Export (0) Print
Expand All

Managing WSUS 3.0 from the Command Line

Applies To: Windows Server 2003 with SP2, Windows Server 2008, Windows Server Update Services

The wsusutil command-line utility is used in managing WSUS servers and is located in the WSUSInstallDir\Tools folder of WSUS servers. The table below summarizes the different parameters that can be used with this utility, and later sections explain the syntax and usage of each parameter.

noteNote
You can also use Windows® PowerShell® to access the WSUS 3.0 APIs from the command line.

You must be an administrator to run the wsusutil utility. This utility is installed only on WSUS server machines, not on console-only installations.

noteNote
To see all wsusutil parameters, type wsusutil help on the command line. To see usage for each of the parameters, type wsusutil helpparameterName.

Summary of wsusutil Commands

Command Description

configuressl

Updates the WSUS server registry key after the IIS configuration has changed.

healthmonitoring

Configures health monitoring values in the database. If new values are not specified, the current values are displayed.

export

Part of the export/import process used to synchronize a downstream WSUS without using a network connection.

Exports update metadata to an export package file. You cannot use this parameter to export update files, update approvals, or server settings.

import

The second part of the export/import process.

Imports update metadata to a server from an export package file created on another WSUS server. This synchronizes the destination WSUS server without using a network connection.

movecontent

Changes the file system location where the WSUS server stores update files, and optionally copies any update files from the old location to the new location

listfrontendservers

Lists the front-end servers related to this WSUS server.

deletefrontendserver

Deletes the specified front-end server from the WSUS database.

checkhealth

Checks the health of the WSUS serve. Results will appear in the Application Event log.

reset

Checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, downloads the update files again.

listinactiveapprovals

Returns a list of update titles with approvals that are in a permanently inactive state because of a change in server language settings.

removeinactiveapprovals

Removes approvals for updates that are in a permanently inactive state because of a change in WSUS server language settings.

usecustomwebsite

Changes the port number used by the WSUS Web services from 80 to 8530 or vice versa.

Updates the WSUS server registry key after the IIS configuration has changed. If this command is run with the optional parameter ServerCertificateName, it updates the certificate name. If it is run without the optional parameter, it updates the setting for host headers, if there are any. For more information about configuring SSL for WSUS, see "Securing WSUS with the Secure Sockets Layer" in Deploying Microsoft Windows Server Update Services (http://go.microsoft.com/fwlink/?linkid=79983).

The following command updates the host headers, if any:

wsusutil configuressl

The following command updates the server certificateName:

wsusutil configuressl  ServerCertificateName //sets the server certificate name

 

Parameter Description

ServerCertificateName

An optional parameter. When present, it provides the name in the Issued to field of the server certificate.

The output from the wsusutil configuressl command is the address of the WSUS Web site (including the port number), for example https://serverName:443.

This command sets and gets the different parameters for WSUS health monitoring.

Wsusutil healthmonitoring  parameterName

noteNote
You may set or get only one parameter at a time.

 

Parameter Description

IntervalsInMinutes   [DetectInterval] [RefreshInterval]

Sets the values for detect and refresh intervals. If the detect interval is 0, the detect cycle will not run. If the refresh interval is 0, the refresh cycle will not run. For more information about the detect and refresh cycles, see Health Monitoring in WSUS 3.0.

DiskSpaceInMegabytes   [ErrorLevel] [WarningLevel]

Sets the amount of available disk space (in megabytes) at which a low disk space warning or error event should be logged.

CatalogSyncIntervalInDays   [Days]

Sets the number of days that should have passed after synchronization before a warning event should be logged..

InstallUpdatesInPercent   [WarningPercent][ErrorPercent]

Sets the percentage of update installation failures at which a warning or error event should be given.

InventoryInPercen[WarningPercent][ErrorPercent]

Sets the percentage of inventory reporting failures at which a warning or error should be given.

SilentClientsInPercent   [WarningPercent][ErrorPercent]

Sets the percentage of clients not reporting to the server at which a warning or error should be given.

