在 Configuration Manager 中進行軟體更新的先決條件Prerequisites for software updates in Configuration Manager

適用於: Configuration Manager (最新分支)Applies to: Configuration Manager (current branch)

此文章列出 Configuration Manager 中軟體更新的先決條件。This article lists the prerequisites for software updates in Configuration Manager. 每項必要條件的內、外部相依性會分列於不同的表格之中。For each of the prerequisites, the external dependencies and internal dependencies are listed in separate tables.

Configuration Manager 外部的軟體更新相依性Software update dependencies that are external to Configuration Manager

下列各節列出軟體更新的外部相依性。The following sections list the external dependencies for software updates.

Internet Information ServicesInternet Information Services

網站系統伺服器上必須安裝 Internet Information Services (IIS),才能執行軟體更新點、管理點與發佈點。Internet Information Services (IIS) must be installed on the site system servers to run the software update point, the management point, and the distribution point. 如需詳細資訊,請參閱站台系統角色的必要條件For more information, see Prerequisites for site system roles.

Windows Server Update ServicesWindows Server Update Services

Windows Server Update Services (WSUS) 是用戶端軟體更新同步及軟體更新適用性掃描的必要條件。Windows Server Update Services (WSUS) is needed for software updates synchronization and for the software updates applicability scan on clients. 必須在建立軟體更新點角色之前安裝 WSUS 伺服器。The WSUS server must be installed before you create the software update point role. 下列版本的 WSUS 支援軟體更新點:The following versions of WSUS are supported for a software update point:

  • WSUS 10.0.14393 (Windows Server 2016 中的角色)WSUS 10.0.14393 (role in Windows Server 2016)
  • WSUS 10.0.17763 (Windows Server 2019 中的角色) (需要 Configuration Manager 1810 或更新版本)WSUS 10.0.17763 (role in Windows Server 2019) (Requires Configuration Manager 1810 or later)
  • WSUS 6.2 和 6.3 (Windows Server 2012 和 Windows Server 2012 R2 中的角色)WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)

注意

  • 一個站台上有多個軟體更新點時,請確認所有更新點均執行相同版本的 WSUS。When you have multiple software update points at a site, ensure that they're all running the same version of WSUS.

WSUS 管理主控台WSUS Administration Console

如果軟體更新點位於遠端站台系統伺服器上,且站台伺服器尚未安裝 WSUS,則必須在 Configuration Manager 站台伺服器上安裝 WSUS 管理主控台。The WSUS Administration Console is required on the Configuration Manager site server when the software update point is on a remote site system server and WSUS isn't already installed on the site server.

重要

  • 站台伺服器和軟體更新點必須執行相同版本的 WSUS。The WSUS version on the site server must be the same as the WSUS version that's running on the software update points.
  • 請不要使用 WSUS 管理主控台進行 WSUS 設定。Don't use WSUS Administration Console to configure WSUS settings. Configuration Manager 會連線至軟體更新點上執行的 WSUS 執行個體,並進行適當地設定。Configuration Manager connects to the instance of WSUS that is running on the software update point and configures the appropriate settings.

Windows Update 代理程式Windows Update Agent

用戶端上需要有 Windows Update Agent (WUA) 用戶端,才能連線至 WSUS 伺服器。The Windows Update Agent (WUA) client is required on clients so that they can connect to the WSUS server. WUA 會擷取必須進行相容性掃描的軟體更新清單。WUA retrieves the list of software updates that must be scanned for compliance.

安裝 Configuration Manager 時,會下載最新版的 WUA。When you install Configuration Manager, the latest version of WUA is downloaded. 接下來,當您安裝 Configuration Manager 用戶端時,會在必要時升級 WUA。Then, when you install the Configuration Manager client, WUA is upgraded if necessary. 若安裝失敗,便須使用其他方法升級 WUA。If the installation fails, you must use a different method to upgrade WUA.

Configuration Manager 內部的軟體更新相依性Software update dependencies that are internal to Configuration Manager

下列各節列出 Configuration Manager 中軟體更新的內部相依性。The following sections list the internal dependencies for software updates in Configuration Manager.

管理點Management points

管理點會在用戶端電腦和 Configuration Manager 站台之間傳送資訊。Management points transfer information between client computers and the Configuration Manager site. 管理點是軟體更新的必要條件。The management points are required for software updates.

軟體更新點Software update points

您必須在 WSUS 伺服器上安裝軟體更新點,才能在 Configuration Manager 中部署軟體更新。You must install a software update point on the WSUS server to deploy software updates in Configuration Manager. 如需詳細資訊,請參閱安裝和設定軟體更新點For more information, see Install and configure a software update point.

