Update approval issues

Applies To: Windows Server Update Services

If you are having problems with approvals, use the following sections to troubleshoot the problem.

If IIS Lockdown is installed on WSUS and client computers, do not download updates stored on the WSUS server

If you are using the IIS Lockdown Wizard and have installed the URLScan tool, ensure that you edit the Urlscan.ini file to allow *.exe requests.

After you edit this file, you must restart both IIS and the WSUS server. You can find the Urlscan.ini file in the\WINNT\System32\Inetserv\Urlscan directory on the boot drive of your computer.

To edit the Urlscan.ini file

  1. Open Urlscan.ini in a text editor.

  2. Remove ".exe" from the [DenyExtensions] section.

  3. Make sure the following settings appear under the [AllowVerbs] section:

    • GET

    • HEAD

    • POST


New approvals can take up to one minute to take effect

If you approve an update on the WSUS console and there are client computers running detection at that exact moment, those computers might not get the approved update until they go through another detection cycle. The WSUS server requires approximately one minute to begin offering newly approved updates to client computers.

Remote computers accessed by using Terminal Services cannot be restarted by non-administrators

Non-administrators using terminal services computers will not be able to restart their

computers remotely. Therefore, if a remote computer on which an update is installed needs to be restarted for the update to take effect, users without administrative permissions will be unable to complete the updating of their remote computer.

The number of updates that are approved on a parent upstream server does not match the number of approved updates on a replica server

This might occur if you have changed language settings on the parent upstream server after first synchronizing with the old language settings. For more information see "Listinactiveapprovals," in Managing WSUS from the Command Line.