SilentClientsInDays   [Days]

Sets the number of days clients can fail to report before an error should be given.

TargetComputersInPercent[WarningPercent][ErrorPercent]

Sets the maximum percentage of target computers reporting to this server below which a warning or error event should be given. For example, if you set values of 80 and 60, a warning event will be logged if only 80 percent of computers have reported, and an error event will be logged if only 60 percent of computers have reported.

CheckAcls   on|off

If on, health monitoring should check ACLs on the relevant directories.

CheckForLowDiskSpace   on|off

If on, health monitoring should check for low disk space.

CheckForCatalogSyncFailures   on|off

If on, health monitoring should check for catalog synchronization failures.

CheckForContentSyncFailures   on|off

If on, health monitoring should check for content synchronization failures.

CheckForEmailNotificationFailures   on|off

If on, health monitoring should check for e-mail notification failures.

CheckSelfUpdate   on|off

If on, health monitoring should check for client self-update failures.

CheckClientsExist   on|off

If on, health monitoring should check whether this server has any clients.

CheckForUpdateInstallFailures   on|off

If on, health monitoring should check for update installation failures.

CheckForInventoryFailures   on|off

If on, health monitoring should check for clients failing to report inventory..

CheckForSilentClients   on|off

If on, health monitoring should check for clients that have failed to report to the server.

CheckForTooManyClients   on|off

If on, health monitoring should check whether the number of clients is approaching the maximum number allowed.

CheckReportingWebService   on|off

If on, health monitoring should check the Reporting Web service.

CheckApiRemotingWebService  on|off

If on, health monitoring should check the API Remoting Web service.

CheckServerSyncWebService  on|off

If on, health monitoring should check the Server Synchronization Web service.

CheckClientWebService   on|off

If on, health monitoring should check the client Web service.

CheckSimpleAuthWebService   on|off

If on, health monitoring should check the Simple Authentication Web service.

CheckDssAuthWebService   on|off

If on, health monitoring should check the Downstream Server Authentication Web service.

The output from wsusutil paramName is usually the current state of the given parameter. Some examples are given below:

wsusutil healthmonitoring IntervalsInMinutes

Output:

Detect interval: 10 min, Refresh interval: 360 min

wsusutil healthmonitoring DiskSpaceInMegabytes

Output:

Error level: 200 MB, Warning level: 500 MB

However, with the parameters setting on or off the different health monitoring checks (for example, wsusutil healthmonitoringCheckAcls), the output will simply be a warning that the WSUS Service must be stopped and restarted for the change to take effect.

For more information about exporting and importing updates, see "Set Up a Disconnected Network (Import and Export Updates)" in Deploying Microsoft Windows Server Update Services (http://go.microsoft.com/fwlink/?linkid=79983).

wsusutil export package logfile

 

Parameter Description

package

The path and file name of the package .cab to create.

logfile

The path and file name of the log file to create.

noteNote
Exporting from a WSUS 2.0 server to a WSUS 3.0 server (or from a WSUS 3.0 server to a WSUS 2.0 server) is not supported.

For background and procedural information about exporting and importing updates, see "Set Up a Disconnected Network (Import and Export Updates)" in Deploying Microsoft Windows Server Update Services (http://go.microsoft.com/fwlink/?linkid=79983).

wsusutil import package logfile

 

Parameter Description

package

The path and file name of the package .cab to import.

logfile

The path and file name of the log file to import.

noteNote
Importing from a WSUS 2.0 server to a WSUS 3.0 server (or from a WSUS 3.0 server to a WSUS 2.0 server) is not supported.

When you run this command, wsusutil does the following:

  • Copies the update files from the old location to the new location. The old location is not deleted.

  • Updates the WSUS database to refer to the new location of the update files.

  • Ensures that the content and metadata are synchronized. This check is always run, even if the –skipcopy parameter is used.

