Unified Update Platform (UUP) on-premises servicing is almost here! If you're a Windows Server Update Services (WSUS) user, we are sure you have some questions. We hope that you find this FAQ useful, and we will update it periodically. If you have a question not represented here, please leave a comment below.

What versions of WSUS are supported to receive UUP-style updates?

Windows Server 2012 and later versions of WSUS are able to get UUP-style updates. Please consider moving to a supported version if yours is not.

How do I make sure I have the correct MIME type configuration?

In order for UUP on premises to work with your current WSUS infrastructure, you need a specific MIME type configuration. Installing the update for KB5022286 (for Windows Server 2019) and KB5022291 (for Windows Server 2022) will automatically add support for .wim and .msu file types, which are required with UUP updates. If your WSUS server already had these configured elsewhere, you will see the following failure message:

Cannot add duplicate collection entry of type 'mimeMap' with unique key attribute 'fileExtension' set to '.wim'.

To work around this issue, you can use one of the following two solutions.

1. Locate the .config file that is adding the MIME type and add the <remove fileExtension=".wim" /> line above it to remove the MIME type registered higher up in the hierarchy. The remove should be fine even if .wim MIME type does not exist at a higher level.
2. The other workaround is to remove the conflicting MIME type from the higher level (i.e., remove .wim from the server level in this case). This can be done with either UI (inetmgr) or CLI (appcmd/powershell).

Read more about the manual and PowerShell steps in Adding file types for Unified Update Platform on premises.

If my WSUS is behind a firewall, what settings should I apply?

Is your WSUS not getting updates? It can happen if there's a corporate firewall between WSUS and the internet. In that case, configure that firewall to ensure that WSUS can get updates.

See guidance to configure your firewall to allow your WSUS servers to connect to Microsoft domains on the internet. There, you'll find the full and recently updated list of domains to support UUP on premises. Note that we've recently added the following domains:

• http://*.delivery.mp.microsoft.com
• https://*.delivery.mp.microsoft.com

How can I configure automatic approval rules for UUP updates?

WSUS supports creating automatic approval rules based on the update-specific classification (for example, security) or product (for example, Windows 11). Any existing auto approvals will just work for UUP updates.

See what it looks like to configure automatic approvals in the WSUS Administration Console. Follow the path to Update Services > Options > Automatic Approvals.

The Automatic Approvals dialog box opened from under Options for Update Services in the WSUS Administration Console

The Automatic Approvals dialog box opened from under Options for Update Services in the WSUS Administration Console.

Configure automatic approvals in the Advanced tab by checking all of the boxes, as illustrated.

All boxes are checked in the Advanced tab of the Automatic Approvals dialog box

All boxes are checked in the Advanced tab of the Automatic Approvals dialog box.

Find detailed instructions in Configure auto-approval rules.

What is the file size of the first UUP update?

Distribution points. Your distribution points will undergo a one-time 10GB download on March 28th, 2023. This new, one-time UUP update will be published as a security update and will have the same payload as KB5023706 published on March 14th. In other words, the March 28th update will supersede the earlier update. It will not contain any additional security fixes.

Endpoint clients. If your endpoint clients were successfully updated on March 14th, they will not receive any downloads until the following month's update and will be smaller than before. Only updates that have differences will be updated on the client.

How do I manage superseded updates on March 28th?

(Updated: 4.3.2023)

The March 28th update will supersede your regular security update installed on or after March 14th (KB5023706). 

Note: Superseded updates are recommended for new features but are not required in WSUS for a client to install a newer update.

Make sure quality updates remain in your environment until most, if not all, of your PCs have installed a more recent quality update. If needed, modify maintenance tasks that remove superseded updates.

• For details on how to manage superseded updates in WSUS, see The Server cleanup Wizard.
• For guidance on approving, declining, cleaning up, and reinstalling updates, including superseded updates, visit Updates Operations.

What is required to support Microsoft Connected Cache?

In order to use Microsoft Connected Cache with these updates, make sure WSUS is updated with KB5003217, otherwise known as the 2021.05 non-security update.

