Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.

Hi All,
I have been given a task to implement WSUS only for the servers (Windows Server 2012 R2) to get updates. The scope is for all servers to receive updates from the WSUS server and install automatically (I have enabled auto update and scheduled install). But I have been instructed not to enable auto restart after update. Please recommend the best-practice GPO settings to fulfill the following requirements -
Auto install
Scheduled update
No auto restart (I have been instructed to perform manual restart on a monthly basis) - doesn't matter whether a user is logged in or not

Block Windows update from Internet, but only to SCCM for Windows 7 and 10

We're moving our Windows update scheme from direct Microsoft Update to internal SCCM/WSUS.

So I need to block Windows updates through GPO.
One that I found is this item, "Remove access to use all windows update features", which is under two hives: the one in Computer Policy can be applied only to Windows 10 and above, and the one under User Policy can be applied to both Windows 7 and 10, as I read the description. I am not sure if this is correct, but as I read the description through GPMC, it looks true. Then there is 'Turn off access to all Windows Update Features', which has exactly the same description as "Remove access to use all windows update features" under Computer Policy. So I guess 'Turn off access to all Windows Update Features' is the one to go with? GPO items look complicated; I don't know why two items with different names have the same description.

Also, the description says it "Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update". Does it imply that if I enable this, it will block Windows update from SCCM/WSUS as well?

1. Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Remove access to use all windows update features

"This setting allows you to remove access to scan Windows Update.

If you enable this …

I am successfully using WSUS to update our fleet.
I have an issue with the timing of the installation and reboots, particularly of servers.

At 4am (scheduled install time) all servers download, install and reboot.
Which is what it's meant to do.
The issue I have is that often the reboots happen within minutes of each other, and worse, may have all Active Directory servers rebooting at exactly the same time, so for a few minutes there are no AD servers on the network.

I want to be able to randomise the reboots by 1 hour so that they don't all occur at exactly the same time.

I looked at the Maintenance Scheduler GPO settings which should allow randomisation, so that the Automatic Maintenance runs at 3am (plus or minus 1 hour), which should install updates and reboot if needed. But this doesn't seem to work.

My GPO settings are as below:

Computer Configuration (Enabled)
Administrative Templates

Windows Components/Maintenance Scheduler

Automatic Maintenance Activation Boundary Enabled  
Regular maintenance activation boundary 2000-01-01T03:00:00

Automatic Maintenance Random Delay Enabled  
Regular maintenance random delay PT1H

Windows Components/Windows Update

Allow Automatic Updates immediate installation Enabled  
Automatic Updates detection frequency Enabled  
Check for updates at the following interval (hours): 6

Configure Automatic Updates Enabled  
Configure automatic updating: 4 - Auto …

We have a WSUS server running and it has been working just fine for months, but the other day I noticed that there were 18 computers sitting under the Unassigned Group and not under the Desktop group we created. The rest of the computers, which is about 190, are in the Desktop group. Now we are using the GP for the PCs to go to the Desktop group that we created. When I move these 18 computers back to the Desktop group, after a while they all end up going back to the Unassigned Group.
What is causing this and how can I resolve it?

Is downloading different OS updates sequentially using WSUS possible?

Query: Set WSUS for “Win 7” updates, approve and download. Move the downloaded updates to another folder. Change the setting to “Win 10” updates, approve and download.
While performing image testing, if images are created using different versions (builds), to test two images (2013/2017 with different builds), is there any difference in the updates that get downloaded using WSUS? If yes, then how to manage this using WSUS?
I need to present the computer status tabular reports in the form of pie charts and then have the report sent automatically. Please help me with how I can go about it. I am quite new to this so would appreciate answers in the most basic form if possible.
Thank you.

I need to present the computer status tabular reports in the form of pie charts and then have the report sent automatically. Please help me with how I can go about it.
Thank you.

Windows Server 2003 gets a synchronization failure with the following error. What's wrong? How to fix it?

WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()

SCCM (2012R2) shows server updates for Win 2008 X64 or Win 2012 X64 which are not installed but also not required. Why are they not required?
I am new to SCCM Windows patching, and while some patches are installing just fine, others show as not required despite the fact that I have a few hundred servers running 2008 and 2012. Why is it that these updates are not required?

Thanks in advance.

Windows 2008 R2 Server Failing to install updates
Windows 2012 R2 Server running WSUS 4.0
Other servers updating fine.

