Updating Devices


Topic Last Modified: 2012-10-16


This topic applies only to IP phones.

Microsoft Lync Server 2010 includes the Device Update Web service, which is automatically installed with Web Services. You can use this service to download updates from Microsoft, test them, and then deploy the updates to all the IP phones in your organization. You can also use Device Update Web service to roll back devices to previous software versions. We recommend that you check for updates every three months.

For details about viewing updates for device in your organization, see Getting Started with Device Update Web service.


Before you can use the Device Update Web service, you must fulfill the topology, component, and other requirements described in Planning to Deploy IP and USB Devices in the Planning documentation.

This topic helps prepare you to use the Device Update Web service by providing an overview of the components and update process.

Usage Scenarios

Use the Device Update Web service in the following management scenarios:

Testing and deploying updates   Retrieve updates from Microsoft and upload them to Device Update Web service. Test, and then approve or reject, specific updates for deployment to your organization’s IP phones to make sure that all updates are valid and functional, instead of having to troubleshoot after deployment.


Updates are not automatically copied over. The updates need to be uploaded to each server in the pool.

Rolling back an update   Roll back a defective update and retain a tested prior update as the latest update. The device goes back to the backup tested update, which is always stored on the device as a backup.

Introducing new device models   Make available all software updates relevant to a new model of an IP phone that is being introduced to the market.

Inventory management for devices in organizations   Use the log files and audit information stored in the Device Updates folder to view the IP phones in your organization and information about them, such as the current firmware version.

Components of the Device Update Web service

The Device Update Web service is made up of the following components:

Device Request Handler

The device request handler performs the following tasks:

  • Receives requests for software updates from IP phones.

  • Receives device logs and stores them on the server.

  • Generates audit logs for device update activity.

Device Updates Cabinet Files

Microsoft makes updates available in cabinet (.cab files) that you can download from the Microsoft Help and Support website. An update .cab file contains updates for one or more unified communications (UC) devices. After obtaining the .cab file, you upload it to Device Update Web service by using the Lync Server Management Shell.

The following file types are contained in an update:

  • .cat: Security catalog

  • .nbt: Software image

  • .xml: Description file

Lync Server 2010 Control Panel

In Microsoft Lync Server 2010 Control Panel, use the following to manage the Device Update Web service on the Clients page:

  • Device Update   Provides the ability to view updates in the device update store, create device update rules in Central Management store and approve or reject device updates for deployment, approve or reject updates for test devices, and roll back updates to a previous version.

  • Test Device   Provides the ability to specify the devices that are to receive pending updates for testing purposes.

Device Updates File Store

The device updates file store serves as the central repository for the update information, logs, and audit information. It provides the installation point for devices that require updates.

In Lync Server 2010 Standard Edition, this folder is automatically created by the installer and located in the Web Services folder, under the installation folder. The default path is as follows:<share>\<Webservice instance>\DeviceUpdateLogs\Server\Audit\ImageUpdates.


This is located on every web server. If you are looking for device upload log files, the default path is as follows:<share>&lt;Webservice instance>\DeviceUpdateLogs\Client. You will need to check every Front End Server in the pool, as the user’s logs could have been updated to any one of them (the routing algorithm determines this based on load). You can also check to the file store path using the Topology Builder: Select the site, and then select FileStore. The path will be listed.

In Lync Server 2010 Enterprise Edition, prior to installation, the administrator creates a shared folder to contain both client and device update files. The administrator then specifies the location of this folder in the Create Front End Pool wizard during deployment.


We recommended that you create a quota on the Device Update Web service log file store at %ProgramFiles%\Microsoft Lync Server\Web Services\DeviceUpdateFiles, using the File Server Resource Manager. A quota will help to ensure that the number of log files does not increase greater than the size of the file store, which could cause problems on the Web Services role. The Device Update Web service log file store is installed as part of the Front End Server role, and we recommend that you set up the quota whether or not you are using the Device Update Web service.
For details about setting up a quota using the File Server Resource manager, see "File Server Resource Manager Step-by-Step Guide for Windows Server 2008" at https://go.microsoft.com/fwlink/p/?LinkId=201142.

The Device Update Process

The device update process begins with you downloading an update from the Microsoft website, and then using the Lync Server 2010 Control Panel to test, approve, or reject the update. Approved updates become pending updates that devices retrieve by using the following process.

The first time a user starts an IP phone and signs in, the device gets information by using in-band provisioning from the server. The information contains the internal URL of the server running the Device Update Web service.

If the device is turned on, but no user signs in, and no user has ever signed in on the device, then the device sends a DNS lookup request to ucupdates-r2.<DNSDomainNameProvidedByDHCP>, and obtains the internal URL of the server running the Device Update Web service.

The device checks for updates every time it is turned on, every time the user signs in, and every 24 hours, by default. It checks by sending an HTTP request over port 443 to the Front End Server that hosts the Device Update Web service. The request includes the current version of software that the phone is running, and the response is determined by the device and whether there is a new update on the server to download.

Internal Devices

If device is inside the organization’s firewall and the user is signed in, the Device Update Web service returns a response that contains one of the following:


To update devices inside the organization’s firewall the following Internet Information Services (IIS) virtual directory must be set to the following: http://<Internal FQDN>/DeviceUpdateFiles_Int

  • If no approved updates exist for the current version of the firmware, or if the current version of the firmware matches the version of the approved update, the response contains NumOfFiles = 0. For test devices, pending updates are also considered.

  • If an approved update is available for the current firmware version, the response contains the path to the location from where the update can be downloaded.

External Devices

If the device is outside the organization’s firewall, and the user is signed in, the Device Update Web service returns a response indicating that anonymous access is not supported. The device then sends an HTTPS update request over port 443 to the Device Update Web service. The Device Update Web service returns one of the responses listed previously in the internal case.


To update devices outside the organization’s firewall, Lync 2010 Phone Edition upgrade files are required when publishing websites using a reverse proxy server. Publishing websites typically requires the following reverse proxy certificates: Subject Name = ExternalWebFarmFQDN (for example, ocsrp.contoso.com)

If the device is outside the organization’s firewall, and the user is not signed in, the Device Update Web service denies the request.

When the update is complete, the device uses the update as its current version, and the previous version is stored in the firmware as a backup.

Device Out of Box

When the device is turned on for the first time, it sends a DNS lookup request to ucupdates-r2.<DNSDomainNameProvidedByDHCP> to obtain internal URL of the server running the Device Update Web service. The device will then make a HTTPS request to request for device updates.

Dependencies for this function:

  • The phone must be on the corporate network.

  • UCUpdates-R2 must be configured in DNS.

  • Device Update certificate must have SAN entries containing ‘UCUpdates-R2’ (hostname) and ‘UCUpdates-R2.contoso.com’ (FQDN).

  • The server running the Device Update Web service must have a certificate trusted by Lync 2010 Phone Edition.

    • Refer to the Trusted Authorities Cache for a list of publicly trusted certificates.

    • If you use a private enterprise certificate, the device will not receive updates. To work around this, have the user attempt sign-in on the device. Regardless of whether or not the sign-in is successful, the sign-in process will trigger the bootstrapper and download the root certificate from the server.

  • Network Time Protocol (NTP) must be configured correctly for the device. For details, see Using NTP to Set the Correct Time and Date for Devices.