Do the following to meet prerequisites for Microsoft Connected Cache and redirect downloads back to CDNs (content delivery networks):

1. Enable local download on WSUS server.
2. Use admin PowerShell to:
   
   

   reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup" /v ReturnMuUrlForUpdates /d 1 /t REG_DWORD /f
   iisreset
   Restart-Service *Wsus* -v​

3. Approve an update. Note: WSUS with the above configuration will always download content locally when an update is approved. However, the client will get the Microsoft Connected Cache URL. This configuration is particularly useful for the case when Microsoft System Center Configuration Manager (SCCM) is used and WSUS has local downloads enabled.
4. Scan a client, check Windows Update logs for the URL of update files. It will point to Microsoft download endpoints instead of your local WSUS server.

You can configure bandwidth throttling for downloads from WSUS to your devices that use Delivery Optimization. Leverage its peer-to-peer capabilities for additional bandwidth savings. Learn more at Delivery Optimization.

What are some security best practices for using WSUS?

To provide additional protection from potential malware attacks, we recommend using HTTPS with WSUS. See Security best practices for Windows Server Update Services (WSUS) for steps to protect your server.

You should also monitor who has access to different security groups such as the administrators and reports group. Make sure that you give access to people who should have access.

To add a user to the WSUS Administrators group, follow these steps:

1. On the WSUS server, click Start > Administrative Tools > Computer Management.
2. From the expanded Local Users and Groups view, select Groups > WSUS Administrators.
3. In the WSUS Administrators Properties dialog box, click Add.
4. In the Enter the object names to select (examples) box, type the object name, and then click OK.

Does UUP on-premises servicing change how Dynamic Update works?

Yes, there are several changes. When Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. With UUP on-premises servicing, there are several changes around publishing Dynamic Update to WSUS and to the Microsoft Update Catalog.

Publishing Dynamic Update to WSUS

In the event of a failure to connect to Microsoft, the fallback to WSUS for Dynamic Update content acquisition is no longer supported.

If you are using setupconfig.ini to configure a UUP-based feature update, the only applicable Dynamic Update parameter is /DynamicUpdate NoDrivers. The reason is the other relevant Dynamic Update packages are automatically included within the approved feature update. If you are configuring Dynamic Update using Setup.exe for a media-based feature update, Setup.exe will continue to connect to Microsoft to fetch Dynamic Update content. It then applies those updates to the operating system installation media.

Publishing Dynamic Update to the Microsoft Update Catalog

Three changes have been made to the publishing of Dynamic Update to the Microsoft Update Catalog.

Dynamic Update content will continue to be published to the Microsoft Update Catalog. However, you'll no longer be able to import these updates into WSUS for the purpose of Dynamic Update fallback. This option is no longer supported with UUP on-premises servicing.

You can now easily search for the update title, product, and description for safe OS, setup update, and Servicing Stack Update (if it is published separately from the Cumulative Update). For example:

• YYYY-MM Safe OS Dynamic Update for Windows 11, version 22H2 for x64-based systems (KB…)
• YYYY-MM Setup Dynamic Update for Windows 11, version 22H2 for x64-based systems (KB…)
• YYYY-MM Servicing Stack Update for Windows 11, version 22H2 for x64-based systems (KB…)

Finally, the Cumulative Update will be published to the Microsoft Update Catalog as an MSU file only. What does this mean for you?

• The CAB format of the update will no longer be published.
• If you are using DISM to perform the online installation of CAB-based Cumulative Update, you should change your code to perform the online installation using the MSU.
• The inner CAB (within the MSU) is not standalone and will fail to install.

Don't fret! Online installation of the MSU has been supported starting with Windows 11, version 21H2. Consult DISM Operating System Package (.cab or .msu) Servicing Command-Line Options for details.

Other helpful resources

If your concern isn't listed, please check out the following resources and leave us a comment below.

• What's UUP? New update style coming next week!
• UUP on premises updates for Windows 11
• Adding file types for Unified Update Platform on premises