This document describes known issues affecting Windows Server Update Services (WSUS). It includes recommendations and requirements for installing WSUS.
Note: A downloadable copy of this document is available on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=48126.
Before You Begin
Issue 1: IIS must be installed
Microsoft® Windows Server™ Update Services (WSUS) requires that Internet Information Services (IIS) be installed. However, on Microsoft Windows Server 2003 and Microsoft Windows® 2000 Server, IIS is not installed by default, so Windows Server Update Services Setup might be unable to continue, displaying an error message saying that IIS is not installed.
To install IIS:
-
Open Control Panel.
-
Double-click Add or Remove Programs.
-
Click Add/Remove Windows Components.
-
In the Components list, click Application Server.
-
Click Details.
-
Select the ASP.NET check box. Enable network COM+ access and Internet Information Services (IIS) will be selected automatically.
-
Select Internet Information Services (IIS), and then click Details to view the list of IIS optional components.
-
Select all optional components you want to install. The World Wide Web Service optional component includes important subcomponents such as the Active Server Pages component and Remote Administration (HTML). To view and select these subcomponents, click World Wide Web Service, and then click Details. Click OK until you return to the Windows Components Wizard.
-
Click Next, and complete the Windows Components Wizard.
-
After you install IIS, run Windows Server Update Services Setup.
Issue 2: For servers running Windows 2000 Server, at least one Web site needs to be present in IIS before you install WSUS
Windows Server Update Services Setup may fail to create a Web site if no sites were present in IIS when Setup was run. This may happen, for example, if you had a Software Update Services (SUS) 1.0 site as the only site in IIS and you deleted it before installing WSUS.
In this case, you need to create a new Web site by using the Internet Information Services (IIS) Manager snap-in. Once this is done, you can select this site or specify a new site during WSUS Setup.
If you already attempted to install WSUS and Setup failed because no sites were present, open IIS Manager snap-in, and delete the site "Web Site #1". Then follow the steps described earlier, and run Setup again.
Issue 3: Installing prerequisite components
Software requirements
The following table shows required software for each supported operating system. Make sure the WSUS server meets this list of requirements before you run WSUS Setup. If any of these updates require restarting the computer when installation is completed, you should perform the restart prior to installing WSUS.
Operating System | Requirements | Downloads |
---|---|---|
All operating systems | Microsoft Internet Information Services (IIS) 5.0 | Install from operating system. See Issue 1: IIS must be installed. |
All operating systems | Background Intelligent Transfer Service (BITS) 2.0 | For Windows Server 2003 operating systems, see For Windows Server 2000 operating systems, see |
Windows Server 2003 | Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 | Alternatively, go to |
Windows Server 2003 | Database software that is 100-percent compatible with Microsoft SQL | N/A |
Windows 2000 Server | Database software that is 100-percent compatible with Microsoft SQL | If you are not using Microsoft SQL Server 2000, you can install Microsoft SQL Server 2000 Desktop Engine (MSDE 2000). This requires several steps. For more information, see Installing MSDE on Windows 2000 below. |
Windows 2000 Server | Microsoft Internet Explorer 6.0 Service Pack 1 | |
Windows 2000 Server | Microsoft .NET Framework Version 1.1 Redistributable Package | |
Windows 2000 Server | Microsoft .NET Framework 1.1 Service Pack 1 | Alternatively, go to |
In addition to these requirements, WSUS might install or configure ASP.NET version 1.1 on your server, if necessary. (WSUS Setup configures ASP.NET.)
Installing MSDE 2000 on Windows 2000
If you are using Windows 2000 for WSUS and do not have access to Microsoft SQL Server 2000, you should install Microsoft SQL Server 2000 Desktop Engine (MSDE) before running WSUS Setup. If you already have MSDE installed on your WSUS server, you do not have to set up a special instance of it for WSUS. You can simply indicate the existing instance name during the WSUS setup process.
Installing MSDE on Windows 2000 Server is a four-step process. First, you must download and expand the MSDE archive to a folder on your WSUS server. Next, use a command prompt and command-line options to run MSDE Setup, set the sa password, and assign WSUS as the instance name. Then, when the MSDE installation finishes, you should verify that the WSUS instance is running as an NT service. Finally, you must add a security patch to MSDE to protect your WSUS server.
Step 1: Download and expand the MSDE archive
You must download and expand the MSDE archive to a folder on your WSUS server. See
Step 2: Install MSDE
Use a command prompt and command-line options to run MSDE Setup, set the sa password, and assign WSUS as the instance name. When the MSDE installation finishes, you should verify the WSUS instance is running as an NT service.
To install MSDE, set the sa password, and assign an instance name:
-
At the command prompt, navigate to the MSDE installation folder specified in “Step 1: Download and expand the MSDE archive.”
-
Type the following: setup sapwd="password" instancename=WSUS
where password is a strong password for the sa account on this instance of MSDE, and instancename is the name of the database instance. Alternatively, you can use the default instance name (instead of "WSUS") for your WSUS database. If you choose to do this then you do not have to type instancename=WSUS in your command-line parameter. This command launches the MSDE setup program, sets the sa password, and names this instance of MSDE to whatever value you specify.
Step 3: Verify that the WSUS instance of MSDE is installed
-
Click Start, and then click Run.
-
In the Open box, type services.msc and then click OK.
Scroll down the list of services, and verify that a service named MSSQL$WSUS (if you used "WSUS" for the instancename) or MSSQLSERVER (if you used the default instancename) exists.
Step 4: Start the MSDE instance.
At the end of the MSDE installation, you have to start the instance. If you used "WSUS" for the instancename, then you would start "MSSQL$WSUS." If you used the default instancename, then you would start MSSQLSERVER. Unless you start this service WSUS will not be able to use the database instance.
Step 5: Update MSDE
You must download and install the security patch described in the bulletin
To download the security patch, see
Issue 4: Minimum disk-space requirements
The following are the minimum disk-space requirements to install Windows Server Update Services:
-
1 gigabyte (GB) on the system partition
-
2 GB for the volume on which database files will be stored
-
6 GB, based on content projection numbers
Issue 5: Earlier versions of WSUS must be uninstalled by using Add or Remove Programs before installing the latest version
If you plan to install Windows Server Update Services on a server that has Windows Update Services Beta 1 or Beta 2 installed, you first need to uninstall the earlier version by using Add or Remove Programs in Control Panel.
Issue 6: WSUS requires the nested triggers option to be turned on in SQL Server
This option is turned on by default; however, it can be turned off by a SQL Server administrator.
If you plan to use a SQL Server database as the Windows Server Update Services data store, the SQL Server administrator should verify that the nested triggers option on the server is turned on before the WSUS administrator installs WSUS and specifies the database during setup.
WSUS Setup turns on the RECURSIVE_TRIGGERS option, which is a database-specific option; however, it does not turn on the nested triggers option, which is a server global option.
To see if nested triggers are on, use the following:
sp_configure 'nested triggers'
To turn on the nested triggers option in SQL Server, run the following from a batch file on the computer running SQL Server:
sp_configure 'nested triggers', 1
GO
RECONFIGURE
GO
Issue 7: WSUS Setup command-line parameters
You can perform unattended installations of WSUS. For more information and command-line parameters, see "Appendix A: Unattended Installation" in
Known Issues
Issue 1: IIS Lockdown Wizard
If you are running Internet Information Services (IIS) on a computer running Windows 2000 Server, install the latest version of IIS Lockdown Wizard (which includes URLScan) from the IIS Lockdown Tool page on Microsoft TechNet. Microsoft strongly recommends that you install this tool to help keep your IIS servers secure. The IIS Lockdown Wizard works by turning off unneeded features of IIS, thereby reducing the security risk exposure.
Note: WSUS Setup does not install these components. You have to install them manually. You do not need to install IIS Lockdown on computers running Windows Server 2003, because the functionality is built in.
Issue 2: Changing WSUS configuration directly in the database is not supported
Windows Server Update Services stores its configuration data in a database (either MSDE or SQL Server). However, changing the configuration data by accessing the database directly is not supported. Administrators should not attempt to modify WSUS configuration in this way. The supported way of changing your WSUS configuration is by using the WSUS console or by calling WSUS APIs.
Issue 3: Active scripting must be enabled in order to access the WSUS administration site
On the administrator's workstation, you must configure Internet Explorer to allow active scripting before you can use Internet Explorer to access the WSUS administration site.
Issue 4: IIS will be restarted during WSUS Setup
Windows Server Update Services Setup will restart IIS without notification. This could affect existing Web sites within your organization.
Issue 5: WSUS is not supported on servers running Terminal Services
For this Windows Server Update Services release, it is recommended that you do not install WSUS on a server running Terminal Services.
Issue 6: Changing the WSUS or SMS management points (MPs) virtual directory access
By default, the content virtual directory for Windows Server Update Services is set with anonymous access. If you change this setting to require authentication, clients will receive authentication errors and be denied access to download updates. This is a known issue where Winhttp.dll uses the wrong authentication context when implicit authentication is required, so the authentication challenge will fail. To prevent this issue, ensure that the WSUS server and SMS MPs are set up with anonymous access to IIS virtual directories.
Issue 7: When installing WSUS on Windows Small Business Server 2003, the default Web site WSUS vroots’ access settings must be modified to enable WSUS clients to self-update from the server
The WSUS Server installs two vroots, SelfUpdate and ClientWebService, and some files under the home directory of the default Web site (on port 80). This enables clients to self-update through the default Web site. By default, on Windows Small Business Server 2003, the default Web site is configured to deny access to any IP or localhost other than those of the server. This means the SelfUpdate and ClientWebService vroots are denied access and the clients will not self-update. To grant access to the clients to self-update, complete the following steps on the default Web site’s SelfUpdate and ClientWebService vroots.
-
Click the vroot Properties, click Directory Security, click IP address and domain name restrictions, and then click Edit.
-
Select Granted Access, and then click OK. Close all the property pages.
Issue 8: Installing WSUS on Small Business Server - Integration Issues
-
If Windows Small Business Server 2003 uses an ISA proxy server to access the Internet, the following must be entered manually in the Settings user interface: proxy server settings, proxy server name, and port.
-
If ISA is using Windows Authentication, proxy server credentials should be entered in the form "DOMAIN\user" (the user belonging to the "Internet Users" group).
Issue 9: When moving a computer from one computer group into another, it may take up to one hour for the computer to appear in the new group as viewed from the administrative console
When a computer is assigned to a target group for the first time, data on the computer is modified with the group information. That data is refreshed periodically or hourly. Therefore, when moving a computer from one computer group to another, it may take up to one hour for that information to refresh on the client and display as changed in the WSUS administrative console.
Issue 10: If you install WSUS on a member server and then want to promote the member server to a domain controller, you should first uninstall WSUS
If you install WSUS on a member server and then want to promote the member server to a domain controller, you will need to take the following steps:
-
Uninstall WSUS.
-
Promote the server to a domain controller.
-
Reinstall WSUS.
Issue 11: If you want to demote a WSUS Server from a domain controller to a member server you should first uninstall WSUS
If you’re running WSUS Server on a domain controller and want to demote the domain controller to a member server, you will need to complete the following steps:
-
Uninstall WSUS and retain the database.
-
Create a user account called ASPNET.
-
At the command prompt, type aspnet_regiis -i.
-
Reinstall WSUS and use the retained database.
Issue 12: If .NET Framework 1.0 or 2.0 is installed after WSUS is installed, the WSUS administrative console will not appear
This occurs because .NET Framework 1.0 is registered with IIS, whereas WSUS Server requires .NET Framework 1.1. To resolve this issue, run the following aspnet_regiis.exe commands, where website id is the value contained in the following registry key:
HKLM\Software\Microsoft\WindowsUpdateServices\Server\Setup\IISTargetWebsiteIndex
-
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ReportingWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ClientWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\SimpleAuthWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\WSUSAdmin
-
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\AdministrationWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ServerSyncWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\DssAuthWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\Content
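The procedure above can be run as one batch file that reads the website id from the registry and registers each WSUS virtual directory with ASP.NET 1.1. This is an added example, not part of the original release notes or of WSUS itself. It assumes Windows Server 2003 (where reg.exe is built in) and that IISTargetWebsiteIndex holds a number; the variable names are illustrative.

```batch
@echo off
setlocal
rem Added example: re-register the WSUS virtual directories with ASP.NET 1.1.
rem Registry key and aspnet_regiis.exe path are the ones given in Issue 12.
set "KEY=HKLM\Software\Microsoft\WindowsUpdateServices\Server\Setup"
set "REGIIS=%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe"
set "SITEID="

rem reg query prints a line of the form: IISTargetWebsiteIndex  REG_DWORD  0x1
rem Token 3 is the value; set /a converts a hex (0x...) value to decimal.
rem Assumption: the value is numeric (REG_DWORD or a numeric string).
for /f "tokens=3" %%A in ('reg query "%KEY%" /v IISTargetWebsiteIndex 2^>nul ^| find "IISTargetWebsiteIndex"') do set /a SITEID=%%A

if not defined SITEID (
    echo IISTargetWebsiteIndex not found. Is WSUS installed on this server? 1>&2
    exit /b 1
)
if not exist "%REGIIS%" (
    echo "%REGIIS%" not found. Install .NET Framework 1.1 first. 1>&2
    exit /b 1
)

rem The eight virtual directories listed in Issue 12.
for %%V in (ReportingWebService ClientWebService SimpleAuthWebService WSUSAdmin AdministrationWebService ServerSyncWebService DssAuthWebService Content) do (
    echo Registering W3SVC\%SITEID%\ROOT\%%V
    "%REGIIS%" -s W3SVC\%SITEID%\ROOT\%%V
    if errorlevel 1 echo   aspnet_regiis failed for %%V 1>&2
)
endlocal
```

Run it from a command prompt as a local administrator on the WSUS server, then reopen the WSUS administrative console to confirm that it loads.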
Issue 13: Remote SQL limitations
WSUS offers limited support for running database software on a computer separate from the computer with the rest of the WSUS application.
-
You cannot use Windows 2000 Server as the front-end computer in a remote SQL pair.
-
You cannot use a server configured as a domain controller for either the front-end or the back-end of the remote SQL pair.
-
You cannot use WMSDE or MSDE for database software on the back-end computer.
-
For more information about remote SQL issues, see "Appendix C: Remote SQL" in Deploying Microsoft Windows Server Update Services.
Issue 14: A replica downstream server may have fewer approvals than the parent upstream server
A replica downstream server may have fewer approvals than the parent upstream server. This is because installation approvals do not flow to a downstream server until the content finishes downloading on the upstream server.
Issue 15: If synchronization fails, retry synchronization
If synchronization fails, you might get an error message. If this occurs, you should first try synchronization again.
Issue 16: When you try to access the WSUS Administration console, a System.IO.FileNotFoundException error message appears
If you get the following error message, you may need to adjust permissions on the Network Service or ASP.NET accounts:
System.IO.FileNotFoundException: File or Assembly name xxxxxx.dll, or one of its dependencies, was not found
where xxxxxx is a random name.
To resolve this issue in Windows Server 2003 operating systems, grant the Network Service account read/write access to %systemroot%\Temp. In Windows 2000 Server, grant the ASP.NET account read/write access to %systemroot%\Temp.
Issue 17: SQL Security Update MS03-031 (KB815495)
This update may show as installed on the WSUS server even though the installation actually failed on the client. This can cause the package to be reoffered to the client. You can work around this issue by unapproving the update on the server.
Issue 18: IIS settings are lost during RTM upgrade.
If you install WSUS RTM on a server with a previous version of WSUS (for example, RC), WSUS RTM will uninstall the earlier version and then install the new version. This means that vroots and files associated with WSUS in IIS will be deleted.
If you installed WSUS on the default Web site, you will lose any WSUS-related settings you have made to the WSUS vroots. For example, if you have configured the WSUS vroots for SSL in order to secure WSUS, you will need to configure them again after you install the RTM version of WSUS. Note: you will receive a notification on the WSUS console that SSL is not enabled.
If you had installed WSUS on a Web site other than the Default Web site, then all the additional settings at the WSUS Web site level are lost.
Issue 19: Using host headers
If you want to assign host header values to the default Web site (WSUS Web site) in IIS, you need to add “All Unassigned” or an assigned IP address to the list of IP addresses without a host header value to the default Web site. This should also be added to the non-default Web site.
Warning: This might break Microsoft SharePoint and Exchange functionality.
Issue 20: WSUS console URL needs to be added to the list of Trusted sites and Local intranet Web content zones on computers on which Internet Explorer hardening is enabled
If you have Internet Explorer hardening (also known as the Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component) enabled on a computer and you do not add the WSUS console to the Trusted sites and Local intranet Web content zones, you will be prompted for user credentials every time you open a page in the WSUS console.
To add the WSUS console to the Local intranet and Trusted sites Web content zones:
-
Open Internet Options (for example, click Start, point to Control Panel, and then click Internet Options).
-
On the Security tab, click Local intranet, click Sites, click Advanced, add the URL (http://WSUSServername/WSUSAdmin), and then click OK.
-
Click Trusted sites, click Sites, add the WSUS console URL, click OK, and then click OK again to exit Internet Options.
Issue 21: Upgrading from WSUS Release Candidate fails
Upgrading from the WSUS Release Candidate might fail due to a self-update tree problem. This can occur if multiple clients self-update at the same time you attempt the upgrade.
To resolve this issue:
-
Disconnect the WSUS server from the network, ensuring that clients cannot connect to it.
-
At a command prompt, type: iisreset and then press ENTER.
-
Run the upgrade.
Issue 22: Some approvals from SUS 1.0 fail to migrate to WSUS.
When you migrate from SUS 1.0 to WSUS, some approvals on the SUS 1.0 server will fail to migrate to the WSUS server. This is because a number of updates that were available to SUS 1.0 are no longer available to WSUS. In addition, because WSUS supports more updates than SUS, there may be important updates on your WSUS server that are unapproved after the migration process finishes.
Microsoft strongly recommends that you review the set of unapproved updates on your WSUS server after migration from SUS 1.0.
For more information about migrating from SUS 1.0 to WSUS, see
Copyright
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.