發佈點Distribution points

必須要有發佈點,才能儲存軟體更新的內容。Distribution points are required to store the content for software updates. 如需安裝發佈點及管理內容之方式的詳細資訊,請參閱管理內容與內容基礎結構For more information about how to install distribution points and manage content, see Manage content and content infrastructure.

軟體更新的用戶端設定Client settings for software updates

根據預設,用戶端會啟用軟體更新。Software updates are enabled for clients by default. 另有其他設定可以控制用戶端評估軟體更新相容性的方式和時間,以及控制軟體更新的安裝方式。There are other available settings that control how and when clients assess compliance for the software updates and control how the software updates are installed.

如需詳細資訊,請參閱下列文章:For more information, see the following articles:

Reporting Services 點Reporting services points

Reporting Services 點站台系統角色可以顯示軟體更新的報告。The reporting services point site system role can display reports for software updates. 這個角色是選用項目,但建議使用。This role is optional but recommended. 如需如何建立 Reporting Services 點的詳細資訊,請參閱設定報告For more information about how to create a reporting services point, see Configuring reporting.

WSUS 6.2 和 6.3 需要哪些更新?Which updates are required on WSUS 6.2 and 6.3?

在 WSUS 6.2 和 6.3 中同步 [升級] 分類,需要兩項更新。Two updates are required for syncing Upgrades classification in WSUS 6.2 and 6.3. 有時候,如果在安裝 KB3095113 和 KB3159706 之前先同步處理下載或部署升級,可能會發生下載或部署升級錯誤。Occasionally, you might see an error downloading or deploying upgrades if they synchronized before KB3095113 and KB3159706 were installed. 下一節將說明可能問題的相關資訊。Information about possible issues is in the next section.

  • 您必須在您的軟體更新點與網站伺服器上,安裝 2015 年 10 月發行的 KB 3095113,才能同步升級分類。You must install KB 3095113, released in October 2015, on your software update points and site servers before you synchronize the Upgrades classification.
    • 此更新會啟用 [升級] 分類。This update enables the Upgrades classification.
  • 若要服務 Windows 10 1607 版及更新版本,您必須安裝並設定 KB 3159706To service Windows 10 version 1607 and later, you must install and configure KB 3159706. KB 3159706 已於 2016 年 5 月發行。KB 3159706 was released in May 2016.
    • 此更新可讓 WSUS 以原生方式來解密用於升級 Windows 10 1607 版及更新版本的檔案。This update enables WSUS to natively decrypt the files used for upgrading Windows 10 version 1607 and later.

重要

從 2017 年 7 月開始,安全性每月品質彙總包含了 KB 3095113 和 KB 3159706。Both KB 3095113 and KB 3159706 are included in the Security Monthly Quality Rollup starting in July 2017. 這表示您可能不會看到 KB 3095113 和 KB 3159706 顯示為已安裝的更新,因為這兩項更新可能已隨彙總套件一起安裝。This means you may not see KB 3095113 and KB 3159706 as installed updates since they may have been installed with a rollup. 不過,如果需要其中一項更新,建議您安裝 2017 年 10 月之後發行的安全性每月品質彙總,因為這些彙總包含額外的 WSUS 更新,可降低 WSUS clientwebservice 的記憶體使用率。However, if you need either of these updates, we recommend installing a Security Monthly Quality Rollup released after October 2017 since they contain an additional WSUS update to decrease memory utilization on WSUS's clientwebservice.

下載 Windows 10 升級失敗,出現「錯誤:不正確的憑證簽章」或 0xc1800118Download of Windows 10 upgrades fails with "Error: Invalid certificate signature" or 0xc1800118

本節所述的更新和問題,僅適用於在 Windows Server 2012 或 Windows Server 2012 R2 電腦上執行的 WSUS (WSUS 6.2 和 6.3)。The updates and issue described in this section only apply to WSUS running on Windows Server 2012 or Windows Server 2012 R2 machines (WSUS 6.2 and 6.3). 一般而言,如果在 2017 年 7 月之前安裝 WSUS,且最近才啟用 [升級] 分類,您才會看到本節中所述的問題。Typically, you'll only see the issues described in this section if you installed WSUS before July 2017 and you've recently enabled the Upgrades classification. 不過,在其他情況下也有可能看到這些問題。However, it's possible to see these issues in other situations too.

KB 3095113 的歷程記錄資訊Historical information about KB 3095113

KB 3095113 於 2015 年 10 月發行為 Hotfix,以將 Windows 10 升級的支援新增至 WSUS。KB 3095113 was released as a hotfix in October 2015 to add support for Windows 10 upgrades to WSUS. 此更新可讓 WSUS 在 Windows 10 的 [升級] 分類中同步處理及發佈更新。The update enables WSUS to synchronize and distribute updates in the Upgrades classification for Windows 10.

