WSUS Wish List

WSUS does not solve all the patch management needs for all customers. The following is a list of desired WSUS features. Feel free to add more wishes to this list - be sure to give as much detail as possible on your wish, and why such a feature would be useful to you and other WSUS customers.

  1. Push Install WSUS Client - It would be a nice goal to push installations to clients for activating the WSUS-Client the right way.
  2. Deploy User Defined Updates - WSUS only supports specific Microsoft issued updates. It would be nice to open up the architecture to allow customer developed and 3rd party updates to be distributed via WSUS (e.g. like Shavlik HFNetCheck Patch).
  3. Delegation Of Administration - Allow only specific administrators to approve updates for a target group.
  4. WSUS Integration With AD - Provide a mechanism to enable the use of AD OUs as the basis for WSUS patch deployment.
  5. Distinguish Between Synchronization And Download - I inadvertently disconnected my WUS B2 server from its Internet connection while it was in the middle of downloading over 1.2Gb of updates.
  6. Big Red Button - In emergency cases this red button is pressed which causes WSUS server to contact all the clients and force them to run a scan at that moment. This feature can also be used by right clicking on a computer and selecting scan now.
  7. Schedule Computers For Reboot - After updates are installed, it would be helpful to be able to select a client, and specify a time for the reboot if desired.
  8. Report By Computer Instead Of By Update - it would be nice to report "per computer" in addition to "per update".
  9. Download Updates By Schedule - to minimize the impact on bandwidth during certain times, it would be nice to be able to schedule when the download can happen.
  10. Client Troubleshooting Tools Needed - we need client side troubleshooting tools.
  11. WSUS Download Server by Policy - change the way the AU client determines where to download updates. Currently, this is defined per WSUS server, however it should be defined at the client.
  12. WSUS Default All Languages Considered Harmful - by default, WSUS is configured to download ALL languages, although you can change it.
  13. Update Via URL - It should be possible to use a WSUS server in the same manner as Windows Update.
  14. More Response To Wish List - it would be nice to know that Microsoft is noticing the contents of this Wiki, and in particular this wish list. Many of the wishes here really should be easy to implement.
  15. Mandatory Updates - Provide a way for the administrator to mark an update as "Mandatory" so that the update cannot be rejected or postponed, even by a user with local admin rights.
  16. Comment Per Update - Provide a comments field for each update. It would also be beneficial for a per-patch comment field to populate the respective event log entry on the client machine. That way, if a tech reviewing the event log checks the entry of a confirmed install, he/she can see any locally-relevant annotations that may have been included.
  17. Approve Needed - Provide approval links/options directly from reports pages (i.e. "Needed Updates") to avoid having to go to two places to see what's needed and then to actually approve the updates. Or add "Needed Updates" to the filter list on the Updates page.
  18. Show Superseded - Provide a quick way to view all updates which are superseded by a given update. The superseded updates should also have options to approve or decline each one from the displayed view.
  19. Email Notification - notify admins when new (unapproved) updates are available, as well as new product synchronization categories, etc. Pretty much anything worth notifying about.
  20. [Status Error lookup] - When viewing updates that have failed to install, the "Status" column will list an error number, e.g. 0x8007063. It would be nice if that error number had a link to the error description on the MS website. (skatterbrain: Or how about actually showing the error description right next to the error number!)
  21. Report Export - Right now (WSUS RC1 anyway) you can only print a report. I would like to be able to crank out an HTML or even TXT report to submit to our helpdesk team leads to show which updates are currently approved for installation. I have to submit such reports, and right now, that means death to evil trees.
  22. Purge Content - I would like to be able to purge content for updates marked as declined, expired, not approved so they don't continue to take disk space.  (Look at Stored Procedure to Delete Declined Updates, I just posted it today 10/24/07)
  23. SQL connection via windows SQL authentication versus windows authentication. I'm hoping this will be an added feature so that the administrator does not have to open up so many ports to the database.
  24. It would be nice to have it where you can schedule the download by a specific time instead of the "every so many hours" option that gpedit has. This would save my bandwidth during peak times if I knew all computers were scheduled after hours.
  25. Currently, AFAIK, the only statuses are Installed, Needed, and Unknown. It would be nice to have an 'Approved' status. That way you could see which patches were scheduled for deployment....
  26. From the main "Computers" section, it would be nice to be able to change/add columns to the list.
    This does fall slightly into the realms of the "Reports" page, but that's fine!
