How to use WSUS

Posted on 2009-07-09
Last Modified: 2012-05-07
I have just installed and configured WSUS 3 and would like some pointers on how best to use it.
Windows Server 2003 SP2

My one test machine picks up date GPO "Update Server" change.
It showed up in Unassigned Computers. I assigned it to a group then changed my mind and unassigned it. Now it doesn't show up at all any more. (Even though total computers shows 1).
Searching for it yields nothing.
The missing machine can still access HTTP://Server/SelfUpdate/

I'm also confused by the amount of updates available that are awaiting approval.
21911 updates are in the list.

Selected Products:
Office 2003
SQL Server 2005
SQL Server Feature Pack
SQL Server
Windows Defender
I.E. 8 Dynamic Installer
Windows Server 2003

Selected Classifications: (Automatically approved)
Critical Updates
Definition Updates
Security Updates
Service Packs

Only English updates is selected

Also using Local storage with "Download update files to this server only when updates are approved".

Update Services handles computer group membership

One other thing springs to mind... Am I supposed to configure the servers to also use the WSUS server, including the WSUS server itself?

This is the resource I used to deploy and configure:

Question by:DennisPost
LVL 10

Assisted Solution

Datedman earned 200 total points
ID: 24812411
Yes you can configure the servers too...but what I like to do with servers is apply a separate group policy that only applies to them and that doesn't automatically apply updates.  I find I have to automatically apply them to non-server machines because otherwise users just won't apply them.
I usually don't approve service packs automatically, can be a drag if people come in one morning and every machine starts applying a major service pack LOL oh my, multiple users just ran out of disk space, nobody can take an order or whatever.
Not sure where your missing computer went but likely there's a view that will show it?

Author Comment

ID: 24813089
Hi Datedman,
Thanks for commenting.

I already have a separate GPO for the servers and a separate Computer Group in Update Services. ;-)

Definitely a valid point about the SPs, but it shouldn't be much of an issue for us. We only have 17 users with an average of 70% free space (60+ GB).
After restarting Update Services the machine showed up again. (I guess it was a bug).

How do you handle the multitude of updates that need to be approved or declined?
Do I understand you correctly, that the WSUS server can point to itself for updates?
LVL 10

Assisted Solution

Datedman earned 200 total points
ID: 24813170
Yes the WSUS server can update from self.

Main thing about service packs is that they can cause problems w/drivers and apps and also tie things up while applying.  I prefer to at least pre-test them.

Mostly I ignore the multitude of extra updates. :)  I automatically approve the ones I am most concerned with.  Some others I have to approve manually like IE8 and SPs so I search for them.


Author Comment

ID: 24813359
So it's normal to have to sift through 2100+ updates the first time round then?

Do you know of a way to manually start the update process on a client, or do I have to change the update time every time and wait for the next time to run?
e.g. it's now 15:30. I change the automatic update time to the closest time, 16:00, and just wait?
I'm really wanting to test, but it's sooooo slow waiting every time.
LVL 10

Expert Comment

ID: 24813382
I have manually set the refresh on a client to 1 hour or so I think, not too worried about less than that. :)

You shouldn't have to manually sift through the stuff much you can just say automatically approve these things and apply this rule now...

Assisted Solution

cincytopher earned 300 total points
ID: 24813600
Here is a script to make the client check immediately.  Copy the below to notepad and save it as wsusforceupdate.cmd.  Execute it on the client you want to update and within a few minutes it should check in.

Also, as far as the 2100 updates that need to be approved, you can filter the updates by Needed updates.  When a client connects to the WSUS it checks to see if it needs any of the 2100 updates that are not approved.  If it needs one, it will register with WSUS that it needs that update.  So you can really filter the updates by updates that are just needed by your clients.  Then approve or decline as needed.  The updates that aren't needed by any clients you could really just leave as not approved, and if a client in the future needed it, you could approve it then.

Here is the wsusforceupdate.cmd:
@echo off
Echo This batch file will Force the Update Detection from the AU client by:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)

@echo on
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv

@echo off
Echo This AU client will now check for the Updates on the Local SUS Server.
Echo After 10-20 minutes have a look at C:\Windows\WindowsUpdate.log
Echo "For any errors; feel free to post on the forum & I will try to help out."
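
An added example, not part of cincytopher's post: before forcing detection it helps to confirm that the "Update Server" GPO setting has actually reached the client. The batch file below checks the standard Windows Update policy values (WUServer, WUStatusServer, UseWUServer), then asks the agent to detect and report; the [OK]/[FAIL] messages are this example's own.

```batch
@echo off
rem Added example: verify the WSUS policy on this client, then trigger a check-in.
setlocal
set "WU=HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

rem WUServer and WUStatusServer are written by the "Specify intranet Microsoft
rem update service location" policy. If they are missing, the GPO has not applied.
for %%V in (WUServer WUStatusServer) do (
    reg query "%WU%" /v %%V >nul 2>&1
    if errorlevel 1 (
        echo [FAIL] %%V is not set. Run "gpupdate /force" and check GPO scope.
        exit /b 1
    )
)

rem UseWUServer must be 1, otherwise the agent ignores the intranet server
rem and keeps going to Microsoft Update.
reg query "%WU%\AU" /v UseWUServer 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo [FAIL] UseWUServer is not 1. Client is not using the WSUS server.
    exit /b 1
)

echo [OK] Client policy points at:
reg query "%WU%" /v WUServer
reg query "%WU%" /v WUStatusServer

rem Ask the agent to detect now and send its status to the WSUS server.
rem Both calls return immediately; the work happens in the background.
wuauclt /detectnow
wuauclt /reportnow

rem Show warnings and fatal errors already recorded in the agent log.
rem Run this line again after a few minutes to see the new detection cycle.
findstr /i /c:"WARNING" /c:"FATAL" "%windir%\WindowsUpdate.log"
endlocal
```

If the server shown is plain HTTP, as in the question, clients trust whatever answers at that name, so it is worth checking that the value matches the intended WSUS host exactly.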
LVL 10

Expert Comment

ID: 24813623
nice script :)

Author Comment

ID: 24814915
Thanks for the advice and handy script!
Unfortunately I had already declined all updates prior to 2009.......
Looks like I can set them to unapproved by approving then selecting "Unapprove"

I've pointed all machines to WSUS in GPO, will check on things on Monday.

I'll keep you guys posted.

Thanks again for your time!

Assisted Solution

cincytopher earned 300 total points
ID: 24815145
Looks like I can set them to unapproved by approving then selecting "Unapprove"
That is exactly right.  Then on Monday you can sort them by "Needed" and approve as you see fit.

Author Comment

ID: 24847788
Things seem to be going reasonably well, though I still don't understand some things.

As I understand it, machines will only pick up the updates that they "Need". If this is indeed true then what is the purpose of having "Computer Groups"?
I should be able to put my Servers (DCs) and workstations in the same group and have everything working fine. (As long as the GPO Automatic Update settings are different).
Even after 2 full work days, only one workstation is reporting that it doesn't "Need" any more updates. The test machine that I am constantly updating still needs the Root Certificate update. 2 minutes after successfully installing it, it tries to install it again.
I deleted the machine, but after a couple of hours and using cincytopher's script, it shows up again.

I found that re-registering these DLLs helps resolve some update problems. (But not in this case)
regsvr32 "C:\WINDOWS\system32\wups2.dll"
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll  
Some machines show "Updates installed / not applicable"* > 21000 others
"Updates with no status" > 21000
Is this by design or a bug?
* = Report generation takes a very long time and shows 400+ pages.
Any ideas?
I'll keep monitoring things and post anything new again.

Thanks for your time!!
LVL 10

Expert Comment

ID: 24849545
Might want to start by sorting by date and getting rid of all old updates. :)

The root certificate update thing sounds like a separate issue.

Do you have it set to apply updates or notify users?  The one that doesn't "need" any updates may be the only user who actually applied updates. ;)

Accepted Solution

cincytopher earned 300 total points
ID: 24849547
As I understand it, machines will only pick up the updates that they "Need". If this is indeed true then what is the purpose of having "Computer Groups"?    Yes, this is true, and yes you can put all the computers in one group if you choose.  I have it set up so that each branch has its own group so that I can push out the updates to each branch when I choose.  For example, when SP3 for XP came out, I approved it for one branch at a time so if there were any issues it would spread out the support calls over a couple of weeks as opposed to one day.  Same thing with the servers, you may want to approve updates slower or faster than you do with the workstations so by having them in different groups you can do this.
Even after 2 full work days, only one workstation is reporting that it doesn't "Need" any more updates.  This is not out of the ordinary.  Once you approve an update the client still has to check in and download it.  It then has to schedule the install and install it.  It then has to check back in so the WSUS can update its status and see that it doesn't need any more updates. Typically a client is only going to check in about once a day (unless you force it with the script).
The Root Cert. update sounds like an issue with the client and not the WSUS.  Try installing this update from  If it is still having trouble with this update you will just have to troubleshoot it on the client side
As for the updates installed/not applicable, that just means that the computer doesn't need those updates or has already installed them.  This is normal.   The Updates with no status are updates that have been downloaded to the WSUS since the client last checked in.  As the clients continue to check in, this should go to 0.
You just need to give it some time.  As clients continue to check in and install needed updates, the (reports/ look of WSUS) will continue to improve.  

Author Closing Comment

ID: 31601507
Thanks a lot guys! You have been a great help!
