Manage WSUS 3.0 SP2 from the Command Line

 

Applies To: Windows Server Update Services, Windows Small Business Server 2011 Standard, Windows Server 2008 R2, Windows Server 2003 with SP2, Windows Server 2008 R2 with SP1

You can use the wsusutil command-line utility that is provided with Windows Server Update Services (WSUS) 3.0 SP2 to manage WSUS. The wsusutil tool is located in the WSUSInstallDrive:\WSUSInstallDirectory**\Tools** folder on WSUS servers.

Note

wsusutil is not installed on non-WSUS servers on which the WSUS Administration Console is installed.

In this topic:

To run the wsusutil tool

  1. Log on to the WSUS server by using an account that is an administrator on the local computer.

  2. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.

  3. In the Command Prompt window, type the following command:

    Wsusutil /command /parameter

Summary of wsusutil commands

The following table summarizes the wsusutil commands:

Command Description
checkhealth This command checks the health of the WSUS server. The health check is configured by wsusutil healthmonitoring. The results are written to the event logs.

- Syntax: wsusutil checkhealth
configuressl Updates the WSUS server registry key after the Internet Information Services (IIS) configuration has changed.

- If this command is run with the optional ServerCertificateName parameter, the server certificate name is also updated.
- If this command is run without the ServerCertificateName parameter, it updates the host headers settings.
- Syntax: wsusutil configuressl<ServerCertificateName> ( <ServerCertificateName> is an optional parameter)
- The output is the address of the WSUS website (including the port number); for example, https://serverName:443.

For more information about how to configure Internet Information Services (IIS) and Secure Sockets Layer (SSL) for WSUS, see Configure Internet Information Services.
deletefrontendserver Deletes the specified front-end server from the WSUS database.

- Syntax: wsusutil deletefrontendserver serverName Important: This command removes the front-end server from the database only. You will need to run wsussetup /u on the front-end server to uninstall WSUS.
export The first part of the export/import process to synchronize a disconnected downstream WSUS server. Exports update metadata to an export package file. You cannot use this parameter to export update files, update approvals, or server settings.

- Syntax: wsusutil export package logfile
- See the export parameters table.

For more information about exporting and importing updates, see the Configure a Disconnected Network to Receive Updates section in the Windows Server Update Services3.0 SP2 Deployment Guide. Note: Exporting to or from a WSUS 2.0 server is not supported.
healthmonitoring Configures health monitoring values in the database. If new values are not specified, the current values are displayed.

 
  • Syntax: Wsusutil healthmonitoring parameterName
  • See the healthmonitoring parameters table.
  • The output from wsusutil parameterName is usually the current state of the given parameter, for example:

     
    • wsusutil healthmonitoring  IntervalsInMinutes

      Output: Detect interval: 10 min, Refresh interval: 360 min
    • wsusutil healthmonitoring  DiskSpaceInMegabytes

      Output: Error level: 200 MB, Warning level: 500 MB
  • When a health monitoring check parameter (for example, wsusutil healthmonitoringCheckAcls) is set on or off, the output will simply be a warning that the WSUS Service must be stopped and restarted for the change to take effect.
 Note: You can set or get only one parameter at a time.
import The second part of the export/import process. Imports update metadata to a server from an export package file that was created on another WSUS server. This command synchronizes a disconnected destination WSUS server.

- Syntax: wsusutil import package logfile
- See the import parameters table.
listfrontendservers This command lists the front-end servers in a network load balancing (NLB) configuration. It can be useful in troubleshooting an NLB configuration and after setting up a new front-end server to make sure that it is configured properly.
listinactiveapprovals Returns a list of approved update titles that are in a permanently inactive state because of a change in server language settings.

- If you change language options on an upstream WSUS server, the number of approved updates on the upstream server may not match the number of approved updates on a replica server. For example, you configure your upstream server to synchronize all languages, then synchronize and approve 300 updates, of which 50 are non-English language updates. Afterward, you change the language setting on the server to English only. Later, a replica server synchronizes from the upstream server and downloads the "active" approvals, which are now only the English language updates (replica servers synchronize only active approvals). At this point, you will see 300 updates approved on the upstream server, but only 250 approved on the replica server. You can use listinactiveapprovals to see a list of the updates on the parent upstream server that are permanently inactive—in this case, the 50 updates that are not English. You do not have to run this command before running the removeinactiveapprovals command.
- Syntax: wsusutil listinactiveapprovals
movecontent Changes the file system location where the WSUS server stores update files, and optionally copies any update files from the original location to the new location

See the Movecontent section for more information.
removeinactiveapprovals Removes approvals for updates that are in a permanently inactive state because of a change in WSUS server language settings.

- Syntax: wsusutil removeinactiveapprovals
reset You use this command if you store updates locally on your WSUS server, and you want to ensure that the metadata information stored in your WSUS database is accurate.

- With this command, you verify that every update metadata row in the WSUS database corresponds to update files that are stored in the local update file storage location on your WSUS server. If update files are missing or have been corrupted, WSUS downloads the update files again. This command might be useful to run after you restore your database, or as a first step when troubleshooting update approvals.
- Syntax: wsusutil reset
usecustomwebsite - If set to true, WSUS Setup will use port 8530 for its default website. If you set it to false, WSUS will use port 80.
- Syntax: wsusutil usecustomwebsite true Important:  
  • You must use this command before you configure SSL.
  • If you are installing SharePoint on the same computer as WSUS, the value of usecustomwebsite should be set to true before the installation.
  • Using this command after running WSUS Setup will fail if the index of the default website is set to a value other than 1.