    For example, a Username column would be extremely handy! How many people here know exactly where a PC is from its name?
    A column saying how many updates are needed for each computer in the list, instead of clicking each one and looking at the status. Even a simple tick icon would help.
  27. An option to ADD a computer to the list would help. This would save non-AD admins installing registry hacks to each machine. WUS could then do this automatically from preset values that the admin can change.
  28. My wish list addition would be making the Approving Updates for Installation feature more flexible. Right now there is only a "Deadline" schedule. I'd like a starting installation date schedule.
    Example: It's Thursday. I want to approve the updates for
    installation now but I want them to be installed between
    Saturday at noon and Sunday by 5:00 p.m.
  29. My addition would be to add the patches/updates for Office 2000 (yes, I know it's quite old but we are having a really tough time convincing the powers that be to cough up the money to move to Office 2003).  If you can get the Office 2000 patches by visiting officeupdate.microsoft.com, then why can't we deploy them via WSUS?  We have so many issues just getting everyone up to SP3 of Office 2000 due to all the various administrative install points we have inherited (we've consolidated IT support of several divisions and inherited their clients as well as their various software repair points).  If we could use WSUS to patch these machines and get them all up to SP3 and all the needed security patches, this would be a huge help to us.  SMS just isn't going to cut it for us on this due to the administrative install points issue (maybe the Office 2000 patches/SP's don't have the same capability as the Office 2003 ones do at dealing with install point issues).
  30. Store Patches on a remote network drive. I have an *old* server with a 4gb data drive, ideal for WSUS,  but I can't use this as the installation won't let me proceed without 6GB of free space.  I have a 320GB Win2003 NAS server on the LAN but WSUS won't let me store updates on this remote drive.  The installation white paper mentions being able to use /v in install options and then specifying a mapped drive,  but this doesn't work.  I think this would be useful for lots of smaller companies that have invested in NAS storage and a lot of companies have an old server in the cupboard that is perfectly useable but a little short on space.
  31. Add functionality to delete locally stored updates from WSUS server when they have been deployed on client machines.  This will save on disk space - there is no need to store old updates once they have been installed and this would save on disk space for those customers who are storing the updates locally.
  32. Would like to have the ability to add Microsoft Hotfixes to the list of deployable updates.  Maybe by having a field that says "enter KB article number" and then on the next synchronization the WSUS box would go and download the hotfix.  The administrator could then approve the update for installation.  Just because it is a hotfix does not mean it is specific to an individual computer (e.g. KB836051 & KB819536).
  33. Filter Updates by OS would be handy.
  34. 'Stop all downloads' button - "Downloading 15.74 of 2,172.79mb". Ooops.
  35. DISABLE MANDATORY REBOOT FOR SERVERS!!! Give admins the ability to force an updated computer to remain online w/out a forced reboot. Many admins have strict monitoring & reboot schedules that are sync'd tightly. Allow the admin to schedule & execute the reboot through some other means, even if it means keeping a "half-patched, reboot-pending" server online for an extra few hours. Please don't force us to create & run dubious WUA API install scripts as a work-around.
  36. It sure would be nice to have some concrete documentation of error messages. We've been struggling with intermittent problems with WSUS admin, specifically with the "check your server configuration, Non-running services" SelfUpdate."
  37. "REMOVE DOWNLOADED UPDATES" MENU OPTION - Many users are concerned about disk space being used unnecessarily by expired, superseded, or otherwise unneeded update binaries. The method provided in WsusDebugTool /purgeunneededfiles is problematic, and akin to using a sledgehammer to swat flies - it can sometimes do more damage than good.  I would like to see the following features added:  1) Downloaded updates which have expired should automagically be removed from the file system. 2) Same thing with older revisions once the newer version has been approved  3) A menu option(s) should be added to delete downloaded updates - one or multiple selected items at a time. This should be available from the Updates view, and perhaps from other windows as well to make use of the various filtering mechanisms already present in the UI.  A "select all" option would be handy once the user has things filtered appropriately.
  38. Additional Field 'LoginName (User)' in Reporting/Update pages - I would like to have an additional field 'User Loginname' or the last known logged in User in all pages. It would be easier to find a PC in our huge environment. Also it would be good if it would be possible to filter the computers by the loginname.
  39. [Forced Update Installation Onboot] Since not all users have their computers turned on at night it would be good if the updates are forced to install before they log on, with a message "Please wait while system installs latest patches from the WSUS server" and then reboot if it has to.

