With the latest update to WSUS (described in KB2720211) also came an update to the WUA, version 7.6.7600.256; however, this updated WUA is not available for separate download and can only be installed directly via WSUS as described in KB949104. This is somewhat disconcerting for a handful of reasons including the following:

  • There is no control of how or when this update gets pushed to the clients by WSUS. Enterprises use ConfigMgr because they want to have control over how and when things go out.
  • Many enterprises don’t have WSUS servers local to their clients — there is often no reason to have local WSUS servers with ConfigMgr in place and properly designed. This means this update now must be distributed to all clients across the WAN from their existing WSUS servers.
  • Many folks have turned off/disabled Automatic Updates based on CSS (KB2476479) and MVP (mainly mine) recommendations to avoid the WUA causing unexpected reboots and to prevent WSUS from automatically deploying anything (like updated WUAs). Folks that have done this have *no* way to update the WUA without the separate WUA installer that has traditionally been available.
  • There is no way to include this latest update in an OSD task sequence.

While I am dismayed by the short-sighted decision not to make the update available separately, in the meantime this is really no big deal for ConfigMgr. Why? Because the updated WUA included in 2720211 is not relevant to ConfigMgr managed clients. This hotfix addresses shortcomings in the download and delivery of updates via WSUS. As most (hopefully all) ConfigMgr admins know, WSUS does neither of these when integrated into ConfigMgr.

If you have never disabled Automatic Updates, not to worry, this conversation is completely moot because know it or not, like it or not, your clients already have the latest version of the WUA (based upon your WSUS update status) because it was automatically delivered to them from WSUS.

Here are all of the valid options you can pick from if you have disabled Automatic Updates:

  1. Install 2720211 on your WSUS servers and deploy (or continue to use) the previous version of the WUA, 7.4.7600.226 (KB946928).
  2. Don’t install 2720211 on your WSUS servers and deploy (or continue to use) the previous version of the WUA, 7.4.7600.226.
  3. Install 2720211 and temporarily enable Automatic Updates (via group policy) to allow WSUS to update your client agents to 7.6.7600.256. You’ll of course have to track your client agent update progress using ConfigMgr. This doesn’t address new clients deployed into the environment, though, because the implication here is that at some point you will once again disable Automatic Updates and thus leave those new systems with a previous version of the WUA.
  4. Install 2720211, enable Automatic Updates (via group policy) to allow WSUS to update your client agents to 7.6.7600.256, and enable the “Remove access to use all Windows Update features” user-centric group policy setting while also setting the “Configure notifications” option in this setting to “Do not show any notifications”. This will enable the infrequent (and uncontrolled) updates to the WUA via WSUS but will suppress any reboots and/or notifications from the WUA. Note that I’ve never tested this one so YMMV.
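
For the tracking mentioned in option 3, a script along the following lines can report which WUA version a client is running. This is an added example, not code from the original post or from Microsoft; the function names and status labels are hypothetical, and how the script is deployed and its result collected through ConfigMgr is left out.

```powershell
# Added example: classify the local Windows Update Agent (WUA) version against
# the two versions named in the post. Function names and labels are hypothetical.
$Wua76 = [version]'7.6.7600.256'   # WUA delivered by WSUS after KB2720211
$Wua74 = [version]'7.4.7600.226'   # previous stand-alone WUA (KB946928)

function Get-WuaVersion {
    # Preferred: ask the agent itself through its COM automation object.
    try {
        $info = New-Object -ComObject Microsoft.Update.AgentInfo -ErrorAction Stop
        return [version]$info.GetInfo('ProductVersionString')
    }
    catch {
        # Fallback: read the file version of the agent engine DLL.
        $dll = Join-Path $env:windir 'System32\wuaueng.dll'
        if (-not (Test-Path $dll)) { return $null }
        $v = (Get-Item $dll).VersionInfo
        return New-Object -TypeName System.Version -ArgumentList `
            $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
    }
}

function Get-WuaStatus {
    param([version]$Version)
    if ($null -eq $Version)  { return 'Unknown' }    # agent not found
    if ($Version -ge $Wua76) { return 'Updated' }    # 7.6.7600.256 or later
    if ($Version -ge $Wua74) { return 'Previous' }   # 7.4.7600.226 up to 7.6.7600.256
    return 'Older'                                   # older than 7.4.7600.226
}

$version = Get-WuaVersion
New-Object psobject -Property @{
    ComputerName = $env:COMPUTERNAME
    WuaVersion   = $version
    Status       = Get-WuaStatus -Version $version
}
```

A client that still reports `Previous` after Automatic Updates has been re-enabled has not yet received the agent update from WSUS.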

I guess that there are other possible options, like doing nothing at all, but those aren’t really valid IMO – kind of like “walk middle of road, squish, like grape”.

I tend to like #2, but the best choice from the above really depends upon your environment and ConfigMgr hierarchy.

If you find the above decision as short-sighted as I do, reach out to Microsoft and express your opinion; use the appropriate channels like CSS, premier support, or your TAM and justify business impact. Also note, this is not the ConfigMgr product team’s fault or doing.