- Setting up Update Synchronizations
- Synchronizing Update by Product and Classification
- Synchronizing Updates by Language
- Synchronizing Updates from the Microsoft Update Catalog
- Configuring Proxy Server Settings
- To specify a proxy server for synchronization
- Configuring the Update Source
- Synchronizing Manually or Automatically
- To manually synchronize the WSUS server
- To set up an automatic synchronization schedule
- To synchronize your WSUS server immediately
- Synchronize software updates
- Schedule software updates synchronization
- To schedule software updates synchronization
- Manually start software updates synchronization
- To manually start software updates synchronization
- Monitor software updates synchronization
- To monitor the software updates synchronization process
- Import updates from the Microsoft Update Catalog
- To import an update from the Microsoft Update Catalog
- Next steps
Setting up Update Synchronizations
Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
During synchronization, a WSUS server downloads updates (update metadata and files) from an update source. It also downloads new product classifications and categories, if any. When your WSUS server synchronizes for the first time, it downloads all of the updates that you specified when you configured synchronization options. After the first synchronization, your WSUS server downloads only new updates from the update source, as well as revisions to the metadata of existing updates and update expirations.
The first time a WSUS server downloads updates may take a long time. If you are setting up multiple WSUS servers, you can speed up the process to a certain extent by downloading all the updates on one WSUS server and then copying the updates to the content directories of the other WSUS servers.
You can copy content from one WSUS server’s content directory to another. The location of the content directory is specified when you run the WSUS post installation procedure. You can use the wsusutil.exe tool to export update metadata from one WSUS server to a file. You can then import that file into other WSUS servers.
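The copy-and-import approach described above, as an added PowerShell example (not part of the original documentation). The content path, staging folder and function names are assumptions, and wsusutil.exe is assumed to be in its default Tools folder. The SHA-256 check is an addition so that a server imports only the metadata file the source server produced.

```powershell
# Added example. All paths below are assumed values; adjust them to your environment.
$WsusUtil   = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$ContentDir = 'D:\WSUS\WsusContent'   # content directory chosen during post-installation (assumed)
$Stage      = 'E:\WsusTransfer'       # staging folder carried between servers (assumed)

function Export-WsusTransferSet {
    # Run on the WSUS server that has already synchronized.
    New-Item -ItemType Directory -Path $Stage -Force | Out-Null
    robocopy $ContentDir (Join-Path $Stage 'WsusContent') /E /R:2 /W:5 /NP
    if ($LASTEXITCODE -ge 8) { throw "Content copy failed (robocopy exit $LASTEXITCODE)" }

    $package = Join-Path $Stage 'export.xml.gz'
    & $WsusUtil export $package (Join-Path $Stage 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed (exit $LASTEXITCODE)" }

    # Record a hash so the importing server can detect corruption or tampering.
    # Deliver this hash file separately from the package where possible.
    (Get-FileHash -Path $package -Algorithm SHA256).Hash |
        Set-Content -Path "$package.sha256"
}

function Import-WsusTransferSet {
    # Run on each additional WSUS server.
    $package  = Join-Path $Stage 'export.xml.gz'
    $expected = (Get-Content -Path "$package.sha256" -TotalCount 1).Trim()
    $actual   = (Get-FileHash -Path $package -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Hash mismatch for $package; refusing to import" }

    # Copy the update files first, then import the metadata that refers to them.
    robocopy (Join-Path $Stage 'WsusContent') $ContentDir /E /R:2 /W:5 /NP
    if ($LASTEXITCODE -ge 8) { throw "Content copy failed (robocopy exit $LASTEXITCODE)" }

    & $WsusUtil import $package (Join-Path $Stage 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed (exit $LASTEXITCODE)" }
}
```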
Setting up Update Synchronizations
The Options page is the central access point in the WSUS Administration Console for customizing how your WSUS server synchronizes updates. You can specify which updates are synchronized automatically, where your server gets updates, connection settings, and the synchronization schedule. You can also use the Configuration Wizard from the Options page to configure or reconfigure your WSUS server at any time.
Synchronizing Update by Product and Classification
A WSUS server downloads updates based on the products or product families (for example, Windows, or Windows Server 2008, Datacenter edition) and classifications (for example, critical updates or security updates) that you specify. At the first synchronization, the WSUS server downloads all of the updates available in the categories that you have specified. In subsequent synchronizations, your WSUS server downloads only the newest updates (or changes to the updates already available on your WSUS server) for the categories you have specified.
You can specify update products and classifications on the Options page under Products and Classifications. Products are listed in a hierarchy, grouped by product family. If you select Windows, you automatically select every product that falls under that product hierarchy. By selecting the parent check box you select all items under it, as well as all future versions. Selecting the child check boxes will not select the parent check boxes. The default setting for products is all Windows products, and the default setting for classifications is critical and security updates.
If a WSUS server is running in replica mode, you will not be able to perform this task. For more information about replica mode, see Running WSUS Replica mode, and Step 1: Prepare for Your WSUS Deployment.
To specify update products and classifications for synchronization
In the WSUS Administration Console, click the Options node.
Click Products and Classifications, and then click the Products tab.
Select the check boxes of the products or product families you want to update with WSUS, and then click OK.
On the Classifications tab, select the check boxes of the update classifications you want your WSUS server to synchronize, and then click OK.
You can remove products or classifications in the same way. Your WSUS server will stop synchronizing new updates for the products you have cleared. However, updates that were synchronized for those products before you cleared them will remain on your WSUS server and will be listed as available.
To remove those updates, decline them, as documented in Updates Operations, and then use the Server Cleanup Wizard to remove them.
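The same selection made with the UpdateServices PowerShell module, as an added example that is not part of the original documentation. The product and classification titles are an assumed selection. The script only enables the wanted items and then reports anything else still enabled (such as the default "all Windows products") so you can review it before clearing it.

```powershell
# Added example. Run on the WSUS server after its first synchronization,
# so that the product and classification lists are populated.
Import-Module UpdateServices
$wsus = Get-WsusServer

if ($wsus.GetConfiguration().IsReplicaServer) {
    throw 'This server is in replica mode; products and classifications cannot be set here.'
}

# Assumed selection: keep it as narrow as your estate allows.
$wantedProducts = @('Windows Server 2019', 'Windows Server 2016')
$wantedClasses  = @('Critical Updates', 'Security Updates')

Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -in $wantedProducts } |
    Set-WsusProduct

Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in $wantedClasses } |
    Set-WsusClassification

# Report what the subscription will synchronize and flag anything outside the lists.
$sub = $wsus.GetSubscription()
$extraProducts = $sub.GetUpdateCategories() |
    Where-Object { $_.Title -notin $wantedProducts }
$extraClasses = $sub.GetUpdateClassifications() |
    Where-Object { $_.Title -notin $wantedClasses }

foreach ($item in $extraProducts) {
    Write-Warning "Product still enabled outside the wanted list: $($item.Title)"
}
foreach ($item in $extraClasses) {
    Write-Warning "Classification still enabled outside the wanted list: $($item.Title)"
}
```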
Synchronizing Updates by Language
Your WSUS server downloads updates based on the languages that you specify. You can synchronize updates in all of the languages in which they are available, or you can specify a subset of languages. If you have a hierarchy of WSUS servers, and you need to download updates in different languages, make sure that you have specified all the necessary languages on the upstream server. On a downstream server you can specify a subset of the languages you specified on the upstream server.
Synchronizing Updates from the Microsoft Update Catalog
For details about synchronizing updates from the Microsoft Update Catalog site, see WSUS and the Catalog Site.
Configuring Proxy Server Settings
You can configure your WSUS server to use a proxy server during synchronization with an upstream server or Microsoft Update. This setting will apply only when your WSUS server runs synchronizations. By default your WSUS server will try to connect directly to the upstream server or Microsoft Update.
To specify a proxy server for synchronization
In the WSUS Administration Console, click Options, and then click Update Source and Proxy Server.
On the Proxy Server tab, select the Use a proxy server when synchronizing check box, and then type the server name and port number of the proxy server.
Configure WSUS with the same port number that the proxy server is configured to use.
If you want to connect to the proxy server with specific user credentials, select the Use user credentials to connect to the proxy server check box, and then enter the user name, domain, and password of the user in the corresponding boxes.
If you want to enable basic authentication for the user connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box.
Click OK.
Because WSUS initiates all of its network traffic, there is no need to configure Windows Firewall on a WSUS server connected directly to Microsoft Update.
Configuring the Update Source
The update source is the location from which your WSUS server gets its updates and update metadata. You can specify that the update source should be either Microsoft Update or another WSUS server (the WSUS server that acts as the update source is the upstream server, and your server is the downstream server).
Options for customizing how your WSUS server synchronizes with the update source include the following:
You can specify a custom port for synchronization. For information about configuring ports, see Step 3: Configure WSUS in the WSUS deployment guide.
You can use Secure Sockets Layer (SSL) to secure synchronization of update information between WSUS servers. For more information about using SSL, see section 3.5. Secure WSUS with the Secure Sockets Layer Protocol of Step 3: Configure WSUS in the WSUS deployment guide.
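A read-only audit of the proxy and update source settings described in the two sections above, as an added PowerShell example that is not part of the original documentation. The function name and the sample object are assumptions, and AllowProxyCredentialsOverNonSsl is assumed to be the WSUS API property behind the Allow basic authentication check box.

```powershell
# Added example: reports the synchronization settings and flags the two
# weak ones (cleartext proxy credentials, upstream sync without SSL).
function Get-WsusSyncFinding {
    param(
        # Defaults to the live configuration of the local WSUS server.
        $Config = (Get-WsusServer).GetConfiguration()
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Config.UseProxy) {
        $findings.Add("INFO  proxy $($Config.ProxyName):$($Config.ProxyServerPort) " +
                      '(must match the port the proxy server is configured to use)')
        if (-not $Config.AnonymousProxyAccess -and $Config.AllowProxyCredentialsOverNonSsl) {
            $findings.Add('WARN  basic authentication allowed: the password for ' +
                          "$($Config.ProxyUserDomain)\$($Config.ProxyUserName) is sent in cleartext")
        }
    }

    if ($Config.SyncFromMicrosoftUpdate) {
        $findings.Add('INFO  update source: Microsoft Update')
    } else {
        $upstream = "$($Config.UpstreamWsusServerName):$($Config.UpstreamWsusServerPortNumber)"
        if ($Config.UpstreamWsusServerUseSsl) {
            $findings.Add("INFO  update source: upstream WSUS $upstream over SSL")
        } else {
            $findings.Add("WARN  update source: upstream WSUS $upstream without SSL")
        }
    }
    $findings
}

# Constructed sample configuration (not taken from a real server) so the
# function can be exercised without a WSUS installation.
$sample = [pscustomobject]@{
    UseProxy = $true; ProxyName = 'proxy.example.test'; ProxyServerPort = 8080
    AnonymousProxyAccess = $false; AllowProxyCredentialsOverNonSsl = $true
    ProxyUserDomain = 'EXAMPLE'; ProxyUserName = 'svc-wsus'
    SyncFromMicrosoftUpdate = $false; UpstreamWsusServerUseSsl = $false
    UpstreamWsusServerName = 'wsus-upstream.example.test'; UpstreamWsusServerPortNumber = 8530
}
Get-WsusSyncFinding -Config $sample
```

On a WSUS server, call `Get-WsusSyncFinding` with no arguments to audit the live configuration.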
Synchronizing Manually or Automatically
You can either synchronize your WSUS server manually or specify a time for it to synchronize automatically.
To manually synchronize the WSUS server
In the WSUS Administration Console, click Options, and then click Synchronization Schedule.
Click Synchronize manually, and then click OK.
To set up an automatic synchronization schedule
In the WSUS Administration Console, click Options, then click Synchronization Schedule.
Click Synchronize automatically.
For First synchronization, select the time you want synchronization to start each day.
For Synchronizations per day, select the number of synchronizations you want to do each day. For example, if you want four synchronizations a day starting at 3:00 A.M., then synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M. each day. (Note that a random time offset will be added to the scheduled synchronization time in order to space out the server connections to Microsoft Update.)
Click OK.
To synchronize your WSUS server immediately
On the WSUS Administration Console, select the top server node.
In the Overview pane, under Synchronization Status, click Synchronize now.
The synchronization is initiated by the downstream server.
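The schedule and the immediate synchronization from the procedures above, driven through the WSUS subscription object, as an added PowerShell example that is not part of the original documentation. It uses the four-a-day, 3:00 A.M. schedule from the text; the polling interval is an assumption.

```powershell
# Added example. Run on the WSUS server whose schedule you are setting.
Import-Module UpdateServices
$sub = (Get-WsusServer).GetSubscription()

# Automatic schedule: first synchronization at 3:00 A.M. local time, four per day.
# The WSUS API documents this time of day as UTC, so convert from local time
# and confirm the result on the Synchronization Schedule page.
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = (Get-Date '03:00').ToUniversalTime().TimeOfDay
$sub.NumberOfSynchronizationsPerDay    = 4
$sub.Save()

# For manual-only synchronization instead:
#   $sub.SynchronizeAutomatically = $false; $sub.Save()

# Synchronize now and follow progress until the server is idle again.
$sub.StartSynchronization()
do {
    Start-Sleep -Seconds 15          # assumed polling interval
    $progress = $sub.GetSynchronizationProgress()
    Write-Host ('{0}: {1} of {2} items' -f $progress.Phase,
                $progress.ProcessedItems, $progress.TotalItems)
} while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')

# Check the outcome instead of assuming success: a failed synchronization
# leaves the server offering a stale set of updates.
$last = $sub.GetLastSynchronizationInfo()
if ($last.Result -ne 'Succeeded') {
    Write-Warning ("Synchronization {0} at {1}: {2} {3}" -f $last.Result,
                   $last.EndTime, $last.Error, $last.ErrorText)
} else {
    Write-Host "Synchronization succeeded at $($last.EndTime)"
}
```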
Synchronize software updates
Applies to: Configuration Manager (current branch)
Software update synchronization in Configuration Manager is the process of retrieving the software update metadata that meets the criteria that you configure. This includes specific products, classifications, and languages. Typically, the software update point on the central administration site, or on a stand-alone primary site, retrieves the metadata from Microsoft Update. Then, the top-level site will send a synchronization request to other sites. When a site receives the synchronization request from the parent site, the software update point for the site retrieves software updates metadata from its upstream synchronization source. For more information about software update synchronization process, see Software updates synchronization.
You configure software update synchronization to run on a schedule in the properties for the software update point at the top-level site. Once you configure the synchronization schedule, you’ll typically not change the schedule as part of normal operations. However, you can manually initiate software update synchronization when it’s necessary.
Software update points must be connected to their upstream synchronization source to synchronize software updates. When a software update point is disconnected from its upstream synchronization source, you can use the export and import method to synchronize software updates. For more information, see Synchronize software updates from a disconnected software update point.
Schedule software updates synchronization
When you configure a schedule for software updates synchronization, the top-level software update point starts synchronization with Microsoft Update at the scheduled date and time. The custom schedule allows you to synchronize software updates on a date and time when the demands of the Windows Server Update Services (WSUS) server, site server, and network are low. For example, you can set the schedule so that software updates are synchronized every week at 2:00 AM. During the scheduled synchronization, all changes to the software updates metadata since the last scheduled synchronization are inserted into the site database. This includes new software updates metadata or metadata that has been modified, removed, or is now expired.
Use the following procedures on the top-level site to schedule software updates synchronization.
To schedule software updates synchronization
In the Configuration Manager console, click Administration.
In the Administration workspace, expand Site Configuration, and then click Sites.
In the results pane, click the central administration site or stand-alone primary site.
On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point.
In the Software Update Point Component Properties dialog box, select Enable synchronization on a schedule, and then specify the synchronization schedule.
Manually start software updates synchronization
You can manually initiate software updates synchronization on the top-level site in the Configuration Manager console from the All Software Updates node in the Software Library workspace.
Use the following procedures on the top-level site to manually initiate software updates synchronization.
To manually start software updates synchronization
In the Configuration Manager console that is connected to the central administration site or stand-alone primary site, click Software Library.
In the Software Library workspace, expand Software Updates and click All Software Updates or Software Update Groups.
On the Home tab, in the All Software Updates group, click Synchronize Software Updates. Click Yes in the dialog box to confirm that you want to initiate the synchronization process.
After you initiate the synchronization process on the software update point, you can monitor the synchronization process from the Configuration Manager console for all software update points in your hierarchy. Use the following procedure to monitor the software updates synchronization process.
Monitor software updates synchronization
After you initiate the synchronization process, you can use the Configuration Manager console to monitor the process for all software update points in your hierarchy. Use the following procedure to monitor the software update synchronization process. For more information about monitoring software updates, including the synchronization process, see Monitor software updates.
To monitor the software updates synchronization process
In the Configuration Manager console, click Monitoring.
In the Monitoring workspace, click Software Update Point Synchronization Status.
The software update points in your Configuration Manager hierarchy are displayed in the results pane. From this view, you can monitor the synchronization status for all software update points. When you want more detailed information about the synchronization process, you can review the wsyncmgr.log file that is located in \Logs on each site server.
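A small triage helper for wsyncmgr.log, as an added PowerShell example that is not part of the original documentation. It assumes the CMTrace-style line layout that Configuration Manager logs use, where type 1, 2 and 3 mark information, warning and error entries; the function name and the sample lines are constructed for illustration.

```powershell
# Added example: the sample lines are constructed, not real log output.
$sample = @'
<![LOG[Constructed example: scheduled synchronization started]LOG]!><time="02:00:01.120+000" date="01-15-2024" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="example.cpp:1">
<![LOG[Constructed example: upstream server did not respond,
retrying]LOG]!><time="02:01:10.004+000" date="01-15-2024" component="SMS_WSUS_SYNC_MANAGER" context="" type="2" thread="4120" file="example.cpp:2">
<![LOG[Constructed example: synchronization failed]LOG]!><time="02:03:44.870+000" date="01-15-2024" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="example.cpp:3">
'@

function Get-SyncLogEntry {
    param([Parameter(Mandatory)][string]$Text)

    # (?s) lets a message span several lines, which these logs allow.
    $pattern = [regex]('(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!>' +
        '<time="(?<time>[\d:.]+)[^"]*" date="(?<date>[^"]+)" ' +
        'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"')
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

    foreach ($m in $pattern.Matches($Text)) {
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            Message   = ($m.Groups['msg'].Value -replace '\s+', ' ').Trim()
        }
    }
}

# Show only the entries that need attention.
Get-SyncLogEntry -Text $sample |
    Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Message -AutoSize

# Against a real log, pass the file content instead of the sample:
#   Get-SyncLogEntry -Text (Get-Content -Raw -Path $pathToWsyncmgrLog)
```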
Import updates from the Microsoft Update Catalog
The top-level Software Update Point uses WSUS to get information about software updates from Microsoft into Configuration Manager. Occasionally, you might need an update that doesn’t automatically synchronize into WSUS for your selected products and classifications but is available in the Microsoft Update Catalog. Updates that don’t automatically synchronize into WSUS are typically meant to resolve highly specific issues. Usually if an update is available in the catalog, you can import it into WSUS. You can then synchronize it into Configuration Manager and deploy it like any other update.
To import an update from the Microsoft Update Catalog
- Open the WSUS administration console and connect it to the top-level WSUS server in your hierarchy.
- If Internet Explorer isn’t the computer’s default web browser, temporarily set it as the default.
- Click on Updates or click your WSUS server’s name.
- In the Actions pane, select Import Updates, which opens a browser window to the Microsoft Update Catalog.
- If prompted, install the Microsoft Update Catalog ActiveX control. The control must be installed to import updates into WSUS.
- In the browser window, search for the update that you want. Click the Add button to add it to the basket.
- Click view basket. Make sure that the option to Import directly into Windows Server Update Services is selected. Then, click Import.
- Once the import is complete, click Close on the browser window.
- Reset your default browser if needed.
- Synchronize your Configuration Manager Software Update Point.
Next steps
After you synchronize software updates for the first time, or after there are new classifications or products available, you must configure the new classifications and products to synchronize software updates with the new criteria.
After you synchronize software updates with the criteria that you need, manage settings for software updates.