Home
.. About WSUS Wiki

RSS

WSUS
.. WSUS FAQ
.. WSUS on SBS
.. WSUS Troubleshooting
.. WSUS News Groups
.. Known WSUS Issues
.. WSUS Links
.. WSUS Wish List

WSUS Documents
.. WSUS Deployment Guide
.. WSUS Installation Guide
.. WSUS Release Notes
.. WSUS Best Practice

SUS
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues

Wiki Community
.. Wiki Contributors
.. I Love WSUS
.. WSUS Wiki Diary
.. Wiki Statistics
.. To Do Page

Miscellaneous Stuff
.. Other Resources
.. Do You Know?

Site Meter

Terms of Use
Trademarks
Privacy Statement

 

SUS FAQ

SUS Frequently Asked Questions

 

This page is based on the community's experience with SUS. For a Microsoft SUS FAQ see: http://www.microsoft.com/windowsserversystem/sus/susfaq.mspx

Q. Can you use SUS in a non-Active Directory environment?

A. Yes. You can configure AU Settings through registry or using the local policy editor. See Manipulating SUS Settings through the Registry for more details on the needed registry settings.

Q. Why does the gpedit policy work on one machine and not on another machine and with the same registry based settings ?

A. For Troubleshooting GPO, check out Troubleshooting Group Policy (GPO)

Q. What is BITS?

A. Background Intelligent Transfer Service, BITS, is a service that transfers files in the background using idle network bandwidth. BITS also ensures that the update is completed successfully in the case of network interuptions, or system re-boots. SUS (and WUS) make use of BITS to download updates.

If the BITS service is stopped, Windows Update can not download updates. If BITS is disabled, any services that explicitly depend on it may also fail or fail to operate properly.

Q. Why do clients not download at the time specifed in the policy?

A. AU clients with BITS download updates at random time depending on the Network Traffic and only begin the transfer at the schedule Time which specified in the policy.

Q. How can I force my client to get the update software from the SUS Server ?

A. If you want to force the client to udpate detection, then the only way is to delete LastWaitTimeout from the Registry. For a small script to force the update detection, see AUForceUpdate.cmd

I always just use a command prompt, and type "wuauclt /detectnow" this forces a check too.. 

Q. I get error "The server failed to load application '/LM/W3SVC/1/Root/SUSAdmin"

A. This issue may also occur if the permissions are not correctly configured for the IWAM_ComputerName account or the IUSR_ComputerName account. See http://support.microsoft.com/default.aspx?scid=822699

Q. How do you exclude certain machines from automatically updating?

If you are in AD environment, then its simple: remove them from that OU which is having the WUAU.ADM Template. If configuration is via the Registry, then remove those settings.

Q. Is it possible to download selective updates?

A. No. You can not download selective updates, SUS downloads all the updates that are approved.

Q. Is there a way to see what clients on my network have accessed the SUS and what they have successfully downloaded and installed?

A. Yes, you can certainly see the updated clients, here is how you do;

  1. Browse thru clients %SYSTEMROOT%\Windows Update.log.
  2. Parse SUS IIS Logs on Wayne's Online Log Parser which shows the client download & detection activity.
  3. Have a look at workstations C:\Program Files\WindowsUpdate\V4\iuhist.xml
  4. Windows XP SP# 2 added a checkbox to the top of Add/Remove programs that allows you to see updates.
  5. Look at the many tools on SUSserver.com

Q. Is there any way to let SUS server automatically approve all downloaded updates?

A. Yes - see http://jorrit.net/SUSApprove/ for details. Also, see Auto Approve New Updates on schedule http://www.gatefold.co.uk/sus/

Q. Can you manage the SUS server from another machine?

A. Yes, you can do this. You need to have local administrator rights on the remote machine, and you should add SUSADMIN site to the IE Trusted Sites.

Q. Is it possible for a client to go to a website on my internal SUS box and do an "update" like what is done on the windows update site?

A. SUS does not provide a web interface to install the updates like Windowsupdate.com. Updates are installed to the clients via Automatic Updates Service only.

Q. Is it possible to add more informative message during the AU activity, like before the restart?

A. In such case, you may have to rehack wuauclt.exe(Windows Update AutoUpdate client) But, then you have to deploy the same exe to all the clients to get the customize message.

