WSUS updating client stop when not approved

Hi ,

I setup a WSUS server for my office and start to deploy some replicas for other offices.
Some updates are not approved yet but needed (ex : internet explorer 8) and it appears to block the upgrade process.
For instance, the first 20 updates will be installed on the client on the time I set in the GPO and then the 21rst which is a not approved update but needed blocks the rest of the update until the next schedule.
Now, I wish to find the solution to have all the approved updates installed in one go rather than being blocked by not approved yet updates.

Thanks in advance ,

Regards,

OEGC
LVL 1
plenumAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DonNetwork AdministratorCommented:
Go over....
Toolkit to Disable Automatic Delivery of Internet Explorer 8
 
The most likely reason the updates are not continuing is because of a pending reboot.
0
plenumAuthor Commented:
thanks for the answer : I took IE8 as an example but I have other not approved updates such as .net Services pack. I can insure it s not a problem with pending reboot : I just did again a test this morning with a pc which was expecting 126 updates and I had to install a first set of 72,reboot tothen enable the download and installation of the remaining patches.
0
DonNetwork AdministratorCommented:
In WSUS, Clients report to the server for available updates. If these updates are not yet approved the client cant pull them from the server. Also WSUS wont even download the updates until they are approved(This is after initial synchronization).
 
Some more information here:
 
http://technet.microsoft.com/en-us/library/cc512630.aspx 
 
Also look at Automatic Approval rules:
 
http://technet.microsoft.com/en-us/library/cc708458(WS.10).aspx 
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

plenumAuthor Commented:
so you said that the only chance to run the whole process is to approve or decline all updates and I can not leave some upgrades not approved..
0
DonNetwork AdministratorCommented:
There are updates that won't install until other updates are first installed, like windows installer for ex. Until the latest windows installer is installed then the next group can install
0
plenumAuthor Commented:
I might agree but how do you explain that if I can install a first block of upgrades manually,reboot then the second block which was blocked before is now released and ready to be installed .
0
DonNetwork AdministratorCommented:
"how do you explain that if I can install a first block of upgrades manually,reboot then the second block which was blocked before is now released and ready to be installed ."
Is this while all the updates are approved?
 
You're making this into more than it needs to be. Look at your c:\Windows\windowsupdate.log which will give you clues. What is your reasoning for installing in "Blocks" ?
If you're concerned with bandwidth, you can throttle it.
 
http://blogs.technet.com/sus/archive/2008/06/30/wsus-how-to-throttle-bits.aspx 
 
http://blogs.technet.com/sus/archive/2008/11/19/more-on-throttling-wsus-downloads.aspx 
0
plenumAuthor Commented:
What I meant by block si the following : if I go on WSUS and check the updates needed by a pc, I have a report that will say for example : 100.
On those 100, I have the last 25 approved and downloaded.then the 26 is not approved and any other one that are approved are not downloaded.
Now, if I install manually those 25 updates then reboot, the 26th will remain on the list of updates needed but not aprroved and the rest of the updates will be downloaded.

I also noticed that the SP3 for Windows XP does not get downloaded and installed as any other update and require a manual installation
0
DonNetwork AdministratorCommented:
My question is there a reason you are not approving all the needed updates??? Look on the front page at your download status, are there files still being downloaded?
 
Yes, service packs and IE7/IE8 will need user interaction(manual install)

WSUSDownloadStatus.png
0
plenumAuthor Commented:
thx for that..Yes : We don t want to deploy right now SP for MSFramework .net or any new version as we need to test those before.
I m still very curious to understand why it does not install all approved updates and let the unapproved but needed ones off the process. To do so, I have to run manually the install or wait for the scheduled installation.

0
DonNetwork AdministratorCommented:
"I have to run manually the install or wait for the scheduled installation"
 
That's the reason........they are scheduled. There's a couple things you can do. You can set deadlines on the updates using a date that has already passed.
http://technet.microsoft.com/en-us/library/cc708458(WS.10).aspx
 http://technet.microsoft.com/en-us/library/cc708585(WS.10).aspx
You can reset the default 22 hour waiting period with the .Bat below

%Windir%\system32\net.exe stop bits 
%Windir%\system32\net.exe stop wuauserv 
%Windir%\system32\net.exe stop cryptsvc

del %WINDIR%\WindowsUpdate.log /S /Q  



reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f


rd /s /q %windir%\softwareDistribution
%Windir%\system32\net.exe start cryptsvc
%Windir%\system32\net.exe start bits 
%Windir%\system32\net.exe start wuauserv 


sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)


sc sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

wuauclt /resetauthorization /detectnow
wuauclt /reportnow

exit /B 0 

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.