This document describes known issues affecting Windows Server Update Services Service Pack 1 (WSUS SP1). Immediately following the WSUS SP1 information, you can find all of the information previously included in the original WSUS readme notes. This information includes recommendations and requirements for installing WSUS. To download WSUS SP1, see the
What's New in WSUS SP1
WSUS SP1 is a service pack release that improves the security, reliability, scalability, compatibility, and performance of WSUS. These are the new features and improvements:
-
Windows Vista client support: Computers running Windows Vista can be updated by WSUS SP1 Server.
-
More client language support: Support for all Office and Windows Vista languages.
-
New version of WMSDE: The WMSDE instance will be upgraded to WMSDE SP4 by WSUS SP1 (WSUS RTM uses WMSDE SP3).
-
Performance improvements: WSUS SP1 includes various performance improvements to accelerate user interface response times.
-
All hotfixes: WSUS SP1 includes all changes and hotfixes that have been released since WSUS RTM.
-
Support for SQL Server 2005.
Before You Begin WSUS SP1 Upgrade
The following issues are specific to the WSUS SP1 upgrade. Please note that the issues and requirements outlined in the “Before You Begin” section of the original version of this topic are not addressed in this section and are still valid. For example, the setup requirements outlined in the original “Before You Begin” section are still valid.
Note After applying SP1 to WSUS 2.0, the service pack cannot be uninstalled. Uninstalling SP1 will uninstall the whole product.
Issue 1: Ensure you have enough disk space for database backup
When you upgrade from WSUS RTM, WSUS SP1 Setup automatically creates a backup of the WSUS database. You need to ensure there is enough disk space on the file system of the WSUS server to store the backup of the WSUS database, or WSUS SP1 Setup will fail.
-
Open Windows Explorer and navigate to the folder where the WSUS database is stored. By default, WSUS installs the database here:
<DriveLetter>:\WSUS\MSSQL$WSUS\Data\
-
Press and hold CTRL, select SUSDB.MDF and SUSDB_log.LDF, and then right-click and select Properties.
-
In the Files dialog box, read the value in Size on disk. Your disk must have at least this much free disk space to install WSUS SP1.
-
From the Start menu, click My Computer. Ensure that the disk where WSUS is installed has the amount of free disk space required.
If for some reason WSUS SP1 Setup fails, manually restore the backup database. For instructions about restoring the WSUS database, see the
Issue 2: WSUS SP1 only upgrades WSUS RTM
You can only use WSUS SP1 to upgrade WSUS RTM. At this time, there is no support for upgrading from the WSUS release candidate. If you the WSUS release candidate or any earlier builds of WSUS installed, you must uninstall those builds and then run WSUS SP1.
Issue 3: The IIS service on your server will be stopped during the WSUS SP1 upgrade
The WSUS SP1 upgrade installer stops the Internet Information Services (IIS) service on your server during the upgrade process. This means that all Web sites hosted by the IIS installation on your server will not be available for the duration of the upgrade. IIS will be started automatically at the end of upgrade.
Issue 4: During the upgrade, you should not run applications that call WSUS APIs
WSUS Application Interface (API) calls will conflict with the WSUS SP1 installer, causing the upgrade to fail (you will receive a message asking you to restart your server to complete the upgrade).
Issue 5: If the upgrade fails, you can use the backup database created at the beginning of the upgrade process to restore your WSUS server to its previous state
A backup database is created by the WSUS SP1 upgrade installer at the beginning of the upgrade process. If your upgrade fails, you can manually restore your WSUS server to its previous state by doing the following:
-
Determine the location of the backup database by reviewing the contents of WSUSSetup_%timestamp%.log, which is located in the %programfiles%\Update Services\LogFiles folder. The location of the backup database file is noted within this file.
-
Restore the backup database on your WSUS server.
-
Remove (or uninstall) WSUS, but choose to keep the database when prompted.
-
Install WSUS again, and choose to use the existing database when prompted.
Issue 6: When upgrading to WSUS SP1, you may need to disable antivirus programs
When you upgrade WSUS by applying WSUS SP1, you may need to disable antivirus programs before you can successfully perform the upgrade or apply the service pack. After disabling antivirus programs, restart the Windows Server computer before you apply the upgrade or service pack. This procedure prevents files that the update process needs to access from being locked. After the installation is complete, be sure to reenable your antivirus program. Visit your antivirus program vendor’s Web site for the exact steps to disable and reenable your antivirus program and version.