Q. Why does AU State stay stuck in 4 ?

A. If AU client is in AU STATE 4, sometimes, BITS might get stuck in resolving the SUS SERVER NAME which you have defined in SET OPTIONS, Try using IP ADDRESS instead of NETBIOS NAME OR, Edit the HOST FILE to add SUS Server Host Name and IP Address. For more information on AU states, see [AU State]. More on http://www.faqshop.com/sus/client/AU%20client%20stuck%20state%204.htm#Top

Q. What permissions should I set for SUS?

A. PERMISSIONS:

Make sure on SUS SERVER,

1. You have ANONYMOUS ACCESS on;

  • Default Web Site
  • selfupdate
  • autoupdate
  • content

2. C:\SUS\Content - Everyone should alteast have READ Permission

3. Web Anonymous User, IUSR & IWAM Users may have READ & EXECUTE, LIST FOLDER CONTENTS & READ Permission

Q. Where does AU Stores Updates?

Normally, AU stores patches in C:\WUTEMP or C:\Program Files\Windows Update\wuaudnld.tmp while waiting to install the patches.

Q. I see Error 0x80190194 in Windows update.log

A. You can safely ignore this error, The error is logged when the Automatic Updates client tries to check the server that is running Software Update Services for driver updates that Software Update Services does not synchronize. Therefore, the AutoUpdate driver’s folder does not exist on the server that is running Software Update Services. Error 0x80190194 is actually an HTTP status code 404 (File Not Found). This code is returned to the client by the server that is running Software Update Services. Have a look at http://support.microsoft.com/?kbid=326596

Q. How do I backup SUS downloads and configuration?

A. Start by creating a backup of the IIS metabase using the IIS MMC Snap-in and use NTBACKUP to backup , C:\Inetpubwwwroot; C:\sus; and %windir%\system32\inetsrv\metaback

Q. I don't see a popup with AU Option 2&3. But, when I login as a local Local Admin, I get the popup. Why?

A. For AU Option 2&3, the logged in user must be a Local Admin to see the AU activity, In such case, you may try AU OPTION 4 which is Auto download and Schedule install.

Q. What files does Windows Update use in the background?

A. Windows Update uses the following files:

  • wuaserv.dll is the service dll (Windows Update AutoUpdate Service)
  • wuauclt.exe (Windows Update AutoUpdate client);
  • wuaueng.dll (Windows Update AutoUpdate Engine);
  • wupdmgr.exe (Windows Update Manager for NT);
  • qmgr.dll (BITS service dll)
  • wuapi.dll (Windows Update Client API),
  • wucltui.dll (Windows Update Client UI Plugin)
  • wupdinfo.dll (Windows Update Info for NT)
  • wups.dll (Windows Update client proxy stub)
  • wuv3is.dll (Windows Update Engine)
  • wuweb.dll (Windows Update Web Control)

Q. Which Port is used by Automatic Updates?

A. The AU client always uses TCP port 80 to obtain automatic updates.

Q. Is it true that I can't have any Anti Virus software running on the server?

A. You can have antivirus installed at SUS, only thing is, its not recommended to have more than one website running on IIS of SUS Box and not to conflict with PORT 80. More on Can I Install SUS on a Server that is also running other IIS Enabled Applications

Q. So how do you have the clients look at your SUS Server ? Do you actually do something on the SUS Server or modify on the client side?

A. Just Approve the updates on the server & wait for the clients to download those and install.

Q. How do I create an Offline SUS Server to an Online SUS Server?

A. If you have One SUS which is online, then you can create second SUS as an offline SUS. Perroformed on Offline SUS

  1. Confirm that IIS is installed.
  2. Create a folder named Content
  3. Copy all the files and folders under the Contentcabs directory from the source server running SUS to the Content directory on the server with the manually-created content distribution point:
  4. Copy the following files under the VROOT of the default web site:
    • root of the SUS Web site
    • Aucatalog1.cab
    • root of the SUS Web site
    • Aurtf1.cab
    • root of the SUS Web site
    • approveditems.txt.
  5. Create a VROOT called “Content” and point to the “ContentCabs” directory

Q. How do I ensure that the client settings are fully populated through the GPO?

A. Very simple, do a simple Reg query:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s

Q. Will users be prompted for windows updates or will they just install automatically?

A. It depends on your AU Options and how you want to setup.

Q. Do users have to logon as a local PC administrators in order for this to work?

A. No, this is not required. If the user is not the Local admin, AU acitivity will not be transparent to him, he will only be informed about the need to reboot.

Q. Where can I find log files for SUS Server?

A. %SYSTEMROOT%\system32\LogFiles\W3SVC1 (for default port 80).

Q. Can Automatic Updates Client download drivers?

A. No, Automatic Updates Client cannot download drivers.

Q. Automatic Update client won't install and gives the message "Microsoft Windows Update Auto Update requires Windows 2000 SP2 or Windows XP".

A. The Message is right! In fact, if you already have WinXp-SP1 & Win2k-SP3 above installed, then you don't need to install Automatic Updates, its installed along with the Service Pack, have a look at the Services Applet from Control Panel.

