For those on WSUS 3.0 SP2 (or SBS 2011)


As indicated in a previous post, we are making changes to WSUS 4.0 and later that will provide a smoother Windows 10 servicing experience.  Because WSUS 3.0 SP2 is already in extended support (receiving no support at all after January 2020), and we are not shipping these improvements further down-level, it is a good idea to start planning your WSUS migration now.  Here is some guidance on how to respond to the recent changes based on your current situation, with the assumption that you intend to deploy Windows 10 in your environment.

WSUS 3.0 SP2 standalone

For this scenario, Microsoft recommends setting up a new WS12R2 or (depending on when you deploy) WS16 server with WSUS and migrate your existing SUSDB to it.  For those unfamiliar, this is supported: TechNet has guidance on how to perform a WSUS migration.  Making this investment ensures that your environment will be capable of taking advantage of all the Windows 10 servicing improvements coming to WSUS in future updates.

WSUS 3.0 SP2 with Configuration Manager

The operative question is whether you want to deploy feature upgrades via WSUS instead of using task sequences, MDT, or other media-based deployment tools.  If you need this functionality, then Microsoft recommends migrating to a newer WSUS platform, same as for the standalone scenario.  If you intend to rely on media-based deployment for your upgrades, then you could continue using your setup as it is today; however, please be aware that any difficulties you experience with using WSUS 3.0 SP2 for Windows 10 servicing might not be addressed, and that hotfixes cannot be requested for this product.

SBS 2008 and SBS 2011 (which uses WSUS 3.0 SP2)

Here the recommendation is slightly different.  If you have need of third-party software update management, then investigating your options to migrate your WSUS deployment to a member server running Windows Server 2012 or later will prepare your environment for the best Windows 10 servicing experience.  If you do not require third-party software updates to be distributed via WSUS, then you might consider configuring your Group Policy settings to let Windows Update for Business manage your Windows 10 updates instead.  This solution is ideal for administrators that want minimal daily complexity because it can provide a mostly hands-off experience after initial configuration, and it makes staying current with the latest Windows 10 builds and cumulative updates significantly easier.

 

To summarize

Our story for how we support the new servicing model in existing tools will continue to improve in subsequent releases through additional features that support key scenarios.  During this time, WSUS 3.0 SP2 will remain in the old servicing model.  Technically, it can provide minimal Windows 10 update support (i.e., sync and distribute security updates), but the experience is less than ideal.  As an example, the Windows 10 machines will display as “Windows Vista” for those remaining on WSUS 3.0 SP2.

As we move forward, we will continue to update existing guidance and provide recommended best practices for smoother navigation through our new servicing model.

Comments (25)

  1. Inn VNix Ginner says:

    Thanks so much for your contribution.

  2. Harry Johnston says:

    Is WSUS available on the Windows Server 2016 preview? If so, will there be a supported upgrade path to the full version when it is released? (The last thing I’d want to do at this point is install a Windows 2012 R2 server!)

  3. Jb VERNEJOUX says:

    Good post but It looks like there is a typo on the technet’s URL link about Migrating Wsus 3.0 SP2 to WSUS4.0:
    your link "how to perform a WSUS migration" should redirect to this link:
    "Migrate Windows Server Update Services to Windows Server 2012" – "https://technet.microsoft.com/en-us/library/hh852339.aspx"
    more accurate about correct process of Migration from WSUS3.0 SP2to WSUS4.0

  4. Ulrich Bernskov says:

    What do people who rely on SCUP do?
    It is not supported on Windows server 2012.

  5. Inn: Glad you found it useful!

    Harry: Yes, WSUS is available in WS16 Technical Previews, and we’ll be encouraging customers to migrate when it reaches RTM. To that end, we are looking to clarify or improve the migration experience as needed to minimize your obstacles to getting onto the
    latest platform. Feel free to share any blockers that you hit along the way.

    Jb: Thanks for reminding us of the link to more precise guidance for migrating WSUS! The link in the article has been updated accordingly.

    Ulrich: Per https://technet.microsoft.com/en-us/library/hh134742.aspx, System Center Updates Publisher 2011 (SCUP) is supported on all products from System Center Configuration Manager
    2007 to System Center Configuration Manager 2012, the latter of which is installable on Windows Server 2012. What are you running now, where are you considering migrating your technology, and why do you conclude that your migration path is blocked?

  6. Ulrich Bernskov says:

    Hi Steve – thanks for your suggestion.
    The problem is that SCCM is a much bigger system and client licensed is required – compared to my current WSUS/SCUP on server 2008 R2.
    I support approx 350 clients in 15 locations and the simplicity of SCUP for 3. party, where i subscribe to the relevant CAB files – wel it just works.
    I would need CAL for the SCCM clients and all I need is to use the motor from WSUS to deploy the relevant 3.party updates.
    Is there a way to implement SCUP functionality without having to license a huge system like SCCM on server 2012 R2?

  7. Wayne Small says:

    Thanks for this – unfortunately in an SBS 2008/2011 environment. if you use a 2nd WSUS server, you lose the autoapproval features that SBS builds into WSUS. I’m not talking about the WSUS autoapproval rule, I’m talking about the SBS goodness that only
    approves patches that are needed by the client machines. It’s highly likely in the small business space that you will have mixed OS environments with Win7/8 and 10 because not all application developers support Win10 as yet (their loss).