  40. [Anyprogrampatchsystem] Any Windows program should be patched by WSUS. I guess that requires that you can add another certificated patch server in WSUS. The other server then works in the same way. You download patch information and then download an XML for which programs it can serve.

    40b - Allow WSUS to import/push custom Microsoft patches.  An example would be the DST Time Patch for Windows 2000.

  41. To remove obsolete patches. I ported an SUS to WSUS and the old patches for languages which I don't need or have still show up as detected only, and WSUS complains that it does want to install them, but when I say to deploy them it says wrong language.
  42. Allow administrators to delay the "Automatic Updates:  Updating your computer is almost ready...." nag screen from first appearing (or never appearing, but I've already read all of the arguments as to why the developers want to require this screen to appear).  We've set Group Policy to have client updates loaded and ready to install an hour before the users go home.  Everyone turns off their computers before leaving.  Right now, they receive the nag screen within an hour before leaving and have to drag it to one side to continue working (they do not have local Administrator rights, so they cannot click "Restart Later").  We want them to NOT see that screen, but instead use the "Install Updates and Shutdown" option when they shutdown to go home.
  43. Disable the "Automatic Updates: Updating your computer is almost ready..." nag screen for ICA / RDP clients.  This is really frustrating when trying to use WSUS with Citrix servers.  The users can't click ANYTHING on the nag screen, but only drag it off to the side, so it is useless for them to even see it (which is always, since it always has focus).
  44. Master/slave reporting rollup.  The "unsupported" roll-up tool in WSUS 2.0 leaves a lot to be desired. If using WSUS in an enterprise it takes a lot of effort to track down slave update statuses.   The roll-up tool ignores target groups and doesn't have many features.  In a multi-server installation, having the slave tbUpdateStatusPerComputer and tbTarget* tables roll up to the master SQL server would make reporting of the whole organization a lot more consolidated. 
  45. Prevent the WSUS globe / shield from showing up in a Citrix Seamless desktop.  If a user is connecting to a Citrix Server in seamless mode, the WSUS icon shows up in their system tray.  This is a cause for concern because the users (or administrators) can't tell if they are installing updates on the server, or their PC.
  46. When installing updates which require Windows Installer, have WSUS set the Windows Installer service to manual, and start the service when required. After updates are installed, set the service back to the previous state (disabled/stopped).  We would like to set the Windows Installer to disabled & stopped to prevent users from installing new programs, but we are finding that many Microsoft updates require this service to be startable.




    We need to summarize and consolidate these comments:

    From tdwilli - 2005-01-26 7:10 AM

    Enhanced Reporting Features

    It would be very helpful to be able to filter reports (for printing/export to CSV, etc.). In my domain, we don't enforce updates/installations to our client machines (for a number of reasons), but we have a unit policy that instructs each user to update their system unless they can present a valid reason why they shouldn't.
    So, for example, I would like to be able to print a report showing all systems on my domain that have a status of "Needed" for any or all available updates from my WUS servers. This filtering capability should apply to all defined computer groups and updates, permitting the administrator to keep tabs on which machines are still in need of specific (approved) updates, as well as the other status indicators (Installed & Failed).
    In its current state, the only way (that I've found anyway) to obtain this information is to open the reporting page in the WUS admin console, select "Any Action" and "All Computers" from the View section, expand the entire list of updates, then start paging down the list while expanding each "All Computer" section within each update listing. This is very time-consuming and tedious, not to mention the number of trees I kill just printing the report because it also includes all the "Installed" "Not Applicable" entries as well.

    From Skatterbrain - 2005-01-26 9:38 PM

    Thanks for the heads-up tfl, I wasn't aware of that. I'm not sure I have access to the "OEP" beta site though. I've worked on many betas, but I was only able to get into the "public" part of this one (beta 2). If the CHM is available to goons like us, please point me to the URL? :) TIA

    From tfl - 2005-01-27 1:32 PM

    The API documentation is available at the same place you got WUS from! Go to the beta web site, and click on downloads, then look for the API documentation. There's a 2mb or so download.

    From pieterkotze - 2005-01-31 7:25 AM

    It looks like selfupdate only works on port 80.

    It would be nice if it could work on port 8530 as port 80 is sometimes blocked on secure intranets.

