Installing Active X for WSUS

If active x is not installed on a client computer then Windows update wont install from our WSUS server. Our clients do not have local admin privleges. Is there a way through WSUS or through GPO we cna push out this active x?
LVL 7
tolinromeAsked:
Who is Participating?
 
DonConnect With a Mentor Network AdministratorCommented:
How about posting the latest version of WSUS first.

http://technet.microsoft.com/en-us/wsus/bb466190.aspx


Secondly, by default when clients first connect to a WSUS server they download the "Windows Update Agent"



"Our clients do not have local admin privleges....."

Then all you need to cofigure is

"Allow Non-administrators to Receive Update Notifications"

http://technet.microsoft.com/en-us/library/cc720539%28WS.10%29.aspx


WSUS step by step with screenshots


http://blogs.microsoft.co.il/blogs/yanivf/archive/2007/09/23/install-wsus-3-0-step-by-step.aspx
0
 
digitapCommented:
What's getting installed is the WSUS client.  You can push that via GPO.  Windows XP without any service packs don't have this.  Otherwise, you should be good.  Just in case, the link below discusses it in detail and the second link is where you get the client.

http://articles.techrepublic.com.com/5100-22_11-5888918.html

http://technet.microsoft.com/en-us/wsus/bb466193.aspx

Hope that helps!
0
 
digitapCommented:
@dstewartjr :: Thanks for catching that...didn't see the date.  My suggestion to you is to professionally offer your suggestions:  "How about posting the latest version of WSUS first."  Really?
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
DonNetwork AdministratorCommented:
Sorry, should have said "here's the latest version"

no offense intended
0
 
digitapCommented:
My bad...I have my neighbors barking their heads off so I was agitated when typed that and I should have checked my sources.
0
 
DonNetwork AdministratorCommented:
No prob.....nothing a beer cant cure.....LOL
0
 
digitapCommented:
so true...
0
 
tolinromeAuthor Commented:
Thanks this does help but I should have reworded my question.
I really wanted to know how I can get the Microsoft Updates ActiveX to automatically install on client machines so our WSUS server can see the clients and push out the updates.
Our clients do not have local admin rights which prevents them from installing the activex.
Should WSUS have the Microsoft Updates ActiveX add already available for download to the clients?
Thanks!
0
 
digitapCommented:
The ActiveX client that installs in IE is the vehicle used to install the latest WSUS client.  The link that dstewartjr provided is the WSUS client itself.  Pushing this client via GPO will do that same as visiting www.microsoft.com/updates.

You can test this easily by installing the client on a workstation that has your WSUS GPO settings applied.  Then, run gpupdate /force to confirm the settings and run wuauclient /detectnow from the command line.  You should see the client show up in the WSUS console.
0
 
DonNetwork AdministratorCommented:
Wsus doesn't use the activex method, you just need to enable the "Allow non admins to receive update notifications" to allow your clients to download/install upates. However, I recommend against relying on clients to install their own updates. You should use option 4 schedule and install updates at a specific time.
0
 
DonNetwork AdministratorCommented:


The windows update agent does not get pushed out via GPO! This gets downloaded when the client contacts the WSUS server.
0
 
digitapCommented:
But it can, right?  I appreciate the author's situation.  When I had problems with my clients connecting to WSUS (granted, that was over 2.5 years ago), I remember walking around to each computer and connecting to the Microsoft Updates website!  That's ludicrous.  The client has to be deployable in a more enterprise method.

Have said that, I believe with SP 2 and certainly SP3, it was no longer necessary to visit the website, right?
0
 
tolinromeAuthor Commented:
I already use the GPO enabled for "Allow non admins to receive update notifications" to our clients.
But I noticed that if I dont manually install the add on(activex) for MS updates then only Windows updates will be available on the client and the WSUS server will not be able to push out MS updates.

So, how can I make sure that I don't neeed to manually install the add-on (activex) on every machine I roll out? I need to be able to have this done automatically. Can't WSUS push out this add-on to the clients or maybe another suggestion?

 
0
 
DonNetwork AdministratorCommented:
Why are you trying to go to windows update from the client? Wsus clients PULL ALL the updates that they need from the WSUS server. There is no pushing in any form or fashion. The update agent is dl'd in the cab file when the client connects and gets updated if need be.
0
 
tolinromeAuthor Commented:
I dont want to go to windows update from the client.
Like I said before though, if the Microsoft Update Add-On ActiveX is not installed initially on the client then no NS update will happen, WSUS will not see the client for MS updates. Only Windows updates will happen.
I use WSUS SP2.
I want to be able to not manually go to a client and install the Add-On. I would like everything to be done automatically from the WSUS. I think digitap understands better since it seems like he's been through this situation.
Thanks again.
0
 
DonNetwork AdministratorCommented:
I repeat, with WSUS there is no need for activex.... I more than fully understand how WSUS works.