  8. anonymouscommenter says:

    212 Microsoft Team blogs searched, 44 blogs have new articles. 139 new articles found searching from

  9. anonymouscommenter says:

    [ This blog is a Re-Post of the Blog Published on the SUS Blog ]

    As indicated in a previous post

  10. shaughnessy says:

    We have a 3.2.7600.226 WSUS version. Does that qualify as WSUS 3.0 in your article or are we still safe when it comes to Win10?

  11. Wayne: Can you send me an email (via "Email blog author") with more details on your scenario? I don’t want to engage in a lengthy public discussion, but I think we can find something that works for you.

    shaughnessy: WSUS 3.0, 3.1, 3.2, 3.0 SP1, and 3.0 SP2 all qualify as "WSUS 3.0" products. Can you clarify what you mean as to whether you’re "safe when it comes to Win10"?

  12. Harry Johnston says:

    Is the fact that we’re still using WSUS 3 the reason that Windows 10 clients don’t bother to tell the user that they need to reboot? Or is that just a limitation in the new Windows Update client? (We have group policy configured to stop the machines from
    rebooting automatically.)

  13. Wayne Small says:

    Thanks Steve – have emailed you as you will know by now 🙂

  14. Ulrich Bernskov says:

    Hi Steve
    Could you share some light on how I best proceed to server 2012 R2?
    I currently use WSUS and SCUP on server 2008 R2 and I have no idea on how to implement the same solution on the new server without also installing SCCM.
    Any hints?

  15. ML49448 says:

    Hi Steve,

    Loads of my smaller customers still have WSUS 3.0 and only one Server 2008 R2 onsite. They won’t be using Windows 10 so the Upgrade classification in WSUS for these customers won’t be required. So far so good, no need for KB3095113 für these customers.

    Some customers DO use Windows 10 machines and they have Server 2012 R2 servers. Also ok.

    BUT… All customer’s WSUS servers are replica servers of one "central" Server 2012 R2.
    What happens when I install KB 3095113 on the "central" server 2012 R2 and all customer’s Server 2012 R2 replica servers and start syncing Win 10 upgrades?
    What will happen to the 2008 R2 machines with WSUS 3.0? Will that work? Will that break WSUS 3.0 servers? Or can I simply continue replicating the WSUS 3.0 servers from the "central" 2012 R2 even with "Product Upgrades" enabled and KB 3095113 installed?

    Thanks,
    Michael

  16. Michael: The replica configuration is a bit confounding. WSUS 3.0 SP2 should not enable the Upgrades classification, since it cannot properly marshal this content to managed clients. In the replica scenario, it cannot help but select this classification,
    and approvals are even out of its control. This means that any clients managed by the WSUS 3.0 SP2 server could be served Upgrades that fail to download and install. It doesn’t "hurt" anything, but your reports might contain this known failure and related
    errors until it can be properly addressed.

    We’re looking into a more elegant solution, but for now you might have to get creative about how you approve this content in your environment. For instance, you could unapprove the Upgrades after they have been shared throughout your environment, or make the
    WSUS 3.0 SP2 server autonomous, or migrate the WSUS 3.0 SP2 to WSUS 4.0 to avoid the problem entirely.

    We’ll let you know when a better solution becomes available for this uniquely mixed replica hierarchy.

  17. osman says:

    Hey, what do people who rely on SCUP do?
    It is not supported on Windows server 2012 !

    http://www.orjinalkirmizibal.gen.tr

  18. mike says:

    Heyi, Is the fact that we’re still using WSUS 3 the reason that Windows 10 clients don’t bother to tell the user that they need to reboot? Thanks.

    https://www.youtube.com/watch?v=C4ZAgOqok_I

  19. Vic Hsu says:

    Server 2003r2 + WSUS 3.2
    After approved kb3012973 show error in SoftwareDistribution.log:
    "EventId=364,Type=Error,Category=Synchronization,Message=Content file download failed. Reason: File cert verification failure." (for all esd-files).

    It is a end and solution not exist? Only migrate to 2012?
    Thanks.

  20. Ryan Theuma says:

    If you have a mix of servers with server 2012 and 2008 and you upgrade the 2012 to wsus 4.0 and leave the 2008 with 3.0, will a 2008 be able to be set as a downstream server and connected to a upstream server with a 2012 os?

  21. Dan Thomas says:

    So, question about planning migration. I have an internet connected WSUS server that does my downloads and several servers hosting WSUS on disconnected networks. All servers are Win 2008R2 right now. What is the supported way to get the systems upgraded with minimal downtime? Can I export updates from a Windows 2012R2 server (WSUS 6) to a Windows 2008R2 server (WSUS 3.0SP2)? Does it work in reverse? Will I just have to upgrade all the servers at the same time?

    1. Newer versions of WSUS will understand older schemas, but the reverse is not true. In your scenario, you could export from WSUS 3.2 and import into WSUS 4.0 without issue, but I wouldn’t guarantee going the opposite direction, especially if you plan to export Upgrades (feature updates) as part of the transaction.

  22. Titan Jel says:

    Is WSUS available on the Windows Server 2012 preview?

    1. WSUS is a server role on Windows Server 2012 and 2012 R2. If you’re going to deploy a preview, why not try Windows Server 2016 Technical Preview 5? You can pick it up on TechNet today.