What Are the Minimum Required Licences?

The minimum required licence is 1 ‘Single or Upstream’ licence. WSUS Automated Maintenance (WAM) © must be used on ALL WSUS Servers including Online/Offline/Disconnected Upstream Servers, Downstream Servers (Replica Servers or Autonomous Servers), and Stand Alone WSUS Servers. Failure to do so will cause database and file structure inconsistency between Upstream and Downstream servers (usually with reporting).

If you do not have access to the Upstream server and cannot install WSUS Automated Maintenance on it, you must still purchase the licence for it, on the same account as the downstream licences, to be compliant. Our eCommerce system has automation to prevent access to the software and licence to any account that does not have an upstream licence.

If the Upstream system administrators are not performing the required maintenance, the ‘system as a whole’ is not going to be as optimized and maintained as it can be (which goes against Microsoft’s recommendations). WAM can still be installed only on the downstream servers. When installed on autonomous WSUS Servers only, WAM will still function at 100% efficiency on that specific system, as WAM is able to perform all of its tasks. The only caveat is that you must also purchase the licence for the upstream to be compliant. When installed on replica downstream servers only, you will still get the functionality of WAM at about 50-60% efficiency, as downstream replicas inherit approvals and WAM cannot decline updates unless it is run at the upstream server. The only other caveat is that you must also purchase the licence for the upstream to be compliant.

Do you have a Single WSUS Server?

The most basic WSUS deployment consists of a server inside the corporate firewall that serves client computers on a private intranet. The WSUS server connects to Microsoft Update to download updates. If you have a single WSUS server, licensing WSUS Automated Maintenance requires 1 ‘Single or Upstream’ licence.

Root WSUS Upstream

The WSUS server that connects to Microsoft Update is known as the root WSUS server.

Do you have Multiple WSUS Servers?

A WSUS deployment can consist of multiple connected servers. When you connect multiple WSUS servers, you create at least one upstream WSUS server and at least one downstream WSUS server. This configuration creates a hierarchy of WSUS servers, as shown in the following image:

Figure: WSUS Design – Upstream – Downstream

Root WSUS Upstream Server

A root WSUS upstream server is defined as a system that synchronizes directly with Microsoft Update. Each root WSUS upstream server requires a ‘Single or Upstream’ licence.

Downstream Replica

A downstream replica server, also called centralized administration, works by having an upstream WSUS server that shares updates, approval status, and computer groups with downstream servers. Replica servers inherit update approvals and are not administered separately from the upstream WSUS server. Each downstream replica server requires a ‘Downstream’ licence.

Downstream Autonomous

A downstream autonomous server, also called distributed administration, is the default installation option for WSUS. In Autonomous mode, an upstream WSUS server shares updates with downstream servers during synchronization. Downstream autonomous servers are administered separately, and they do not receive update approval status or computer group information from the upstream server. Each downstream autonomous server requires a ‘Downstream’ licence.

Do you have a WSUS deployment for disconnected networks?

Online Staging Server

Each online staging WSUS Server requires a ‘Single or Upstream’ licence. This is the server that you would export the updates metadata from using the WsusUtil.exe export command.

Disconnected Downstream

Each disconnected server requires a ‘Disconnected Downstream’ licence. This is the server that you would import the updates metadata to using the WsusUtil.exe import command.

Do you have Microsoft Configuration Manager (ConfigMgr/SCCM)?

Microsoft Configuration Manager uses Software Update Points (SUP) in the distribution of patches within your network. You can install more than one software update point on a site. The first software update point that you install is configured as the synchronization source and is installed on the central administration site and/or the primary site. The software update point interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata.

Root WSUS Upstream Server

The other software update points on the site are configured as replicas of the first software update point. The first installation of the software update point is on the Root WSUS Upstream Server. A root WSUS upstream server is defined as a system that synchronizes directly with Microsoft Update and requires a ‘Single or Upstream’ licence.

Downstream Replica

The other software update points on the site are configured as downstream replicas of the first software update point. Each downstream replica server requires a ‘Downstream’ licence.