Q. Can Power Users delay the reboot?

A. No. Only Administrators will get an option to click on NO to delay the reboot.

Q. Is it possible to allow non admin users to click no when AU is finished installing updates to the client's pc?

A. No - this is not possible with SUS. The user has to be a part of local Admin to postpone the reboot.

Q. SUS with Remote Clients on slow Network bandwith does not update, Why?

 

A. This problem may occur if the client computer resets the connection to the server before the server has sent all the data to the client during automatic update detection. A supported hotfix is now available from Microsoft. Have a look at http://support.microsoft.com/?id=842289

Q. Why do I see 2 log files for Windowsupdate in %SYSTEMROOT% directory?

A. If you have XP SP2 installed, You will have two logs: Windows Update.log (v4 windows update component) AND windowsupdate.log (v5 windows update component). More on Why do my Clients show two Windows Update Log Files?

Q. How do I clear all the pending downloads from BITS which are in queue?

A. Delete C:\Documents and Settings\All Users\Application Data\Microsoft\NetworkDownloaderqmgr0.dat & qmgr1.dat. You may have to stop the BITS service before you delete these files. Don't forget to restart the service .

Q. How do I Uninstall SUS using MSI Installer Command?

A. This should call the MSUS update wizard where you can choose to Repair or Remove.

MsiExec.exe /I{AFF0D9D3-6F0D-437E-9327-98108B4A8644}

Q. How do I Troubleshoot Error in Application Log on SUS "The Template Persistent Cache initialization failed for Application Pool 'DefaultAppPool' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes"?

A. The problem occurs because the Application pool is using the NT Authority Network Service account, and the NT Authority Network Service account may not have permissions to access the required folders. These links might help you in resolving permission issues on IIS by Manually set permissions on the folders;

http://support.microsoft.com/?kbid=842493 http://support.microsoft.com/?kbid=332097

Q. Does SUS download the patch IE 5.X/6.X SP1 to update Workstation from IE 6.0 to IE 6.0 SP1 ?

A. No.You have to do this over GPO or manually update IE. For more information read: http://support.microsoft.com/?kbid=810011

Q. While trying to see the approval log on my SUS 1.0 server I'm getting the following error message: Response object error 'ASP 0251 : 80004005' Response Buffer Limit Exceeded /autoupdate/administration/en/showlog.asp, line 0.

A. Execution of the ASP page caused the Response Buffer to exceed its configured limit.

Set the buffer limit to unlimited using the following commands.

Try using "ADSUTIL" & Run these commands;

1. adsutil set w3svc/1/root/autoupdate/aspbufferinglimit -1

2. adsutil set w3svc/aspbufferinglimit -1

ADSUTIL is found in C:InetpubAdminScripts of SUS Server.

Q. How do I interpret ApprovedItems.txt file to check which updates are approved?

A. Check in Approveditems.txt for 0@|1@|0@. These three fields correspond to Approved, Missing and Updated. Therefore, if the first number has a 1, this means it is approved.

Q. Some Clients are continuing to download the same patch. How do I troubleshoot Repeated Updates?

A. Do the following:

  1. Identify the repeatedly installed update.
  2. Check if the patch is Cumuilative Superseeded one.
  3. If yes, Approve the latest one and disapprove the old ones.
SUS does not support Superceding of Cumulative Patches.

Q. I don't need .NET patches & other Service Packs, How do I delete them to recover the hard drive space?

A. You cannot delete those. And even if you do delete then, they are re-downloaded on next sync. Here is a around:

  1. Rename the file to be deleted.
  2. Create a dummy file with the same name & extension.
  3. Save this file. By this way, you recover the storage space and the patch will not be re-downloaded.

Q. How do I enable logging for wutrack.bin from IIS ??

A. In IIS, in Default Website, scroll for wutrack.bin and enable logging for this.

Q. XP SP2 clients will not update and the same with the clients with V5 component of Windows Update..Why?

A. Since, this is a V5 client, make sure you have the appropriate registry values for V5 component of Windows Update. See: Why do my Clients show two Windows Update Log Files? for more details.

Q. Is there a way to save and restore the approvals on SUS?

A. Copy the following files to the target location

  • wwwroot\approveditems.txt
  • wwwroot\autoupdate\dictionaries\approvedtiems.txt
  • wwwroot\autoupdatedictionaries\settings.txt
  • wwwroot\autoupdate\administration\history-sync.xml
  • wwwroot\autoupdate\administration\history-approve.xml

Comments:

From anshuman27 - 3/8/07 2:47 AM

Hi,

I have 2 SUS servers in 2 different domains which are isolated from each other. I just need to have the list of approved updates to be replicated on other server. Will it be sufficient if I just replicate the file approveditems.txt to the other server?

ApprovedItems.txt in the folder Inetpub\wwwroot and Inetpub\wwwroot\autoupdate\dictionaries

Regards,

Anshuman


Last Modified 4/13/07 10:13 AM

Hide Tools

Site
Changes
Index
Search

User
Log In
Register