WSUS Support Forums: Beginner's WSUS Admin FAQ - WSUS Support Forums

Beginner's WSUS Admin FAQ: Please read before posting

#1 Rob Dunn

Posted 25 Aug 2005, 14:41

Here is some information that I've compiled regarding WSUS from some of my notes and some recent issues that I've found in the Newsgroups, etc.

Updated 1/23/2007 -
Added new GPO settings for WSUS 3.0
Added registry key information for WSUS settings

http://www.vbshf.com...us/wsus_faq.htm - it is also linked at the bottom of this post just in case you cannot get to it because of Internet filtering, etc.

I think this is an ever-growing work in progress, but I hope it helps someone.

I'd post the complete FAQ here, but all the html tags won't work (because of the board software). Probably the most useful sections are on the extended information about the Automatic Updates GPO, why clients aren't reporting, and how to force the download and installation of approved updates.

Please let me know if you find any inaccurate information or if you'd like to add to it.

Here's an outline of the document:

Wuau.adm

Q: Where can I get wuau.adm for Automatic Updates?
  • How to configure automatic updates by using Group Policy or registry settings
  • Further information from Microsoft on how to configure Automatic Updates via GPO
  • Wuau.adm policy settings
  • Configure Automatic Updates
  • Specify internet Microsoft update service location
  • Enable client-side targeting
  • Reschedule Automatic Updates Scheduled installations
  • No auto-restart for scheduled Automatic Updates installations
  • Automatic Updates detection frequency
  • Allow Automatic Updates immediate installation
  • Delay Restart for scheduled installations
  • Re-prompt for restart with scheduled installations
  • Allow non-administrators to receive update notifications
  • Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
  • Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
  • Enable recommended updates via Automatic Updates (WSUS 3.0)
  • Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates (WSUS 3.0)
  • Allow signed content from intranet Microsoft update service location (WSUS 3.0)

Q: What registry entries are changed when these policy settings are applied?
Q: Where are the non-GPO Automatic Updates registry keys stored?

Other Windows Update related policy settings
  • Remove access to use all Windows Update features

Q&A

Selfupdate and WSUSAdmin folders on WSUS IIS Server
Q: What address should I point my clients to in my GPO for Windows Updates?
Q: What is the Selfupdate tree for?

Editing the Client Registry (no AD to apply GPO's)
Q: Is it necessary to edit the registry on the clients? When is it necessary?
  • Applying a GPO in a Windows NT domain environment
  • Manually configuring AU Client for WSUS in a workgroup environment

Updating WSUS clients
Q: How do you push out updates to clients?
Q: Why do my computers keep rebooting even though I specified to not reboot them?
Q: Can I deploy Service Packs?
Q: How can I force my computer to download updates and install?
Q: How can I tell if my computer has a pending reboot?
Q: How do I tell a computer to detect needed updates or check in with the server?
Q: I've applied my GPO, but no clients are showing up in the WSUS console. What's going on?
  • Not enough time has passed for the clients to check in automatically
  • Potential duplicate clients using the same WSUS SID
  • Invalid GPO settings or GPO not being applied correctly to the clients
Q: How do I control the bandwidth used by Windows Updates (BITS)?

Tools and related resources
Q: Where can I find tools to report information from my WSUS database?
Q: Where can I download WSUS?
Q: Where can I locate diagnostic tools to troubleshoot my client and/or server configuration?
Q: Where can I download the WSUS API Samples?

Central reporting for multiple WSUS servers
Q: How can I extract updates directly from the WSUS database?

WSUS and WUA Development
Q: Where can I find information on the WSUS (server component) API?
Q: Where can I find information on the WUA (Windows Update Agent) API?

WSUS Administration
Q: Where can I find Microsoft documentation for WSUS?
Q: I'm having troubles with my WSUS server, what tools are available to help me troubleshoot the problem?
Q: My WSUS content directory is full! How can I clean up unneeded files?
Q: How do I configure the WSUS console for read-only access for reporting purposes?
Q: I like to develop VBScripts for administration purposes. Where can I find information on the scripting interface for WSUS?
Q: SUS only took up xGb amount of space! Why does my WSUS content directory have so much more data in it?
Q: I'm getting error code (insert error code here) in my Windows Update logs, what do these errors mean?

Other FAQ’s

WSUS Resources

Also, I have some patch management testing procedures available here if anyone is willing to take a look:

http://www.vbshf.com...t_procedure.htm

Rob

Attached File(s)

  • Attached File  wuau.htm (203.13K)
    Number of downloads: 272

This post has been edited by Rob Dunn: 29 Jan 2007, 14:59

WSUS Beginner's Admin FAQ

Computers not showing up in WSUS? See this post: http://www.wsus.info...?showtopic=9312
-------------------------------------
WSUS Extract - extract update EXE's from the WSUS content folder: WSUS Extract 1.30

UpdateHF - force client to download and install approved Windows Updates: Force Windows Update download and install 2.5 (03/26/07)

SetAuthorization - Perform a /resetauthorization and /detectnow against a remote computer where you have administrative privileges

Various Admin scripts, WSUS stuff, and HTA-driven IS tools: http://www.vbshf.com/vbshf/forum

My electronic music side-project: http://www.funender....c/maximillian_x

#2 Rob Dunn

Posted 26 Aug 2005, 10:07

I have updated this quite a bit - can anyone offer feedback? i.e. is it worthy of making it a sticky post? :)

Rob

#3 The Real JoS

Posted 26 Aug 2005, 11:53

Great work qc_metal!

This is awesome and comprehensive.

YES YES YES Sticky...... (though I don't think the mods are ever here to read this so it will prob never get Stick'd)

This post has been edited by The Real JoS: 26 Aug 2005, 13:41

#4 Rob Dunn

Posted 26 Aug 2005, 13:08

The Real JoS, on Fri 26th Aug 2005, 01:53 pm, said:

Great work gc_metal!

This is awesome and comprehensive.

YES YES YES Sticky...... (though I don't think the mods are ever here to read this so it will prob never get Stick'd)


TRJ - Thanks! I figured we'd all seen a lot of questions that were repeated...!

The biggest thing I wanted to notate was the GPO settings and what they really do in the real world :)

oh - it's 'q'c_metal, by the way! It's hard to tell with the underline :D

Rob

#5 The Real JoS

Posted 26 Aug 2005, 13:41

qc_metal, on Fri 26th Aug 2005, 04:08 pm, said:

oh - it's 'q'c_metal, by the way!  It's hard to tell with the underline :D


oops...edit'd!

#6 Jones

Posted 27 Aug 2005, 14:18

Great Job. All thumbs up. :)

#7 Bunce

Posted 28 Aug 2005, 19:41

I've made it a sticky. Great work Rob!!

#8 ac1dburn

Posted 29 Aug 2005, 13:48

Rob - as usual, nice work!!

TRJ - does this include the topics that we had discussed via PM a couple of weeks back?
(I have kinda forgotten what we had PM'ed about, but I remember the idea of trying to make a sticky for it...) :)

Bunce - thanks for sticky-izing this! Much appreciated!!

This post has been edited by ac1dburn: 29 Aug 2005, 13:49

#9 MDavies

Posted 06 Sep 2005, 10:23

Hi,
Just read your FAQ - really useful, and nice work.

I have one requested addition to make please - the section on centrally updating WSUS to clients on a non-AD Domain (i.e. NT4 Domain). You don't have to use regedit (either manually or via script). You can use the wuau.adm template provided for use with GPO, in NT4 System Policy Editor, SO LONG AS you resave the template in non-unicode format.
Been using it this week, and it seems to work fine.

Mike

#10 Rob Dunn

Posted 06 Sep 2005, 12:00

MDavies, on Tue 6th Sep 2005, 12:23 pm, said:

Hi,
Just read your FAQ - really useful, and nice work.

I have one requested addition to make please - the section on centrally updating WSUS to clients on a non-AD Domain (i.e. NT4 Domain). You don't have to use regedit (either manually or via script). You can use the wuau.adm template provided for use with GPO, in NT4 System Policy Editor, SO LONG AS you resave the template in non-unicode format.
Been using it this week, and it seems to work fine.

Mike


I've added the information, and am uploading right now (I've loosely paraphrased your comment) - I would like to find some step-by-step, uh, steps to put into the document. Do you have any on hand? Otherwise, I'll see if I can Google something later -

Thanks Mike!
Rob

#11 MDavies

Posted 07 Sep 2005, 05:31

Rob,
I don't want to repeat what has already been said by Microsoft, and other people, but here is my method.

The hint about saving the wuau.adm template in non-unicode format is here: http://support.micro...kb;en-us;325909

I am using the latest version of System Policy Editor, under XP-SP2.

All the settings are the same as for the AD GPO, and are well-documented in the Microsoft White papers, especially "Deploying Microsoft WSUS" by Tim Elhajj and Sean Bentley.

I edited the Default Computer object, after testing the settings with specific named Computer objects in my Domain. As with all NT4 Domain System Policy, you must save the resulting file as NTConfig.pol in the netlogon share of your domain controllers (typically the PDC has the master copy), and ensure that this file is replicated to all other BDCs in the Domain.

Reboot the client to pick up the setting changes. If you have access to regedit, you can check the appropriate keys to ensure the change has taken place.

WSUS detection, client update, and any approved installs should now happen according to your specified schedule.

I hope this helps.
Mike
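
The registry check mentioned at the end of the post above, as an added example that is not part of the original thread: a read-only PowerShell audit of the Automatic Updates policy values under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. The function names are made up for this example, and it assumes a client with PowerShell 3.0 or later (regedit shows the same values).

```powershell
# Added example (not from the FAQ or the thread): read-only audit of the
# Automatic Updates policy values a client received via GPO or NTConfig.pol.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

# Hypothetical helper: returns $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Hypothetical helper: collects the values and flags common misconfigurations.
function Test-WsusClientPolicy {
    $wuServer     = Get-PolicyValue $WuKey 'WUServer'
    $statusServer = Get-PolicyValue $WuKey 'WUStatusServer'
    $useWuServer  = Get-PolicyValue $AuKey 'UseWUServer'
    $auOptions    = Get-PolicyValue $AuKey 'AUOptions'
    $noReboot     = Get-PolicyValue $AuKey 'NoAutoRebootWithLoggedOnUsers'
    $findings     = @()

    if (-not $wuServer) {
        $findings += 'WUServer is missing: the policy has not reached this client.'
    } else {
        if ($wuServer -ne $statusServer) {
            $findings += "WUStatusServer ($statusServer) differs from WUServer ($wuServer)."
        }
        if ($wuServer -notmatch '^https://') {
            $findings += 'WUServer is not an https:// URL: update traffic is not protected in transit.'
        }
    }

    # WUServer only takes effect when AU\UseWUServer is 1.
    if ($useWuServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1: the client ignores WUServer.'
    }

    # AUOptions 4 = download automatically and install on the schedule.
    if ($auOptions -eq 4 -and $noReboot -ne 1) {
        $findings += 'Scheduled installs can restart the computer while a user is logged on (NoAutoRebootWithLoggedOnUsers is not 1).'
    }

    # Meaning of the AUOptions values, for the report.
    $auMeaning = @{
        2 = 'Notify before download'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically, install on schedule'
        5 = 'Local administrator chooses the setting'
    }
    $auText = 'not set'
    if ($null -ne $auOptions) { $auText = $auMeaning[[int]$auOptions] }

    [pscustomobject]@{
        WUServer       = $wuServer
        WUStatusServer = $statusServer
        UseWUServer    = $useWuServer
        AUOptions      = $auText
        NoAutoReboot   = $noReboot
        Findings       = $findings
    }
}

Test-WsusClientPolicy | Format-List
```

An empty Findings list means the values match what the policy is meant to set; values that revert after a reboot or logoff are being rewritten by some other mechanism, such as a system policy file or a logon script.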

#12 Rob Dunn

Posted 07 Sep 2005, 06:34

Awesome Mike - I added it to the FAQ, hopefully it will help some people.

Thanks!
Rob

#13 NTNEWS

Posted 01 Oct 2005, 23:53

Great FAQ! Thanks for all your hard work on this. I did want to point something out that I think may be incorrect. See the following FAQ

~~~~~~~~~~~~~~~~~~~
Q: Can I deploy Service Packs to Windows 2000?
Yes, WSUS is able to provide SP4 to Win2k SP3 computers.

Service Pack 4 for Windows 2000 is categorized under "Update Rollups" at the WSUS server. Verify that you have selected "Update Rollups" under update classification.

In the WSUS admin console:
Options --> Synchronization Options --> Press the "Change..." button under "Update classifications" --> Select "Update Rollups" if not already selected.

If it was not selected, save the settings, then do a new sync.
Afterward, to locate SP4 for Win2k, you can create a custom view that includes "Update Rollups", and you can use the following search text: Service Pack 4
~~~~~~~~~~~~~~~~~~~

I do not believe this is true. Although there is a Rollup update for Windows 2000 SP4 under the "Update Rollups" option, when I filter on ALL Service Packs, I find "Windows 2000 Service Pack 4 Network Install for IT Professionals".

Just wanted to confirm with you. Thanks again for all the work!! Hey, any idea on how to DELETE custom filters after you create them, as I created one saying "All SP but Windows 2000 SP4" :-)

Thanks
NTNEWS

#14 Rob Dunn

Posted 11 Nov 2005, 09:14

NTNEWS, on Sun 2nd Oct 2005, 12:53 am, said:

Great FAQ! Thanks for all your hard work on this. I did want to point something out that I think may be incorrect. See the following FAQ

~~~~~~~~~~~~~~~~~~~
Q: Can I deploy Service Packs to Windows 2000?
Yes, WSUS is able to provide SP4 to Win2k SP3 computers.

Service Pack 4 for Windows 2000 is categorized under "Update Rollups" at the WSUS server. Verify that you have selected "Update Rollups" under update classification.

In the WSUS admin console:
Options --> Synchronization Options --> Press the "Change..." button under "Update classifications" --> Select "Update Rollups" if not already selected.

If it was not selected, save the settings, then do a new sync.
Afterward, to locate SP4 for Win2k, you can create a custom view that includes "Update Rollups", and you can use the following search text: Service Pack 4
~~~~~~~~~~~~~~~~~~~

I do not believe this is true. Although there is a Rollup update for Windows 2000 SP4 under the "Update Rollups" option, when I filter on ALL Service Packs, I find "Windows 2000 Service Pack 4 Network Install for IT Professionals".

Just wanted to confirm with you. Thanks again for all the work!! Hey, any idea on how to DELETE custom filters after you create them, as I created one saying "All SP but Windows 2000 SP4" :-)

Thanks
NTNEWS


Sorry about the delay on this, I've updated the documentation.

To delete the custom query, you must select the query in your Update window, then click 'Change custom view'. When the 'Customize View' window comes up, you can click the 'Delete' button to remove the custom filter.

Rob

#15 serge~

Posted 05 Dec 2005, 01:06

And nothing in Russian... There is a lot of information about this great MS product in English, but there is no good info in Russian.
So, I really need help. Can someone publish links to the BITS 2.0 and Framework (ver. that is needed for WSUS)? Thanks.

#16 RonZoid

Posted 06 Dec 2005, 09:25

gc_metal

You're taking on a big task, I worry that you have way too much free time! :)

I already used your FAQ to find the reporting tools.

Keep up the good work!

Ronzoid

#17 Stiddy

Posted 13 Dec 2005, 11:13

Way to go Rob. Excellent write up. I feel knowledgeable in WSUS usage and techniques but picked up a few tips while reading and actually enjoyed reading it. Thanks for adding the html ability for those of us behind overly secure security admins filtering web traffic.

#18 Indiana Red

Posted 31 Mar 2006, 08:28

Excellent resource. Thanks. I have relied upon this FAQ heavily as a new IT person with very limited formal training and have been asked to get WSUS up and running on our network.
I particularly liked your "real world" comments on each section as the MS documentation reads a bit like an engineer wrote them. ; )
Thanks again B)

#19 paulmoityva

Posted 19 Jun 2006, 06:35

From what I read, WSUS is pull-based, rather than push; however, before I write WSUS off and venture over to SMS, I have a quick question. We have an environment in which I need to push out updates to web and database production servers, but cannot have the servers down for a restart without someone being here (for obvious reasons), and our maintenance times are certain days of the week between 4am - 6pm. So my question is: since I can't manually push out update requests, is it possible to use group policies to pull updates to our non-development and staging servers in a group in the WSUS database, and not restart automatically until manually rebooted? Or is there an easier way to achieve this?

This post has been edited by paulmoityva: 19 Jun 2006, 06:44

#20 Temarias

Posted 26 Sep 2006, 10:26

Hi Everyone,

I'm trying to use wuau.adm in NT4's System Policy Editor. I've taken off the unicode check and can add wuau.adm to the policy template without any error. However, when I click "Open Policy...", wuau.adm is not available and the system only gives me the option to view *.pol files. I read in another article that registry.pol is where the actual policy is held, but when I attempt to open registry.pol (with wuau.adm still available in the policy templates) I get "Unable to open C:\registry.pol: The system has attempted to load or restore a file into the Registry, but the specified file is not a Registry file format." I've attempted to open both wuau.adm and registry.pol on an NT4 and W2k machine, but to no avail. For some reason, I do not have a system policy editor on my XP SP2 machine. What am I doing wrong?

I'm trying to edit the file because I need to change some of the registry settings. I currently have one WSUS machine that services about ~180 PCs. The original WSUS server was set up by another admin, AdminX, who has since left. When AdminX configured the clients, he imported some reg keys, installed the Automatic Update Agent, and did a detect now -- all manually. I directly edit the reg keys in one client's registry, but each time the user logs off or restarts the machine, the settings go back to what AdminX set them to. So from this, I know that we are centrally configured; in addition, the Automatic Updates in Control Panel is greyed out. Our backend is NT and frontend is XP and some W2k machines. I've looked at the ntconfig.pol and there is no indication of WSUS settings. I changed the reg keys for the WSUS server itself, but when I reboot/logoff, the reg values go back to what AdminX set them to. We do not use the Local Group Policy, but I tried changing it anyway. Same thing happened, a reboot/logoff and back to AdminX settings.

I'm thinking that at some point AdminX started to use the logon script to create the reg keys for new clients. But I don't know how to view or edit an executable file. But when I log on to a new machine, none of the reg keys are there in HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. There are keys in HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\WindowsUpdate. Examples of these keys include AccountDomainSID and PingID. Can anyone brainstorm up another method AdminX used to centrally configure Automatic Updates? Thank you so very much!!!