One update fails to apply; this is after we lost power to the data center. All machines came back up with now errors.
This is a physical box running Exchange Server 2010

The update is KB915597  Defender update

The server continues to report to the WSUS server every 6 hours per GPO policy in place

I ran this process on the server

Please try the following steps on your client:

1. Stop the Automatic Updates service and BITS service.

net stop wuauserv

net stop bits

2. Delete “%windir%\softwaredistribution” directory.

3. Start the Automatic Updates service and BITS service. When these two services
have been started, they will auto-create “softwaredistribution” and its subfolder
at system directory.

net start wuauserv

net start bits

4. After the “%windir%\softwaredistribution” directory has been generated, please
let the client contact the WSUS server immediately.

wuauclt.exe /resetauthorization /detectnow

If the problem still exists, please check %windir%\windowsupdate.log
and post the error message in this thread

In the Windowsupdate.log I see this

2018-03-09      21:46:29:060      2040      40e8      Handler      :::::::::::::
2018-03-09      21:46:29:060      2040      40e8      Handler      :: START ::  Handler: Command Line Install
2018-03-09      21:46:29:060      2040      40e8      Handler      :::::::::
2018-03-09      21:46:29:060      2040      40e8      Handler        : Updates …

Recently installed WSUS 3.0 SP2 on a new install of 2008 R2. The issue I'm having is that sometimes the MMC console has an error "reset server node" when attempting to display updates. This is accompanied by event ID 7053. I have installed KB2720211 and .NET 4.6.2, and we are using WID for the database. Is there a value that can be increased, timeout or otherwise?
Thank you

I have Windows 2016 and I install WSUS role.
First time everything is working fine.
After I start sync, when I reload the WSUS console and when I click on sync, it's give me after 2min that it's can connect to WSUS server.

I'm having some problems downloading updates with the WSUS server.
Windows server 2008 R2
WSUS 3.2

Update Service uses a domain-admin user. The server has internet access.

Fails when try to download WSUS updates and event ID 364 appear.

Event ID 364
Content file download failed. Reason: The operation being requested was not performed because the user has not logged on to the network. The specified service does not exist. (Exception from HRESULT: 0x800704DD) Source File: /msdownload/update/software/crup/2010/06/ Destination File: d:\WSUS\WsusContent\EB\

Any clue? I've been searching every forum and still can't solve this problem.

We recently upgraded our WSUS to a Windows 2012 server following the process outlined in one of the articles on the web. The upgrade process went to plan; I deleted the original WSUS server after taking a complete backup, and the new machine was added to the domain with the original name and IP address. For some reason none of the clients are reporting back to the server. I have attached a log from my workstation where you can see that it is complaining that it cannot contact the web server:

[webserviceinfra]WS error: There was an error communicating with the endpoint at 'http://mpau-wsus/SimpleAuthWebService/SimpleAuth.asmx'.

I am stuck with how to proceed from here. Any help would be appreciated

WSUS server failed to download the kb4022730 update. I could not conclude this issue, and when I check eventvwr it is showing Event Id=364 and 10032.
I am using WSUS on 2012r2 and using WID.
The only problem is with downloading kb4022730. All the rest of the updates are good.

Any reply can be helpful to me. Thanks in advance.

Hello all,

Some of our machines are in WSUS, but they are not taking updates. I looked up the computer in WSUS and it shows updates have unknown status. We have 20 WIN10 test machines; 16 are good but 4 machines are showing no status.
Any suggestions?

I have a detached WSUS server that I can't get to import updates correctly.  I export the metadata and move the content files from my attached server, run the wsusutil.exe import command,  and I see the new updates available for approval.  Once I approve the new updates it never "downloads" the files even though the files are present in the correct directory on the import server.  When I look in the SoftwareDistribution log I see an error that says the following:

 "Warning w3wp.8SoapExceptionProcessor.SerializeAndThrow Discarding stack trace for user DOMAINNAME\, IP Address x.x.x.x, exception System.Security.SecurityException: Request for principal permission failed.
 at System.Security.Permissions.PricipalPermission.ThrowSecurityException()
 at System.Security.Permissions.PricipalPermission.Demand()
 at System.Security.PermissionSet.DemanNonCAS()
 at MicrosoftUpdateServices.Internal.DatabaseAccess.AdminDataAccess.ExecuteSPGetComputerCount(StringcomputerTargetScopeXmll)
 at MicrosoftUpdateServices.Internal.ApiRemoting.Exeecute.SPGetComputerCount(String computerTargetScopeXml)
 The action that failed was:
 The type of the first permission that failed was:

Anyone have any suggestions on what I need to do to get this fixed?

None of my 2012 servers are able to update. There are no GPOs preventing updates and no WSUS server. Registry shows defaults and no update servers. I'm at a loss. Where else might I look please?

What will happen when I delete all superseded updates in WSUS? Is it safe to decline them all?

Why doesn't WSUS Cleanup Tool find and clean all these superseded updates if they aren't needed? Why is there shown a warning that indicates the superseded update might still be needed?