    It seems to be like that or am I wrong ????????????????

    pieter.kotze@sita.co.za

    From Skatterbrain - 2005-02-01 8:38 PM

    I found the OEP site and got the downloads and everything fine. My wishlist addition would be to add more right-click features. It's very frustrating to switch from another app to the WUS console and try (habitually obviously) to right-click on things like a computer and expect to see something like "Move to another group" Or right-click an update and select "Install", "Detect" etc. Not there.

    I've read plenty that says there will not be an upgrade path from beta 2 to RTM, but I wonder if I deployed b2 now and then RTM ships and I decide to slick/reload my server with the RTM setup (same hw/sw/name/etc), will it still answer to clients or will it cause major disruptions in the overall flow of things?

    From Wizard - 2005-02-04 6:30 AM

    I would like the option of removing declined and expired updates from the database.
    I know I can filter them, but when the home page says...
    Total: 463
    Approved updates: 221
    Updates not approved: 0
    Expired updates: 82
    I have 160 updates not accounted for!

    From Skatterbrain - 2005-02-09 10:33 AM

    I wish the GPO setting that allows non-admins to receive update notifications would actually allow the users to install them. Laptop users in particular are tough to handle since they're typically offsite at night (when our desktops are updated - 3am). Even if I set the laptop GPO to do updates at like 9am, if they don't have admin rights they cannot actually install the updates. The weirdest thing is that it prompts, they try to install and it looks like it's actually doing the updates (downloads/installs, etc.) no errors or warnings. Then it pops up again and says the same updates are required and they repeat the process. It should either install as a system account context or block their attempts (like WU web site does) with a message about non-admins not having rights to install updates. I'd prefer the former to the latter, but oh well.

    From Skatterbrain - 2005-02-09 2:44 PM

    While I'm at it, I'd like to be able to resize columns in the Updates view table. Seems odd that you cannot resize them.

    From tfl - 2005-02-09 5:16 PM

    The inability to resize columns has been filed as a bug. Feel free to file one yourself!! Thomas Lee

    From ucinv - 2005-02-10 3:06 PM

    We do a lot of cloning from image files. Sometimes our image files are old and therefore are not up to date on updates. As is, WUS doesn't support "temporary" computers very well. I want to be able to boot up the cloned PC's and have them get their updates from the WUS server and then have the computers be deployed/sold/rented/destroyed, whatever. What I do now, is at the command prompt I type "wuauclt.exe /detectnow", but I never seem to know when it is done detecting and applying updates, there isn't even an option to get some indication or messagebox. I'd like to at least have the option to display a message like "No updates needed from the <NAME> WUS Server, You are up-to-date!"

    From tfl - 2005-02-11 3:30 AM

    Re UCINV's comments:

    Updating cloned images is really not one of the sweet spots for this product. If you are handling clones and cloned images you might be better off using SMS. What would be useful for you is if you could simply use the cloned system's browser and navigate to your WUS server and get updated (similar to how you can be updated at windows update). That way, once cloned, you could simply navigate to your local server and get updated. So far as I'm aware, this option has not been accepted by MS.

    I agree totally about the need for a better client tool. You can see option 9 for my first take at what this could look like. If you have some better ideas on this, please feel free to update that page!

    MS is planning on doing some work to improve the client experience, and hopefully this will be in the RC that's coming soon. In the mean time, please file bugs on this. At this point about the only thing that will make any real difference is bug reports: no matter how good an idea I think it is, it's the number of bug reports that MS gets that makes a difference! Thomas Lee

    From danholme - 2005-02-12 7:52 AM

    Are there any developers who read this wiki? Seems to me (don't bother calling me naive--I know I am :-) ) that several of these wish-list items should be easy to implement. For example:

    • Given the wuauclt.exe /detectnow command, it should be relatively easy to create a Microsoft Update-like web page with a link that at minimum causes the computer to do a scan... and aren't scan results stored in XML somewhere, therefore present-able?
    • Since the Microsoft Update site uses an ActiveX control to scan for updates, is that control 'accessible' in such a way that, again, a Microsoft Update-like site could be created? Maybe not completely the same, but at least a step in that direction?
    • An AD event sink or monitoring tool that determines when a computer is moved (i.e. DN changes) and changes that computer's membership in 'parallel' WUS groups?
    • Can anyone (from MS or elsewhere) shed light on where certain defaults (I'm thinking specifically of "every language") are stored so we can create a script to run that changes that as part of a 'post installation clean-up' routine?