若未先安裝 Hotfix 3095113,即同步任何升級,將會在 WSUS 資料庫 (SUSDB) 中填入無法使用的資料。If you synchronize any upgrades without having first installed KB 3095113, you populate the WSUS database (SUSDB) with unusable data. 必須先清除該資料,才能正確地部署升級。That data must be cleared before the upgrades can be properly deployed. 無法使用 [下載軟體更新精靈] 來下載此狀態中的 Windows 10 升級。Windows 10 upgrades in this state can't be downloaded by using the Download Software Updates Wizard.

類似下列的錯誤,出現在 [下載軟體更新精靈] 的 [完成] 頁面上:Errors that resemble the following appear on the Completion page of the Download Software Updates Wizard:

Error: Upgrade to Windows 10 Pro, version 1511, 10586
Failed to download content id {content_id}. Error: Invalid certificate signature

此外,類似下列的錯誤會記錄在 PatchDownloader.log 檔案中:Additionally, errors resembling the following are logged in the PatchDownloader.log file:

Download http://wsus.ds.b1.download.windowsupdate.com/d/upgr/2015/12/10586.0.151029-1700.th2_release_...esd...
Authentication of file C:\Users\{username}\AppData\Local\Temp\2\{temporary_filename}.tmp failed, error 0x800b0004
ERROR: DownloadContentFiles() failed with hr=0x80073633
# This log is truncated for readability.

在過去,當發生這些錯誤時,可藉由執行 WSUS 解決步驟的修改版本來解決這些錯誤。Historically, when these errors occurred, they would be resolved by doing a modified version of the resolution steps for WSUS. 由於這些步驟類似於在安裝 KB 3159706 後不執行所需手動步驟的解決方案,所以我們將這兩組步驟結合成下一節中的單一解決方案:Because these steps are similar to the resolution for not doing the manual steps required after KB 3159706 installation, we've combined both sets of steps into a single resolution in the section below:

KB 3159706 的歷程記錄資訊Historical information about KB 3159706

KB 3148812 最初於 2016 年 4 月發行,讓 WSUS 以原生方式來解密用於升級 Windows 10 套件的 .esd 檔案。KB 3148812 was initially released in April 2016 to enable WSUS to natively decrypt the .esd files used for upgrading Windows 10 packages. KB 3148812 造成了部分客戶的問題,並已取代為 KB 3159706KB 3148812 caused problems for some customers and was replaced with KB 3159706. 您必須先在所有軟體更新點和站台伺服器上安裝 KB 3159706,才能服務 Windows 10 1607 版和更新版本的裝置。KB 3159706 needs to be installed on all your software update points and site servers before you can service Windows 10 Version 1607 and later devices. 不過,如果您不知道在安裝 KB 之後需要進行下列手動步驟,就可能會發生問題:However, problems can arise if you don't realize the KB requires the following manual steps after installation:

  1. 從提高權限的命令提示下,執行 "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicingFrom an elevated command prompt run "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing.
  2. 重新啟動所有 WSUS 伺服器上的 WSUS 服務。Restart the WSUS service on all of the WSUS servers.

如果您不知道 KB 3159706 在安裝後有手動步驟,或在安裝 KB 3159706 之前已同步處理 Windows 10 1607,則在連線至 WSUS 主控台並分別部署升級時會遇到問題。If you don't realize that KB 3159706 had manual steps after installation, or you synchronized in the upgrade for Windows 10 1607 before installing KB 3159706, you would run into issues connecting to the WSUS console and deploying the upgrade respectively. 當用戶端下載升級檔案時,會收到 0xC1800118錯誤碼When a client downloaded the upgrade file, it would get a 0xC1800118 error code.

由於解決方案步驟類似於在安裝 KB 3095113 之前同步處理升級的解決方案,所以我們將這兩組步驟結合成下一節中的單一解決方案。Because the resolution steps are similar to the resolution for synchronizing upgrades before KB 3095113 installation, we've combined both sets of steps into a single resolution in the next section.

