User Profile
Paul_Reed
Microsoft
Joined 7 years ago
Recent Discussions
Help smooth WSUS driver sync deprecation
Do you use Windows Server Update Services (WSUS)? We’ll be ending the synchronization of driver updates via WSUS now that cloud-based driver servicing is available. We want to help ensure a smooth transition for your organization based on your context. Please help us by filling out our brief survey: WSUS Driver Sync Deprecation.

We hope to understand your needs around the following:

How do you use driver update synchronization in your environment?
What’s the impact on your IT infrastructure?
How reasonable is 12 months for you to prepare?

Our proposed deprecation date is December 2024. However, we’d like to get your early thoughts and provide you with a reasonable timeline and support for this change.

For cloud-based driver servicing, see Learn about Windows Driver updates policy for Windows 10 and Windows 11 devices in Intune. For on-premises contexts, you’ll still be able to import and package drivers manually.

Take the WSUS Driver Sync Deprecation survey here. Thank you!

Microsoft respects your privacy. Review our online Microsoft Privacy Statement.

FAQ: WSUS and Unified Update Platform (UUP) on premises
Unified Update Platform (UUP) on-premises servicing is almost here! If you're a Windows Server Update Services (WSUS) user, we are sure you have some questions. We hope that you find this FAQ useful, and we will update it periodically. If you have a question not represented here, please leave a comment below.

What versions of WSUS are supported to receive UUP-style updates?

Windows Server 2012 and later versions of WSUS are able to get UUP-style updates. Please consider moving to a supported version if yours is not.

How do I make sure I have the correct MIME type configuration?

In order for UUP on premises to work with your current WSUS infrastructure, you need a specific MIME type configuration. Installing the update for KB5022286 (for Windows Server 2019) and KB5022291 (for Windows Server 2022) will automatically add support for .wim and .msu file types, which are required with UUP updates. If your WSUS server already had these configured elsewhere, you will see the following failure message:

    Cannot add duplicate collection entry of type 'mimeMap' with unique key attribute 'fileExtension' set to '.wim'.

To work around this issue, you can use one of the following two solutions.

1. Locate the .config file that is adding the MIME type and add the <remove fileExtension=".wim" /> line above it to remove the MIME type registered higher up in the hierarchy. The remove should be fine even if the .wim MIME type does not exist at a higher level.
2. The other workaround is to remove the conflicting MIME type from the higher level (i.e., remove .wim from the server level in this case). This can be done with either the UI (inetmgr) or the CLI (appcmd/PowerShell).

Read more about the manual and PowerShell steps in Adding file types for Unified Update Platform on premises.

If my WSUS is behind a firewall, what settings should I apply?

Is your WSUS not getting updates? It can happen if there's a corporate firewall between WSUS and the internet.
In that case, configure that firewall to ensure that WSUS can get updates. See guidance to configure your firewall to allow your WSUS servers to connect to Microsoft domains on the internet. There, you'll find the full and recently updated list of domains to support UUP on premises. Note that we've recently added the following domains:

    http://*.delivery.mp.microsoft.com
    https://*.delivery.mp.microsoft.com

How can I configure automatic approval rules for UUP updates?

WSUS supports creating automatic approval rules based on the update-specific classification (for example, security) or product (for example, Windows 11). Any existing auto approvals will just work for UUP updates.

See what it looks like to configure automatic approvals in the WSUS Administration Console. Follow the path to Update Services > Options > Automatic Approvals.

[Image: The Automatic Approvals dialog box opened from under Options for Update Services in the WSUS Administration Console.]

Configure automatic approvals in the Advanced tab by checking all of the boxes, as illustrated.

[Image: All boxes are checked in the Advanced tab of the Automatic Approvals dialog box.]

Find detailed instructions in Configure auto-approval rules.

What is the file size of the first UUP update?

Distribution points. Your distribution points will undergo a one-time 10GB download on March 28th, 2023. This new, one-time UUP update will be published as a security update and will have the same payload as KB5023706 published on March 14th. In other words, the March 28th update will supersede the earlier update. It will not contain any additional security fixes.

Endpoint clients. If your endpoint clients were successfully updated on March 14th, they will not receive any downloads until the following month's update, and that update will be smaller than before. Only updates that have differences will be updated on the client.

How do I manage superseded updates on March 28th?
(Updated: 4.3.2023)

The March 28th update will supersede your regular security update installed on or after March 14th (KB5023706).

Note: Superseded updates are recommended for new features but are not required in WSUS for a client to install a newer update.

Make sure quality updates remain in your environment until most, if not all, of your PCs have installed a more recent quality update. If needed, modify maintenance tasks that remove superseded updates. For details on how to manage superseded updates in WSUS, see The Server cleanup Wizard. For guidance on approving, declining, cleaning up, and reinstalling updates, including superseded updates, visit Updates Operations.

What is required to support Microsoft Connected Cache?

In order to use Microsoft Connected Cache with these updates, make sure WSUS is updated with KB5003217, otherwise known as the 2021.05 non-security update.

Do the following to meet prerequisites for Microsoft Connected Cache and redirect downloads back to CDNs (content delivery networks):

1. Enable local download on WSUS server.
2. Use admin PowerShell to:

       reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup" /v ReturnMuUrlForUpdates /d 1 /t REG_DWORD /f
       iisreset
       Restart-Service *Wsus* -v

3. Approve an update.
   Note: WSUS with the above configuration will always download content locally when an update is approved. However, the client will get the Microsoft Connected Cache URL. This configuration is particularly useful for the case when Microsoft System Center Configuration Manager (SCCM) is used and WSUS has local downloads enabled.
4. Scan a client, check Windows Update logs for the URL of update files. It will point to Microsoft download endpoints instead of your local WSUS server.

You can configure bandwidth throttling for downloads from WSUS to your devices that use Delivery Optimization. Leverage its peer-to-peer capabilities for additional bandwidth savings. Learn more at Delivery Optimization.
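One way to do the "scan a client, check Windows Update logs for the URL" check above, as an added example that is not part of the original FAQ: the function pulls every URL out of a set of log lines and labels its host as the local WSUS server, a Microsoft endpoint, or something to review. The sample lines, host names and function name are constructed for illustration, and the suffix list holds only the domain this FAQ names.

```powershell
# Constructed sample lines; they do not reproduce the real Windows Update
# log layout. Only the URLs inside them matter for this check.
$sampleLines = @(
    'DownloadManager file 1 url = "http://wsus01.corp.example:8530/Content/AB/file1.cab"'
    'DownloadManager file 2 url = "https://placeholder.delivery.mp.microsoft.com/files/file2.msu"'
    'DownloadManager file 3 url = "http://mirror.unknown.example/files/file3.msu"'
)

function Get-UpdateDownloadSource {
    param(
        [string[]]$Line,       # log lines to inspect
        [string]$WsusHost,     # host name of your own WSUS server
        # Only the domain named in this FAQ; extend it from the linked
        # firewall guidance. The leading dot stops look-alike host names.
        [string[]]$MicrosoftSuffix = @('.delivery.mp.microsoft.com')
    )
    foreach ($text in $Line) {
        foreach ($m in [regex]::Matches($text, 'https?://[^\s"''<>]+')) {
            $uri = [uri]$m.Value
            $isMicrosoft = @($MicrosoftSuffix | Where-Object {
                $uri.Host.EndsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }).Count -gt 0

            if ($uri.Host -eq $WsusHost) { $source = 'LocalWsus' }
            elseif ($isMicrosoft)        { $source = 'MicrosoftEndpoint' }
            else                         { $source = 'Review' }

            [pscustomobject]@{
                Source = $source
                Scheme = $uri.Scheme
                Host   = $uri.Host
            }
        }
    }
}

# Summarise where the client was told to download from.
Get-UpdateDownloadSource -Line $sampleLines -WsusHost 'wsus01.corp.example' |
    Group-Object Source, Host |
    Select-Object Count, Name
```

With the Connected Cache configuration in place, the expectation from the FAQ is that update file URLs stop showing up as `LocalWsus`; any `Review` host is worth comparing against the firewall domain list.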
What are some security best practices for using WSUS?

To provide additional protection from potential malware attacks, we recommend using HTTPS with WSUS. See Security best practices for Windows Server Update Services (WSUS) for steps to protect your server.

You should also monitor who has access to different security groups such as the administrators and reports group. Make sure that you give access to people who should have access. To add a user to the WSUS Administrators group, follow these steps:

1. On the WSUS server, click Start > Administrative Tools > Computer Management.
2. From the expanded Local Users and Groups view, select Groups > WSUS Administrators.
3. In the WSUS Administrators Properties dialog box, click Add.
4. In the Enter the object names to select (examples) box, type the object name, and then click OK.

Does UUP on-premises servicing change how Dynamic Update works?

Yes, there are several changes. When a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. With UUP on-premises servicing, there are several changes around publishing Dynamic Update to WSUS and to the Microsoft Update Catalog.

Publishing Dynamic Update to WSUS

In the event of a failure to connect to Microsoft, the fallback to WSUS for Dynamic Update content acquisition is no longer supported.

If you are using setupconfig.ini to configure a UUP-based feature update, the only applicable Dynamic Update parameter is /DynamicUpdate NoDrivers. The reason is that the other relevant Dynamic Update packages are automatically included within the approved feature update.

If you are configuring Dynamic Update using Setup.exe for a media-based feature update, Setup.exe will continue to connect to Microsoft to fetch Dynamic Update content.
It then applies those updates to the operating system installation media.

Publishing Dynamic Update to the Microsoft Update Catalog

Three changes have been made to the publishing of Dynamic Update to the Microsoft Update Catalog.

Dynamic Update content will continue to be published to the Microsoft Update Catalog. However, you'll no longer be able to import these updates into WSUS for the purpose of Dynamic Update fallback. This option is no longer supported with UUP on-premises servicing.

You can now easily search for the update title, product, and description for safe OS, setup update, and Servicing Stack Update (if it is published separately from the Cumulative Update). For example:

    YYYY-MM Safe OS Dynamic Update for Windows 11, version 22H2 for x64-based systems (KB…)
    YYYY-MM Setup Dynamic Update for Windows 11, version 22H2 for x64-based systems (KB…)
    YYYY-MM Servicing Stack Update for Windows 11, version 22H2 for x64-based systems (KB…)

Finally, the Cumulative Update will be published to the Microsoft Update Catalog as an MSU file only.

What does this mean for you? The CAB format of the update will no longer be published. If you are using DISM to perform the online installation of CAB-based Cumulative Update, you should change your code to perform the online installation using the MSU. The inner CAB (within the MSU) is not standalone and will fail to install. Don't fret! Online installation of the MSU has been supported starting with Windows 11, version 21H2. Consult DISM Operating System Package (.cab or .msu) Servicing Command-Line Options for details.

Other helpful resources

If your concern isn't listed, please check out the following resources and leave us a comment below.

What's UUP? New update style coming next week!
UUP on premises updates for Windows 11
Adding file types for Unified Update Platform on premises

Re: FAQ: WSUS and Unified Update Platform (UUP) on premises
Hi aimutch

1. That was an oversight on my part. I have talked to my editor about getting the main blog updated, or whether or not we will use this thread as kind of a running Q&A section.
2. We understand why the issue is occurring, but I don't have any update that I can share at this time.

Re: FAQ: WSUS and Unified Update Platform (UUP) on premises
Hi @chavadar71 - KB5003217 is to enable Microsoft Connected Cache, which is supported on WSUS running on Windows Server 2019 and newer. Microsoft Connected Cache is unrelated to UUP update technology. UUP updates are supported with WSUS running on Windows Server 2012 and newer. In order to enable UUP updates to function properly, you need to enable the MIME types referenced in the FAQ above. We do have a KB available for Windows Server 2016, and that KB is KB5022838. That will automatically add the MIME types to Windows Server 2016. For Windows Server 2012, you can manually add the MIME file types as documented at https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment#manually-add-the-required-mime-types-for-uup
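The duplicate 'mimeMap' failure from the FAQ's MIME type answer and its <remove> workaround, as an added example that is not Microsoft's code: the function compares a higher-level config with a lower-level one and reports extensions the lower file adds again without removing them first. The XML fragments, the function name and the mimeType values are constructed assumptions; take the real values from the documentation linked above.

```powershell
# Constructed fragments for illustration; not copied from a real WSUS server.
# The mimeType values are assumptions made for this example.
$serverLevel = [xml]@'
<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".wim" mimeType="application/x-ms-wim" />
</staticContent></system.webServer></configuration>
'@

# Lower-level .config that adds .wim again: the duplicate-key case.
$siteBefore = [xml]@'
<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".wim" mimeType="application/x-ms-wim" />
  <mimeMap fileExtension=".msu" mimeType="application/octet-stream" />
</staticContent></system.webServer></configuration>
'@

# Same file with the FAQ's first workaround: <remove> placed above the add.
$siteAfter = [xml]@'
<configuration><system.webServer><staticContent>
  <remove fileExtension=".wim" />
  <mimeMap fileExtension=".wim" mimeType="application/x-ms-wim" />
  <mimeMap fileExtension=".msu" mimeType="application/octet-stream" />
</staticContent></system.webServer></configuration>
'@

function Find-MimeMapConflict {
    param([xml]$Parent, [xml]$Child)
    # Extensions the child inherits from the higher level.
    $inherited = @($Parent.SelectNodes('//staticContent/mimeMap') |
        ForEach-Object { $_.GetAttribute('fileExtension') })
    $conflicts = @()
    # Walk the child's entries in document order: a <remove> only helps
    # when it appears before the <mimeMap> that re-adds the extension.
    foreach ($node in $Child.SelectNodes('//staticContent/*')) {
        $ext = $node.GetAttribute('fileExtension')
        switch ($node.LocalName) {
            'clear'   { $inherited = @() }
            'remove'  { $inherited = @($inherited | Where-Object { $_ -ne $ext }) }
            'mimeMap' { if ($inherited -contains $ext) { $conflicts += $ext } }
        }
    }
    $conflicts
}

'Before workaround: ' + (@(Find-MimeMapConflict $serverLevel $siteBefore) -join ', ')
'After workaround:  ' + (@(Find-MimeMapConflict $serverLevel $siteAfter) -join ', ')
```

To run it against a real server, load the actual files with `[xml](Get-Content -Raw <path>)` in place of the constructed fragments.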