Prerequisites for software updates in Configuration Manager

Applies to: Configuration Manager (current branch)

This article lists the prerequisites for software updates in Configuration Manager. For each of the prerequisites, the external dependencies and internal dependencies are listed in separate tables.

Software update dependencies that are external to Configuration Manager

The following sections list the external dependencies for software updates.

Internet Information Services

Internet Information Services (IIS) must be installed on the site system servers to run the software update point, the management point, and the distribution point. For more information, see Prerequisites for site system roles.

Windows Server Update Services

Windows Server Update Services (WSUS) is needed for software updates synchronization and for the software updates applicability scan on clients. The WSUS server must be installed before you create the software update point role. The following versions of WSUS are supported for a software update point:

  • WSUS 10.0.14393 (role in Windows Server 2016)
  • WSUS 10.0.17763 (role in Windows Server 2019) (Requires Configuration Manager 1810 or later)
  • WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)

Note

  • When you have multiple software update points at a site, ensure that they're all running the same version of WSUS.

WSUS Administration Console

The WSUS Administration Console is required on the Configuration Manager site server when the software update point is on a remote site system server and WSUS isn't already installed on the site server.

Important

  • The WSUS version on the site server must be the same as the WSUS version that's running on the software update points.
  • Don't use the WSUS Administration Console to configure WSUS settings. Configuration Manager connects to the instance of WSUS that is running on the software update point and configures the appropriate settings.

Windows Update Agent

The Windows Update Agent (WUA) client is required on clients so that they can connect to the WSUS server. WUA retrieves the list of software updates that must be scanned for compliance.

When you install Configuration Manager, the latest version of WUA is downloaded. Then, when you install the Configuration Manager client, WUA is upgraded if necessary. If the installation fails, you must use a different method to upgrade WUA.

Software update dependencies that are internal to Configuration Manager

The following sections list the internal dependencies for software updates in Configuration Manager.

Management points

Management points transfer information between client computers and the Configuration Manager site. The management points are required for software updates.

Software update points

You must install a software update point on the WSUS server to deploy software updates in Configuration Manager. For more information, see Install and configure a software update point.

Distribution points

Distribution points are required to store the content for software updates. For more information about how to install distribution points and manage content, see Manage content and content infrastructure.

Client settings for software updates

Software updates are enabled for clients by default. There are other available settings that control how and when clients assess compliance for the software updates and control how the software updates are installed.

For more information, see the following articles:

Important

Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these connections. For more information about the changes for scanning WSUS, see September 2020 changes to improve security for Windows devices scanning WSUS. To ensure that the best security protocols are in place, we highly recommend that you use the TLS/SSL protocol to help secure your software update infrastructure.

Reporting services points

The reporting services point site system role can display reports for software updates. This role is optional but recommended. For more information about how to create a reporting services point, see Configuring reporting.

Which updates are required on WSUS 6.2 and 6.3?

Two updates are required for syncing the Upgrades classification in WSUS 6.2 and 6.3. Occasionally, you might see an error downloading or deploying upgrades if they synchronized before KB 3095113 and KB 3159706 were installed. Information about possible issues is in the next section.

  • You must install KB 3095113, released in October 2015, on your software update points and site servers before you synchronize the Upgrades classification.
    • This update enables the Upgrades classification.
  • To service Windows 10 version 1607 and later, you must install and configure KB 3159706. KB 3159706 was released in May 2016.
    • This update enables WSUS to natively decrypt the files used for upgrading Windows 10 version 1607 and later.

Important

Both KB 3095113 and KB 3159706 are included in the Security Monthly Quality Rollup starting in July 2017. This means you may not see KB 3095113 and KB 3159706 as installed updates since they may have been installed with a rollup. However, if you need either of these updates, we recommend installing a Security Monthly Quality Rollup released after October 2017 since they contain an additional WSUS update to decrease memory utilization on WSUS's clientwebservice.

Download of Windows 10 upgrades fails with "Error: Invalid certificate signature" or 0xc1800118

The updates and issue described in this section only apply to WSUS running on Windows Server 2012 or Windows Server 2012 R2 machines (WSUS 6.2 and 6.3). Typically, you'll only see the issues described in this section if you installed WSUS before July 2017 and you've recently enabled the Upgrades classification. However, it's possible to see these issues in other situations too.

Historical information about KB 3095113

KB 3095113 was released as a hotfix in October 2015 to add support for Windows 10 upgrades to WSUS. The update enables WSUS to synchronize and distribute updates in the Upgrades classification for Windows 10.

If you synchronize any upgrades without having first installed KB 3095113, you populate the WSUS database (SUSDB) with unusable data. That data must be cleared before the upgrades can be properly deployed. Windows 10 upgrades in this state can't be downloaded by using the Download Software Updates Wizard.

Errors that resemble the following appear on the Completion page of the Download Software Updates Wizard:

Error: Upgrade to Windows 10 Pro, version 1511, 10586
Failed to download content id {content_id}. Error: Invalid certificate signature

Additionally, errors resembling the following are logged in the PatchDownloader.log file:

Download http://wsus.ds.b1.download.windowsupdate.com/d/upgr/2015/12/10586.0.151029-1700.th2_release_...esd...
Authentication of file C:\Users\{username}\AppData\Local\Temp\2\{temporary_filename}.tmp failed, error 0x800b0004
ERROR: DownloadContentFiles() failed with hr=0x80073633
# This log is truncated for readability.
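
The following PowerShell is an added example, not part of the original article or of Microsoft's tooling. It pairs each failed signature check in PatchDownloader.log with the download URL that preceded it, so that .esd upgrade failures (0x800b0004) stand out from unrelated download errors. The function name, the second sample URL, and the assumption that log lines look like the excerpt above are illustrative.

```powershell
# Added example. Sample lines are constructed from the excerpt above;
# the "{...}" placeholders and the truncated URL are kept as the page shows them.
$sampleLog = @'
Download http://wsus.ds.b1.download.windowsupdate.com/d/upgr/2015/12/10586.0.151029-1700.th2_release_...esd...
Authentication of file C:\Users\{username}\AppData\Local\Temp\2\{temporary_filename}.tmp failed, error 0x800b0004
ERROR: DownloadContentFiles() failed with hr=0x80073633
Download http://wsus.example.test/constructed/other-update.cab...
'@ -split "`r?`n"

function Find-UpgradeSignatureFailure {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    $url = $null      # most recent "Download <url>" line
    $pending = $null  # failure record still waiting for its DownloadContentFiles() line
    foreach ($text in $Line) {
        if ($text -match 'Download\s+(?<url>https?://\S+)') {
            # A new download starts: flush any failure that never got an hr= line.
            if ($pending) { $pending; $pending = $null }
            $url = $Matches['url'].TrimEnd('.')
        }
        elseif ($text -match 'Authentication of file (?<file>.+?) failed, error (?<code>0x[0-9a-f]{8})') {
            if ($pending) { $pending }
            $pending = [pscustomobject]@{
                Url             = $url
                TempFile        = $Matches['file']
                AuthError       = $Matches['code'].ToLower()
                DownloadHResult = $null
                # Same file filter as the SQL cleanup step on this page ('%.esd%').
                IsEsdUpgrade    = ($url -like '*.esd*')
            }
        }
        elseif ($pending -and $text -match 'DownloadContentFiles\(\) failed with hr=(?<hr>0x[0-9a-f]{8})') {
            $pending.DownloadHResult = $Matches['hr'].ToLower()
            $pending; $pending = $null
        }
    }
    if ($pending) { $pending }  # log ended before the hr= line
}

# Keep only the pattern this section describes: a failed signature check on an .esd download.
Find-UpgradeSignatureFailure -Line $sampleLog |
    Where-Object { $_.IsEsdUpgrade -and $_.AuthError -eq '0x800b0004' } |
    Format-List
```

Against a real log, pass the output of Get-Content for PatchDownloader.log to -Line instead of $sampleLog.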

Historically, when these errors occurred, they would be resolved by doing a modified version of the resolution steps for WSUS. Because these steps are similar to the resolution for not doing the manual steps required after KB 3159706 installation, we've combined both sets of steps into a single resolution in the section below:

Historical information about KB 3159706

KB 3148812 was initially released in April 2016 to enable WSUS to natively decrypt the .esd files used for upgrading Windows 10 packages. KB 3148812 caused problems for some customers and was replaced with KB 3159706. KB 3159706 needs to be installed on all your software update points and site servers before you can service Windows 10 Version 1607 and later devices. However, problems can arise if you don't realize the KB requires the following manual steps after installation:

  1. From an elevated command prompt run "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing.
  2. Restart the WSUS service on all of the WSUS servers.

If you don't realize that KB 3159706 had manual steps after installation, or you synchronized in the upgrade for Windows 10 1607 before installing KB 3159706, you would run into issues connecting to the WSUS console and deploying the upgrade respectively. When a client downloaded the upgrade file, it would get a 0xC1800118 error code.

Because the resolution steps are similar to the resolution for synchronizing upgrades before KB 3095113 installation, we've combined both sets of steps into a single resolution in the next section.

To recover from synchronizing the upgrades before you install KB 3095113 or KB 3159706

Follow the steps below to resolve both the 0xc1800118 error and "Error: Invalid certificate signature":

  1. Disable the Upgrades classification in both WSUS and Configuration Manager. You don't want a synchronization to occur until you're directed to by these instructions.
    • Uncheck the Upgrades classification in the software update point component properties on the top-level site.
    • Uncheck the Upgrades classification from WSUS under Products and Classifications on the Options page, or use the PowerShell ISE running as administrator.
      Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable
      
      • If you share the WSUS database between multiple WSUS servers, you only need to uncheck Upgrades once for each database.
  2. On each WSUS server, from an elevated command prompt run: "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing. Then, restart the WSUS service on all of the WSUS servers.
    • WSUS places the database into single user mode before it checks to see if servicing is needed. The servicing either runs or doesn't run based on the results of the check. Then, the database is put back into multi-user mode.
    • If you share the WSUS database between multiple WSUS servers, you only need to do this servicing once for each database.
  3. Delete all of the Windows 10 upgrades from each WSUS database using the PowerShell ISE running as administrator.
    [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
    $wsus.GetUpdates() | Where {$_.UpdateClassificationTitle -eq 'Upgrades' -and $_.Title -match 'Windows 10'} `
    | ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateId.ToString()); Write-Host $_.Title removed}
    
  4. Delete files from the tbFile table from each of the WSUS databases used by your software update points. On the WSUS database, run the following commands from SQL Server Management Studio:
    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE)
    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%.esd%'  except select FileDigest from tbFileForRevision)
    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)
    
  5. Start the software updates synchronization on your top-level site in Configuration Manager and wait for it to complete. A full synchronization occurs because we changed the classifications in Configuration Manager when we removed Upgrades. For more information, see Synchronize software updates.
  6. Select the Upgrades classification in the software update point component properties. Then, start another software updates synchronization to bring the Upgrades back into WSUS and Configuration Manager. You don't have to enable the Upgrades classification in WSUS since Configuration Manager will do it for you.
  7. If your clients received the 0xC1800118 error code when downloading an upgrade, you'll need to delete the data store used by the Windows Update Agent. You may also have to delete the hidden ~BT folder on the device. The next time the client scans, it will be a full scan against the WSUS server rather than a delta. You can use a PowerShell script that's similar to the following sample script:
    stop-service wuauserv
    remove-item -path c:\windows\softwaredistribution\datastore -recurse -force
    # If the device has a hidden ~BT folder on the c drive, delete it too by uncommenting the next line.
    # remove-item -path c:\~BT -recurse -force
    start-service wuauserv
    

Next steps

Prepare for software updates management