Solved

How to use WSUS

Posted on 2009-07-09
Last Modified: 2012-05-07
I have just installed and configured WSUS 3 and would like some pointers on how best to use it.
Windows Server 2003 SP2

My one test machine picks up the GPO "Update Server" change.
It showed up in Unassigned Computers. I assigned it to a group then changed my mind and unassigned it. Now it doesn't show up at all any more. (Even though total computers shows 1).
Searching for it yields nothing.
The missing machine can still access HTTP://Server/SelfUpdate/iuiDent.cab

I'm also confused by the amount of updates available that are awaiting approval.
21911 updates are in the list.

Selected Products:
Office 2003
Silverlight
SQL Server 2005
SQL Server Feature Pack
SQL Server
Windows Defender
I.E. 8 Dynamic Installer
Windows Server 2003
XP

Selected Classifications: (Automatically approved)
Critical Updates
Definition Updates
Security Updates
Service Packs

Only English updates is selected

Also using Local storage with "Download update files to this server only when updates are approved".

Update Services handles computer group membership

One other thing springs to mind... Am I supposed to configure the servers to also use the WSUS server, including the WSUS server itself?

This is the resource I used to deploy and configure:
http://www.microsoft.com/downloads/details.aspx?familyid=C8FA2FD1-72F6-4F19-A1B0-F689DAE14BE6&displaylang=en

Cheers
Question by:DennisPost
13 Comments
 
LVL 10

Assisted Solution

by:Datedman
Datedman earned 800 total points
ID: 24812411
Yes you can configure the servers too...but what I like to do with servers is apply a separate group policy that only applies to them and that doesn't automatically apply updates.  I find I have to automatically apply them to non-server machines because otherwise users just won't apply them.
I usually don't approve service packs automatically, can be a drag if people come in one morning and every machine starts applying a major service pack LOL oh my, multiple users just ran out of disk space, nobody can take an order or whatever.
Not sure where your missing computer went but likely there's a view that will show it?
0
 
LVL 2

Author Comment

by:DennisPost
ID: 24813089
Hi Datedman,
Thanks for commenting.

I already have a separate GPO for the servers and a separate Computer Group in Update Services. ;-)

Definitely a valid point about the SPs, but it shouldn't be much of an issue for us. We only have 17 users with an average of 70% free space (60+ GB).
After restarting Update Services the machine showed up again. (I guess it was a bug).

How do you handle the multitude of updates that need to be approved or declined?
Do I understand you correctly, that the WSUS server can point to itself for updates?
0
 
LVL 10

Assisted Solution

by:Datedman
Datedman earned 800 total points
ID: 24813170
Yes the WSUS server can update from self.

Main thing about service packs is that they can cause problems w/drivers and apps and also tie things up while applying.  I prefer to at least pre-test them.

Mostly I ignore the multitude of extra updates. :)  I automatically approve the ones I am most concerned with.  Some others I have to approve manually like IE8 and SPs so I search for them.
0
 
LVL 2

Author Comment

by:DennisPost
ID: 24813359
So it's normal to have to sift through 2100+ updates the first time round then?

Do you know of a way to manually start the update process on a client, or do I have to change the update time every time and wait for the next time to run?
e.g. it's now 15:30. I change the automatic update time to the closest time, 16:00, and just wait?
I'm really wanting to test, but it's sooooo slow waiting every time.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24813382
I have manually set the refresh on a client to 1 hour or so I think, not too worried about less than that. :)

You shouldn't have to manually sift through the stuff much; you can just say automatically approve these things and apply this rule now...
0
 
LVL 2

Assisted Solution

by:cincytopher
cincytopher earned 1200 total points
ID: 24813600
Here is a script to make the client check immediately.  Copy the below to notepad and save it as wsusforceupdate.cmd.  Execute it on the client you want to update and within a few minutes it should check in.  Also, as far as the 2100 updates that need to be approved: you can filter the updates by Needed updates.  When a client connects to the WSUS it checks to see if it needs any of the 2100 updates that are not approved.  If it needs one, it will register with WSUS that it needs that update.  So you can really filter the updates by updates that are just needed by your clients.  Then approve or decline as needed.  The updates that aren't needed by any clients you could really just leave as not approved and if a client in the future needed it, you could approve it then.  Here is the wsusforceupdate.cmd:
====================================================
@echo off
REM Forces an immediate Automatic Updates detection cycle on this client.
REM Run from an account with local administrator rights.
Echo This batch file will Force the Update Detection from the AU client by:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)

Pause
@echo on
REM Stop the service so the scheduling values can be removed safely.
net stop wuauserv
REM Each REG DELETE reports an error if the value is absent; that is harmless and the script continues.
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
REM With no stored detection time, the restarted service schedules a new detection.
net start wuauserv

@echo off
Echo This AU client will now check for the Updates on the Local SUS Server.
Echo After 10-20 minutes have a look at %windir%\WindowsUpdate.log
Echo "For any errors; feel free to post on the forum & I will try to help out."
Pause
====================================================
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24813623
nice script :)
0
 
LVL 2

Author Comment

by:DennisPost
ID: 24814915
Thanks for the advice and handy script!
Unfortunately I had already declined all updates prior to 2009.......
Looks like I can set them to unapproved by approving then selecting "Unapprove".

I've pointed all machines to WSUS in GPO, will check on things on Monday.

I'll keep you guys posted.

Thanks again for your time!
0
 
LVL 2

Assisted Solution

by:cincytopher
cincytopher earned 1200 total points
ID: 24815145
Looks like I can set them to unapproved by approving then selecting "Unapprove"
That is exactly right.  Then on Monday you can sort them by "Needed" and approve as you see fit.
0
 
LVL 2

Author Comment

by:DennisPost
ID: 24847788
Things seem to be going reasonably well, though I still don't understand some things.

As I understand it, machines will only pick up the updates that they "Need". If this is indeed true then what is the purpose of having "Computer Groups"?
I should be able to put my Servers (DCs) and workstations in the same group and have everything working fine. (As long as the GPO Automatic Update settings are different).
Even after 2 full work days, only one workstation is reporting that it doesn't "Need" any more updates. The test machine that I am constantly updating still needs the Root Certificate update. 2 minutes after successfully installing it, it tries to install it again.
I deleted the machine, but after a couple of hours and using cincytopher's script, it shows up again.

I found that re-registering these dlls helps resolve some update problems. (But not in this case)
regsvr32 "C:\WINDOWS\system32\wups2.dll"
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll  
Some machines show "Updates installed / not applicable"* > 21000 others
"Updates with no status" > 21000
Is this by design or a bug?
* = Report generation takes a very long time and shows 400+ pages.
Any ideas?
I'll keep monitoring things and post anything new again.

Thanks for your time!!
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24849545
Might want to start by sorting by date and getting rid of all old updates. :)

The root certificate update thing sounds like a separate issue.

Do you have it set to apply updates or notify users?  The one that doesn't "need" any updates may be the only user who actually applied updates. ;)
0
 
LVL 2

Accepted Solution

by:cincytopher
cincytopher earned 1200 total points
ID: 24849547
As I understand it, machines will only pick up the updates that they "Need". If this is indeed true then what is the purpose of having "Computer Groups"?
Yes, this is true, and yes you can put all the computers in one group if you choose.  I have it set up so that each branch has its own group so that I can push out the updates to each branch when I choose.  For example, when SP3 for XP came out, I approved it for one branch at a time so if there were any issues it would spread out the support calls over a couple of weeks as opposed to one day.  Same thing with the servers, you may want to approve updates slower or faster than you do with the workstations so by having them in different groups you can do this.
Even after 2 full work days, only one workstation is reporting that it doesn't "Need" any more updates.
This is not out of the ordinary.  Once you approve an update the client still has to check in and download it.  It then has to schedule the install and install it.  It then has to check back in so the WSUS can update its status and see that it doesn't need any more updates. Typically a client is only going to check in about once a day (unless you force it with the script).
The Root Cert. update sounds like an issue with the client and not the WSUS.  Try installing this update from windowsupdate.microsoft.com/.  If it is still having trouble with this update you will just have to troubleshoot it on the client side.
As for the updates installed/not applicable, that just means that the computer doesn't need those updates or has already installed them.  This is normal.  The Updates with no status are updates that have been downloaded to the WSUS since the client last checked in.  As the clients continue to check in, this should go to 0.
You just need to give it some time.  As clients continue to check in and install needed updates, the (reports/ look of WSUS) will continue to improve.
0
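The "filter by Needed, then approve one group at a time" workflow from the answers above, as an added example that is not part of the original thread: a PowerShell script using the WSUS 3.0 administration API on the WSUS server. The group name 'Pilot' and the parameter names are assumptions; without -Approve it only reports.

```powershell
# Added example: save as a .ps1 and run in an elevated PowerShell session on the WSUS server.
# 'Pilot' is a hypothetical computer group name; use one of your own groups.
param(
    [string]$GroupName = 'Pilot',
    [switch]$Approve      # without -Approve the script only reports
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Computer group '$GroupName' not found on this WSUS server." }

# Let the server filter: unapproved updates that some client reports as not installed.
$approved  = [Microsoft.UpdateServices.Administration.ApprovedStates]
$installed = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]
$install   = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = $approved::NotApproved
$scope.IncludedInstallationStates = $installed::NotInstalled

foreach ($update in $wsus.GetUpdates($scope)) {
    # Declined and superseded updates stay out of the rollout.
    if ($update.IsDeclined -or $update.IsSuperseded) { continue }

    # Count only the clients in the chosen group that still need this update.
    $summary  = $update.GetSummaryForComputerTargetGroup($group)
    $neededBy = $summary.NotInstalledCount + $summary.DownloadedCount
    if ($neededBy -eq 0) { continue }

    if ($update.RequiresLicenseAgreementAcceptance) {
        $action = 'review EULA in console'      # approving would fail until it is accepted
    }
    elseif ($Approve) {
        [void]$update.Approve($install, $group) # install approval for this group only
        $action = "approved for $GroupName"
    }
    else {
        $action = 'would approve'
    }
    '{0,4} client(s)  {1,-24} {2}' -f $neededBy, $action, $update.Title
}
```

Running it first against a small test group and later against each remaining group reproduces the staggered rollout described in the accepted answer.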
 
LVL 2

Author Closing Comment

by:DennisPost
ID: 31601507
Thanks a lot guys! You have been a great help!
0