Healthmonitoring parameters

Parameter Description
IntervalsInMinutes `` [DetectInterval] [RefreshInterval] Sets the values for detect and refresh intervals. If the detect interval is 0, the detect cycle will not run. If the refresh interval is 0, the refresh cycle will not run.

For more information about the detect and refresh cycles, see Health monitoring in WSUS 3.0 SP2.
DiskSpaceInMegabytes  [ErrorLevel] [WarningLevel] Sets the amount of available disk space (in megabytes) at which a low disk space warning or error event should be logged.
CatalogSyncIntervalInDays `` [Days] Sets the number of days that should have passed after synchronization before a warning event is logged.
InstallUpdatesInPercent `` [WarningPercent][ErrorPercent] Sets the percentage of update installation failures at which a warning or error event is given.
InventoryInPercent [WarningPercent][ErrorPercent] Sets the percentage of inventory reporting failures at which a warning or error is given.
SilentClientsInPercent `` [WarningPercent][ErrorPercent] Sets the percentage of client computers not reporting to the server at which a warning or error should be given.
SilentClientsInDays `` [Days] Sets the number of days that client computers can fail to report before an error should be given.
TargetComputersInPercent [WarningPercent][ErrorPercent] Sets the maximum percentage of target computers reporting to this server below which a warning or error event should be given. For example, if you set values of 80 and 60, a warning event will be logged if only 80 percent of computers have reported, and an error event will be logged if only 60 percent of computers have reported.
CheckAcls `` on|off On indicates to check ACLs on the relevant directories.
CheckForLowDiskSpace `` on|off On indicates to check for low disk space.
CheckForCatalogSyncFailures `` on|off On indicates to check for catalog synchronization failures.
CheckForContentSyncFailures `` on|off On indicates to check for content synchronization failures.
CheckForEmailNotificationFailures `` on|off On indicates to check for email notification failures.
CheckSelfUpdate `` on|off On: check for client self-update failures.
CheckClientsExist `` on|off On indicates to check whether this server has any client computers.
CheckForUpdateInstallFailures `` on|off On: check for update installation failures.
CheckForInventoryFailures `` on|off On indicates to check for client computers that fail to report inventory.
CheckForSilentClients `` on|off On indicates to check for client computers that failed to report to the server.
CheckForTooManyClients `` on|off On indicates to check whether the number of client computers is approaching the maximum number allowed.
CheckReportingWebService `` on|off On indicates to check the Reporting web service.
CheckApiRemotingWebService  on|off On indicates to check the API Remoting web service.
CheckServerSyncWebService  on|off On indicates to check the Server Synchronization web service.
CheckClientWebService `` on|off On indicates to check the client web service.
CheckSimpleAuthWebService `` on|off On indicates to check the Simple Authentication web service.
CheckDssAuthWebService `` on|off On indicates to check the Downstream Server Authentication web service.

Export parameters

Parameter Description
package The path and file name of the.cab file to create.
logfile The path and file name of the log file to create.

Import parameters

Parameter Description
package The path and file name of the.cab file to import.
logfile The path and file name of the log file to import.

Movecontent

When you run this command, wsusutil does the following:

  • Copies the update files from the old location to the new location. The old location is not deleted.

  • Updates the WSUS database to refer to the new location of the update files.

  • Ensures that the content and metadata are synchronized. This check is always run, even if the –skipcopy parameter is used.

The destination folder to which update files are moved must be on an NTFS partition. The utility will not try to copy update files if they already exist in the destination folder. The destination folder will have the same permissions that were set for the original folder.

Note

You can use xcopy, the Backup utility, or other methods to copy update files from the old location to the new one. If you copy the files by using a method other than wsusutil, you still need to run wsusutil to perform the second part of the move, which is using the -skipcopy parameter. See the Syntax section for more information.

There are two scenarios in which you might move update files from one WSUS hard disk drive to another:

  • If the hard disk drive is full

  • If the hard disk drive fails

If the hard disk drive is full

If the hard disk drive where WSUS stores update files is full, you can do one of the following:

  • Add more space to your current hard disk drive by using NTFS functionality. This operation can be done without using wsusutil, because it does not affect WSUS configuration or operation.

  • Install a new hard disk drive, and then move the update files from the old hard disk drive to the new location by using wsusutil.

If the hard disk drive fails

If the hard disk drive fails, you must do the following:

  1. Install a new hard disk drive on your computer, and then restore the update files from your backup files.

Note

If you have not backed up your update files, WSUSutil.exe downloads the missing files at the end of the content move operation.

  1. Run wsusutil movecontent newLocation, and specify the location for the new hard disk drive. In addition, you specify the –skipcopy parameter, because you are putting the files in the new folder through the backup utility, or the source folder does not exist. The update files will be downloaded at the end of this process.

  2. When the move operation is complete, all the missing files are downloaded.

Syntax

wsusutil movecontent contentpath logfile -skipcopy

Movecontent parameters

Parameter Description
contentpath The new root for content files. The path must exist.
logfile The path and file name of the log file to create.
-skipcopy Indicates that only the server configuration should be changed, and that the content files should not be copied.