安裝 KB 3095113 或 KB 3159706 之前,先將同步升級復原To recover from synchronizing the upgrades before you install KB 3095113 or KB 3159706

請依照下方步驟來解決 0xc1800118 錯誤和「錯誤:不正確的憑證簽章」:Follow the steps below to resolve both the 0xc1800118 error and "Error: Invalid certificate signature":

  1. 在 WSUS 和 Configuration Manager 兩者中停用 [升級] 分類。Disable the Upgrades classification in both WSUS and Configuration Manager. 在指示要您同步處理前,請勿進行同步處理。You don't want a synchronization to occur until you're directed to by these instructions.
    • 取消核取頂層網站上,軟體更新點元件屬性中的升級分類。Uncheck the Upgrades classification in the software update point component properties on the top-level site.
    • 從 WSUS 選項 頁面的 [產品和分類] 下方,取消選取 [升級] 分類,或使用以系統管理員身分執行的 PowerShell ISE。Uncheck the Upgrades classification from WSUS under Products and Classifications on the Options page, or use the PowerShell ISE running as administrator.
      Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable
      
      • 如果您在多個 WSUS 伺服器之間共用 WSUS 資料庫,則只需要針對每個資料庫取消選取 [升級] 一次。If you share the WSUS database between multiple WSUS servers, you only need to uncheck Upgrades once for each database.
  2. 在每部 WSUS 伺服器上,從提高權限的命令提示字元執行:"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicingOn each WSUS server, from an elevated command prompt run: "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing. 然後,重新啟動所有 WSUS 伺服器上的 WSUS 服務。Then, restart the WSUS service on all of the WSUS servers.
    • WSUS 會先將資料庫設定為單一使用者模式,再檢查是否需要服務。WSUS places the database into single user mode before it checks to see if servicing is needed. 服務是否會執行取決於檢查結果。The servicing either runs or doesn't run based on the results of the check. 然後,資料庫會設定回多使用者模式。Then, the database is put back into multi-user mode.
    • 如果您在多個 WSUS 伺服器之間共用 WSUS 資料庫,則只需要針對每個資料庫執行一次這項服務。If you share the WSUS database between multiple WSUS servers, you only need to do this servicing once for each database.
  3. 使用以系統管理員身分執行的 PowerShell ISE,從每個 WSUS 資料庫刪除所有 Windows 10 升級。Delete all of the Windows 10 upgrades from each WSUS database using the PowerShell ISE running as administrator.
    [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
    $wsus.GetUpdates() | Where {$_.UpdateClassificationTitle -eq 'Upgrades' -and $_.Title -match 'Windows 10'} `
    | ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateId.ToString()); Write-Host $_.Title removed}
    
  4. 從軟體更新點使用的每個 WSUS 資料庫中,刪除 tbFile 資料表中的檔案。Delete files from the tbFile table from each of the WSUS databases used by your software update points. 在 WSUS 資料庫上,從 SQL Server Management Studio 執行下列命令:On the WSUS database, run the following commands from SQL Server Management Studio:
    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE)
    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%.esd%'  except select FileDigest from tbFileForRevision)
    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)
    
  5. 在 Configuration Manager 的最上層站台啟動軟體更新同步處理,並等候其完成。Start the software updates synchronization on your top-level site in Configuration Manager and wait for it to complete. 由於我們已在移除 [升級] 時變更了分類 Configuration Manager,所以會進行完整同步處理。A full synchronization occurs because we made a change to the classifications Configuration Manager when we removed Upgrades. (如需詳細資訊,請參閱同步軟體更新(For more information, see Synchronize software updates.
  6. 選取軟體更新點元件屬性中的升級分類。Select the Upgrades classification in the software update point component properties. 接下來,啟動另一個軟體更新同步處理,讓 [升級] 返回 WSUS 和 Configuration Manager。Then, start another software updates synchronization to bring the Upgrades back into WSUS and Configuration Manager. 您不需要在 WSUS 中啟用 [升級] 分類,因為 Configuration Manager 會為您執行這項操作。You don't have to enable the Upgrades classification in WSUS since Configuration Manager will do it for you.
  7. 如果您的用戶端在下載升級時收到 0xC1800118 錯誤碼,則必須刪除 Windows Update 代理程式所使用的資料存放區。If your clients received the 0xC1800118 error code when downloading an upgrade, you'll need to delete the data store used by the Windows Update Agent. 您也可能必須刪除裝置上隱藏的 ~BT 資料夾。You may also have to delete the hidden ~BT folder on the device. 用戶端下次掃描時,將對 WSUS 伺服器而非差異進行完整掃描,。The next time the client scans, it will be a full scan against the WSUS server rather than a delta. 您可以使用類似下列範例指令碼的 PowerShell 指令碼:You can use a PowerShell script that's similar to the following sample script:
    stop-service wuauserv
    remove-item -path c:\windows\softwaredistribution\datastore -recurse -force
    # If the device has a hidden ~BT folder on the c drive, delete it too by uncommenting the next line.
    # remove-item -path c:\~BT -recurse -force
    start-service wuauserv
    

後續步驟Next steps

準備軟體更新管理Prepare for software updates management