FAQ: WSUS and Unified Update Platform (UUP) on premises

Microsoft

Unified Update Platform (UUP) on-premises servicing is almost here! If you're a Windows Server Update Services (WSUS) user, we are sure you have some questions. We hope that you find this FAQ useful, and we will update it periodically. If you have a question not represented here, please leave a comment below.

What versions of WSUS are supported to receive UUP-style updates?

Windows Server 2012 and later versions of WSUS are able to get UUP-style updates. Please consider moving to a supported version if yours is not.

How do I make sure I have the correct MIME type configuration?

In order for UUP on premises to work with your current WSUS infrastructure, you need a specific MIME type configuration. Installing the update for KB5022286 (for Windows Server 2019) and KB5022291 (for Windows Server 2022) will automatically add support for .wim and .msu file types, which are required with UUP updates. If your WSUS server already had these configured elsewhere, you will see the following failure message:

Cannot add duplicate collection entry of type 'mimeMap' with unique key attribute 'fileExtension' set to '.wim'.

To work around this issue, you can use one of the following two solutions.

  1. Locate the .config file that adds the MIME type and insert the line <remove fileExtension=".wim" /> above it, so that the MIME type registered higher up in the hierarchy is removed first. The remove element is harmless even if no .wim MIME type exists at a higher level.
  2. Alternatively, remove the conflicting MIME type from the higher level (in this case, remove .wim at the server level). This can be done with either the UI (inetmgr) or the CLI (appcmd or PowerShell).

Read more about the manual and PowerShell steps in Adding file types for Unified Update Platform on premises.
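Before choosing between the two workarounds, it helps to know where each MIME map is actually declared. The following script is an added example, not part of the Microsoft FAQ or the KB: it reports whether .wim and .msu are mapped at the server level (applicationHost.config) and in the WSUS site's own web.config, and flags the combination that produces the duplicate-entry error. It assumes the WebAdministration module and the default WSUS site name "WSUS Administration".

```powershell
# Added example (not from the FAQ): locate .wim/.msu mimeMap entries in the IIS
# configuration hierarchy so the right workaround can be chosen.
# Assumptions: WebAdministration module available; WSUS site is named
# 'WSUS Administration' (the default).
Import-Module WebAdministration

$SiteName   = 'WSUS Administration'
$Extensions = @('.wim', '.msu')

function Get-MimeMapOrigin {
    param([string]$Extension)

    $filter = "system.webServer/staticContent/mimeMap[@fileExtension='$Extension']"

    # Server level (applicationHost.config): this is what workaround 2 removes.
    $server = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter

    # Site level: read the site's own web.config as XML instead of asking IIS for the
    # effective configuration, so inherited entries are not mistaken for local ones.
    $physical   = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $SiteName).PhysicalPath)
    $configPath = Join-Path -Path $physical -ChildPath 'web.config'
    $localCount = 0
    if (Test-Path -Path $configPath) {
        [xml]$xml   = Get-Content -Path $configPath -Raw
        $localCount = $xml.SelectNodes("//system.webServer/staticContent/mimeMap[@fileExtension='$Extension']").Count
    }

    [pscustomobject]@{
        Extension      = $Extension
        ServerLevel    = ($null -ne $server)
        ServerMimeType = if ($null -ne $server) { $server.mimeType } else { $null }
        SiteWebConfig  = ($localCount -gt 0)
        # Defined in both places: IIS raises the duplicate 'mimeMap' error for the site.
        Conflict       = (($null -ne $server) -and ($localCount -gt 0))
    }
}

$report = $Extensions | ForEach-Object { Get-MimeMapOrigin -Extension $_ }
$report | Format-Table -AutoSize

foreach ($row in ($report | Where-Object Conflict)) {
    Write-Warning ('{0} is mapped both in applicationHost.config and in the site web.config; ' +
                   'add <remove fileExtension="{0}" /> above the site entry (workaround 1) ' +
                   'or remove the server-level map (workaround 2).' -f $row.Extension)
}
```

If you go with workaround 2, the server-level entry can be removed with `Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/staticContent' -Name '.' -AtElement @{fileExtension='.wim'}`; run the report again afterwards to confirm only one definition remains.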

If my WSUS is behind a firewall, what settings should I apply?

Is your WSUS not getting updates? It can happen if there's a corporate firewall between WSUS and the internet. In that case, configure that firewall to ensure that WSUS can get updates.

See guidance to configure your firewall to allow your WSUS servers to connect to Microsoft domains on the internet. There, you'll find the full and recently updated list of domains to support UUP on premises. Note that we've recently added the following domains:

  • http://*.delivery.mp.microsoft.com
  • https://*.delivery.mp.microsoft.com

How can I configure automatic approval rules for UUP updates?

WSUS supports creating automatic approval rules based on the update-specific classification (for example, security) or product (for example, Windows 11). Any existing auto approvals will just work for UUP updates.

See what it looks like to configure automatic approvals in the WSUS Administration Console. Follow the path to Update Services > Options > Automatic Approvals.

The Automatic Approvals dialog box opened from under Options for Update Services in the WSUS Administration Console.

Configure automatic approvals in the Advanced tab by checking all of the boxes, as illustrated.

All boxes are checked in the Advanced tab of the Automatic Approvals dialog box.

Find detailed instructions in Configure auto-approval rules.
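Since the FAQ relies on existing rules "just working" for UUP updates, it is worth confirming that an enabled rule actually covers the Security Updates classification before March 28th. This script is an added example, not Microsoft's code: it lists every automatic approval rule with its classifications, products and target groups using the WSUS administration API returned by Get-WsusServer (UpdateServices module on the WSUS server).

```powershell
# Added example (not from the FAQ): enumerate automatic approval rules and warn
# when none of the enabled rules approves the "Security Updates" classification.
# Assumes the UpdateServices module on the WSUS server (Get-WsusServer returns
# an IUpdateServer from Microsoft.UpdateServices.Administration).
Import-Module UpdateServices

$wsus = Get-WsusServer   # local server, default port

$rules = $wsus.GetInstallApprovalRules() | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        Enabled         = $_.Enabled
        Classifications = ($_.GetUpdateClassifications() | ForEach-Object Title) -join ', '
        Products        = ($_.GetCategories() | ForEach-Object Title) -join ', '
        TargetGroups    = ($_.GetComputerTargetGroups() | ForEach-Object Name) -join ', '
    }
}

$rules | Format-Table -AutoSize

# UUP updates are published as security updates, so an enabled rule must include that classification.
$coversSecurity = $rules | Where-Object { $_.Enabled -and $_.Classifications -match 'Security Updates' }
if (-not $coversSecurity) {
    Write-Warning 'No enabled rule approves the "Security Updates" classification; UUP updates will wait for manual approval.'
}
```

The check only looks at classifications; if your rules are scoped to specific products or target groups, read the Products and TargetGroups columns as well to make sure Windows 11 clients are covered.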

What is the file size of the first UUP update?

Distribution points. Your distribution points will undergo a one-time 10 GB download on March 28th, 2023. This new, one-time UUP update will be published as a security update and will have the same payload as KB5023706 published on March 14th. In other words, the March 28th update will supersede the earlier update. It will not contain any additional security fixes.

Endpoint clients. If your endpoint clients were successfully updated on March 14th, they will not download anything until the following month's update, and that update will be smaller than before. Only the parts of the update that differ are downloaded and applied on the client.

How do I manage superseded updates on March 28th?

(Updated: 4.3.2023)

The March 28th update will supersede your regular security update installed on or after March 14th (KB5023706). 

Note: Superseded updates are recommended for new features but are not required in WSUS for a client to install a newer update.

Make sure quality updates remain in your environment until most, if not all, of your PCs have installed a more recent quality update. If needed, modify maintenance tasks that remove superseded updates.

  • For details on how to manage superseded updates in WSUS, see The Server cleanup Wizard.
  • For guidance on approving, declining, cleaning up, and reinstalling updates, including superseded updates, visit Updates Operations.
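One concrete way to decide whether a cleanup task is safe to run: list approved security updates that are already superseded but still reported as Needed by at least one computer. The script below is an added example, not part of the FAQ; it uses Get-WsusUpdate from the UpdateServices module, and the ComputersNeedingThisUpdate property name is taken from that cmdlet's output object.

```powershell
# Added example (not from the FAQ): find superseded security updates that some
# client still needs, so they are not declined or removed prematurely.
# Assumes the UpdateServices module on the WSUS server; $_.Update is the
# underlying IUpdate object and IsSuperseded is its documented property.
Import-Module UpdateServices

$stillNeeded = Get-WsusUpdate -Classification Security -Approval Approved -Status Needed |
    Where-Object { $_.Update.IsSuperseded } |
    ForEach-Object {
        [pscustomobject]@{
            Title   = $_.Update.Title
            KB      = ($_.Update.KnowledgebaseArticles -join ', ')
            Needed  = $_.ComputersNeedingThisUpdate
            Arrival = $_.Update.ArrivalDate
        }
    }

if ($stillNeeded) {
    $stillNeeded | Sort-Object -Property Needed -Descending | Format-Table -AutoSize
    Write-Warning ('{0} superseded security update(s) are still needed; keep them approved until the newer update is installed.' -f @($stillNeeded).Count)
} else {
    'No superseded security update is still needed; cleanup can decline superseded updates safely.'
}
```

Run it before the Server Cleanup Wizard or any scheduled decline job; an empty result is the signal that the March 14th update can be retired.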

What is required to support Microsoft Connected Cache?

In order to use Microsoft Connected Cache with these updates, make sure WSUS is updated with KB5003217, otherwise known as the 2021.05 non-security update.

Do the following to meet the prerequisites for Microsoft Connected Cache and redirect downloads back to CDNs (content delivery networks):

  1. Enable local download on the WSUS server.
  2. From an elevated (administrator) PowerShell session, run:

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup" /v ReturnMuUrlForUpdates /d 1 /t REG_DWORD /f
    iisreset
    Restart-Service *Wsus* -v

  3. Approve an update. Note: WSUS with the above configuration will always download content locally when an update is approved. However, the client will get the Microsoft Connected Cache URL. This configuration is particularly useful when Microsoft System Center Configuration Manager (SCCM) is used and WSUS has local downloads enabled.
  4. Scan a client, and check the Windows Update logs for the URL of the update files. It will point to Microsoft download endpoints instead of your local WSUS server.
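The following script is an added example, not part of the FAQ: it verifies the three prerequisites above on the WSUS server (KB5003217 present, local download enabled, ReturnMuUrlForUpdates set) before you approve an update. It assumes the UpdateServices module; HostBinariesOnMicrosoftUpdate is the WSUS API property behind the console's local-storage option, and a value of false means update files are stored locally.

```powershell
# Added example (not from the FAQ): check Microsoft Connected Cache prerequisites.
# Assumptions: UpdateServices module on the WSUS server; Get-HotFix can see
# KB5003217 only on Windows Server versions the KB applies to.
Import-Module UpdateServices

$results = [ordered]@{}

# 1. The 2021.05 non-security update (KB5003217)
$results['KB5003217 installed'] = [bool](Get-HotFix -Id KB5003217 -ErrorAction SilentlyContinue)

# 2. Local download: HostBinariesOnMicrosoftUpdate = $false means WSUS stores update files locally
$config = (Get-WsusServer).GetConfiguration()
$results['Local download enabled'] = -not $config.HostBinariesOnMicrosoftUpdate

# 3. The registry value set in step 2 of the procedure
$key   = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$value = (Get-ItemProperty -Path $key -Name ReturnMuUrlForUpdates -ErrorAction SilentlyContinue).ReturnMuUrlForUpdates
$results['ReturnMuUrlForUpdates = 1'] = ($value -eq 1)

$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

if ($results.Values -contains $false) {
    Write-Warning 'One or more prerequisites are missing; clients will keep downloading from the WSUS server instead of Connected Cache / CDN URLs.'
}
```

After the check passes and an update is approved, step 4 above (inspecting the Windows Update log on a client for the download URL) confirms the redirection end to end.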

You can configure bandwidth throttling for downloads from WSUS to your devices that use Delivery Optimization. Leverage its peer-to-peer capabilities for additional bandwidth savings. Learn more at Delivery Optimization.

What are some security best practices for using WSUS?

To provide additional protection from potential malware attacks, we recommend using HTTPS with WSUS. See Security best practices for Windows Server Update Services (WSUS) for steps to protect your server.

You should also monitor who is a member of the WSUS security groups, such as the administrators and reports groups, and make sure that only people who need access have it.

To add a user to the WSUS Administrators group, follow these steps:

  1. On the WSUS server, click Start > Administrative Tools > Computer Management.
  2. From the expanded Local Users and Groups view, select Groups > WSUS Administrators.
  3. In the WSUS Administrators Properties dialog box, click Add.
  4. In the Enter the object names to select (examples) box, type the object name, and then click OK.
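The two recommendations in this section (HTTPS and group membership) can be audited from PowerShell rather than clicked through. This script is an added example, not Microsoft's: it reports whether the "WSUS Administration" IIS site has an HTTPS binding and lists the members of the WSUS local groups. It assumes the WebAdministration module, the default site name, and the group names "WSUS Administrators" (from the steps above) and "WSUS Reporters".

```powershell
# Added example (not from the FAQ): audit HTTPS binding and WSUS group membership.
# Assumptions: WebAdministration module; site 'WSUS Administration'; local groups
# 'WSUS Administrators' and 'WSUS Reporters'; Get-LocalGroupMember (PowerShell 5.1+).
Import-Module WebAdministration

$SiteName = 'WSUS Administration'
$Groups   = @('WSUS Administrators', 'WSUS Reporters')

# HTTPS binding check (8531 is the default WSUS SSL port when HTTPS is configured)
$https = Get-WebBinding -Name $SiteName -Protocol https
if ($https) {
    "HTTPS binding(s) on '$SiteName': " + (($https | ForEach-Object bindingInformation) -join ', ')
} else {
    Write-Warning "'$SiteName' has no HTTPS binding; clients and downstream servers talk to it over plain HTTP."
}

# Group membership: review each entry against the list of people who should have access
foreach ($group in $Groups) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    "`n$group ($(@($members).Count) member(s))"
    $members | ForEach-Object { '  {0,-12} {1}' -f $_.ObjectClass, $_.Name }
}
```

Nested domain groups show up with ObjectClass Group; expand those in Active Directory as well, since their members inherit WSUS administration rights.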

Does UUP on-premises servicing change how Dynamic Update works?

Yes, there are several changes. When a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. With UUP on-premises servicing, there are several changes around publishing Dynamic Update to WSUS and to the Microsoft Update Catalog.

Publishing Dynamic Update to WSUS

In the event of a failure to connect to Microsoft, the fallback to WSUS for Dynamic Update content acquisition is no longer supported.

If you are using setupconfig.ini to configure a UUP-based feature update, the only applicable Dynamic Update parameter is /DynamicUpdate NoDrivers. The reason is the other relevant Dynamic Update packages are automatically included within the approved feature update. If you are configuring Dynamic Update using Setup.exe for a media-based feature update, Setup.exe will continue to connect to Microsoft to fetch Dynamic Update content. It then applies those updates to the operating system installation media.

Publishing Dynamic Update to the Microsoft Update Catalog

Three changes have been made to the publishing of Dynamic Update to the Microsoft Update Catalog.

Dynamic Update content will continue to be published to the Microsoft Update Catalog. However, you'll no longer be able to import these updates into WSUS for the purpose of Dynamic Update fallback. This option is no longer supported with UUP on-premises servicing.

You can now easily search for the update title, product, and description for safe OS, setup update, and Servicing Stack Update (if it is published separately from the Cumulative Update). For example:

  • YYYY-MM Safe OS Dynamic Update for Windows 11, version 22H2 for x64-based systems (KB…)
  • YYYY-MM Setup Dynamic Update for Windows 11, version 22H2 for x64-based systems (KB…)
  • YYYY-MM Servicing Stack Update for Windows 11, version 22H2 for x64-based systems (KB…)

Finally, the Cumulative Update will be published to the Microsoft Update Catalog as an MSU file only. What does this mean for you?

  • The CAB format of the update will no longer be published.
  • If you are using DISM to perform the online installation of CAB-based Cumulative Update, you should change your code to perform the online installation using the MSU.
  • The inner CAB (within the MSU) is not standalone and will fail to install.

Don't fret! Online installation of the MSU has been supported starting with Windows 11, version 21H2. Consult DISM Operating System Package (.cab or .msu) Servicing Command-Line Options for details.
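As an added example (not from the FAQ), here is the online-installation step before and after the change above, using the DISM PowerShell cmdlet Add-WindowsPackage, which accepts .msu as well as .cab. The package file names are placeholders; the check on the extension exists because the inner CAB extracted from an MSU is not standalone, as noted above.

```powershell
# Added example (not from the FAQ): install the Cumulative Update online from the MSU.
# Package paths are placeholders.

# Before (CAB is no longer published for the Cumulative Update):
#   Add-WindowsPackage -Online -PackagePath 'C:\Updates\PLACEHOLDER-cu.cab'

# After: take the MSU as published to the Microsoft Update Catalog
$packagePath = 'C:\Updates\PLACEHOLDER-cu.msu'

# Guard against scripts that still hand over the inner CAB, which will fail to install.
if ([IO.Path]::GetExtension($packagePath) -ne '.msu') {
    throw "Expected an .msu package for the Cumulative Update, got '$packagePath'"
}
if (-not (Test-Path -Path $packagePath)) {
    throw "Package not found: $packagePath"
}

Add-WindowsPackage -Online -PackagePath $packagePath -NoRestart -LogPath "$env:TEMP\dism-cu.log"
```

The equivalent command-line form is `DISM /Online /Add-Package /PackagePath:<file>.msu`; either way, the MSU path, not the CAB inside it, is what you pass.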

Other helpful resources

If your concern isn't listed, please check out the following resources and leave us a comment below.


8 Replies

@Paul_Reed 

Thank you for sharing!

 "make sure WSUS is updated with KB5003217"
That is the update for Server 2019. Does that mean that WSUS on 2016 won't work?!

Hi @chavadar71 - KB5003217 is to enable Microsoft Connected Cache, which is supported on WSUS running on Windows Server 2019 and newer. Microsoft Connected Cache is unrelated to UUP update technology. UUP updates are supported with WSUS running on Windows Server 2012 and newer. In order to enable UUP updates to function properly you need to enable the MIME types referenced in the FAQ above. We do have a KB available for Windows Server 2016 and that KB is KB5022838. That will automatically add the MIME types to Windows Server 2016. For Windows Server 2012 you can manually add the MIME file types as documented https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/...
Are there any plans to extend support for using UUP to deploy updates for other MS operating systems for those of us running on-premise installations of WSUS?

@aimutch Thank you for your question. At this time we do not have any additional information to share.

@Paul_Reed Thanks for the follow-up. I guess we'll have to wait and see. The rollout today went smoothly and we're already seeing Windows 11 clients updating using the new arrangement. I can't say yet whether it's faster but it's working so that by itself is a success. 

Two other small but important items:
1. The FAQ doesn't specifically say that KB5022838 addresses the MIME configuration on Server 2016, something you noted in one of your responses here. Spelling that out, as was done for Server 2019 and Server 2022, might avoid confusion for those of us still on Server 2016. In our case, it saved us a step as those were already configured by that update. 

2. Will the problem of the WSUS console not properly reporting Windows 11 devices as running the Windows 11 operating system ever get addressed? I know there's a third party product that addresses that but I would think that particular glitch/deficiency in WSUS would be something that Microsoft could fix for those of us managing environments with clients running various versions of Windows. 

Hi @aimutch

1. That was an oversight on my part. I have talked to my editor about getting the main blog updated, or whether or not we will use this thread as kind of a running Q&A section.

2. We understand why the issue is occurring, but I don't have any update that I can share at this time.
Does it mean we cannot clean up superseded updates for Windows 11 from SCCM/WSUS?

Considering that the monthly UUP updates only contain updated content, and the UUP update from the previous month contains the rest: in an enterprise environment it's hard to ensure 100% patching compliance, so there are always some clients missing the previous patches, and we will never be able to clean up previous UUP updates.