 SP2 and leave the log files, they may not have the appropriate
permissions after reinstallation

If you uninstall WSUS 3.0 SP2, you have the option to keep the Setup log files.
When you reinstall WSUS 3.0 SP2, the old log files may lose their permissions
(usually for WSUS administrators only). As a best practice, confirm the
permissions on these log files after installation.
Installing WSUS 3.0 SP2

1. After verifying the software and hardware requirements for installing WSUS 3.0 SP2
as described above, the next step is to download WSUS 3.0 SP2, which is
available at the address below:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5216
Note
In this article we will install WSUS 3.0 SP2 on Windows Server 2008 R2, so
we will download the installation file WSUS30-KB972455-x64.exe.
2. After the download is complete, double-click the file
WSUS30-KB972455-x64.exe to start the installation. The installation wizard loads as
shown in Figure 1.1.

Figure 1.1
3. Click the Next button to continue. The page shown in Figure 1.2 loads.

Figure 1.2
4. On the Installation Mode Selection page, click Full server installation
including Administration Console if you want to install WSUS 3.0 SP2 on this
server, or click Administration Console only if you want to install only the
Administration Console. In this article we will install WSUS 3.0 SP2 on the
server. Select the option Full server installation including Administration
Console and click Next. The page shown in Figure 1.3 loads.

Figure 1.3
5. On the License Agreement page, select the option I accept the terms of the
License agreement, and click the Next button to continue. The page shown in
Figure 1.4 loads.

Figure 1.4
6. On the Select Update Source page, you can specify where to store updates. If
you select the check box Store updates locally, updates are stored on the WSUS
3.0 SP2 server, and you select a location in the file system in which to store
them. If you do not store updates locally, client computers will connect to
Microsoft Update to get approved updates. Select the option Store updates
locally and click the Next button to continue. The page shown in Figure 1.5
loads.

Figure 1.5
7. On the Database Options page, select the software used to manage the WSUS
3.0 SP2 database. By default, WSUS 3.0 SP2 Setup offers to install
Windows Internal Database if the computer on which you are installing
WSUS 3.0 SP2 is running one of the supported operating systems. If you do
not intend to use Windows Internal Database, you must provide a SQL
Server instance for WSUS to use by clicking Using an existing database server
on this computer and typing the instance name in the text box. The instance
name should appear as <serverName>\<instanceName>, where
serverName is the name of the server and instanceName is the name of the
SQL instance. In this article, as we are using Windows Server 2008 R2, we
will use Windows Internal Database to manage the WSUS 3.0 SP2 database.
Click the Next button to continue. The page shown in Figure 1.6 loads.

Figure 1.6
8. On the Web Site Selection page, specify the site that will be used by
WSUS 3.0 SP2. If you want to use the IIS default Web site on port 80, select the
option Use the existing IIS Default Web site (recommended). If you already
have a Web site on port 80, you can create an alternate site on port 8530 by
selecting the second option. In this article, we will use the option Use the
existing IIS Default Web site (recommended). Click the Next button to
continue. The page shown in Figure 1.7 loads.

Figure 1.7
9. On the Ready to Install Windows Server Update Services 3.0 SP2 page,
review the selected options and click the Next button. The page shown in
Figure 1.8 loads.

Figure 1.8
10. Click the Finish button to complete the installation.
References

http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

Exploring the WSUS 3.0 SP2 Console


Goal
This article aims to explore the Windows Server Update Services (WSUS) 3.0 SP2 console
quickly and easily.
Applies to:

Windows Server Update Services (WSUS) 3.0 SP2.

Exploring the WSUS 3.0 SP2 Console

1. Click Start, All Programs, Administrative Tools, and then click Windows Server Update
Services. The window shown in Figure 1.1 loads.

Figure 1.1
2- Expand the SRV12 node (SRV12 is the name of my WSUS server) and then the Updates node.
The window shown in Figure 1.2 loads.

Figure 1.2

In the Updates node, as shown in Figure 1.2, the center pane shows the update views: All
Updates, Critical Updates, Security Updates and WSUS Updates.
3- In the Updates node, click the All Updates subnode, and in the center pane change the
Status field to Any and click Refresh. The window shown in Figure 1.3 loads.

Figure 1.3

In the All Updates subnode, as shown in Figure 1.3, you view all critical updates, security
updates, and WSUS updates regardless of their classification. You can filter the display of
updates by selecting from the options available in Approval and Status. With the Approval
option, you can filter by the approval type of updates by selecting among the options
Unapproved, Approved, Declined, and Any Except Declined. You can also filter by Status by
selecting from the following options: Failed or Needed, Installed/Not Applicable or No
Status, Failed, Needed, Installed/Not Applicable, No Status, and Any.
Tip
To approve or decline an update, select the update that you want, right-click it, and then
choose between Approve and Decline.
4- In the Updates node, click the Critical Updates subnode, and in the center pane change
the Status field to Any and click Refresh. The window shown in Figure 1.4 loads.

Figure 1.4

In the Critical Updates subnode, as shown in Figure 1.4, you see only the critical updates.
You can filter the display of updates by selecting from the options available in Approval
and Status. With the Approval option, you can filter by the approval type of updates by
selecting among the options Unapproved, Approved, Declined, and Any Except Declined. You
can also filter by Status by selecting from the following options: Failed or Needed,
Installed/Not Applicable or No Status, Failed, Needed, Installed/Not Applicable, No Status,
and Any.
5- In the Updates node, click the Security Updates subnode, and in the center pane change
the Status field to Any and click Refresh. The window shown in Figure 1.5 loads.

Figure 1.5

In the Security Updates subnode, as shown in Figure 1.5, you will see only security updates.
You can filter the display of updates by selecting from the options available in Approval
and Status. With the Approval option, you can filter by the approval type of updates by
selecting among the options Unapproved, Approved, Declined, and Any Except Declined. You
can also filter by Status by selecting from the following options: Failed or Needed,
Installed/Not Applicable or No Status, Failed, Needed, Installed/Not Applicable, No Status,
and Any.
6- In the Updates node, click the WSUS Updates subnode, and in the center pane change the
Status field to Any and click Refresh. The window shown in Figure 1.6 loads.

Figure 1.6

In the WSUS Updates subnode, as shown in Figure 1.6, you see only the updates from WSUS.
You can filter the display of updates by selecting from the options available in Approval
and Status. With the Approval option, you can filter by the approval type of updates by
selecting among the options Unapproved, Approved, Declined, and Any Except Declined. You
can also filter by Status by selecting from the following options: Failed or Needed,
Installed/Not Applicable or No Status, Failed, Needed, Installed/Not Applicable, No Status,
and Any.
7- Click the Computers node and expand it. The window shown in Figure 1.7 loads.

Figure 1.7

In the Computers node, as shown in Figure 1.7, you will see a summary of the status of
computers per group. Once you start configuring WSUS clients to receive updates from the
WSUS server, you can follow the progress of the implementation in that node.
8- In the Computers node, click the All Computers subnode, and in the center pane change
the Status field to Any and click Refresh. The window shown in Figure 1.8 loads.

Figure 1.8

In the All Computers subnode, as shown in Figure 1.8, by default, all computers are assigned
to the All Computers group. You will see all computers that are configured as clients of
the WSUS server. When you select a WSUS client in the center pane, the bottom of the pane
gives an overview of that client, which includes: the status of updates with errors, updates
required, updates installed or not applicable, the groups the WSUS client belongs to, the
operating system version, etc.
9- In the Computers node, click the Unassigned Computers subnode, and in the center pane
change the Status field to Any and click Refresh. The window shown in Figure 1.9 loads.

Figure 1.9

In the Unassigned Computers subnode, as shown in Figure 1.9, all computers will also be
assigned to the Unassigned Computers group until you assign them to another group. A
computer can be a member of several groups and you can create a hierarchy of groups of
computers.
10- Click the Downstream Servers node. The window shown in Figure 1.10 loads.

Figure 1.10

In the Downstream Servers node, as shown in Figure 1.10, you view the WSUS servers that
connect to your WSUS server. A downstream WSUS server is a server that receives the update
files, approvals, and other metadata from another WSUS server, which is called an upstream
server.
11- Click the Synchronizations node. The window shown in Figure 1.11 loads.

Figure 1.11

In the Synchronizations node, as shown in Figure 1.11, the center pane shows the status of
the synchronizations performed by your WSUS server with the upstream server, for example,
Windows Update. During synchronization, your WSUS server downloads the update files and
metadata from the server configured as the upstream. When the WSUS server synchronizes for
the first time, it downloads all metadata for the updates that were configured in the WSUS
Setup Wizard. After the first synchronization, your WSUS server downloads only the metadata
of new updates that have become available since it last contacted the upstream server. The
weekly updates will only be performed after its adoption.
12- Click the Reports node. The window shown in Figure 1.12 loads.

Figure 1.12

The Reports node, as shown in Figure 1.12, allows you to generate reports to monitor
updates, computers, and the results of synchronizations for WSUS servers and computers that
are managed by your server. You can access the status of computers and updates from multiple
locations in the WSUS console. In the WSUS console you can select one or more computers or
updates, right-click, and click Status Report. The report will show the status of the
selected items, and also allow you to select one or more items, or filter the result.
13- Click the Options node. The window shown in Figure 1.13 loads.

Figure 1.13

In the Options node, as shown in Figure 1.13, you can set up dozens of options available to
best meet your needs. In this node, you can configure the following items:

* Update Source and Proxy Server: you can configure the WSUS server to synchronize with
  Microsoft Update or another WSUS server. You also have the option to configure a proxy
  server for the WSUS server.
* Products and Classifications: you can specify the products for which you want to get
  updates and the types of updates.
* Update Files and Languages: you can specify where to store the update files and select
  the languages of the updates that you want to distribute to your WSUS clients.
* Synchronization Schedule: you can synchronize updates manually or configure a specific
  time for synchronization to occur automatically.
* Automatic Approvals: you can specify the rules to automatically approve new updates when
  they are synchronized.
* Computers: you can specify whether the computers are assigned to groups through the WSUS
  console or through Group Policy/registry.
* Server Cleanup Wizard: you can remove update files that are no longer in use, updates
  with old revisions, expired updates and computers that have not contacted the WSUS server
  for 30 days or more.
* Reporting Rollup: you can have replica downstream servers roll up update and computer
  status to this server.
* Email Notifications: you can receive email notifications of new WSUS updates and status
  reports.
* Microsoft Update Improvement Program: you can join the Microsoft Update Improvement
  Program, which will help Microsoft improve the next WSUS product.
* Personalization: you can choose how the data from downstream servers is shown and which
  items are shown in the To Do List.
* WSUS Server Configuration Wizard: you can rerun the WSUS Setup Wizard, which will allow
  you to adjust most of the basic settings of WSUS.

References

http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

How to Move WSUS from One Server to Another

Sometimes you may find that it's necessary to move your WSUS server from one machine to
another. If this is you, then here are the steps to get this done:
1. Install WSUS on the new Server just as you had installed before.
For more information on installing WSUS, please check the following link:
http://technet.microsoft.com/en-in/library/cc708445(en-us).aspx
2. Match the Advanced Options on the old WSUS Server & the new WSUS Server
Ensure that the advanced synchronization options for express installation files and languages on
the old server match the settings on the new server by following the steps below:

* In the WSUS console of the old WSUS server, click the Options tab, and then click
  Advanced in the Update Files and Languages section.
* In the Advanced Synchronization Settings dialog box, check the status of the settings for
  Download express installation files and Languages options.
* In the WSUS console of the new server, click the Options tab, and then click Advanced in
  the Update Files and Languages section.
* In the Advanced Synchronization Settings dialog box, make sure the settings for Download
  express installation files and Languages options match the selections on the old server.

3. Copy Updates from File System of the old WSUS Server to the new WSUS server*

To back up updates from file system of old WSUS server to a file, follow these steps:

* On your old WSUS server, click Start, and then click Run.
* In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default,
  unless it is disabled. You can use this wizard or click the link to work in Advanced Mode
  and use the following steps.
* Click the Backup tab, and then specify the folder where updates are stored on the old
  WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\.
* In Backup media or file name, type a path and file name for the backup (.bkf) file.
* Click Start Backup. The Backup Job Information dialog box appears.
* Click Advanced. Under Backup Type, click Incremental.
* From the Backup Job Information dialog box, click Start Backup to start the backup
  operation.
* Once completed, move the backup file you just created to the new WSUS server.

To restore updates from a file to the file system of the new server, follow these steps:

* On your new WSUS server, click Start, and then click Run.
* In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default,
  unless it is disabled. You can use this wizard or click the link to work in Advanced Mode
  and use the following steps.
* Click the Restore and Manage Media tab, and select the backup file you created on the old
  WSUS server. If the file does not appear, right-click File, and then click Catalog File
  to add the location of the file.
* In Restore files to, click Alternate location. This option preserves the folder structure
  of the updates; all folders and subfolders will appear in the folder you designate. You
  must maintain the directory structure for all folders under \WSUSContent.
* Under Alternate location, specify the folder where updates are stored on the new WSUS
  server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\.
  Updates must appear in the folder on the new WSUS server designated to hold updates; this
  is typically done during installation.
* Click Start Restore. When the Confirm Restore dialog box appears, click OK to start the
  restore operation.

4. Copy Metadata from the Database on the old WSUS Server to the new WSUS Server **

Note: The WSUS Setup program copies WSUSutil.exe to the file system of the WSUS server
during installation. You must be a member of the local Administrators group on the WSUS server
to export or import metadata; both operations can only be run from the WSUS server itself and
during the import or export process, the Update Service is shut down.
To export metadata from the database of the old Microsoft Windows Server Update Services
Server, follow these steps:

* At a command prompt on the old Microsoft Windows Server Update Services Server, navigate
  to the folder that contains WSUSutil.exe (usually located at
  c:\Program Files\Update Services\tools\).
* Type the following: wsusutil.exe export packagename logfile (for example:
  wsusutil.exe export export.cab export.log). The package (.cab file) and log file names
  must be unique. WSUSutil.exe creates these two files as it exports metadata from the WSUS
  database.
* Move the export package you just created to the new Microsoft Windows Server Update
  Services Server.

To import metadata into the database of the new Microsoft Windows Server Update Services
Server, follow these steps:

Note: It can take from 3 to 4 hours for the database to validate content that has just been
imported. Please be patient.

* At a command prompt on the new WSUS server, navigate to the directory that contains
  WSUSutil.exe. Type the following: wsusutil.exe import packagename logfile (for example:
  wsusutil.exe import export.cab import.log).
* WSUSutil.exe imports the metadata from the old WSUS server and creates a log file of the
  operation.

5. Point your Clients to the new WSUS Server.


Next we'll need to change the Group Policy and make it point to the new server. To redirect
Automatic Updates to a WSUS server, follow these steps:

* In Group Policy Object Editor, expand Computer Configuration, expand Administrative
  Templates, expand Windows Components, and then click Windows Update.
* In the details pane, click Specify Intranet Microsoft update service location.
* Fill in the Set the intranet update service for detecting updates box and the Set the
  intranet statistics server box with the new server details and port. For example, type
  http(s)://newservername:Port in both boxes.

Note: For more information check http://technet.microsoft.com/en-us/library/cc720539.aspx

That's it!
*Important:
The initial settings for access control lists differ between Windows 2000 Server and Windows
Server 2003. If you are copying content from Windows 2000 Server to Windows Server 2003,
you have to manually add the Network Service group to the access control list for the folder
where updates are stored. Give the Network Service group Full Control.
**Important:
Never import exported data from a source that you do not trust. Importing content from a source
you do not trust might compromise the security of your WSUS server.

SP1 for Windows Server 2008 R2 and Windows 7 x64 cannot be distributed via WSUS
Scenario:

Updates are distributed using WSUS 3.0, which is installed on Windows Server 2003 SP2.
KB976932 (x64) is approved for Windows Server 2008 R2 and Windows 7 x64 in the WSUS
console.
You now expect the company's Windows Server 2008 R2 and Windows 7 x64 machines to be
offered SP1 for installation, but the following error appears in the Windows Update window:

The event log contains the following entry:

In the WSUS log you will see:

# for decimal -2146762496 / hex 0x800b0100:
TRUST_E_NOSIGNATURE winerror.h
# No signature was present in the subject.

Deleting the SP1 package from the WSUS content
(WsusContent\AB\74865EF2562006E51D7F9333B4A8D45B7A749DAB.exe) and synchronizing again with
Windows Update produces the same error.
If you open the properties of the above file, you can see that there is no "Digital
Signatures" tab.
Cause:

The WinVerifyTrust function in Windows Server 2003 cannot validate certificates for large
files (usually over 500 MB):
You cannot distribute or install a software package in Windows Server 2003 if the software
package contains a very large signed file
http://support.Microsoft.com/kb/938759

Solution:

You must install update KB938759 on the WSUS server; it updates Wintrust.dll and
Crypt32.dll.

How to create an Internet facing WSUS server that uses different internal and external names

This is about installing WSUS in an Internet facing scenario. When installing WSUS, often times
you want to have your WSUS server on the Internet but with a different name from the current
internal WSUS server name. For example, your domain name is wsus.contoso.com internally but
you want to publish the same WSUS to work on the Internet with a different name such as
wsus.fabrikan.com. This post will explain that process and how to configure your SSL
certificate.
When configuring WSUS, we will need a public or domain certificate that will be trusted by the
clients so that they can use SSL/HTTPS. This certificate will require a Subject that will include
the internal FQDN for the WSUS server as well as a Subject Alternative Name (SAN) for the
external FQDN that will be published outside. Note that even if you have to use only the
alternative (external) subject name for the certificate, the subject name still needs to have the
internal FQDN to be able to access the Management console (MMC).
After creating the certificate (domain or public cert), add the certificate to the binding for the
website in IIS:

Verify if the certificate is correct. The Subject field should contain your internal domain
information:

The Subject Alternative Name should contain your internal and external domain information:

Once you're sure that everything looks correct, test the connection in Internet Explorer to
make sure you get a secure website:

Then open a command prompt and navigate to C:\program files\update services\tools and run
the following command:
wsusutil configuressl <certificate name> <external FQDN>

You should see something like this:

Once you've created the certificate with the SAN (subject alternative name) and the subject
name properly populated, you can have your WSUS server facing the Internet with a different
name than it uses internally.
When trying to connect to the WSUS console, you will see the reason to create a certificate with
both names (the internal one and the external one). The MMC uses the internal name to
authenticate to the console so the certificate must match the internal FQDN for the machine:

Have fun patching your clients on the Internet!


Article Writer: Joao Madureira | Senior Support Escalation Engineer
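
A check for the Subject and Subject Alternative Name requirements described above, as an added example that is not part of the original article. It inspects the LocalMachine\My store on the WSUS server, not the IIS binding itself; the function names are hypothetical, and the SAN parsing assumes an English-language Windows that formats entries as "DNS Name=...".

```powershell
# Added example, not from the original article.
# Checks certificates in LocalMachine\My against the article's naming rule:
#   Subject CN = internal FQDN; SAN lists both the internal and the external FQDN.
param(
    [string]$InternalFqdn = 'wsus.contoso.com',    # internal name used in the article
    [string]$ExternalFqdn = 'wsus.fabrikan.com'    # external name used in the article
)

$SimpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

function Get-SanDnsName {
    # Hypothetical helper: returns the DNS entries of the SAN extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.17') { continue }
        # Assumption: English Windows prints one entry per line as "DNS Name=<fqdn>".
        foreach ($line in ($ext.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+?)\s*$') { $names += $Matches[1] }
        }
    }
    return $names
}

function Test-WsusCertificateName {
    # Hypothetical helper: returns a list of problems; an empty list means the names fit.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Internal,
        [string]$External
    )
    $problems = @()
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn  = $Cert.GetNameInfo($nameType, $false)    # common name of the Subject
    $san = @(Get-SanDnsName $Cert)

    if ($cn -ne $Internal) {
        $problems += "Subject CN is '$cn'; the console (MMC) needs the internal FQDN '$Internal'."
    }
    foreach ($name in @($Internal, $External)) {
        if ($san -notcontains $name) { $problems += "SAN does not list '$name'." }
    }
    if (-not $Cert.HasPrivateKey) {
        $problems += 'No private key in the store, so it cannot serve the HTTPS binding.'
    }
    $now = Get-Date
    if (($now -lt $Cert.NotBefore) -or ($now -gt $Cert.NotAfter)) {
        $problems += "Outside its validity period ($($Cert.NotBefore) to $($Cert.NotAfter))."
    }
    return $problems
}

# Only look at certificates that mention one of the two names at all.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $names = @(Get-SanDnsName $_) + @($_.GetNameInfo($SimpleName, $false))
    ($names -contains $InternalFqdn) -or ($names -contains $ExternalFqdn)
})

if ($candidates.Count -eq 0) {
    Write-Output "No certificate in LocalMachine\My names $InternalFqdn or $ExternalFqdn."
}
foreach ($cert in $candidates) {
    $problems = @(Test-WsusCertificateName -Cert $cert -Internal $InternalFqdn -External $ExternalFqdn)
    if ($problems.Count -eq 0) {
        Write-Output "OK    $($cert.Thumbprint)  $($cert.Subject)"
    } else {
        Write-Output "CHECK $($cert.Thumbprint)  $($cert.Subject)"
        $problems | ForEach-Object { Write-Output "        $_" }
    }
}
```

Compare the thumbprint reported as OK with the certificate selected in the IIS binding before running wsusutil configuressl.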

Increase WSUS 3 updates download speed


I've been (and I think most of you have been) through the WSUS configuration, waiting for
days for the download to finish.
That's because of the BITS technology, which limits foreground downloads and uses
background downloads to minimize the impact on bandwidth.
We used to use this command in WSUS 2.0:
WsusDebugTool.exe /tool:setforegrounddownload

But in WSUS 3.0 it's not applicable, and if you try to execute it, you will get the error
below:
Running... SetForegroundDownload
Error processing node: SetForegroundDownload
System.Data.SqlClient.SqlException: A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The server was
not found or was not accessible. Verify that the instance name is correct and
that SQL Server is configured to allow remote connections. (provider: SQL
Network Interfaces, error: 26 - Error Locating Server/Instance Specified)

In WSUS 3.0, to speed up the downloads (foreground mode), you need to run this command:
"%programfiles%\Update Services\Setup\ExecuteSQL.exe" -S %Computername%\MICROSOFT##SSEE -d "SUSDB" -Q "update tbConfigurationC set BitsDownloadPriorityForeground=1"

To revert to normal, run the same command again with the value changed to 0:
"%programfiles%\Update Services\Setup\ExecuteSQL.exe" -S %Computername%\MICROSOFT##SSEE -d "SUSDB" -Q "update tbConfigurationC set BitsDownloadPriorityForeground=0"

Once you have done that, you need to restart the Update Services service.

WSUS 3.0: Adding Drivers for WSUS


Did you get the feeling that your WSUS was not downloading all the drivers that your clients
needed? Well, let me tell you: if you have that feeling, you are probably right. WSUS does
not automatically recognize or download all the drivers needed for all devices.
Why is this happening? Because by default WSUS only receives and distributes drivers that
are digitally signed by Microsoft (meaning that the driver was fully and properly tested by
Microsoft).
I've recently had several problems with machines that are part of my domain, like the newer
IBM ThinkPad T60 and T61 models with Vista installations. Some of their drivers were missing
and I had to use IBM's official site to download them because WSUS did not recognize any
updates on those machines.
But you actually don't have to worry: within a few steps you can configure your WSUS to
import all the drivers that your clients require. The only thing that must be clear to you
first is the model of each device whose driver you need to update (you can easily find all
the details on the manufacturer's official site, like the IBM Lenovo downloads and support
site).
http://www307.ibm.com/pc/support/site.wss/product.do?template=%2Fproductselection%2Flandingpages%2FbrowseByProductLandingPage.vm&sitestyle=lenovo&brandind=10&validate=true

Here are the steps:

1 Open your WSUS console, open the Action menu and select Import Updates.

The Microsoft Update Catalog site will appear.

2 Enter the model of the device whose driver you need to update. For example: Mobile Intel
965 Express. A list with all the drivers for that device will appear, ordered by release
date.

3 Look for the latest drivers for your product and select Add.
4 Do that for all the drivers you need and, when you finish, go to the basket option.

You will see a summary of all the updates you've selected.

5 Leave the option Import directly to Windows Server Update Services checked and select
Import.
Now all the driver updates that you selected will be imported into your WSUS.

6 When this procedure finishes, the client machines will need to report their update status
again. So, from a client machine that needs any driver that you've just imported, open cmd
and enter wuauclt /reportnow /detectnow.

It may take several minutes for the client machines to report the status of the updates
that are required.
7 From your WSUS console, check the client's update status and you will find all the new
updates that can apply to this machine.

You can now approve them and distribute them to your test or user machines.
Hope you find it useful!

HOW to deploy patches

This guide assumes that you intend on using WSUS to deploy updates and that you have already
installed it

Note: If you intend on using SCCM 2007 to deploy updates using the WSUS integration then do NOT
do any of the steps here.

The instructions here also assume that your network runs Active Directory and that you use
Group Policy to manage your network. For more information about Group Policy, see
Microsoft's Group Policy home page.
You can configure one or more computers by including them in a Group Policy object (GPO).
When you configure Automatic Updates using Group Policy, these settings take precedence
over any settings that are defined locally on the computers within your domain.
Note: You should link this WSUS GPO to an Active Directory container appropriate for your
environment. In a simple environment, you link a single WSUS GPO to the domain. In a more
complex environment, you might link multiple WSUS GPOs to different organizational units
(OUs).

Start the Group Policy Management MMC and highlight your domain as in the screenshot below.

Right-click the domain and choose Create a GPO in this domain, and link it here.
When the New Group Policy Object window appears, give it a name like WSUS GPO and click OK.
Right-click our new GPO and choose Edit.
Expand Policies, then click and highlight Administrative Templates. Before you can
configure WSUS group policy settings you should load the latest version of the
administrative template, wuau.adm. Right-click Administrative Templates and choose
Add/Remove Templates, click the Add button and scroll down to the bottom until you can see
the wuau.adm file. Select the file and click Open, then Close.

Now that you have loaded the wuau.adm template, you are ready to expand Windows Components.
Scroll down to Windows Update and enable the following options (circled in red).

Automatic Updates are now enabled, but before the computers can receive updates from the
WSUS server we need to configure the following group policy setting: Specify intranet
Microsoft Update service location. Click it and view its properties. We have already
enabled the group policy setting as in the screenshot above; however, we need to enter the
https address of our WSUS server, so do that in the two empty fields provided and click OK.
Startup WSUS
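
A client-side check for the Specify intranet Microsoft Update service location setting, which both this guide and step 5 of the migration guide above configure. This is an added example, not part of either original guide: the function names and the `https://newservername` default are placeholders, and the check relies on the policy being stored as WUServer, WUStatusServer and AU\UseWUServer under the Windows Update policy key.

```powershell
# Added example, not from the original guides. Run on a WSUS client after a Group Policy refresh.
param(
    # Placeholder: the address typed into both policy boxes (append :Port if you use one).
    [string]$ExpectedUrl = 'https://newservername'
)

# Registry location where the Windows Update policy settings land on the client.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    # Hypothetical helper: returns $null when the key or the value does not exist.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-WsusClientPolicy {
    # Hypothetical helper: returns a list of findings; an empty list means the policy fits.
    param([hashtable]$Policy, [string]$Expected)

    $findings = @()
    $server = [string]$Policy['WUServer']
    $status = [string]$Policy['WUStatusServer']

    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: Automatic Updates is not redirected to an intranet server.'
    }
    if (-not $server) {
        $findings += 'WUServer is not set: the GPO has not reached this client.'
    } else {
        if ($server.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
            $findings += "WUServer is '$server', expected '$Expected' (client may still use the old server)."
        }
        if ($server -notmatch '^https://') {
            $findings += "WUServer '$server' is not an https address, which is what the guide tells you to enter."
        }
    }
    if ($status.TrimEnd('/') -ne $server.TrimEnd('/')) {
        $findings += "WUStatusServer is '$status' but WUServer is '$server'; both boxes should hold the same address."
    }
    return $findings
}

function Write-PolicyReport {
    param([string]$Label, [object[]]$Findings)
    Write-Output $Label
    if ($Findings.Count -eq 0) {
        Write-Output '  OK: the client points at the expected WSUS server.'
    } else {
        $Findings | ForEach-Object { Write-Output "  FINDING: $_" }
    }
}

# Constructed sample: a client that still points at the old server over plain HTTP.
$sample = @{
    UseWUServer    = 1
    WUServer       = 'http://oldservername'
    WUStatusServer = 'http://oldservername'
}
Write-PolicyReport 'Constructed sample:' @(Test-WsusClientPolicy -Policy $sample -Expected $ExpectedUrl)

# Live values from this machine.
$live = @{
    UseWUServer    = Get-PolicyValue "$WuKey\AU" 'UseWUServer'
    WUServer       = Get-PolicyValue $WuKey 'WUServer'
    WUStatusServer = Get-PolicyValue $WuKey 'WUStatusServer'
}
Write-PolicyReport "This computer ($env:COMPUTERNAME):" @(Test-WsusClientPolicy -Policy $live -Expected $ExpectedUrl)
```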

WSUS 3.0 : Connecting, Managing and Moving SUSDB as Internal Database

As you should know, WSUS gives you the choice, at the moment of installation, to choose a
database instance where you would like to keep the WSUS database (SUSDB): Internal database
(formerly known as SQL Server embedded), an existing database or an existing database on a
remote computer.

Sometimes, for example if you are just spiking about WSUS and you don't want to install any
version of SQL Server, your best choice would be the Internal Database option. But what
happens if you change your mind later and you want to change the location of that internal
database to a different drive? Or simply want to execute other tasks on the database, like
generating a backup or shrinking?
Fortunately there's a way to connect to that DB without having to reinstall WSUS:
Using SQL Server Management Studio

Note: If you don't have it, you can download the stand-alone tool for the SQL 2005 version:
Microsoft SQL Server Management Studio Express;
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c243a5ae-4bd1-4e3d-94b8-5a0f62bf7796

or you can download SQL Server 2008 Express Edition
http://www.microsoft.com/express/Database/
(the latest of the free SQL Server versions, which includes among its tools the SQL Server
2008 Management Studio Express).
1. Open SQL Server Management Studio. In my case, I'm using SQL Server 2008 Express
Edition.

2. Using the connection window, connect to this instance:


\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

3. You should see now in Object Explorer the database instance connection. Right-click on
SUSDB > Tasks > Detach

4. Check the options for Drop Connections to remove all active connections to that DB. Click
OK.

5. A message saying that the DB is not accessible should appear. Click OK.

6. Move the database files to the new drive or location where you are planning to keep it.

7. Back to the instance connection. Right-click Databases > Attach.

8. Click Add and select the .mdf file in the folder where you relocated the database.

9. Click OK to attach it again.

10. Your database should be working now on the new location.

Using SQL functions / SQLCMD

Note: If you want to use the SQLCMD command line utility, you can download it from the
Microsoft SQL Server 2008 Feature Pack,
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=228de03f-3b5a428a-923f-58a033d316e1&displaylang=en
where you'll find plenty of SQL utilities.

1. Run cmd and change to the directory where the sqlcmd executable is, usually
%ProgramFiles%\Microsoft SQL Server\90\Tools\binn.
2. Type in
sqlcmd -S \\.\pipe\mssql$microsoft##ssee\sql\query -E
and press Enter.
3. You are now connected to the Internal Database instance. Type
EXEC sp_detach_db @dbname = 'SUSDB'
4. On the next query line, type GO and press Enter.
5. Exit the SQLCMD utility. Type EXIT and then type GO.
6. Move the database files to the new file location.
7. Reconnect to the Internal Database instance:
sqlcmd -S \\.\pipe\mssql$microsoft##ssee\sql\query -E
8. Attach it again:
EXEC sp_attach_db @dbname = 'SUSDB', @filename1 = '<path>SUSDB.mdf', @filename2 = '<path>SUSDB_log.ldf'
9. Exit the SQLCMD utility. Type EXIT and then type GO.

Even though you now know how to access the internal WSUS database, I would recommend
migrating this internal database to a SQL Server database if you have the chance, and
remember that you can use the light and free version of the Microsoft database engine: SQL
Server Express Edition (2005 or 2008 version).
To execute the migration check this link:
Migrating from Windows Internal Database to SQL Server
http://technet.microsoft.com/en-us/library/cc708558%28WS.10%29.aspx

Hope you find it useful!

Upgrading WSUS Service Pack 1 to Service Pack 2

We have two options to upgrade WSUS SP1 to SP2:

1. As an offer from Microsoft Update

KB972455 (http://support.microsoft.com/?scid=kb%3Ben-us%3B972455&x=17&y=15) is the WSUS SP2
update. If you want to see SP2 in the list of updates, make sure you have selected Service Packs
in the Classification list. A custom view has been added for Service Packs in the screenshot
below.

For WSUS SP2 to be offered on the server running WSUS SP1, the following conditions should
not be true:
1. SQL is running remotely
2. Server is running MOM version of SCE
We check the following registry keys to determine whether the above conditions are met. If SP2 is
not offered on the server running SP1, we may need to install SP2 manually in these scenarios.
"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Microsoft Operations Manager\3.0\Setup" Value="ServerVersion" Comparison="EqualTo" Data="6.0.1251.0"
"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Microsoft Operations Manager\3.0\Setup" Value="ServerVersion" Comparison="EqualTo" Data="6.0.5000.0"
"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Update Services\Server\Setup" Value="SqlInstanceIsRemote" Comparison="EqualTo" Data="1"
"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\System Center Essentials\2.0\Setup\Components" Value="SERVER-VERSION" Type="REG_SZ"

If the above conditions are not true, SP2 will be offered to any server running SP1 if the
following conditions are true:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup"
Value="Version" Comparison="EqualTo" Data="3"
Value="ServicePackLevel" Comparison="EqualTo" Data="1"
Value="VersionString" Comparison="EqualTo" Data="3.1.6001.65"
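
The offer logic described above, as an added example (it is not Microsoft's detection code and not part of the original guide): it evaluates the listed registry checks against a snapshot and says why SP2 would or would not be offered. The snapshot dictionaries and function names are assumptions made for the example; the System Center Essentials value, which the page lists without a comparison, is only reported, not evaluated.

```python
# Snapshot format (constructed for this example): {(subkey, value_name): data} under HKLM.
MOM = r"Software\Microsoft\Microsoft Operations Manager\3.0\Setup"
WSUS = r"Software\Microsoft\Update Services\Server\Setup"
SCE = r"Software\Microsoft\System Center Essentials\2.0\Setup\Components"
# Any match means SP2 is not offered (MOM version of SCE, or remote SQL).
BLOCKERS = [(MOM, "ServerVersion", "6.0.1251.0"),
            (MOM, "ServerVersion", "6.0.5000.0"),
            (WSUS, "SqlInstanceIsRemote", "1")]
# All must match for SP2 to be offered to a server running SP1.
REQUIRED = [(WSUS, "Version", "3"),
            (WSUS, "ServicePackLevel", "1"),
            (WSUS, "VersionString", "3.1.6001.65")]

def lookup(snapshot, subkey, name):
    """Case-insensitive lookup, since registry key and value names ignore case."""
    for (k, n), data in snapshot.items():
        if (k.lower(), n.lower()) == (subkey.lower(), name.lower()):
            return str(data)
    return None

def sp2_offer_status(snapshot):
    # Returns (offered, reasons) for one registry snapshot.
    blocked = [f"blocked: {n} = {d}" for k, n, d in BLOCKERS
               if lookup(snapshot, k, n) == d]
    if blocked:
        return False, blocked
    reasons = [f"unmet: {n} is {lookup(snapshot, k, n)!r}, expected {d!r}"
               for k, n, d in REQUIRED if lookup(snapshot, k, n) != d]
    offered = not reasons
    # The page lists this value without a comparison, so it is only reported.
    if lookup(snapshot, SCE, "SERVER-VERSION") is not None:
        reasons.append("review: SCE SERVER-VERSION is present")
    return offered, reasons

def read_live_snapshot():
    """Read the same values from HKLM on the WSUS server (Windows only)."""
    import winreg
    snap = {}
    for subkey, name, _ in BLOCKERS + REQUIRED + [(SCE, "SERVER-VERSION", None)]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                snap[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value does not exist

    return snap

# Constructed snapshots: SP1 with a local database, and the same server with remote SQL.
LOCAL_SP1 = {(WSUS, "Version"): 3, (WSUS, "ServicePackLevel"): 1,
             (WSUS, "VersionString"): "3.1.6001.65", (WSUS, "SqlInstanceIsRemote"): 0}
REMOTE_SQL = {**LOCAL_SP1, (WSUS, "SqlInstanceIsRemote"): 1}
```

On the WSUS server, `sp2_offer_status(read_live_snapshot())` applies the same checks to the live registry.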

If SP2 is offered for the server running SP1, we can approve the update for installation.
This update is not for the WSUS clients. The following screenshots show the SP2
installation through WSUS.
Note: The SP2 upgrade is not a silent process; administrator intervention is required.

If WSUS SP2 is offered through WSUS, the installation process will first back up the SUSDB,
and we will see the following line in WSUSSetup.log:
2009-09-06 02:40:39 Success MWUSSetup Creating database backup...

2. Manual Upgrade

As mentioned earlier, if SQL is on a remote machine we have to download the SP2 setup from
the link below and run the upgrade manually on the server. Before running the setup you need to
back up the SUSDB manually from the remote SQL box, as the upgrade process will not take any
backup of the database.
http://www.microsoft.com/downloads/details.aspx?FamilyId=a206ae20-2695-436c9578-3403a7d46e40&displaylang=en

Once the setup is finished, the regular configuration wizard will start; it can be ignored by
clicking Cancel.

How to check if Upgrade was Successful?

The installation of SP2 can be verified from Add/Remove Programs:

or from the Console:

or via the Registry:

Note: Administrative Tools will not show any Service Pack version at this time.
Hope this helps

Deploy WSUS Updates to a Workgroup


In some instances you may need to deploy updates with WSUS to a workgroup that is not a part
of your domain. This can be done with a quick registry edit.

WSUS and SUS are great ways of managing the deployment of operating system updates. This is
a technology that a lot of the time is only available to domain users, but why should they get all
of the fun? Even in some small workgroup environments there are benefits to being able to
automatically handle updates.
In order to do this, create a text file with a .reg extension and put the following in it:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://yoursusserver"
"WUStatusServer"="http://yoursusserver"
"ElevateNonAdmins"=dword:00000001
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Workstations"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAUShutdownOption"=dword:00000000
"AutoInstallMinorUpdates"=dword:00000001
"NoAUAsDefaultShutdownOption"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000001
"RescheduleWaitTime"=dword:00000001
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000010
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:00000016
"RebootWarningTimeoutEnabled"=dword:00000001
"RebootWarningTimeout"=dword:00000005
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RebootRelaunchTimeout"=dword:0000000a

Once you have done this, simply run this .reg file on each target computer in your workgroup
and they should begin getting updates from your WSUS or SUS server.
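
An added example, not part of the original guide: a small Python audit of a Windows Update policy .reg file like the one above, worth running before the file is copied to every workgroup machine. It decodes the hexadecimal dword data (00000016 is 22 hours, 00000010 is 16:00) and flags a missing header line, a WUServer value that is not a URL or uses plain http, ElevateNonAdmins, and out-of-range schedule values. The sample file, the server name wsus.example.internal and the function names are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Constructed sample: shortened copy of the file above; the server URL is hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.example.internal:8530"
"WUStatusServer"="http://wsus.example.internal:8530"
"ElevateNonAdmins"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallTime"=dword:00000010
"DetectionFrequency"=dword:00000016
'''
RANGES = {"AUOptions": (2, 5), "ScheduledInstallDay": (0, 7),  # documented decimal ranges
          "ScheduledInstallTime": (0, 23), "DetectionFrequency": (1, 22)}
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")')

def parse_reg(text):
    """Return (has_header, values). dword data in a .reg file is hexadecimal."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    has_header = bool(lines) and lines[0] == "Windows Registry Editor Version 5.00"
    values = {}  # keyed by value name only; names are unique in this file
    for ln in lines:
        if m := VALUE_RE.fullmatch(ln):
            name, dword, string = m.groups()
            values[name] = int(dword, 16) if dword is not None else string
    return has_header, values

def audit(text):
    has_header, v = parse_reg(text)
    findings = []
    if not has_header:
        findings.append("header line missing: regedit will not import the file")
    for name in ("WUServer", "WUStatusServer"):
        url = urlparse(str(v.get(name, "")))
        if url.scheme not in ("http", "https") or not url.netloc:
            findings.append(f"{name} is not an http(s) URL")
        elif url.scheme == "http":
            findings.append(f"{name} uses http: update metadata travels without TLS")
    if v.get("ElevateNonAdmins") == 1:
        findings.append("ElevateNonAdmins=1: non-administrators may approve or decline updates")
    if v.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: WUServer is ignored")
    for name, (lo, hi) in RANGES.items():
        if isinstance(v.get(name), int) and not lo <= v[name] <= hi:
            findings.append(f"{name}={v[name]} is outside {lo}-{hi}")
    return findings
```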