Caution |
---|
This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround, but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk. |
Note |
---|
An antivirus program is designed to help protect your computer from viruses. You must not download or open files from sources that you do not trust, visit Web sites that you do not trust, or open e-mail attachments when your antivirus program is disabled. |
Original Content from WSUS Readme Follows
The following is the original content from the WSUS readme. WSUS SP1 does not address any of the following issues. This content is included here for your convenience.
Before You Begin
Issue 1: IIS must be installed
Microsoft® Windows Server™ Update Services (WSUS) requires that Internet Information Services (IIS) be installed. However, on Microsoft Windows Server 2003 and Microsoft Windows® 2000 Server, IIS is not installed by default, so Windows Server Update Services Setup might be unable to continue, displaying an error message saying that IIS is not installed.
To install IIS:
-
Open Control Panel.
-
Double-click Add or Remove Programs.
-
Click Add/Remove Windows Components.
-
In the Components list, click Application Server.
-
Click Details.
-
Select the ASP.NET check box. Enable network COM+ access and Internet Information Services (IIS) will be selected automatically.
-
Select Internet Information Services (IIS), and then click Details to view the list of IIS optional components.
-
Select all optional components you want to install. The World Wide Web Service optional component includes important subcomponents such as the Active Server Pages component and Remote Administration (HTML). To view and select these subcomponents, click World Wide Web Service, and then click Details. Click OK until you return to the Windows Components Wizard.
-
Click Next, and complete the Windows Components Wizard.
-
After you install IIS, run Windows Server Update Services Setup.
Issue 2: For servers running Windows 2000 Server, at least one Web site needs to be present in IIS before you install WSUS
Windows Server Update Services Setup may fail to create a Web site if no sites were present in IIS when Setup was run. This may happen, for example, if you had a Software Update Services (SUS) 1.0 site as the only site in IIS and you deleted it before installing WSUS.
In this case, you need to create a new Web site by using the Internet Information Services (IIS) Manager snap-in. Once this is done, you can select this site or specify a new site during WSUS Setup.
If you already attempted to install WSUS and Setup failed because no sites were present, open IIS Manager snap-in, and delete the site "Web Site #1". Then follow the steps described earlier, and run Setup again.
Issue 3: Installing prerequisite components
Software requirements
The following table shows required software for each supported operating system. Make sure the WSUS server meets this list of requirements before you run WSUS Setup. If any of these updates require restarting the computer when installation is completed, you should perform the restart prior to installing WSUS.
Operating System | Requirements | Downloads |
---|---|---|
All operating systems |
Microsoft Internet Information Services (IIS) 5.0 |
Install from operating system. See Issue 1: IIS must be installed. |
All operating systems |
Background Intelligent Transfer Service (BITS) 2.0 |
For Windows Server 2003 operating systems, see Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 Windows Server 2003 (KB842773) on the Download Center ( For Windows Server 2000 operating systems, see Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 Windows 2000 (KB842773) on the Download Center ( |
Windows Server 2003 |
Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 |
Alternatively, go to |
Windows Server 2003 |
Database software that is 100-percent compatible with Microsoft SQL |
N/A |
Windows 2000 Server |
Database software that is 100-percent compatible with Microsoft SQL |
If you are not using Microsoft SQL Server 2000, you can install Microsoft SQL Server 2000 Desktop Engine (MSDE 2000). This requires several steps. For more information, see Installing MSDE on Windows 2000 below. |
Windows 2000 Server |
Microsoft Internet Explorer 6.0 Service Pack 1 |
|
Windows 2000 Server |
Microsoft .NET Framework Version 1.1 Redistributable Package |
|
Windows 2000 Server |
Microsoft .NET Framework 1.1 Service Pack 1 |
Alternatively, go to |
In addition to these requirements, WSUS might install or configure ASP.NET version 1.1 on your server, if necessary. (WSUS Setup configures ASP.NET.)