    Some of these items on this wish list are so 'fundamental' that it is a bit interesting they're not already in the product... (hello... AD integration???) but I'm hoping we can round up some developers to start creating workarounds...

    Dan Holme
    Intelliem

    From tfl - 2005-02-12 8:38 AM

    Regarding danholme's comment:

    I'm certain MS folks are reading both the wiki and the comments on these pages (as well as messages in the TAP/OEP newsgroups). From responses to bugs I've filed, not only am I certain the developers are reading this site, I am also certain that they are listening and responding.

    However, you need to understand that a product is supposed to be feature complete to go to a final beta. This is the way MSF works and the way that MS traditionally runs projects. That's not to say that there won't be feature changes going into the RC, but at RC stage, the whole idea is to do final sanity checking on the feature set - not adding huge new features.

    This is, I suppose, a longwinded way of saying that while I agree that many of the wishes here should be trivial to code, they each mean extra effort - and given that the project team is presumably fixed sized, more features just means more delays. As it is, WUS is badly late - and as much as I really want the new features, the product's ship date is an important feature too.

    I guess what I'd like to see is RTM as soon as possible, with an SP1 in 6 months time that makes the product better.

    My .02€ worth!

    Thomas

    From Skatterbrain - 2005-02-12 11:39 PM

    Thanks for the info on column headings. I wonder if the issue of the WUS console text not respecting the text size options in IE has been submitted also? (just curious - don't want to beat a dead horse)

    From Skatterbrain - 2005-02-12 11:45 PM

    The single biggest concern for our environment is the issue of whether or not the GPO option to "allow non-administrators" to receive update notifications will actually work consistently with ordinary "User" users (vice "Power Users" users). Half of our work force uses laptops, which are almost never left powered on overnight. That forces us to deal with updates during working hours (less than ideal, but there are no other options). This means the user is actively logged in and they don't have admin rights. We seldom add them to Power Users as well (unless they don't deal with secure information contracts). This new WUS GPO option looks very exciting but our tests show it is unreliable. It simply does not work on W2K/SP4 clients, and on XP clients it does work well except with OS service packs. In all cases where it doesn't work, it appears to be working (prompts, downloads, installs, confirms) but simply repeats itself again and again until an administrator logs on to run the updates. I'm hoping this gets fixed before RC or RTM.

    From PHPSE - 2005-02-23 4:05 PM

    Support to push updates, patches, SPs to 2000 server? I did not see it in the supported list, nor have I seen it in the updates list. Is this planned, or should I assume that this is a way to push servers to go 2003?

    TIA

    From Skatterbrain - 2005-03-01 7:04 AM

    How about mandatory updates? That way, even with ElevateNonAdmins enabled, it would prevent users from de-selecting updates approved at the server. The default could be "optional", with an option to make each one "mandatory".

    From rdafoe - 2005-03-15 8:37 AM

    I would like a new column on the report. Right now there is an Installed, Needed, Failed, and Last Updated column. It would be really beneficial to have a Downloaded column to see what has been downloaded to pcs. This would help trying to figure out who is not rebooting their pcs for the updates, as in our environment, we cannot force a reboot.

    From Klaustro - 2005-05-23 5:11 PM

    I have two points:
    • I need more filter-options in the Updates-View. For example it would be really helpful if you could filter by updates which are only approved or not approved by a special group. You know? It would be great for example if you'd see the same tiny window you get when you set the install-options for a single patch in order to filter by your settings...
    • Another thing would be (and this is a really important one!!!), turning off all messages on the clients. In our environment everybody is working as a local administrator and everybody gets this annoying message that the pc needs a reboot. Why isn't there an "AUOptions=5 # Don't even notify anyone, just install and wait for the next restart" or maybe a better way "AUOptions=5 # Install next time when PC is shutting down"! These annoying messages disqualify WSUS in our environment and I believe we're not the only ones...


    (me again) - I'd LOVE to see a client-side API that could be invoked through scripting, .NET etc. to allow for custom automation and control. I'm just thinking of the potential flexibility that could provide with login scripts, SMS package deployments, and remote scripting.

     

    I added items 42 and 43 above...

  47. I would like to see a secondary source for the updates. It would work like this: if the primary WSUS server is not available, the client defaults to requesting updates from MU. This is an urgently needed update, since many of our clients have laptops and very seldom come into the office and connect to the LAN. We have to mandate that our nurses come in at least once a week and let the client sync. This results in potential security exposures.


Last Modified 5/1/08 5:33 AM