University of Wyoming
Division of Information Technology
Ask IT Help Documents
Windows Server Update Services (WSUS) is a tool for central management and distribution of critical Windows and Office patches as well as updates. Patches and updates will be provided for Microsoft Windows XP Service Pack 3 and higher operating systems and Microsoft Office XP SP3 and higher.
Further information on WSUS can be found at www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx.
There are many components to WSUS, but basically it is a client/server application. The server piece is responsible for synchronizing with the Microsoft Update servers, providing those updates that are administratively approved to clients on campus, and logging transactions between the clients and the server. The client piece is responsible for querying the server to see if there are new updates available, downloading those updates, and then installing them on the administratively determined schedule.
More specifically, a service runs on a server maintained by Information Technology (IT) that automatically synchronizes with the Microsoft Update servers. Updates that are digitally signed by Microsoft are downloaded to a local repository. Once the server has synchronized and downloaded new updates from Microsoft, they are ready to be approved. An administrator tests them and determines their suitability for campus. Suitable updates are approved on the server and at that point are ready for client computers to download. During the day, client computers will poll the server and download the approved updates that are appropriate for them. Once the updates are downloaded, the client computer will automatically install them based on a predetermined schedule.
WSUS is intended for Windows XP SP3, Windows Vista, and Windows 7 desktop computers that are members of the windows.uwyo.edu (UWYO) domain, with a few exceptions. When specific conditions are met, Automatic Updates may reboot a computer; therefore, a computer that provides a service that must be available 24x7 without interruption should not participate in this program. Computers that do not participate in WSUS should be updated manually on a regular basis using Microsoft’s update utilities.
A computer that has not been restarted after Automatic Updates requested a restart will not finish installing the updates, nor will it receive future updates from the WSUS server until a restart occurs. This means that your computer will not be kept up-to-date and secure until it is restarted. After you restart your computer, the service will return to normal operation.
Additionally, IT has the ability to monitor patches and may contact the client if it is obvious there are problems with patch installation.
Contact the IT Help Desk, and they can assist you in opting out of WSUS.
By default, all computers which are part of the windows.uwyo.edu domain automatically participate in the WSUS service, unless someone specifically requests that the computer be opted out. If you believe that the computer you use has been mistakenly opted out, contact the IT Help Desk, and they can assist you in opting in to WSUS.
No. At this time, WSUS is not available to computers that are not part of the windows.uwyo.edu domain, since they cannot be automatically configured. Computers that do not participate in WSUS should be updated manually on a regular basis using Microsoft’s update utilities.
Once the Automatic Updates settings are set via Group Policy for WSUS participation, they can no longer be configured from the Automatic Updates user interface.
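A read-only way to confirm, on a client, the Group Policy-driven WSUS configuration and the pending-restart state described above. This is an added example, not part of the UW document or IT's own tooling; it assumes the standard Windows Update policy registry locations and the `wuauserv` and `BITS` service names, and `Get-PolicyValue` is a helper defined here.

```powershell
# Added example (read-only): summarize this computer's WSUS client state.
# Written for Windows PowerShell 2.0+ (uses Get-WmiObject).
$wuKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$wuKey\AU"
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. Group Policy did not set it.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$cs       = Get-WmiObject -Class Win32_ComputerSystem
$server   = Get-PolicyValue $wuKey 'WUServer'
$useWsus  = (Get-PolicyValue $auKey 'UseWUServer') -eq 1
$auOption = Get-PolicyValue $auKey 'AUOptions'
$auText   = @{ 2 = 'notify before download'; 3 = 'download, notify before install'
               4 = 'download and install on schedule'; 5 = 'local admin chooses' }

$state = New-Object PSObject -Property @{
    Computer      = $cs.Name
    Domain        = $cs.Domain
    DomainJoined  = $cs.PartOfDomain
    WsusServer    = $server
    UsesWsus      = ($useWsus -and [bool]$server)
    InstallMode   = $(if ($auOption) { $auText[[int]$auOption] } else { 'not set by policy' })
    NoAutoReboot  = (Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers') -eq 1
    RebootPending = Test-Path $rebootKey
    UpdateService = (Get-Service -Name wuauserv).Status
    BitsService   = (Get-Service -Name BITS).Status
}

$state | Select-Object Computer, Domain, DomainJoined, WsusServer, UsesWsus,
    InstallMode, NoAutoReboot, RebootPending, UpdateService, BitsService | Format-List

if ($state.DomainJoined -and -not $state.UsesWsus) {
    Write-Warning 'Domain member without WSUS policy: opted out, or policy not yet applied. Patch manually.'
}
if ($state.RebootPending) {
    Write-Warning 'Restart pending: updates will not finish or resume until this computer restarts.'
}
```

A `RebootPending` value of `True` corresponds to the state in which the client stops receiving further updates until the computer is restarted.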
Absolutely. This service will not prevent you from accessing the Windows Update website, http://windowsupdate.microsoft.com, in any way.
WSUS distributes Microsoft critical updates, definition updates (i.e. for Microsoft Outlook junk email filters and Windows Defender), security updates, update rollups, service packs, and specific tools like the Malicious Software Removal Tool.
Updates and service packs will be distributed for IT supported Windows operating systems, Microsoft Office, Expression Web, .NET, Project, and Visio. Though patches for additional Microsoft software such as SQL Express Edition, Forefront, and XML may be distributed by WSUS, this software is not supported by IT, and IT cannot guarantee that all applicable patches will be distributed to campus. Therefore, IT does not recommend that individuals running unsupported Microsoft software rely solely on WSUS to keep their computers up-to-date and secure.
No. Only packages that have been digitally signed by Microsoft can be distributed by WSUS.
Though all approved updates go through an internal quality assurance process, IT cannot account for all of the software in use on campus, particularly in cases where the software is not supported by IT. If an application is not functioning on your computer and you believe that the problem was caused by the installation of a new update through WSUS, contact the IT Help Desk immediately to discuss the problem. If it is a Windows patch that caused the problem, it is likely that others are experiencing the same difficulties, and there may already be a fix in place.
An Automatic Updates window tells me "Your updates have been installed successfully. To complete installation you must restart your computer. Do you want to restart your computer now?" What does this mean, and what should I do?
When this window appears, it means that an update that required a reboot was installed by the WSUS server, and your computer must be restarted to finish the installation process. Clicking the Yes button will restart your computer immediately, so make sure you save your work before clicking this button. Clicking the No button will cancel the restart. Be aware that if the restart is canceled, you must remember to restart your computer manually as soon as it is more convenient for you to do so in order to complete the installation and continue to have your computer updated automatically.
You must have at least Windows XP Service Pack 3 or higher to participate in WSUS. If you are unsure of the Service Pack level of your computer, please go to How to Determine a Windows Computer's Service Pack Level (www.uwyo.edu/askit/displaydoc.asp?askitdocid=242&parentid=1). If you do not have Windows XP SP2 or higher installed, contact your IT user consultant to discuss an upgrade. The computer must also be a member of the windows.uwyo.edu domain. If you are unsure of the domain your computer belongs to, see How to Determine a Computer's Name and Domain (www.uwyo.edu/askit/displaydoc.asp?askitdocid=241&parentid=1) for instructions on determining the name of your computer and the domain to which it belongs.
If you are unsure of the domain your computer belongs to, see How to Determine a Computer's Name and Domain (www.uwyo.edu/askit/displaydoc.asp?askitdocid=241&parentid=1) for instructions on determining the name of your computer and its domain.
If you are unsure of the Service Pack level of your computer, please go to How to Determine a Windows Computer's Service Pack Level (www.uwyo.edu/askit/displaydoc.asp?askitdocid=242&parentid=1).
WSUS is supported for Windows XP Service Pack 3, Windows Vista, and Windows 7 operating systems.
The following Operating Systems are no longer supported by Microsoft and therefore they are no longer safe to run on campus (because they don’t get security patches or updates necessary to protect computers from malicious attacks).
Important Note: This list may not be comprehensive. Microsoft discontinues support of older Operating Systems on a regular basis. To verify the current status of any OS, please visit the following Microsoft sites:
Please contact the IT Helpdesk at 766-4357, option 1, if you have an out-of-support Operating System to determine what your options are.
When an update requires a restart, Automatic Updates / WSUS will determine whether or not to reboot a computer based on the security level of the user currently logged on to the computer. When an update requires a restart, it is very important that it occurs in a timely manner. Until the restart occurs, the computer will not be able to download and install additional updates.
All user accounts will receive the following message: "Your updates have been installed successfully. To complete installation you must restart your computer. Do you want to restart your computer now?" The options the user has for restarting the computer depend on the security level of the account, as follows.
An account with administrative access will receive a restart notification that will allow the user to initiate the restart or postpone it. This notification does not have a countdown timer; therefore, the user must initiate the system restart.
Any account that does not have administrative privileges on a computer will receive a restart notification that will allow the user to initiate the restart but will not allow the user to postpone it. This notification does not have a countdown timer; therefore, the user must initiate the system restart.
User Account without Restart Privileges (very rare case):
Any account that does not have administrative privileges on a computer and that does not have restart privileges will receive a restart notification that does not allow the user to initiate the restart or postpone it. This notification does not have a countdown timer; therefore, the user must log off of the computer which will allow it to restart automatically or wait for an authorized user to initiate the system restart.
No Account Logged On:
If no account is logged on to a computer, the computer will restart automatically following the installation of the updates. No restart notification will be present. This configuration is the least imposing option for users, as there is no user intervention necessary. Be aware that locking the computer is not the same as logging off. A locked computer will not automatically restart, as Automatic Updates detects that the computer is still in use.
No. WSUS participation is based on the computer account and its domain membership and not a user's personal domain account. WSUS updates are only deployed to computers that are members of the windows.uwyo.edu domain. If your UW-owned computer is not on the windows.uwyo.edu domain, contact the IT Help Desk for assistance in joining your computer to the domain.
IT does not allow for personally-owned home computers to join the windows.uwyo.edu domain. However, if you work from home on a UW-owned computer, and if the computer is a member of the windows.uwyo.edu domain, it may receive updates from WSUS. However, as this process cannot be guaranteed or supported in the home environment due to differences in network providers, speed of connections, etc., it is recommended that you contact your IT user consultant to opt out of WSUS for this system. For computers that have been opted out of WSUS, see How to Install and Run Windows Automatic Updates (www.uwyo.edu/askit/displaydoc.asp?askitdocid=181&parentid=1) for information on updating your computer and keeping it current through the Windows Update site and Automatic Updates.
If you choose to have your computer running a server operating system take part in WSUS, against IT recommendation, please be aware of the following:
No. WSUS will not work as intended if a user connects exclusively via UW Wireless. Using wireless, various problems can arise with campus applications that rely on services, timing, and connection properties that are only available consistently through a wired connection to campus. The wireless network is not a replacement for the campus wired network, and as such, is not recommended nor will it be supported as an alternative to wired access.
It is recommended that you visit http://windowsupdate.microsoft.com and install all listed Critical Updates as soon as you first turn the computer on. A computer that has been turned off for a long period of time will connect to the WSUS server to download and install available updates at some point after it is turned back on. However, there can be delays in this process, which leave your computer vulnerable to many network security risks. Using the Windows Update Web site to patch your computer will ensure that you are protected immediately. Once your computer is up-to-date, you can let WSUS take over again for any future updates.
Load balancing is actually handled by the Automatic Updates client. Every 22 hours minus a random offset, the Automatic Updates client computers will poll the WSUS server for approved updates to install. The random offset helps ensure that all the client computers do not try to talk to the server at the same time.
The client computer downloads updates from WSUS using a technology called Background Intelligent Transfer Service (BITS). BITS uses idle network bandwidth to transfer data, so regardless of the size or number of updates required, downloading them should not interfere with other network activities being run on a client computer.
Updates are downloaded to computers that are part of the UWYO domain on the third Tuesday of each month.
Outstanding patches from the previous month will be installed automatically starting on the second Tuesday of each month. If you choose to wait for the automatic installation, these are the steps you will need to follow the night before:
Yes. As an alternative to leaving your computer on overnight, you can go directly to the Microsoft Update page and begin the process of checking for needed updates and immediately start installing them. The utilities that are located there will continue to check your system until all updates have been applied.
The next time you shut down your computer, updates will automatically install. A taskbar icon indicates when WSUS updates are pending. Users who missed an overnight update can manually start the WSUS update by clicking on the WSUS icon – or else wait till the next time they shut down their computer.
No. There are several advantages of using WSUS:
Reviewed: 0912 By: MD
Additional help with the installation and configuration of
UW-supported software is available:
Contact your IT user consultant
Contact the IT Help Desk at 766-HELP (4357), option 1
Come to the student computer lab in the lobby of the
Information Technology Center.