Installing MSDE 2000 on Windows 2000
If you are using Windows 2000 for WSUS and do not have access to Microsoft SQL Server 2000, you should install Microsoft SQL Server 2000 Desktop Engine (MSDE) before running WSUS Setup. If you already have MSDE installed on your WSUS server, you do not have to set up a special instance of it for WSUS. You can simply indicate the existing instance name during the WSUS setup process.
Installing MSDE on Windows 2000 Server is a four-step process. First, you must download and expand the MSDE archive to a folder on your WSUS server. Next, use a command prompt and command-line options to run MSDE Setup, set the sa password, and assign WSUS as the instance name. Then, when the MSDE installation finishes, you should verify that the WSUS instance is running as an NT service. Finally, you must add a security patch to MSDE to protect your WSUS server.
Step 1: Download and expand the MSDE archive
You must download and expand the MSDE archive to a folder on your WSUS server. See
Step 2: Install MSDE
Use a command prompt and command-line options to run MSDE Setup, set the sa password, and assign WSUS as the instance name. When the MSDE installation finishes, you should verify the WSUS instance is running as an NT service.
To install MSDE, set the sa password, and assign an instance name:
-
At the command prompt, navigate to the MSDE installation folder specified in “Step 1: Download and expand the MSDE archive.”
-
Type the following: setup sapwd="password" instancename=WSUS
where password is a strong password for the sa account on this instance of MSDE, and instancename is the name of the database instance. Alternatively, you can use the default instance name (instead of "WSUS") for your WSUS database. If you choose to do this then you do not have to type instancename=WSUS in your command-line parameter. This command launches the MSDE setup program, sets the sa password, and names this instance of MSDE to whatever value you specify.
Step 3: Verify that the WSUS instance of MSDE is installed
-
Click Start, and then click Run.
-
In the Open box, type services.msc and then click OK.
Scroll down the list of services, and verify that a service named MSSQL$WSUS (if you used "WSUS" for the instancename) or MSSQLSERVER (if you used the default instancename) exists.
Step 4: Start the MSDE instance.
At the end of the MSDE installation, you have to start the instance. If you used "WSUS" for the instancename, then you would start "MSSQL$WSUS." If you used the default instancename, then you would start MSSQLSERVER. Unless you start this service WSUS will not be able to use the database instance.
Step 5: Update MSDE
You must download and install the security patch described in the bulletin
To download the security patch, see
Issue 4: Minimum disk-space requirements
The following are the minimum disk-space requirements to install Windows Server Update Services:
-
1 gigabyte (GB) on the system partition
-
2 GB for the volume on which database files will be stored
-
6 GB, based on content projection numbers
Issue 5: Earlier versions of WSUS must be uninstalled by using Add or Remove Programs before installing the latest version
If you plan to install Windows Server Update Services on a server that has Windows Update Services Beta 1 or Beta 2 installed, you first need to uninstall the earlier version by using Add or Remove Programs in Control Panel.
Issue 6: WSUS requires the nested triggers option to be turned on in SQL Server
This option is turned on by default; however, it can be turned off by a SQL Server administrator.
If you plan to use a SQL Server database as the Windows Server Update Services data store, the SQL Server administrator should verify that the nested triggers option on the server is turned on before the WSUS administrator installs WSUS and specifies the database during setup.
WSUS Setup turns on the RECURSIVE_TRIGGERS option, which is a database-specific option; however, it does not turn on the nested triggers option, which is a server global option.
To see if nested triggers are on, use the following:
sp_configure 'nested triggers'
To turn on the nested triggers option in SQL Server, run the following from a batch file on the computer running SQL Server:
sp_configure 'nested triggers', 1
GO
RECONFIGURE
GO
Issue 7: WSUS Setup command-line parameters
You can perform unattended installations of WSUS. For more information and command-line parameters, see "Appendix A: Unattended Installation" in
Known Issues
Issue 1: IIS Lockdown Wizard
If you are running Internet Information Services (IIS) on a computer running Windows 2000 Server, install the latest version of IIS Lockdown Wizard (which includes URLScan) from the IIS Lockdown Tool page on Microsoft TechNet. Microsoft strongly recommends that you install this tool to help keep your IIS servers secure. The IIS Lockdown Wizard works by turning off un-needed features of IIS, thereby reducing the security risk exposure.