The destination folder to which update files are moved must be on an NTFS partition. The utility will not try to copy update files if they already exist in the destination folder. The destination folder will have the same permissions that were set on the original folder.

noteNote
You can use xcopy, the Backup utility, or other methods to copy update files from the old location to the new one. If you copy the files by using a method other than wsusutil, you still need to run wsusutil to perform the second part of the move, using the -skipcopy parameter. See the "Syntax" section for more information.

There are two scenarios in which you might move update files from one WSUS drive to another:

  • If the drive is full

  • If the hard disk fails

If the drive where WSUS stores update files is full, you can do one of the following:

  • Add more space to your current drive by using NTFS functionality. This operation can be done without using wsusutil, because it does not affect WSUS configuration or operation.

  • Install a new drive, and then move the update files from the old drive to the new location by using wsusutil.

If the hard disk fails, you must do the following:

  1. Install the new disk on your computer, and then restore the update files from your backup files. Note: If you have not backed up your update files, WSUSutil.exe downloads the missing files at the end of the content move operation.

  2. Run wsusutil movecontent newLocation, specifying the location for the new disk. In addition, you specify the -skipcopy parameter, because you are either putting the files in the new folder through the backup utility or the source folder does not exist; the update files will be downloaded at the end of this process.

  3. When the move operation is complete, all the missing files are downloaded.

wsusutil movecontent contentpath logfile -skipcopy

 

Parameter Description

contentpath

The new root for content files. The path must exist.

logfile

The path and file name of the log file to create.

-skipcopy

Indicates that only the server configuration should be changed, and that the content files should not be copied.

This command lists the different front-end servers in a network load balancing configuration. It can be useful in troubleshooting a NLB (network load balancing) configuration and after setting up a new front-end server to make sure that it is configured properly.

This command deletes the given front-end server.

wsusutil deletefrontendserver serverName

 

Parameter Description

serverName

The name of the front-end server to be deleted.

ImportantImportant
This command removes the front-end server from the database only. You will need to run wsussetup /u on the front-end server to uninstall WSUS.

This command checks the health of the WSUS server. The health check is configured by wsusutil healthmonitoring). The results are written to the event logs.

wsusutil checkhealth

You use this command if you store updates locally on your WSUS server and want to ensure that the metadata information stored in your WSUS database is accurate. With this command, you verify that every update metadata row in the WSUS database corresponds to update files stored in the local update file storage location on your WSUS server. If update files are missing or have been corrupted, WSUS downloads the update files again. This command might be useful to run after you restore your database, or as a first step when troubleshooting update approvals.

wsusutil reset

If you change language options on an upstream WSUS server, the number of approved updates on the upstream server may not match the number of approved updates on a replica server. For example, consider the following scenario. You configure your upstream server to synchronize all languages, then synchronize and approve 300 updates, of which 50 are non-English language updates. Afterward, you change the language setting on the server to English only. Later, a replica server synchronizes from the upstream server and downloads the "active" approvals, which now are only the English language ones (replica servers synchronize only active approvals). At this point, you will see 300 updates approved on the upstream server, but only 250 approved on the replica server. You can use listinactiveapprovals to see a list of the updates on the parent upstream server that are permanently inactive—in this case, the 50 updates that are not English. You do not have to run this command before running the removeinactiveapprovals command.  

wsusutil listinactiveapprovals

See the explanation above for a description of situations in which you might need to use removeinactiveapprovals. You do not have to run the listinactiveapprovals command before running this command.  

wsusutil removeinactiveapprovals

If you set this value to true, WSUS Setup will use port 8530 for its Default Web site. If you set it to false, WSUS will use port 80.

ImportantImportant
You must use this command before you configure SSL.

ImportantImportant
If you are installing SharePoint on the same machine as WSUS, the value of usecustomwebsite should be set to true before the install.

ImportantImportant
Using this command after running WSUS Setup will fail if the index of the default Web site is set to a value other than 1.

wsusutil usecustomwebsite true

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft