Mar 20 2023 10:58 AM - edited Apr 03 2023 03:56 PM
Mar 20 2023 10:58 AM - edited Apr 03 2023 03:56 PM
Unified Update Platform (UUP) on-premises servicing is almost here! If you're a Windows Server Update Services (WSUS) user, we are sure you have some questions. We hope that you find this FAQ useful, and we will update it periodically. If you have a question not represented here, please leave a comment below.
Windows Server 2012 and later versions of WSUS are able to get UUP-style updates. Please consider moving to a supported version if yours is not.
In order for UUP on premises to work with your current WSUS infrastructure, you need a specific MIME type configuration. Installing the update for KB5022286 (for Windows Server 2019) and KB5022291 (for Windows Server 2022) will automatically add support for .wim and .msu file types, which are required with UUP updates. If your WSUS server already had these configured elsewhere, you will see the following failure message:
Cannot add duplicate collection entry of type 'mimeMap' with unique key attribute 'fileExtension' set to '.wim'.
To work around this issue, you can use one of the following two solutions.
Read more about the manual and PowerShell steps in Adding file types for Unified Update Platform on premises.
Is your WSUS not getting updates? It can happen if there's a corporate firewall between WSUS and the internet. In that case, configure that firewall to ensure that WSUS can get updates.
See guidance to configure your firewall to allow your WSUS servers to connect to Microsoft domains on the internet. There, you'll find the full and recently updated list of domains to support UUP on premises. Note that we've recently added the following domains:
WSUS supports creating automatic approval rules based on the update-specific classification (for example, security) or product (for example, Windows 11). Any existing auto approvals will just work for UUP updates.
See what it looks like to configure automatic approvals in the WSUS Administration Console. Follow the path to Update Services > Options > Automatic Approvals.
The Automatic Approvals dialog box opened from under Options for Update Services in the WSUS Administration Console.
Configure automatic approvals in the Advanced tab by checking all of the boxes, as illustrated.
All boxes are checked in the Advanced tab of the Automatic Approvals dialog box.
Find detailed instructions in Configure auto-approval rules.
Distribution points. Your distribution points will undergo a one-time 10GB download on March 28th, 2023. This new, one-time UUP update will be published as a security update and will have the same payload as KB5023706 published on March 14th. In other words, the March 28th update will supersede the earlier update. It will not contain any additional security fixes.
Endpoint clients. If your endpoint clients were successfully updated on March 14th, they will not receive any downloads until the following month's update and will be smaller than before. Only updates that have differences will be updated on the client.
The March 28th update will supersede your regular security update installed on or after March 14th (KB5023706).
Note: Superseded updates are recommended for new features but are not required in WSUS for a client to install a newer update.
Make sure quality updates remain in your environment until most, if not all, of your PCs have installed a more recent quality update. If needed, modify maintenance tasks that remove superseded updates.
In order to use Microsoft Connected Cache with these updates, make sure WSUS is updated with KB5003217, otherwise known as the 2021.05 non-security update.
Do the following to meet prerequisites for Microsoft Connected Cache and redirect downloads back to CDNs (content delivery networks):
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup" /v ReturnMuUrlForUpdates /d 1 /t REG_DWORD /f iisreset Restart-Service *Wsus* -v
You can configure bandwidth throttling for downloads from WSUS to your devices that use Delivery Optimization. Leverage its peer-to-peer capabilities for additional bandwidth savings. Learn more at Delivery Optimization.
To provide additional protection from potential malware attacks, we recommend using HTTPS with WSUS. See Security best practices for Windows Server Update Services (WSUS) for steps to protect your server.
You should also monitor who has access to different security groups such as the administrators and reports group. Make sure that you give access to people who should have access.
To add a user to the WSUS Administrators group, follow these steps:
Yes, there are several changes. When Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. With UUP on-premises servicing, there are several changes around publishing Dynamic Update to WSUS and to the Microsoft Update Catalog.
In the event of a failure to connect to Microsoft, the fallback to WSUS for Dynamic Update content acquisition is no longer supported.
If you are using setupconfig.ini to configure a UUP-based feature update, the only applicable Dynamic Update parameter is /DynamicUpdate NoDrivers. The reason is the other relevant Dynamic Update packages are automatically included within the approved feature update. If you are configuring Dynamic Update using Setup.exe for a media-based feature update, Setup.exe will continue to connect to Microsoft to fetch Dynamic Update content. It then applies those updates to the operating system installation media.
Three changes have been made to the publishing of Dynamic Update to the Microsoft Update Catalog.
Dynamic Update content will continue to be published to the Microsoft Update Catalog. However, you'll no longer be able to import these updates into WSUS for the purpose of Dynamic Update fallback. This option is no longer supported with UUP on-premises servicing.
You can now easily search for the update title, product, and description for safe OS, setup update, and Servicing Stack Update (if it is published separately from the Cumulative Update). For example:
Finally, the Cumulative Update will be published to the Microsoft Update Catalog as an MSU file only. What does this mean for you?
Don't fret! Online installation of the MSU has been supported starting with Windows 11, version 21H2. Consult DISM Operating System Package (.cab or .msu) Servicing Command-Line Options for details.
If your concern isn't listed, please check out the following resources and leave us a comment below.
Mar 20 2023 11:53 AM
Thank you for sharing!
Mar 23 2023 06:23 AM
"make sure WSUS is updated with KB5003217"
That is update for Server 2019. Does that mean that wsus on 2016 won't work?!
Mar 23 2023 03:51 PM
Mar 27 2023 10:10 PM
Mar 28 2023 12:10 PM
@aimutch Thank you for your question. At this time we do not have any additional information to share.
Mar 28 2023 08:23 PM
@Paul_Reed Thanks for the follow-up. I guess we'll have to wait and see. The rollout today went smoothly and we're already seeing Windows 11 clients updating using the new arrangement. I can't say yet whether it's faster but it's working so that by itself is a success.
Two other small but important items:
1. The FAQ doesn't specifically say that KB5022838 addresses the MIME configuration on Server 2016, something you noted in one of your responses here. Spelling that out, as was done for Server 2019 and Server 2022, might avoid confusion for those of us still on Server 2016. In our case, it saved us a step as those were already configured by that update.
2. Will the problem of the WSUS console not properly reporting Windows 11 devices as running the Windows 11 operating system ever get addressed? I know there's a third party product that addresses that but I would think that particular glitch/deficiency in WSUS would be something that Microsoft could fix for those of us managing environments with clients running various versions of Windows.
Mar 29 2023 11:00 AM