Note |
---|
WSUS Setup does not install these components. You have to install them manually. You do not need to install IIS Lockdown on computers running Windows Server 2003, because the functionality is built in. |
Issue 2: Changing WSUS configuration directly in the database is not supported
Windows Server Update Services stores its configuration data in a database (either MSDE or SQL Server). However, changing the configuration data by accessing the database directly is not supported. Administrators should not attempt to modify WSUS configuration in this way. The supported way of changing your WSUS configuration is by using the WSUS console or by calling WSUS APIs.
Issue 3: Active scripting must be enabled in order to access the WSUS administration site
On the administrator's workstation, you must configure Internet Explorer to allow active scripting before you can use Internet Explorer to access the WSUS administration site.
Issue 4: IIS will be restarted during WSUS Setup
Windows Server Update Services Setup will restart IIS without notification. This could affect existing Web sites within your organization.
Issue 5: Changing the WSUS or SMS management points (MPs) virtual directory access
By default, the content virtual directory for Windows Server Update Services is set with anonymous access. If you change this setting to require authentication, clients will receive authentication errors and be denied access to download updates. This is a known issue where Winhttp.dll uses the wrong authentication context when implicit authentication is required, so the authentication challenge will fail. To prevent this issue, ensure that the WSUS server and SMS MPs are set up with anonymous access to IIS virtual directories.
Issue 6: When installing WSUS on Windows Small Business Server 2003, the default Web site WSUS vroots’ access settings must be modified to enable WSUS clients to self-update from the server
The WSUS Server installs two vroots, SelfUpdate and ClientWebService, and some files under the home directory of the default Web site (on port 80). This enables clients to self-update through the default Web site. By default, on Windows Small Business Server 2003, the default Web site is configured to deny access to any IP or localhost other than those of the server. This means the SelfUpdate and ClientWebService vroots are denied access and the clients will not self-update. To grant access to the clients to self-update, complete the following steps on the default Web site’s SelfUpdate and ClientWebService vroots.
-
Click the vroot Properties, click Directory Security, click IP address and domain name restrictions, and then click Edit.
-
Select Granted Access, and then click OK. Close all the property pages.
Issue 7: Installing WSUS on Small Business Server - Integration Issues
-
If Windows Small Business Server 2003 uses an ISA proxy server to access the Internet, the following must be entered manually in the Settings user interface: proxy server settings, proxy server name, and port.
-
If ISA is using Windows Authentication, proxy server credentials should be entered in the form "DOMAIN\user" (The user belonging to "Internet Users" group).
Issue 8: When moving a computer from one computer group into another, it may take up to one hour for the computer to appear in the new group as viewed from the administrative console
When a computer is assigned to a target group for the first time, data on the computer is modified with the group information. That data is refreshed periodically or hourly. Therefore, when moving a computer from one computer group to another, it may take up to one hour for that information to refresh on the client and display as changed in the WSUS administrative console.
Issue 9: If you install WSUS on a member server and then want to promote the member server to a domain controller, you should first uninstall WSUS
If you install WSUS on a member server and then want to promote the member server to a domain controller, you will need to take the following steps:
-
Uninstall WSUS.
-
Promote the server to a domain controller.
-
Reinstall WSUS.
Issue 10: If you want to demote a WSUS Server from a domain controller to a member server you should first uninstall WSUS
If you’re running WSUS Server on a domain controller and want to demote the domain controller to a member server, you will need to complete the following steps:
-
Uninstall WSUS and retain the database.
-
Create a user account called ASPNET.
-
At the command prompt, type aspnet_regiis -i.
-
Reinstall WSUS and use the retained database.
Issue 11: If .NET Framework 1.0 or 2.0 is installed after WSUS is installed, the WSUS administrative console will not appear
This is caused by the fact that.NET Framework 1.0 is registered with IIS and that WSUS Server requires.NET Framework 1.1. To resolve this issue, open aspnet_regiis.exe and run the following commands, where website id is the value contained in the following registry key:
HKLM\Software\Microsoft\WindowsUpdateServices\Server\Setup\IISTargetWebsiteIndex
-
%windir%\Microsoft.NET\Framework\v1.1.4322\\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ReportingWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ClientWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\SimpleAuthWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\WSUSAdmin
-
%windir%\Microsoft.NET\Framework\v1.1.4322\\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\AdministrationWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\ServrSyncWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\DssAuthWebService
-
%windir%\Microsoft.NET\Framework\v1.1.4322\\aspnet_regiis.exe -s W3SVC\<website id>\ROOT\Content
Issue 12: Remote SQL limitations
WSUS offers limited support for running database software on a computer separate from the computer with the rest of the WSUS application.