Are there any errors in any clients windowsupdate.log ??

What are the results from a client with clientdiag?


http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
0
 
DonNetwork AdministratorCommented:
What is the process you are doing that leads you to believe that you need this activex?
0
 
digitapCommented:
i'm going to step out of this question as it's clear i have something to learn in this area...and, the knowledge i have about the wsus client is out dated.

@dstewartjr :: you da man!
0
 
tolinromeAuthor Commented:
"What is the process you are doing that leads you to believe that you need this activex?
"

Because the clients wont recieve MS updates if I dont manually install it. Theyll get the Windows updates from the WSUS but not the MS updates. After I install it, then WSUS will then be able to install MS updates.
I'll check back tomorrow with more info after I test it out again.
Thanks alot.
0
 
DonNetwork AdministratorCommented:
"Theyll get the Windows updates from the WSUS but not the MS updates"


That's because they will only get updates that are approved on your WSUS server. Once you configure to get updates from WSUS, then clients contact WSUS for updates that are needed/approved. I think this is where the confusion is.


I stress, this activex addon that you insist upon has nothing to do with WSUS.


Did you run clientdiag ?

Did you look thru windowsupdate.log? <<<post one
0
 
tolinromeAuthor Commented:
Ok, I'm going image a new machine and see the logs and run the tool you suggested. I'll let you know. Thanks for your answers - they are helpful.

Just so I understand, lets take it from the beginning. When I take a new machine out of the box and put an image on it (it has been syspreped) and join it to the domain the client should recognize the WSUS and install any Windows\MS updates?

I'll let you know the log results etc.
Thanks!
0
 
DonNetwork AdministratorCommented:
Yes, if you properly setup your GPO's for WSUS.

The quickest way to verify that it gets the WSUS settings is to run from command prompt:

Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"


You can run wuauclt /detectnow to initiate the client to query WSUS for needed updates.
0
 
digitapCommented:
@dstewartjr :: This brings up a good question.  When you setup a new box, for imaging or otherwise, do you install Microsoft Updates from their website as an Admin or do you let WSUS do it all for you?
0
 
DonNetwork AdministratorCommented:
I let WSUS do it's job


I run wuauclt /detectnow and then click on the yellow shield when it appears.
0
 
DonNetwork AdministratorCommented:
Forgot to mention this is done after joining domain.
0
 
digitapCommented:
thanks for the info....our practice has always been to install all possible updates from Microsoft's web site, then image or install the workstation.  I guess there's more than one way to skin a cat...
0
 
digitapCommented:
i guess my worry is that WSUS will not install the critical/security updates fast enough before the user gets it in their grubby little hands.
0
 
DonNetwork AdministratorCommented:
I like to have an updated image so that there arent many updates needed. Another trick is to set Deadlines on updates.
0
 
digitapCommented:
Deadlines within WSUS?  That's interesting...I didn't know that was possible.  So, install certain updates within three days of a workstation coming online with WSUS...something like that?
0
 
DonNetwork AdministratorCommented:
http://technet.microsoft.com/en-us/library/cc708585%28WS.10%29.aspx


and


http://www.wsuswiki.com/WSUSClientFAQ


Q.    How to forcibly install a patch on all WSUS clients immediately?

A.   To install the patches immediately, you have to do the following: Set a  deadline on patch in the WSUS admin UI for any date in the past. This  will cause all clients to immediately download and install the patch,  rebooting if needed, as soon as they receive it on next scan) From  the command line on each client, run "wuauclt.exe /detectnow". This  will cause AU to immediately do that "next scan" on that client.
More information on Quick AU Client Detection & Installation with Windows Server Updates Services, WSUS

0
 
digitapCommented:
Thanks...good information.
0
 
DonNetwork AdministratorCommented:
You're welcome
0
 
tolinromeAuthor Commented:
Ok, I took a machine right out of the box, basic setup and joined it to the domain. The client is seen in WSUS and I ran the diagnostic tool and the Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" it seems fine (see attached screenshots).
I went into the WSUS and re-approved a previously approved update that needs to be installed on every machine. When I ran a detailed status report the client is listed as "Not Installed".
I thought I would see it as "Downloaded" at least and then the GPO would install it a 3am (the specified scheduled GPO time for installs). I didnt manually query the client to see if there were any installs it needed to download, I want WSUS to do that.