The WSUS built-in cleanup-wizard seems to leave a lot of unnecessary updates on a WSUS server. When the number of updates available exceeds a certain amount, WSUS clients stop being able to update and start generating time out errors.

   If this is the case, and I'm not saying it isn't, then why does WSUS recommend verifying a superseded update is no longer needed by any computers?  If superseded updates are never needed after their superseding successors are released, we shouldn't be shown a warning that indicates the superseded update might still be needed.

Why is that?

When answering, consider this (I did some research):

"WSUS does not automatically decline superseded updates, and it is recommended that you do not assume that superseded updates should be declined in favor of the new, superseding update. Before declining a superseded update, make sure that it is no longer needed by any of your client computers.
The following are examples of scenarios in which you might need to install a superseded update:

"If a superseding update supports only newer versions of an operating system, and some of your client

Hello Everybody,

We're testing the Offline Servicing way of working on Configuration Manager 1702.

I succeeded in adding the cumulative update of November inside the WIM. I can see it in the 'Update Status' tab, but not in the 'Installed Updates' tab in Properties of this image. I don't know why.

I also wanted to know how to remove this update from the image. When I add the December CU, I want to remove the oldest.

Does somebody know how to do it?

Thanks in advance

All our clients are laptops in different states and they frequently go online and offline on different occasions.
Lots of clients, when they are not connected to the internet or are just turned off, disappear from WSUS.
As soon as you put them online they appear back.
In order to keep inventory we have to keep all clients visible and in the right group. Any idea why clients have to be online in order to stay in WSUS?

Hi All,

I have a new customer that has SBS2011.  The server appears to be running well in all respects, but sometime in the past WSUS was disabled due to them running out of disk space, so they disabled WSUS and removed the WSUS files that were stored in either:




(Both folders exist - I have done a search and cannot find any other WSUS folders)

T:\ is mapped to a Virtual Disk on the Hyper-V host (not a network drive physically elsewhere)

I have increased their storage capacity (shared network files were on the server, I have moved them to a NAS).

So, I would like to now 'reinstate' WSUS, but I don't know how it will react due to the missing files that were deleted, and that makes me nervous, so looking for advice on what I should check and do in what order as I have never been here before.

SBS2011 is running as a VM on Hyper-V. There is one other VM on Hyper-V which appears to be a print 'server' (actually Win7 Pro), but it is shut down, and I have not touched it so far (I'll get to it later, but it's way down the list).

Backups are running fine - using SBS2011 Backup three times a day to an external USB drive, and the drive is backed up to another drive through the day, and that goes offsite every day.

WSUS has been disabled by disabling the service called 'WSUSService' with a display name of 'Update Services'.  At this point, I am inclined to just re-enable that, but what will happen if I do that, and none of …

Hi, I have the following simple questions as our SCCM admin is off and needs some things to sort out as I am new to SCCM 2012.

1. I want to know what/when is the latest update check was done and if those updates are installed on all computers or not. Basically I also want to see list of all latest patches deployed by date installed.

2. Also how do I see how often the updates are checked and deployed ?

3. There was a recent critical update issued by Microsoft, MS16-037; how do I make sure it has been downloaded and installed?

I am running Server 2012 64-bit, and a standalone WSUS 4.0 (Version 6.2.9200.21848) that is manually updated every day via offline file transfer and meta-data import from an air-gapped online WSUS Server. SQL Server 2014 is running locally on the WSUS server to host the SUSDB. I have recently re-indexed it to try and fix this issue.

Ever since it updated from 6.2.9200.18324 to the newest version, the WSUS Console is crashing when I try to cancel the download of a Definition Update for Windows Defender, Security Essentials, or Endpoint. It only crashes on those types of updates. I need to cancel the download since it is offline. I am not sure why it is trying to download the update files when they already exist in the file storage location. Files are transferred long before the meta-data is exported, moved, and imported into said offline server.

The error message displayed is as follows:
Problem Event Name: CLR20r3
Problem Signature 1: mmc.exe
Problem Signature 2: 6.2.9200.16496
Problem Signature 3: 50ece2e8
Problem Signature 4: Microsoft.UpdateServices.BaseApi
Problem Signature 5: 6.2.9200.21848
Problem Signature 6: 571cc7c5
Problem Signature 7: 61e
Problem Signature 8: 1b
Problem Signature 9: System.Data.SqlClient.Sql
OS Version: 6.2.9200.
Locale ID: 1033
Additional Information 1: 9950
Additional Information 2: 99504e5b16d00ac2776c5771c670163c
Additional Information 3: cd67
Additional Information 4: cd67b1856d9540b8bc614699ba4bb3cf

I have run the …

