WSUS Problems...

WSUS does not seem to be updating the machines on our network on a regular basis and I need help configuring it to work properly.  Here is my existing configuration:

1.  WSUS is controlled by GPO; servers are set to #3, workstations are set to #4 and I have a separate OU for new builds set to #3.  All are set to every day.
2.  WSUS sees all the machines and there does not seem to be any problem with communication.
3.  WSUS is running on a server using MSDE (will transfer to SQL soon).
4.  I can see the patches that need to be applied to machines from day to day, but patches do not appear to be applied.  On one server the last patch applied was 3-2-2006, even though the server has been rebooted recently.  However, the WSUS last updated date is recent.

Here are my problems:

1.  How can I get WSUS to update machines on a regular basis?  I want to be able to control updates and apply them immediately if needed.
2.  What are all the relevant switches for wuauclt.exe (i.e. wuauclt /detectnow).  What operating systems will wuauclt.exe work on (i.e. XP, 2000, etc.)?
3.  How can I tell if a patch is waiting for a restart to be applied?  How can I tell if it has been downloaded to a machine?
4.  I have tried to use wuauclt /detectnow on some of the clients in the seprate OU I mentioned above but get no action I can see at the workstation.
5.  How do I get rid of the Unknown patches?  If I just set patches to install into each computer group, apparently WSUS will determine which client in which group needs the patch and ignore the rest?  I don't really need to set patches to install to certain groups?  How does this work exactly?
6.  If I need to apply a patch immediately, do I have to modify the GPO?  By this, I mean modify the GPO to a time just beyond the time (90 minutes?) it takes for all clients to update their GPO settings?
7.  What settings should I use to update my workstations once every day?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Check out these webcasts to get a better overall idea of how WSUS works....:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
isd503Author Commented:
I understand how it works, I just need more details on the details...
Hi isd503,

what is your current GPO config? do you have a separate policy for your WSUS settings. what have you got configured so far?

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

isd503Author Commented:
This is the setting for the workstations.  I have a separate GPO for the workstations, one for the severs and one for new machines.

Administrative Templates

System/Internet Communication Management/Internet Communication settings
Turn off access to all Windows Update features Enabled

Windows Components/Windows Update
Allow Automatic Updates immediate installation Enabled
Allow non-administrators to receive update notifications Enabled
Automatic Updates detection frequency Enabled
Check for updates at the following
interval (hours):  22
Configure Automatic Updates Enabled
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day:  0 - Every day
Scheduled install time: 03:00
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Enabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled
No auto-restart for scheduled Automatic Updates installations Enabled
Re-prompt for restart with scheduled installations Enabled
Wait the following period before
prompting again with a scheduled
restart (minutes):  20
Reschedule Automatic Updates scheduled installations Enabled
Wait after system
startup (minutes):  10
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://servername 
Set the intranet statistics server: http://servername
are the clients actually getting the policy

just run a gpresult on the client end for me to double check the policy actually hits
isd503Author Commented:
It hits.  It's the detailed configuration I need help with.  The WSUS client test tool reports all is OK.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.