You wrote a few posts back - "I let WSUS do it's job, I run wuauclt /detectnow and then click on the yellow shield when it appears."

What is the yellow shield you are clickign on, MS Updates? if so, this is what I want WSUS to do automatically.




Untitled.png
untitled1.bmp
0
 
DonNetwork AdministratorCommented:
The yellow shield is what you see in the taskbar next to clock. You shoud have at first seen it and when hovering mouse over it, it should either say downloading updates with a percentage or updates have been downloaded and are ready for installation. Your clientdiag and reg query look fine so everything should be hunky dory. You will see the client in wsus, but you won't see a status of downloaded until the next time the client reports.
0
 
tolinromeAuthor Commented:
I have the GPO for every 1 hour for the auto update detection and it's been at least 4 hours or so and in WSUS it still shows "not installed". I though it would at least download itand then install it at the specified time (3:00am).........

Anyway, the main point is that I hope this new client will receive all approved updates without manually doing anything to the client.
0
 
DonNetwork AdministratorCommented:
Post the windowsupdate.log from the client
0
 
tolinromeAuthor Commented:
Here it is...

Windowsupdate.log
0
 
DonNetwork AdministratorCommented:
from the log


The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Friday, September 03, 2010 at 3:00 AM:  - Update for Windows XP (KB898461)
0
 
DonNetwork AdministratorCommented:
You also have the error  8024400d


look into the hotfix mentioned here


http://msmvps.com/blogs/athif/archive/2006/05/08/Error-0x8024400D-SOAP-Fault-0x00012c.aspx



and also look here


http://support.microsoft.com/kb/836941
0
 
tolinromeAuthor Commented:
Ok, I'll look into those hotfixes in a few minutes.

This is becoming confusing. The Windows update log from the client this morning shows that it's waiting for the machine to wake up from hibernation (which I did around 9:14 this morning) to install the update, then at 5:46 am ("during hibernation") in the log it shows that it installed Windows XP (KB898461) (which I'm hoping is the add-on that I have to manually click on to get MS updates as previously posted).
Anyway, so it shows in the log installed the update but when I ran the report from the WSUS for this client it shows that Windows XP (KB898461) is in status of Install/Downloaded. So it's approved for install but it's only downloaded.

How can I simply just put the machine on the domain and it downloads and installs all the approved updates?
Attached is this mornings log file.
Thanks again for your help.
Windowsupdate.log
0
 
DonNetwork AdministratorCommented:
Ok, HOW MANY TIMES DO I HAVE TO STRESS? THERE IS NO ADD-ON THAT NEEDS TO BE INSTALLED IN ORDER FOR WSUS AND CLIENT MACHINES TO WORK.
 I have repeatedly said this and you refuse to take my word on it.

From the log, everything is working and you're getting nervous over nothing.


   Success    Content Install    Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Saturday, September 04, 2010 at 3:00 AM:  - Security Update for Flash Player (KB923789) - Group Policy Preference Client Side Extensions for Windows XP (KB943729) - Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168) - Update for Windows XP (KB971513) - Security Update for Windows XP (KB974392) - Update for Microsoft Silverlight (KB982926) - Windows Media Player 11 - Windows Internet Explorer 7 for Windows XP - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524) - Internet Explorer 8 for Windows XP


once these are installed, if there are further updates needed it will continue.
0
 
tolinromeAuthor Commented:
lol,
I'm not refusing to take your word on it, really. I just dont understand certain things in the windows client log and the report for the client on the WSUS - they seem to be contradicting each other.

My situation is that we need a certain update "(KB982926)" on all clients. I approved it yesterday afternoon and it should have installed at 3:00 this morning, it didnt, from the logs it shows it will install tomorrow morning at 3:00am, this confuses me since it should have already installed. I don't know why it didn't???

From the logs it looks like 898461 (a package installer) needed to be installed first and I figured this needed to be installed first before additional updates.

Bottom line is KB982926 should have been installed already and it's not. That's all.
Thanks for all your help and have a good weekend.


0
 
DonNetwork AdministratorCommented:
There would be a number of reasons like a pending reboot, or since KB982926 is an update to silverlight--then silverlight would have to be initially installed. If you want certain updates to install immediately, use the "Deadline" approach that I described to Digitap earlier.
0
 
tolinromeAuthor Commented:
Thanks for all your help.
0
 
DonNetwork AdministratorCommented:
Your welcome, I hope I helped you to better understand WSUS.
0
 
digitapCommented:
@dstewartjr :: Nice work!  I've added this question to my KB.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.