Before deploying Windows Server Update Services (WSUS), you must understand how both
the client and server components should be configured for different environments. Without
proper planning, updates can take too long to distribute, waste large amounts of your limited
Internet and wide area network (WAN) bandwidth, or fail to install correctly. This lesson provides
background and planning information on WSUS.
NOTE New features
If you are familiar with earlier versions of WSUS, WSUS 3.0 with Service Pack 1 (included with Windows
Server 2008) provides a significant amount of new functionality. Most significantly, there is
now a console to manage WSUS; you no longer need to manage it using a Web browser. Additionally,
you have more flexibility for controlling which computers receive which updates.
After this lesson, you will be able to:
■ Describe the purpose of WSUS.
■ Configure the WSUS client.
■ Design a WSUS architecture to meet the needs of both small and large organizations.
■ List the client and server requirements for WSUS.
■ Describe the tools you can use to identify computers that are missing important
Estimated lesson time: 15 minutes
Windows Server Update Services (WSUS) is a private version of the Microsoft Update service
from which Windows computers automatically download updates. Because you can run
WSUS on your own internal network and use it to distribute updates to your computers, you
can use bandwidth more efficiently and maintain complete control over the updates installed
on your client computers.
When you run WSUS, it connects to the Microsoft Update site, downloads information about
available updates, and adds them to a list of updates that require administrative approval. After
an administrator approves and prioritizes these updates (a process that you can entirely automate),
WSUS automatically makes them available to Windows computers. The Windows
Update client (when properly configured) then checks the WSUS server and automatically
downloads and, optionally, installs approved updates. You can distribute WSUS across multiple
servers and locations to scale from small business to enterprise needs.
440 Chapter 9 Managing Software Updates
Windows Update Client
The Windows Update client is the component of WSUS clients that retrieves software from the
WSUS server, verifies the digital signature and the Secure Hash Algorithm (SHA1) hash, notifies
the user that the update is available, and installs the software (if configured to do so). The
Windows Update client installs updates at a scheduled time and can automatically restart the
computer if necessary. If the computer is turned off at that time, the updates can be installed
as soon as the computer is turned on. If the computer’s hardware supports it, Windows
Update can wake a computer from sleep and install the updates at the specified time.
NOTE WSUS client in earlier versions of Windows
In Windows XP and Windows 2000, the client component of WSUS is called the Automatic Updates
Because Windows Update settings should be applied to all computers in your organization,
Group Policy is typically the best way to distribute the settings. Windows Update settings
are located at Computer Configuration\Policies\Administrative Templates\Windows Components\
Windows Update. The Windows Update Group Policy settings are:
■ Specify Intranet Microsoft Update Service Location Specifies the location of your WSUS
■ Configure Automatic Updates Specifies whether client computers will receive security
updates and other important downloads through the Windows Update service. You
also use this setting to configure whether the user is prompted to install updates or the
Windows Update client automatically installs them (and at what time of day the installation
■ Automatic Updates Detection Frequency Specifies how frequently the Windows
Update client checks for new updates. By default, this is a random time between 17 and
■ Allow Non-Administrators To Receive Update Notifications Determines whether all users
or only administrators will receive update notifications. Nonadministrators can install
updates using the Windows Update client.
■ Allow Automatic Updates Immediate Installation Specifies whether Windows Update
will immediately install updates that don’t require the computer to be restarted.
Lesson 1: Understanding Windows Server Update Services 441
■ Turn On Recommended Updates Via Automatic Updates Determines whether client
computers install both critical and recommended updates, which might include
■ No Auto-Restart For Scheduled Automatic Updates Installations Specifies that to complete
a scheduled installation, Windows Update will wait for the computer to be restarted
by any user who is logged on instead of causing the computer to restart automatically.
■ Re-Prompt For Restart With Scheduled Installations Specifies how often the Windows
Update client prompts the user to restart. Depending on other configuration settings,
users might have the option of delaying a scheduled restart. However, the Windows
Update client will automatically remind them to restart based on the frequency configured
in this setting.
■ Delay Restart For Scheduled Installations Specifies how long the Windows Update client
waits before automatically restarting.
■ Reschedule Automatic Updates Scheduled Installations Specifies the amount of time for
Windows Update to wait, following system startup, before continuing with a scheduled
installation that was missed previously. If you don’t specify this amount of time, a missed
scheduled installation will occur one minute after the computer is next started.
■ Enable Client-Side Targeting Specifies which group the computer is a member of. This
option is useful only if you are using WSUS; you cannot use this option with Software
Update Services (SUS), the predecessor to WSUS.
■ Enabling Windows Update Power Management To Automatically Wake Up The System To
Install Scheduled Updates If people in your organization tend to shut down their computers
when they leave the office, enable this setting to configure computers with supported
hardware to automatically start up and install an update at the scheduled time.
Computers will not wake up unless there is an update to be installed. If the computer is
on battery power, the computer will automatically return to sleep after two minutes.
■ Allow Signed Updates From An Intranet Microsoft Update Service Location Specifies
whether Windows XP with Service Pack 1 or later will install updates signed using a
trusted certificate even if the certificate is not from Microsoft. This is not a commonly
Additionally, the following two settings are available at the same location under User Configuration
(which you can use to specify per-user settings) in addition to Computer Configuration:
■ Do Not Display ‘Install Updates And Shut Down’ Option In Shut Down Windows Dialog
Box Specifies whether Windows XP with Service Pack 2 or later shows the Install
Updates And Shut Down option.
■ Do Not Adjust Default Option To ‘Install Updates And Shut Down’ In Shut Down Windows
Dialog Box Specifies whether Windows XP with Service Pack 2 or later automatically
changes the default shutdown option to Install Updates And Shut Down when Windows
Update is waiting to install an update.
Finally, the last user setting is available only at User Configuration\Administrative Templates
\Windows Components\Windows Update:
■ Remove Access To Use All Windows Update Features When enabled, prevents a user from
accessing the Windows Update interface.
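The Group Policy settings listed above reach the client as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey. The following PowerShell script is an added example, not code from this training kit; run on a client, it reads those values and reports how the settings in this list have actually been applied. The registry value names (WUServer, UseWUServer, AUOptions, and so on) follow Microsoft's documented Windows Update client policy layout rather than this lesson, and the checks it performs (an intranet WSUS server is in effect, the server URL uses HTTPS, the Automatic Updates mode is set by policy, and the Allow Signed Updates setting is called out when enabled) are this example's own choice of what to audit.

```powershell
# Added example, not code from the training kit. Reads the Windows Update policy
# values that the Group Policy settings listed above write to the registry and
# reports how the client is configured. Value names follow Microsoft's documented
# Windows Update client policy registry layout; they are not taken from this page.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value is absent (setting is "Not Configured")
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Policy name as shown in the Group Policy editor -> registry value read below
$settings = @{
    'Specify Intranet Microsoft Update Service Location' = Get-PolicyValue $wuKey 'WUServer'
    'Enable Client-Side Targeting (group name)'          = Get-PolicyValue $wuKey 'TargetGroup'
    'Allow Signed Updates From An Intranet Location'     = Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts'
    'Use WSUS server (UseWUServer)'                      = Get-PolicyValue $auKey 'UseWUServer'
    'Configure Automatic Updates (AUOptions)'            = Get-PolicyValue $auKey 'AUOptions'
    'Scheduled install hour'                             = Get-PolicyValue $auKey 'ScheduledInstallTime'
    'Detection frequency (hours)'                        = Get-PolicyValue $auKey 'DetectionFrequency'
    'No Auto-Restart With Logged On Users'               = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    'Allow Non-Administrators notifications'             = Get-PolicyValue $auKey 'ElevateNonAdmins'
}
$settings.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize | Out-Host

# Meaning of the AUOptions value written by Configure Automatic Updates
$auMeaning = @{ 2 = 'Notify before download'; 3 = 'Auto download, notify before install';
                4 = 'Auto download and schedule the install'; 5 = 'Local administrator chooses' }

$findings = @()
$wuServer = $settings['Specify Intranet Microsoft Update Service Location']
if ($settings['Use WSUS server (UseWUServer)'] -ne 1 -or [string]::IsNullOrEmpty($wuServer)) {
    $findings += 'No intranet WSUS server is in effect; the client will contact Microsoft Update directly.'
} elseif ($wuServer -notmatch '^https://') {
    $findings += "WSUS location '$wuServer' uses HTTP; HTTPS is available once the server has an SSL certificate."
}
$au = $settings['Configure Automatic Updates (AUOptions)']
if ($null -eq $au) {
    $findings += 'Configure Automatic Updates is not set by policy; users can change the client behaviour locally.'
} elseif ($auMeaning.ContainsKey([int]$au)) {
    $findings += "Automatic Updates mode: $($auMeaning[[int]$au])."
}
if ($settings['Allow Signed Updates From An Intranet Location'] -eq 1) {
    $findings += 'Updates signed by trusted non-Microsoft certificates will be accepted; confirm this is intended.'
}
$findings
```

Because the script only reads HKLM policy keys, it can run under any account that can read the registry; on a domain member the values reflect the last Group Policy refresh, so run gpupdate first if you have just changed the GPO.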
WSUS can scale from small organizations to multinational enterprises. In general, you’ll need a
single WSUS server for each regional office with more than 10 computers and a separate WSUS
server for each different IT department that requires control over how updates are approved.
Typically, redundancy is not required for WSUS servers; however, you should back up the
WSUS database and be prepared to repair or replace the server within a week of failure. If a
WSUS server fails, there’s no direct impact on users, and updates are rarely so time-critical that
there would be any impact if it took even a few days to restore a WSUS server.
The sections that follow describe how to design WSUS architectures for different types of offices.
Organizations with One Office
If you have only one location, you can use a single WSUS server—regardless of the total number
of client computers. The Windows Update client is designed to share bandwidth and wait
when your network is busy, so network impact should be minimal.
Organizations with Multiple Offices
If you were to use a single WSUS server to support clients at multiple offices, each client computer
would need to download updates across your WAN connection. Updates, especially service
packs, can be several hundred megabytes. Because WAN connections tend to have lower
bandwidth than LAN connections, downloading large updates across the WAN could affect
overall WAN performance. If your WAN is low-bandwidth or highly busy, clients might not be
able to retrieve updates promptly.
To allow clients to retrieve updates from your LAN, configure one WSUS server at each
regional location and configure the WSUS servers to retrieve updates in a hierarchy from their
parent servers. For best results, use a hierarchy that mirrors your WAN architecture while minimizing
the number of levels in the hierarchy. Figure 9-1 illustrates a typical WAN architecture,
and Figure 9-2 demonstrates an efficient WSUS design for that architecture.
Figure 9-1 A typical WAN architecture
Figure 9-2 An efficient WSUS architecture for the previous sample WAN
[Figure labels recovered from the diagram: Sweden, Egypt, China]
In this architecture, only the Boston WSUS server would retrieve updates directly from
Microsoft. All update management would be performed on the Boston WSUS server, and all
other WSUS servers would be configured as replicas. The downstream servers would pull
updates from the upstream servers; for example, Los Angeles (the downstream server) would
pull updates from Boston (the upstream server). Similarly, Argentina is considered a downstream
server to Costa Rica.
To provide updates for small offices that cannot support a local WSUS server, configure client
computers to download updates from the nearest WSUS server. If the office has a fast Internet
connection, consider deploying a WSUS replica that does not store updates locally and
instead directs client computers to retrieve updates directly from Microsoft.
Organizations with Multiple IT Departments
The architecture demonstrated in the previous section shows an ideal that is rarely realistic: an
entire multinational company managed by a single IT department. Most organizations have
separate IT departments, each with its own processes and guidelines, that will insist on controlling
which updates are deployed to the client computers they manage.
In organizations with distributed IT departments, you can design the WSUS architecture
exactly as described in the previous section. The only difference is in the configuration—
instead of configuring each WSUS server as a replica, configure the WSUS servers as autonomous,
which allows for approvals and management at each specific server. The configuration
steps required are described in Lesson 2, “Using Windows Server Update Services.”
When planning your WSUS deployment, keep the following requirements in mind:
■ The WSUS server must establish HTTP connections to the Internet (specifically, to the
Microsoft Update Web site). If the connection uses a proxy server, you must provide credentials
■ Downstream WSUS servers must establish connections to upstream WSUS servers
using either HTTP (and TCP port 80) or, if you have an SSL certificate installed, HTTPS
(and TCP port 443).
■ Client computers must connect from your intranet using either HTTP or HTTPS.
■ The client computer operating system must be one of the following:
❑ Windows 2000 with Service Pack 3 or Service Pack 4
❑ Windows XP Professional
❑ Windows Vista
❑ Windows Server 2003
❑ Windows Server 2008
■ If client computers are disconnected from your network for an extended period of time
(for example, if a professor leaves on sabbatical or an employee works from home for
months and does not connect to the virtual private network [VPN]), the client will not be
able to download updates. Consider configuring the computer to automatically install
updates directly from Microsoft or, using NAP, to require computers to have updates
before connecting to your intranet. For more information about NAP, read Chapter 8,
“Configuring Windows Firewall and Network Access Protection.”
Planning the WSUS Installation
During the WSUS installation process, you will need to make several critical decisions:
■ Update source WSUS can retrieve updates either directly from Microsoft Update or
from another WSUS server on your own network. Typically, you should choose the
method that is most bandwidth efficient. If two WSUS servers are connected by a high-speed
local area network (LAN), have one of those servers retrieve updates from
Microsoft Update and the second server retrieve updates from the first. If you have
WSUS servers in three remote offices that are linked using VPNs across the Internet, it
would be more efficient for each to download updates directly from Microsoft—because
the updates would need to cross the individual Internet connections anyway. Your
WSUS architecture defines the exact arrangement, with downstream servers configured
to retrieve updates from upstream servers.
■ Approval and configuration replication If you have multiple WSUS servers and you configure
servers to retrieve updates from one of your WSUS servers, you can choose to also
synchronize approvals, settings, computers, and groups from the parent WSUS server.
Essentially, this makes the child WSUS server a perfect replica. If you configure a server
as a replica, you do not need to approve updates on the replica server. If you configure a
server as autonomous, you must manually approve updates on the WSUS servers—
which is useful for giving multiple IT departments independent control.
■ Update storage WSUS can either copy updates from Microsoft and store them locally
or direct client computers to download updates directly from Microsoft. If you choose to
store updates locally, the WSUS server will require at least 6 GB of free disk space
(although the actual amount can be much greater, depending on how many updates
Microsoft releases and how many languages you require). Storing updates locally can
greatly reduce your Internet bandwidth usage by allowing clients to retrieve updates
across the LAN.
■ Database By default, WSUS will store the list of updates (including which updates you
want to deploy and other settings) in a Windows Internal Database. The WSUS setup
process requires at least 3 GB of free disk space to store the Windows Internal Database,
although the actual size is typically closer to 1 GB. The Windows Internal Database
works for most purposes, but you can also use an existing database server (such as a
Microsoft SQL Server) on the local computer or a remote computer.
NOTE Default WSUS database location
By default, the database is located at C:\WSUS\UpdateServicesDbFiles\SUSDB.mdf.
■ Web site selection WSUS requires IIS because client computers retrieve updates using
HTTP or HTTPS (if you have an SSL certificate, such as one purchased from a public certification
authority or generated by a Windows Server 2008 certification authority). If
you do not use IIS for any other purposes on the WSUS server, you can use the existing
IIS default Web site. Otherwise, you can create a new Web site specifically for WSUS.
■ Languages Many updates are language-specific. To minimize disk space usage, you
should choose to download only languages that are required by client computers that
will access the WSUS server. You should avoid selecting all languages, because the total
storage space and bandwidth required will be very high.
■ Products Microsoft Update can provide updates for a wide variety of products other than
core Windows operating systems. For example, Microsoft Update distributes updates for
Exchange Server, ISA Server, SQL Server, and Office. Select only the applications and operating
systems used within your organization to minimize the disk space required.
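The architecture decisions in the earlier sections (which server synchronizes from Microsoft Update, which servers are replicas of a parent, which are autonomous) and the update source, replication and storage decisions in this list all end up as per-server configuration. The following PowerShell script is an added example, not code from this training kit or from Microsoft; it encodes an intended hierarchy modelled on the Boston, Los Angeles, Costa Rica and Argentina layout from Figure 9-2 and checks each server's live configuration against it. It assumes the WSUS 3.0 administration API assembly (Microsoft.UpdateServices.Administration) is installed where the script runs, that the account has WSUS administrator rights on every server listed, and that each server uses the default Web site on port 80; the server names are constructed.

```powershell
# Added example, not from the training kit. Verifies that each WSUS server in a
# hierarchy is configured the way the architecture design intends: Upstream (syncs
# from Microsoft Update), Replica (approvals copied from its parent) or Autonomous
# (its own approvals). Assumes the WSUS 3.0 administration API is installed on this
# machine and that the account has WSUS administrator rights on every server listed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Intended design (constructed names, modelled on the Boston / Los Angeles /
# Costa Rica / Argentina example). StoreLocally = $false means the server directs
# clients to fetch update content from Microsoft instead of storing it itself.
$design = @(
    @{ Name = 'wsus-boston';     Role = 'Upstream';   Parent = $null;            StoreLocally = $true  },
    @{ Name = 'wsus-losangeles'; Role = 'Replica';    Parent = 'wsus-boston';    StoreLocally = $true  },
    @{ Name = 'wsus-costarica';  Role = 'Autonomous'; Parent = 'wsus-boston';    StoreLocally = $true  },
    @{ Name = 'wsus-argentina';  Role = 'Replica';    Parent = 'wsus-costarica'; StoreLocally = $false }
)

function Get-WsusRole($config) {
    if ($config.SyncFromMicrosoftUpdate) { return 'Upstream' }
    if ($config.IsReplicaServer)         { return 'Replica' }
    return 'Autonomous'
}

foreach ($entry in $design) {
    try {
        # Port 80 = default Web site (the dedicated WSUS Web site listens on 8530 instead)
        $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($entry.Name, $false, 80)
        $config = $server.GetConfiguration()
    } catch {
        Write-Warning "$($entry.Name): cannot connect ($($_.Exception.Message))"
        continue
    }

    $problems   = @()
    $actualRole = Get-WsusRole $config
    if ($actualRole -ne $entry.Role) {
        $problems += "role is $actualRole, design says $($entry.Role)"
    }
    if ($entry.Parent -and $config.UpstreamWsusServerName -ne $entry.Parent) {
        $problems += "upstream is '$($config.UpstreamWsusServerName)', design says '$($entry.Parent)'"
    }
    if ($entry.Parent -and -not $config.UpstreamWsusServerUseSsl) {
        $problems += 'pulls from its upstream server over HTTP (port 80) rather than HTTPS (port 443)'
    }
    # HostBinariesOnMicrosoftUpdate = $true is the "do not store updates locally" choice
    $storesLocally = -not $config.HostBinariesOnMicrosoftUpdate
    if ($storesLocally -ne $entry.StoreLocally) {
        $problems += "stores updates locally = $storesLocally, design says $($entry.StoreLocally)"
    }

    if ($problems.Count -eq 0) {
        Write-Output "$($entry.Name): OK ($actualRole)"
    } else {
        Write-Output "$($entry.Name): MISMATCH - $($problems -join '; ')"
    }
}
```

An autonomous server such as the Costa Rica entry still has an upstream server for update content; what distinguishes it from a replica is that approvals are made locally, which is why the script checks the role and the upstream name separately.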
After deploying WSUS, some client computers might still be missing updates because the
update installation fails, the client computer is misconfigured (or is not part of your Active
Directory domain), or the client computer has been disconnected from your network for a
long time. You can use several techniques to identify computers that are missing updates:
■ Windows Update console You can use the Computers And Reports node to identify
WSUS clients that have not ins