How to use WSUS

I have just installed and configured WSUS 3 and would like some pointers on how best to use it.
Windows Server 2003 SP2

My one test machine picks up date GPO "Update Server" change.
It showed up in Unassigned Computers. I assigned it to a group then changed my mind and unassigned it. Now it doesn't show up at all any more. (Even though total computers shows 1).
Searching for it yields nothing.
The missing machine can still access HTTP://Server/SelfUpdate/

I'm also confused by the amount of updates available that are awaiting approval.
21911 updates are in the list.

Selected Products:
Office 2003
SQL Server 2005
SQL Server Feature Pack
SQL Server
Windows Defender
I.E. 8 Dynamic Installer
Windows Server 2003

Selected Classifications: (Automatically approved)
Critical Updates
Definition Updates
Security Updates
Service Packs

Only English updates is selected

Also using Local storage with "Download update files to this server only when updates are approved".

Update Services handles computer group membership

One other thing springs to mind..... Am I supposed to configure the servers to also use the WSUS server including the WSUS server itself?

This is the resource I used to deploy and configure:


Yes you can configure the servers too...but what I like to do with servers is apply a separate group policy that only applies to them that doesn't automatically apply updates.  I find I have to automatically apply them to non-server machines because otherwise users just won't apply them.
I usually don't approve service packs automatically, can be a drag if people come in one morning and every machine starts applying a major service pack LOL oh my, multiple users just ran out of disk space, nobody can take an order or whatever.
Not sure where your missing computer went but likely there's a view that will show it?
DennisPostAuthor Commented:
Hi Dateman,
Thanks for commenting.

I already have a separate GPO for the servers and a separate Computer Group in Update Services. ;-)

Definitely a valid point about the SPs, but it shouldn't be much of an issue for us. We only have 17 users with an average of 70% free space (60+ GB).
After restarting Update Services the machine showed up again. (I guess it was a bug).

How do you handle the multitude of updates that need to be approved or declined?
Do I understand you correctly, that the WSUS server can point to itself for updates?
Yes the WSUS server can update from self.

Main thing about service packs is that they can cause problems w/drivers and apps and also tie things up while applying.  I prefer to at least pre-test them.

Mostly I ignore the multitude of extra updates. :)  I automatically approve the ones I am most concerned with.  Some others I have to approve manually like IE8 and SPs so I search for them.

DennisPostAuthor Commented:
So it's normal to have to sift through 2100+ updates the first time round then?

Do you know of a way to manually start the update process on a client or do I have to change the update time every time and wait for the next time to run?
e.g. it's now 15:30. I change the automatic update time to the closest time; 16:00 and just wait?
I'm really wanting to test, but it's sooooo slow waiting every time.
I have manually set the refresh on a client to 1 hour or so I think, not too worried about less than that. :)

You shouldn't have to manually sift through the stuff much you can just say automatically approve these things and apply this rule now...
Here is a script to make the client check immediately.  Copy the below to notepad and save it as wsusforceupdate.cmd.  Execute it on the client you want to update and within a few minutes it should check in.  Also, as far as the 2100 updates that need to be approved.  You can filter the updates by Needed updates.  When a client connects to the wsus it checks to see if it needs any of the 2100 updates that are not approved.  If it needs one, it will register with wsus that it needs that update.  So you can really filter the updates by updates that are just needed by your clients.  Then approve or decline as needed.  The updates that aren't needed by any clients you could really just leave as not approved and if a client in the future needed it, you could approve it then.  Here is the wsusforceupdate.cmd:
@echo off
Echo This batch file will Force the Update Detection from the AU client by:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)

@echo on
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv

@echo off
Echo This AU client will now check for the Updates on the Local SUS Server.
Echo After 10-20 minutes have a look at %windir%\WindowsUpdate.log
Echo "For any errors; feel free to post on the forum & I will try to help out."
nice script :)
DennisPostAuthor Commented:
Thanks for the advice and handy script!
Unfortunately I had already declined all updates prior to 2009.......
Looks like I can set them to unapproved by approving then selecting "Unapprove"

I've pointed all machines to WSUS in GPO, will check on things on Monday.

I'll keep you guys posted.

Thanks again for your time!
Looks like I can set them to unapproved by approving then selecting "Unapprove"
That is exactly right.  Then on Monday you can sort them by "Needed" and approve as you see fit.
DennisPostAuthor Commented:
Things seem to be going reasonably well, though I still don't understand some things.

As I understand it, machines will only pick up the updates that they "Need". If this is indeed true then what is the purpose of having "Computer Groups"?
I should be able to put my Servers (DCs) and workstations in the same group and have everything working fine. (As long as the GPO Automatic Update settings are different).
Even after 2 full work days, only one workstation is reporting that it doesn't "Need" any more updates. The test machine that I am constantly updating still needs the Root Certificate update. 2 minutes after successfully installing it, it tries to install it again.
I deleted the machine, but after a couple of hours and using cincytopher's script, it shows up again.

I found that re-registering these dlls helps resolve some update problems. (But not in this case)
regsvr32 "C:\WINDOWS\system32\wups2.dll"
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll  
Some machines show "Updates installed / not applicable"* > 21000 others
"Updates with no status" > 21000
Is this by design or a bug?
* = Report generation takes a very long time and shows 400+ pages.
Any ideas?
I'll keep monitoring things and post anything new again.

Thanks for your time!!
Might want to start by sorting by date and getting rid of all old updates. :)

The root certificate update thing sounds like a separate issue.

Do you have it set to apply updates or notify users?  The one that doesn't "need" any updates may be the only user who actually applied updates. ;)
As I understand it, machines will only pick up the updates that they "Need". If this is indeed true then what is the purpose of having "Computer Groups"?    Yes, this is true, and yes you can put all the computers in one group if you choose.  I have it set up so that each branch has its own group so that I can push out the updates to each branch when I choose.  For example, when SP3 for XP came out, I approved it for one branch at a time so if there were any issues it would spread out the support calls over a couple of weeks as opposed to one day.  Same thing with the servers, you may want to approve updates slower or faster than you do with the workstations so by having them in different groups you can do this.
Even after 2 full work days, only one workstation is reporting that it doesn't "Need" any more updates.  This is not out of the ordinary.  Once you approve an update the client still has to check in and download it.  It then has to schedule the install and install it.  It then has to check back in so the WSUS can update its status and see that it doesn't need any more updates. Typically a client is only going to check in about once a day (unless you force it with the script).
The Root Cert. update sounds like an issue with the client and not the WSUS.  Try installing this update from  If it is still having trouble with this update you will just have to troubleshoot it on the client side
As for the updates installed/not applicable that just means that the computer doesn't need those updates or has already installed them.  This is normal.   The Updates with no status are updates that have been downloaded to the WSUS since the client last checked in.  As the clients continue to check in, this should go to 0.
You just need to give it some time.  As clients continue to check in and install needed updates, the (reports/ look of WSUS) will continue to improve.  
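An added example, not part of any post in this thread: a PowerShell check of the Windows Update policy values a GPO writes on a client, to confirm that servers and workstations received the behaviour discussed above (servers not installing on a schedule, workstations installing automatically). The function names are hypothetical, and `http://Server` is assumed from the SelfUpdate URL in the question.

```powershell
# Added example: review a client's Windows Update policy values against its role.
function Get-RegValues([string]$Path) {
    # Return every value under a registry key as a hashtable (empty if the key is absent).
    $h = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($n in $key.GetValueNames()) { $h[$n] = $key.GetValue($n) }
    }
    return $h
}

function Test-WsusClientPolicy {
    param(
        [hashtable]$WU,   # values of ...\Policies\Microsoft\Windows\WindowsUpdate
        [hashtable]$AU,   # values of its AU subkey
        [ValidateSet('Server','Workstation')][string]$Role,
        [string]$ExpectedServer   # assumption: the WSUS URL set in the GPO
    )
    $f = @()
    if ($AU['UseWUServer'] -ne 1) { $f += 'UseWUServer is not 1: the client is not using WSUS' }
    if ($WU['WUServer'] -ne $ExpectedServer) {
        $f += "WUServer is '$($WU['WUServer'])', expected '$ExpectedServer'"
    }
    if ($WU['WUStatusServer'] -ne $WU['WUServer']) {
        $f += 'WUStatusServer differs from WUServer: both must match to be valid'
    }
    if ($AU['NoAutoUpdate'] -eq 1) { $f += 'NoAutoUpdate is 1: Automatic Updates is disabled' }
    # AUOptions: 2 = notify before download, 3 = download and notify, 4 = install on schedule
    if ($Role -eq 'Server' -and $AU['AUOptions'] -eq 4) {
        $f += 'Server installs on a schedule (AUOptions 4): workstation GPO applied?'
    }
    if ($Role -eq 'Workstation' -and $AU['AUOptions'] -ne 4) {
        $f += "Workstation AUOptions is '$($AU['AUOptions'])': updates wait for the user"
    }
    if ($WU['TargetGroupEnabled'] -eq 1) {
        $f += "Client-side targeting asks for group '$($WU['TargetGroup'])'; ignored while the console assigns groups"
    }
    return ,$f
}

# Constructed sample: a server that received the workstation GPO by mistake.
$sampleWU = @{ WUServer = 'http://Server'; WUStatusServer = 'http://Server' }
$sampleAU = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallTime = 16 }
Test-WsusClientPolicy -WU $sampleWU -AU $sampleAU -Role Server -ExpectedServer 'http://Server'

# On a real client, read the live policy instead:
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Test-WsusClientPolicy (Get-RegValues $base) (Get-RegValues "$base\AU") Workstation 'http://Server'
```

An empty result means the policy values match the role; each string returned names one setting to correct in the GPO.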

DennisPostAuthor Commented:
Thanks a lot guys! You have been a great help!