-
You cannot use Windows 2000 Server as the front-end computer in a remote SQL pair.
-
You cannot use a server configured as a domain controller for either the front-end or the back-end of the remote SQL pair.
-
You cannot use WMSDE or MSDE for database software on the back-end computer.
-
Set up of a remote SQL Server (to use as the WSUS database) fails if Terminal Services is installed on the remote server and is running in application mode. When installing SQL Server to a Terminal Services server, you must do the following:
-
Before running setup, open a command prompt and type: "change user /install"
-
Run SQL Server Setup.
-
After running setup, at the command prompt type: "change user /execute"
-
Before running setup, open a command prompt and type: "change user /install"
-
You must be a member of the local administrators security group on both the front-end and back-end computer to set up the remote SQL Server WSUS database.
-
For more information about remote SQL issues, see "Appendix C: Remote SQL" in
Deploying Microsoft Windows Server Update Services .
Issue 13: A replica downstream server may have fewer approvals than the parent upstream server
A replica downstream server may have fewer approvals than the parent upstream server. This is because installation approvals do not flow to a downstream server until the content finishes downloading on the upstream server.
Issue 14: Retry synchronization upon initial synchronization failure
If synchronization fails, your first course of troubleshooting action should be to try to synchronize the server again. If subsequent synchronizations fail, use the troubleshooting information in the WSUS Operations Guide.
Issue 15: When you try to access the WSUS Administration console, a System.IO.FileNotFoundException error message appears
If you get the following error message, you may need to adjust permissions on the Network Service or ASP.NET accounts:
System.IO.FileNotFoundException: File or Assembly name xxxxxx.dll, or one of its dependencies, was not found
Where xxxx is a random name.
To resolve this issue in Windows Server 20003 operating systems, grant the Network Service account read/write access to %systemroot%\Temp. In Windows 2000 Server, grant the ASP.NET account read/write access to %systemroot%\Temp.
Issue 16: SQL Security Update MS03-031 (KB815495)
This update may show as installed on the WSUS server even though the installation actually failed on the client. This can cause the package to be reoffered to the client. You can workaround this issue by unapproving the update on the server.
Issue 17: IIS settings are lost during RTM upgrade.
If you install WSUS RTM on a server with a previous version of WSUS (for example, RC), WSUS RTM will uninstall the earlier version and then install the new version. This means that vroots and files associated with WSUS in IIS will be deleted.
If you installed WSUS on the default Web site, you will lose any WSUS-related settings you have made to the WSUS vroots. For example, if you have configured the WSUS vroots for SSL in order to secure WSUS, you will need to configure them again after you install the RTM version of WSUS. Note: you will receive a notification on the WSUS console that SSL is not enabled.
If you had installed WSUS on a Web site other than the Default Web site, then all the additional settings at the WSUS Web site level are lost.
Issue 18: Using host headers
If you want to assign host header values to the default Web site (WSUS Web site) in IIS, you need to add “All Unassigned” or an assigned IP address to the list of IP addresses without host header value to the default Web site. This should also be added to the non-default Web site
Warning: This might break Microsoft SharePoint and Exchange functionality.
Issue 19: WSUS console URL needs to be added to the list of Trusted sites and Local intranet Web content zones on computers on which Internet Explorer hardening is enabled
If you have Internet Explorer hardening (also known as the Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component) enabled on a computer and you do not add the WSUS console to the Trusted sites and Local intranet Web content zones, you will be prompted for user credentials every time you open a page in the WSUS console.
To add the WSUS console to the Local intranet and Trusted sites Web content zones:
-
Open Internet Options (for example, click Start, point to Control Panel, and then click Internet Options).
-
On the Security tab, click Local intranet, click Sites, click Advanced, add the URL (http://WSUSServername/WSUSAdmin), and then click OK.
-
Click Trusted sites, click Sites, add the WSUS console URL, click OK, and then click OK again to exit Internet Options.
Copyright
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2006 Microsoft Corporation. All rights reserved.
Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.