Features of Windows Server Update Services
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server Update Services
The following features comprise the server-side component of the WSUS solution.
At least one WSUS server must connect to Microsoft Update to get updates and update information for Microsoft Windows, Office, SQL Server, and Exchange. Additional Microsoft product updates will become available on Microsoft Update in the future.
When a WSUS server downloads available updates, either from Microsoft Update or an upstream WSUS server, “synchronization” occurs.
Administrators can choose which updates are downloaded to a WSUS server during synchronization, based on the following criteria:
Product or product family (for example, Windows Server 2003 or Microsoft Office)
Update category (for example, Critical Updates, and Drivers)
Language (for example, English and Japanese only)
In addition, administrators can specify a schedule for synchronization to initiate automatically.
An administrator must approve every automated action to be carried out for the update.
Approval actions include the following:
Remove (this action is possible only if the update supports uninstall)
In addition, the administrator can enforce a deadline for install or remove (uninstall) update approvals. By setting a deadline, the action the administrator specifies initiates by a certain date and time. The administrator can force an immediate download by setting a deadline for a time in the past.
Administrators can estimate how many computers need an update by approving a detect-only action for an update. A detect-only action determines, by computer, if an update is appropriate for installation. This enables the administrator to analyze the update’s impact before actually planning and deploying the update for installation. When an administrator approves an update for detection, the detection occurs for computers the next time they communicate with the WSUS server.
The administrator can also create an automatic approval action for specific types of updates to be approved for either a detect action as well as for installation. Pre-approving updates for detection ensures applicability and need analysis can be automatically generated. Pre-approval of specific types of updates to a computer group gives administrators freedom from manually preparing test machines.
Updates classified as Critical Updates or Security Updates are automatically approved for detection.
Targeting enables administrators to deploy updates to specific computers and groups of computers. This can be configured either on the WSUS server directly, on the WSUS server by using Group Policy in an Active Directory® network environment, or on the client computer by editing registry settings.
The following are examples of targeting-enabled tasks that administrators can perform.
Deploying new updates to a test computer group and then evaluating the updates before distributing them to the production environment.
Protecting computers that run specific applications. For example, if a critical update is incompatible with an application used by only certain computers, an administrator can make sure that the update is not distributed to those computers.
Specifying a deadline by which an update must be installed, and then setting different deadlines for different computers or computer groups.
The WSUS database stores update information, event information about update actions on client computers, and WSUS server settings.
Administrators have the following options for the WSUS database.
The Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) database that WSUS can install during setup on Windows Server 2003.
An existing Microsoft® SQL Server™ 2000 database.
An existing Microsoft Data Engine 2000 (MSDE) with Service Pack 3 (SP3) or later.
WSUS enables administrators to create an update management infrastructure consisting of a hierarchy of WSUS servers. WSUS servers can be scaled out to handle any number of clients.
With replica synchronization, updates, target groups, and approvals created by the administrator of the central WSUS server are automatically propagated to WSUS servers designated as replica servers. This is beneficial because branch clients get updates from a local server, and having an unreliable low-bandwidth link to the central server is not a problem for client/server communication. Also, update approval is controlled by the central server; administration is not required at the branch.
Using the WSUS reports, administrators can monitor the following activity.
Administrators can assess and monitor the level of update compliance for their client computers on an ongoing basis using the Status of Update report, which provides status for update approval and deployment per update, per computer, and per computer group, based on all events that are sent from the client computer.
Administrators can assess the status of client computers with respect to the status of updates on those computers-for example, a summary of updates that have been installed or are needed for a particular computer.
Computer compliance status
Administrators can view or print a summary of compliance information for a specific computer, including software and hardware information, WSUS activity, and update status.
Update compliance status
Administrators can view or print a summary of compliance information for a specific update, including the update properties and cumulative status for each computer group.
Synchronization (or download) status
Administrators can monitor synchronization activity and status for a given time period, and view the latest updates that have been downloaded.
WSUS configuration settings
Administrators can see a summary of options they have specified for their WSUS implementation. The report is in a printable format.
A software development kit (SDK) is available to enable administrators and developers to work with the .NET-based API.
Administrators can create custom code to manage both Automatic Updates and WSUS servers.
Developers can create management applications that integrate with WSUS.
Administrators have the flexibility of configuring computers to get updates directly from Microsoft Update, from an intranet WSUS server that distributes updates internally, or from a combination of both, depending on their network configuration.
Administrators can configure a WSUS server to use a custom port for connecting to the intranet or Internet, if appropriate. The default port used by a WSUS server is port 80.
Administrators can configure proxy server settings if the WSUS server connects to the Internet through a proxy server.
Administrators can import and export update metadata and content between WSUS servers. This is a necessary task in a network with limited or restricted Internet connectivity.
Administrators can seamlessly migrate their previous administrative settings, content approvals and content from a SUS server to a WSUS server. This method can also be useful for consolidation of WSUS servers. For example, administrators can migrate approvals for specific target groups from one WSUS server to another.
WSUS supports a number of options for backup and restore, including a command-line tool for backing up MSDE and WMSDE databases, NTbackup for update content files, and SQL Enterprise manager for SQL Server metadata.
The following features comprise the client-side component of the WSUS solution.
In an Active Directory directory service environment, administrators can configure the behavior of Automatic Updates by using Group Policy. In other cases, administrators can remotely configure Automatic Updates using registry keys through the use of a logon script or similar mechanism.
Administrator capabilities for configuring client computers include the following:
Configuring scheduling and notification options for users through Group Policy.
Configuring how often the client computer checks the update source (either Microsoft Update or another WSUS server) for new updates.
Configuring Automatic Updates to install updates that do not require reboots or service interruptions as soon as it finds them and not wait until the scheduled automatic installation time.
Managing client computers through the Component Object Model (COM)–based API. An SDK is available.
If connected to a WSUS server, client computers can detect if a newer version of Automatic Updates is available, and then upgrade their Automatic Updates service automatically.
Automatic Updates can download and install specific updates that are truly applicable to the computer. Automatic Updates works with the WSUS server to evaluate which updates should be applied to a specific client computer. This is initiated by approving an update for detect-only.
The Automatic Updates service works in the background so that the perceptible impact on employee productivity and network functionality is minimal.
Automatic Updates consolidates updates that require computer restarts into a single restart.
Automatic Updates eliminates the need for users in a managed environment to interact with end user license agreements (EULAs). EULAs are accepted on the WSUS server by administrators on behalf of client computers
BITS 2.0 employs delta compression to facilitate downloads that are invisible to the user. For example, after Automatic Updates downloads an update to a client computer, it will continue to monitor either the upstream WSUS server or Microsoft Update, and then download only changes in an update file to the client computer. This technology also enables efficient distribution of service packs through Automatic Updates.