Solved

How to use WSUS

Posted on 2009-07-09
13
645 Views
Last Modified: 2012-05-07
I have just installed and configured WSUS 3 and would like some pointers on how best to use it.
Windows Server 2003 SP2

My one test machine picks up date GPO "Update Server" change.
It showed up in Unassigned Computers. I assigned it to a group then changed my mind and unassigned it. Now it doesn't show up at all any more. (Even though total computers shows 1).
Searching for it yields nothing.
The missing machine can still access HTTP://Server/SelfUpdate/iuiDent.cab

I'm also confused by the amount of updates available that are awaiting approval.
21911 updates are in the list.

Selected Products:
Office 2003
Silverlight
SQL Server 2005
SQL Server Feature Pack
SQL Server
Windows Defender
I.E. 8 Dynamic Installer
Windows Server 2003
XP

Selected Classifications: (Automatically approved)
Critical Updates
Definition Updates
Security Updates
Service Packs

Only English updates are selected

Also using Local storage with "Download update files to this server only when updates are approved".

Update Services handles computer group membership

One other thing springs to mind..... Am I supposed to configure the servers to also use the WSUS server, including the WSUS server itself?

This is the resource I used to deploy and configure:
http://www.microsoft.com/downloads/details.aspx?familyid=C8FA2FD1-72F6-4F19-A1B0-F689DAE14BE6&displaylang=en

Cheers
0
Comment
Question by:DennisPost
13 Comments
 
LVL 10

Assisted Solution

by:Datedman
Datedman earned 200 total points
ID: 24812411
Yes you can configure the servers too...but what I like to do with servers is apply a separate group policy that only applies to them and that doesn't automatically apply updates.  I find I have to automatically apply them to non-server machines because otherwise users just won't apply them.
I usually don't approve service packs automatically, can be a drag if people come in one morning and every machine starts applying a major service pack LOL oh my, multiple users just ran out of disk space, nobody can take an order or whatever.
Not sure where your missing computer went but likely there's a view that will show it?
0
 
LVL 2

Author Comment

by:DennisPost
ID: 24813089
Hi Datedman,
Thanks for commenting.

I already have a separate GPO for the servers and a separate Computer Group in Update Services. ;-)

Definitely a valid point about the SPs, but it shouldn't be much of an issue for us. We only have 17 users with an average of 70% free space (60+ GB).
After restarting Update Services the machine showed up again. (I guess it was a bug).

How do you handle the multitude of updates that need to be approved or declined?
Do I understand you correctly, that the WSUS server can point to itself for updates?
0
 
LVL 10

Assisted Solution

by:Datedman
Datedman earned 200 total points
ID: 24813170
Yes the WSUS server can update from self.

Main thing about service packs is that they can cause problems w/drivers and apps and also tie things up while applying.  I prefer to at least pre-test them.

Mostly I ignore the multitude of extra updates. :)  I automatically approve the ones I am most concerned with.  Some others I have to approve manually like IE8 and SPs so I search for them.
0
 
LVL 2

Author Comment

by:DennisPost
ID: 24813359
So it's normal to have to sift through 2100+ updates the first time round then?

Do you know of a way to manually start the update process on a client, or do I have to change the update time every time and wait for the next run?
e.g. it's now 15:30. I change the automatic update time to the closest time; 16:00 and just wait?
I'm really wanting to test, but it's sooooo slow waiting every time.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24813382
I have manually set the refresh on a client to 1 hour or so I think, not too worried about less than that. :)

You shouldn't have to manually sift through the stuff much; you can just say automatically approve these things and apply this rule now...
0
 
LVL 2

Assisted Solution

by:cincytopher
cincytopher earned 300 total points
ID: 24813600
Here is a script to make the client check immediately.  Copy the below to notepad and save it as wsusforceupdate.cmd.  Execute it on the client you want to update and within a few minutes it should check in.  Also, as far as the 2100 updates that need to be approved: you can filter the updates by Needed updates.  When a client connects to the WSUS it checks to see if it needs any of the 2100 updates that are not approved.  If it needs one, it will register with WSUS that it needs that update.  So you can really filter the updates by updates that are just needed by your clients.  Then approve or decline as needed.  The updates that aren't needed by any clients you could really just leave as not approved, and if a client in the future needed it, you could approve it then.  Here is the wsusforceupdate.cmd:
====================================================
@echo off
Echo This batch file will Force the Update Detection from the AU client by:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)

Pause
@echo on
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv

@echo off
Echo This AU client will now check for the Updates on the Local SUS Server.
Echo After 10-20 minutes have a look at %windir%\WindowsUpdate.log
Echo "For any errors; feel free to post on the forum & I will try to help out."
Pause
====================================================
0
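A read-only check to run on the client before and after wsusforceupdate.cmd, as an added example that is not part of cincytopher's post: it reports whether the WSUS GPO has reached the machine and shows the three detection values the script deletes. The policy value names under `Policies\Microsoft\Windows\WindowsUpdate` are the standard Windows Update Group Policy registry values and are not listed on this page; the function names are made up for this example.

```powershell
# Added example (read-only): nothing in the registry is changed.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$state  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-WsusClientConfig {
    $cfg = @{}
    foreach ($n in 'WUServer','WUStatusServer','TargetGroup','TargetGroupEnabled') {
        $cfg[$n] = Get-RegValue $policy $n
    }
    foreach ($n in 'UseWUServer','NoAutoUpdate','AUOptions','DetectionFrequency') {
        $cfg[$n] = Get-RegValue "$policy\AU" $n
    }
    # The three values wsusforceupdate.cmd deletes to force a new detection cycle.
    foreach ($n in 'LastWaitTimeout','DetectionStartTime','NextDetectionTime') {
        $cfg[$n] = Get-RegValue $state $n
    }

    $findings = @()
    if (-not $cfg.WUServer) {
        $findings += 'WUServer is not set: the WSUS GPO has not applied to this machine.'
    } elseif ($cfg.WUServer -notlike 'https://*') {
        $findings += "WUServer is $($cfg.WUServer): client/server traffic is not protected by SSL."
    }
    if ($cfg.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores WUServer.'
    }
    if ($cfg.WUServer -ne $cfg.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ: status is reported to another server.'
    }
    if ($cfg.TargetGroupEnabled -eq 1) {
        $findings += "Client-side targeting requests group '$($cfg.TargetGroup)'; it is ignored while Update Services assigns groups."
    }
    if ($cfg.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled by policy.'
    } elseif ($cfg.AUOptions -and $cfg.AUOptions -lt 4) {
        $findings += "AUOptions is $($cfg.AUOptions): the user is notified, updates are not installed on a schedule."
    }
    New-Object PSObject -Property @{ Settings = $cfg; Findings = $findings }
}

$audit = Test-WsusClientConfig
$audit.Settings.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$audit.Findings
```

An empty findings list with the three detection values missing right after the batch file runs, and present again a few minutes later, means the client has started a fresh detection against the configured server.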
 
LVL 10

Expert Comment

by:Datedman
ID: 24813623
nice script :)
0
 
LVL 2

Author Comment

by:DennisPost
ID: 24814915
Thanks for the advice and handy script!
Unfortunately I had already declined all updates prior to 2009.......
Looks like I can set them to unapproved by approving then selecting "Unapprove".

I've pointed all machines to WSUS in GPO, will check on things on Monday.

I'll keep you guys posted.

Thanks again for your time!
0
 
LVL 2

Assisted Solution

by:cincytopher
cincytopher earned 300 total points
ID: 24815145
Look like I can set them to unapproved by approving then selecting "Unapprove"
That is exactly right.  Then on Monday you can sort them by "Needed" and approve as you see fit.
0
 
LVL 2

Author Comment

by:DennisPost
ID: 24847788
Things seem to be going reasonably well, though I still don't understand some things.

As I understand it, machines will only pick up the updates that they "Need". If this is indeed true then what is the purpose of having "Computer Groups"?
I should be able to put my Servers (DCs) and workstations in the same group and have everything working fine. (As long as the GPO Automatic Update settings are different).
Even after 2 full work days, only one workstation is reporting that it doesn't "Need" any more updates. The test machine that I am constantly updating still needs the Root Certificate update. 2 minutes after successfully installing it, it tries to install it again.
I deleted the machine, but after a couple of hours and using cincytopher's script, it shows up again.

I found that re-registering these DLLs helps resolve some update problems. (But not in this case)
regsvr32 "C:\WINDOWS\system32\wups2.dll"
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll  
Some machines show "Updates installed / not applicable"* > 21000 others
"Updates with no status" > 21000
Is this by design or a bug?
* = Report generation takes a very long time and shows 400+ pages.
Any ideas?
I'll keep monitoring things and post anything new again.

Thanks for your time!!
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24849545
Might want to start by sorting by date and getting rid of all old updates. :)

The root certificate update thing sounds like a separate issue.

Do you have it set to apply updates or notify users?  The one that doesn't "need" any updates may be the only user who actually applied updates. ;)
0
 
LVL 2

Accepted Solution

by:cincytopher
cincytopher earned 300 total points
ID: 24849547
"As I understand it, machines will only pick up the updates that they "Need". If this is indeed true then what is the purpose of having "Computer Groups"?"    Yes, this is true, and yes you can put all the computers in one group if you choose.  I have it set up so that each branch has its own group so that I can push out the updates to each branch when I choose.  For example, when SP3 for XP came out, I approved it for one branch at a time so if there were any issues it would spread out the support calls over a couple of weeks as opposed to one day.  Same thing with the servers: you may want to approve updates slower or faster than you do with the workstations, so by having them in different groups you can do this.
"Even after 2 full work days, only one workstation is reporting that it doesn't "Need" any more updates."  This is not out of the ordinary.  Once you approve an update the client still has to check in and download it.  It then has to schedule the install and install it.  It then has to check back in so the WSUS can update its status and see that it doesn't need any more updates. Typically a client is only going to check in about once a day (unless you force it with the script).
The Root Cert. update sounds like an issue with the client and not the WSUS.  Try installing this update from windowsupdate.microsoft.com/.  If it is still having trouble with this update you will just have to troubleshoot it on the client side.
As for the updates installed/not applicable, that just means that the computer doesn't need those updates or has already installed them.  This is normal.   The Updates with no status are updates that have been downloaded to the WSUS since the client last checked in.  As the clients continue to check in, this should go to 0.
You just need to give it some time.  As clients continue to check in and install needed updates, the (reports/ look of WSUS) will continue to improve.  
0
 
LVL 2

Author Closing Comment

by:DennisPost
ID: 31601507
Thanks a lot guys! You have been a great help!
0
