Microsoft WSUS - Part 1


The information in this article applies to WSUS 3.0 SP2 and later.

WSUS (Windows Server Update Services) is a no-cost solution for distributing critical and security updates within an organization. It lets administrators manage and distribute updates for Windows operating systems and Microsoft applications. Updates can be approved automatically or manually.

You can specify the date and time at which updates may be installed and which products receive them. The rules that govern how updates are applied are configured through the WSUS management console and Group Policy. WSUS on its own does not distribute third-party patches; for those you need a management tool such as Microsoft System Center Essentials or Microsoft System Center Configuration Manager 2007 SP2 R3.

WSUS 3.0 SP2 adds support for Windows Server 2008 R2, Windows 7 and BranchCache, auto-approval rules with deadlines, and the ability to sort target groups alphabetically. A single WSUS 3.0 SP2 server supports up to 25,000 clients; for 50,000 clients, use two WSUS front-end servers sharing a Microsoft SQL Server Standard database.

Architecture and implementation options

1- Simple Architecture

  Single, well-connected site

       The WSUS server synchronizes updates from Microsoft Update

       Clients update from WSUS

  Single server can handle 25,000 clients

2- Simple, with Groups Architecture

  Largest use case in production today

  Driving forces to move to Machine Groups:

       Differing patching requirements or schedules

       Test groups

       Servers vs. Workstations


  Not necessarily used for load distribution

3- Centralized Architecture

  Downstream servers are replicas of primary server

  Little control at the downstream servers

       Downstream admins drop machines into predefined groups

       All update approvals and schedule done at primary server

WSUS Chaining

  Chaining means downstream servers obtain updates (and sometimes computer group data) from an upstream server

  Options for chaining

       Distributed vs. Centralized model

       “Autonomous Mode” vs. “Replica Mode”

  Chaining avoids the “MESH” or “Fully Independent” architecture, in which every server synchronizes on its own

       That design wastes resources and bandwidth

            Though some situations do mandate a “MESH” or “Fully Independent” design

4- Distributed Architecture

  Downstream servers obtain updates from primary server, except:

       Update approvals do not flow down. Assigned at each site individually.

       Downstream admins have greater control. Can create groups and assign approvals.

  Used for distribution rather than control of updates

5- Disconnected Architecture

  Many environments don’t have Internet connectivity.

       Test/dev, government, classified, air gap environments

  Data must be imported from “the outside”

       Any of the previous architectures will work

  Manual import process required

       Gives CM/QA/Security the option to review updates prior to bringing “inside”.


6- High Availability Architecture

  WSUS 3.0 includes native support for high availability

       NLB Clusters connect multiple WSUS web servers via a single cluster IP

       SQL Cluster manages the database

       No single point of failure

This design is useful for availability, but does little for performance.

7- WSUS update storage locations

  • Update files can be stored on other, remote servers. This is recommended for locations with a small number of users that are connected over a limited WAN link but have a stable Internet connection.


Approval and Installation of updates

Updates can initially be approved for one or more workstations in a test computer group. The test machines in that group will contact the WSUS server within the next 24 hours; after that period you can check the installation success rate in the WSUS reports. If the test installations succeed, the updates can be approved for the rest of the computer groups in the organization.

In the WSUS console, select the update or updates you want and choose the Approve option:

Select the desired computer group and choose Approved for Install:

The update has been approved for installation:

In the WSUS console, the update is now approved for one of the existing computer groups (1/4):

Quick approval of updates with a deadline

Select an update from the list and choose Approve:

Choose the desired computer group and the Custom option:

Choose the date by which the update must be installed:

The Update has been approved for installation:
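The test-group approval described above (approve for a test group with a deadline, wait for the clients to report, then read the results) can also be scripted with the WSUS administration API that ships with the console. The following is an added example, not code from the original article; the server name wsus01, port 8530 without SSL and the computer group name Test are assumptions for your own environment.

```powershell
# Added example, not part of the original article.
# Approves not-yet-approved "Critical Updates" for a test computer group with an
# install deadline, then reads back the per-group status that the WSUS reports show.
# Assumptions: server wsus01 on port 8530 without SSL, a computer group named "Test".
# Run on a machine where the WSUS 3.0 SP2 administration console is installed.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$serverName = 'wsus01'   # assumption
$port       = 8530       # use 80 when WSUS runs on the default IIS web site
$groupName  = 'Test'     # assumption

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($serverName, $false, $port)

$testGroup = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $testGroup) { throw "Computer group '$groupName' does not exist on $serverName" }

# Scope: Critical Updates that no group has approved yet
$critical = $wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Critical Updates' }
if (-not $critical) { throw "Classification 'Critical Updates' is not synchronized on $serverName" }
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
[void]$scope.Classifications.Add($critical)

# Deadline: 03:00 local time, seven days from today (the "Custom" choice in the console)
$deadline = (Get-Date).Date.AddDays(7).AddHours(3)

foreach ($update in $wsus.GetUpdates($scope)) {
    if ($update.IsSuperseded) { continue }          # do not push updates already replaced by newer ones
    if ($update.RequiresLicenseAgreement) { $update.AcceptLicenseAgreement() }
    [void]$update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $testGroup, $deadline)
    Write-Host "Approved for '$groupName' (deadline $deadline): $($update.Title)"
}

# Run this part again after the 24-hour reporting window: installed vs. failed
# per approved update, counted only for the members of the test group.
function Get-TestGroupResult {
    param($Server, $Group)
    $approvedScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $approvedScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    foreach ($u in $Server.GetUpdates($approvedScope)) {
        $s = $u.GetSummaryForComputerTargetGroup($Group)
        New-Object PSObject -Property @{
            Title        = $u.Title
            Installed    = $s.InstalledCount + $s.InstalledPendingRebootCount
            Failed       = $s.FailedCount
            NotInstalled = $s.NotInstalledCount + $s.DownloadedCount
            Unknown      = $s.UnknownCount   # client has not reported yet
        }
    }
}

Get-TestGroupResult -Server $wsus -Group $testGroup |
    Where-Object { $_.Installed -gt 0 -or $_.Failed -gt 0 } |
    Format-Table Title, Installed, Failed, NotInstalled, Unknown -AutoSize
```

Only approve the same updates for the production groups once the Failed column is zero and the Unknown column has drained; a high Unknown count after 24 hours usually means the test machines are not checking in at all, which is a separate problem from the update itself.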

Automatic approval of updates

In the WSUS server management console, select Automatic Approvals:

By default there is a single approval rule, but new custom rules can be created:

Select New Rule:

Select Critical Updates:

Choose the target computer group, here Tier1Desktops:

Select the classification and computer group, then give the rule a name, such as Critical Desktop Updates:

The new rule has been created successfully; select it and click OK:
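The same rule can be created with the WSUS administration API, which also makes it easy to audit what every automatic rule approves and for which groups. This is an added example, not code from the original article; the server name wsus01 and port 8530 are assumptions, while the rule name, classification and group are the ones from the steps above.

```powershell
# Added example, not part of the original article.
# Creates (or updates) the automatic approval rule built in the console above:
# classification "Critical Updates", target group "Tier1Desktops", rule name
# "Critical Desktop Updates". Assumptions: server wsus01, port 8530, no SSL.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus01', $false, 8530)

$ruleName   = 'Critical Desktop Updates'
$groupName  = 'Tier1Desktops'
$classTitle = 'Critical Updates'

$classification = $wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq $classTitle }
$group          = $wsus.GetComputerTargetGroups()  | Where-Object { $_.Name  -eq $groupName }
if (-not $classification) { throw "Classification '$classTitle' not found; enable it under Products and Classifications first" }
if (-not $group)          { throw "Computer group '$groupName' not found" }

# Reuse an existing rule of the same name instead of creating a duplicate
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

$classifications = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$classifications.Add($classification)
$rule.SetUpdateClassifications($classifications)

$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($group)
$rule.SetComputerTargetGroups($groups)

$rule.Enabled = $true
$rule.Save()
# $rule.ApplyRule()   # optional: also apply the rule to updates already on the server

# Audit: list every rule with what it approves and for whom, so that a rule
# quietly widened to "All Computers" is visible at a glance.
$wsus.GetInstallApprovalRules() | ForEach-Object {
    New-Object PSObject -Property @{
        Rule            = $_.Name
        Enabled         = $_.Enabled
        Classifications = ($_.GetUpdateClassifications() | ForEach-Object { $_.Title }) -join ', '
        TargetGroups    = ($_.GetComputerTargetGroups()  | ForEach-Object { $_.Name })  -join ', '
    }
} | Format-Table Rule, Enabled, Classifications, TargetGroups -AutoSize
```

Keep automatic rules scoped to classifications you have already tested (as in the test-group procedure above); an automatic rule for "All Computers" bypasses that review step entirely.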


The WSUS server can download only the update metadata first and defer downloading the update files themselves. Update files are then downloaded as soon as an update is approved, which saves bandwidth and disk space. Updates can be tested before being installed on the Windows clients.

Below is a way to download updates using multiple WSUS servers (if you want such an architecture in the future):

Email notification setting

The WSUS server can be configured to send e-mail notifications when new updates arrive, or daily or monthly detailed status reports about the WSUS network.

Notifications are sent every time the WSUS server synchronizes new updates. They can also include information about downstream WSUS servers.

Customizing the WSUS administration console

You can customize the WSUS administration console to display information about update status and WSUS clients.

Update classifications

Classification        Description
Critical Updates      Fixes for specific problems.
Definition updates    Updates to virus definitions.
                      Software components designed to support new types of hardware.
Feature packs         New product functionality, gathered into a future product release.
Security updates      Fixes for specific security issues.
Service Packs         Cumulative packages containing critical fixes and security updates, plus a limited number of customer-requested updates.
                      Utilities or features that help accomplish a task or set of tasks.
Cumulative updates    Cumulative packages of fixes, critical updates and security updates that are deployed together.
                      Fixes for specific non-critical, non-security problems.


Managing WSUS server from the command line

The wsusutil command is used to administer the WSUS server. It is located in the WSUSInstallDir\Tools folder and must be run with administrator credentials. The commands that can be run from the command line are listed and described below:





  • Updates the registry keys on the WSUS server after the IIS configuration has been changed.

  • Configures the health monitoring values in the database. If no new values are specified, the current values are displayed.

  • First part of the export/import process used to synchronize a downstream WSUS server without a network connection: exports update metadata to an export package file. This parameter cannot export update files, update approvals or server settings.

  • Second part of the export/import process: imports update metadata from an export package file created on another WSUS server, which synchronizes the destination WSUS server without a network connection.

  • Changes the file system location where the WSUS server stores update files, and optionally copies the existing update files from the old location to the new one.

  • Lists the front-end servers related to this WSUS server.

  • Deletes the specified front-end server from the WSUS database.

  • Checks the health of the WSUS server; the results appear in the Application event log.

  • Checks that every update metadata row in the database has corresponding update files in the file system; missing or corrupted update files are downloaded again.

  • Returns a list of update titles whose approvals are permanently inactive because of a change in the server language settings.

  • Removes approvals for updates that are permanently inactive because of a change in the WSUS server language settings.

  • Switches the port number used by the WSUS web services between 80 and 8530.
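The export/import commands are what make the disconnected architecture from the list above work: the connected server exports a metadata package and its update files are carried across with it, and the disconnected server copies the files in first and then imports the metadata. The following script is an added example, not code from the original article; the install path (a default installation, so WSUSInstallDir is %ProgramFiles%\Update Services), the content folder D:\WSUS\WSUSContent and the transfer location E:\wsus-transfer are assumptions.

```powershell
# Added example, not part of the original article.
# Disconnected (air-gap) transfer with wsusutil export/import.
# Assumptions: default install path (WSUSInstallDir = %ProgramFiles%\Update Services),
# content folder D:\WSUS\WSUSContent, removable media mounted as E:\wsus-transfer.
# WSUS 3.0 SP2 names the package export.cab; WSUS on Windows Server 2012 and later
# expects export.xml.gz instead. Both servers must run the same WSUS version.

$WsusUtil   = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$ContentDir = 'D:\WSUS\WSUSContent'                # assumption
$Stage      = 'E:\wsus-transfer'                   # assumption
$Package    = Join-Path $Stage 'export.cab'

function Invoke-WsusUtil {
    # Runs one wsusutil command and stops the script if it reports failure
    param([string[]]$Arguments)
    & $WsusUtil @Arguments
    if ($LASTEXITCODE -ne 0) { throw "wsusutil $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

function Copy-Content {
    # Mirrors the update files; robocopy exit codes 0-7 mean success, 8 and above mean failed copies
    param([string]$From, [string]$To)
    $log = Join-Path $Stage 'robocopy.log'
    robocopy $From $To /MIR /R:3 /W:5 /NP "/LOG+:$log" | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy $From -> $To failed with exit code $LASTEXITCODE (see $log)" }
}

function Export-WsusForTransfer {
    # Run on the server that synchronizes with Microsoft Update.
    # The package holds metadata only: no update files, approvals or server settings.
    New-Item -ItemType Directory -Force -Path $Stage | Out-Null
    Invoke-WsusUtil @('export', $Package, (Join-Path $Stage 'export.log'))
    Copy-Content -From $ContentDir -To (Join-Path $Stage 'WSUSContent')
    Write-Host "Package and content staged under $Stage; review before moving inside."
}

function Import-WsusFromTransfer {
    # Run on the disconnected server: files first, then metadata, so that every
    # update the import makes visible already has its files on disk.
    Copy-Content -From (Join-Path $Stage 'WSUSContent') -To $ContentDir
    Invoke-WsusUtil @('import', $Package, (Join-Path $Stage 'import.log'))
    Invoke-WsusUtil @('checkhealth')   # result is written to the Application event log
    Get-EventLog -LogName Application -Source 'Windows Server Update Services' -Newest 5 |
        Select-Object TimeGenerated, EntryType, EventID, Message
}

switch ($args[0]) {
    'export' { Export-WsusForTransfer }
    'import' { Import-WsusFromTransfer }
    default  { Write-Host 'Usage: .\wsus-transfer.ps1 export | import' }
}
```

Because the package carries no approvals, the disconnected server keeps its own approval state; this is what gives the CM/QA/security staff mentioned above the chance to review what arrived before approving it. Do not run the reset command on the disconnected server after the import: it would try to re-download any file it considers missing, which cannot succeed without Internet access; run it on the connected server instead if the content copy looks incomplete.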


Microsoft WSUS 3.0 SP2 - Part 2
Microsoft WSUS 3.0 SP2 - Part 3
