The following features comprise the server-side component of the WSUS solution.
More updates
At least one WSUS server must connect to Microsoft Update to get updates and update information for Microsoft Windows, Office, SQL Server, and Exchange. Additional Microsoft product updates will become available on Microsoft Update in the future.
Specific updates can be set to download automatically
When a WSUS server downloads available updates, either from Microsoft Update or an upstream WSUS server, “synchronization” occurs.
Administrators can choose which updates are downloaded to a WSUS server during synchronization, based on the following criteria:
-
Product or product family (for example, Windows Server 2003 or Microsoft Office)
-
Update category (for example, Critical Updates, and Drivers)
-
Language (for example, English and Japanese only)
In addition, administrators can specify a schedule for synchronization to initiate automatically.
Automated actions for updates determined by administrator approval
An administrator must approve every automated action to be carried out for the update.
Approval actions include the following:
-
Install
-
Remove (this action is possible only if the update supports uninstall)
-
Detect-only
-
Decline
In addition, the administrator can enforce a deadline for install or remove (uninstall) update approvals. By setting a deadline, the action the administrator specifies initiates by a certain date and time. The administrator can force an immediate download by setting a deadline for a time in the past.
Ability to determine the applicability of updates before installing them
Administrators can estimate how many computers need an update by approving a detect-only action for an update. A detect-only action determines, by computer, if an update is appropriate for installation. This enables the administrator to analyze the update’s impact before actually planning and deploying the update for installation. When an administrator approves an update for detection, the detection occurs for computers the next time they communicate with the WSUS server.
The administrator can also create an automatic approval action for specific types of updates to be approved for either a detect action as well as for installation. Pre-approving updates for detection ensures applicability and need analysis can be automatically generated. Pre-approval of specific types of updates to a computer group gives administrators freedom from manually preparing test machines.
Updates classified as Critical Updates or Security Updates are automatically approved for detection.
Targeting
Targeting enables administrators to deploy updates to specific computers and groups of computers. This can be configured either on the WSUS server directly, on the WSUS server by using Group Policy in an Active Directory® network environment, or on the client computer by editing registry settings.
The following are examples of targeting-enabled tasks that administrators can perform.
-
Deploying new updates to a test computer group and then evaluating the updates before distributing them to the production environment.
-
Protecting computers that run specific applications. For example, if a critical update is incompatible with an application used by only certain computers, an administrator can make sure that the update is not distributed to those computers.
-
Specifying a deadline by which an update must be installed, and then setting different deadlines for different computers or computer groups.
Database options
The WSUS database stores update information, event information about update actions on client computers, and WSUS server settings.
Administrators have the following options for the WSUS database.
-
The Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) database that WSUS can install during setup on Windows Server 2003.
-
An existing Microsoft® SQL Server™ 2000 database.
-
An existing Microsoft Data Engine 2000 (MSDE) with Service Pack 3 (SP3) or later.
Replica synchronization
WSUS enables administrators to create an update management infrastructure consisting of a hierarchy of WSUS servers. WSUS servers can be scaled out to handle any number of clients.
With replica synchronization, updates, target groups, and approvals created by the administrator of the central WSUS server are automatically propagated to WSUS servers designated as replica servers. This is beneficial because branch clients get updates from a local server, and having an unreliable low-bandwidth link to the central server is not a problem for client/server communication. Also, update approval is controlled by the central server; administration is not required at the branch.
Reporting
Using the WSUS reports, administrators can monitor the following activity.
-
Update status
Administrators can assess and monitor the level of update compliance for their client computers on an ongoing basis using the Status of Update report, which provides status for update approval and deployment per update, per computer, and per computer group, based on all events that are sent from the client computer.
-
Computer status
Administrators can assess the status of client computers with respect to the status of updates on those computers-for example, a summary of updates that have been installed or are needed for a particular computer.
-
Computer compliance status
-
Administrators can view or print a summary of compliance information for a specific computer, including software and hardware information, WSUS activity, and update status.
-
Update compliance status
Administrators can view or print a summary of compliance information for a specific update, including the update properties and cumulative status for each computer group.
-
Synchronization (or download) status
Administrators can monitor synchronization activity and status for a given time period, and view the latest updates that have been downloaded.
-
WSUS configuration settings
Administrators can see a summary of options they have specified for their WSUS implementation. The report is in a printable format.
Extensibility
A software development kit (SDK) is available to enable administrators and developers to work with the .NET-based API.
Administrators can create custom code to manage both Automatic Updates and WSUS servers.
Developers can create management applications that integrate with WSUS.
Configurable communication options
Administrators have the flexibility of configuring computers to get updates directly from Microsoft Update, from an intranet WSUS server that distributes updates internally, or from a combination of both, depending on their network configuration.
Administrators can configure a WSUS server to use a custom port for connecting to the intranet or Internet, if appropriate. The default port used by a WSUS server is port 80.
Administrators can configure proxy server settings if the WSUS server connects to the Internet through a proxy server.
Import and export and data migration from the command line
Administrators can import and export update metadata and content between WSUS servers. This is a necessary task in a network with limited or restricted Internet connectivity.
Administrators can seamlessly migrate their previous administrative settings, content approvals and content from a SUS server to a WSUS server. This method can also be useful for consolidation of WSUS servers. For example, administrators can migrate approvals for specific target groups from one WSUS server to another.
Backup and restore
WSUS supports a number of options for backup and restore, including a command-line tool for backing up MSDE and WMSDE databases, NTbackup for update content files, and SQL Enterprise manager for SQL Server metadata.