Solved

Installing Active X for WSUS

Posted on 2010-08-31
46
1,004 Views
Last Modified: 2013-11-18
If active x is not installed on a client computer then Windows update wont install from our WSUS server. Our clients do not have local admin privleges. Is there a way through WSUS or through GPO we cna push out this active x?
0
Comment
Question by:tolinrome
  • 22
  • 13
  • 11
46 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 33571249
What's getting installed is the WSUS client.  You can push that via GPO.  Windows XP without any service packs don't have this.  Otherwise, you should be good.  Just in case, the link below discusses it in detail and the second link is where you get the client.

http://articles.techrepublic.com.com/5100-22_11-5888918.html

http://technet.microsoft.com/en-us/wsus/bb466193.aspx

Hope that helps!
0
 
LVL 47

Accepted Solution

by:
dstewartjr earned 250 total points
ID: 33572988
How about posting the latest version of WSUS first.

http://technet.microsoft.com/en-us/wsus/bb466190.aspx


Secondly, by default when clients first connect to a WSUS server they download the "Windows Update Agent"



"Our clients do not have local admin privleges....."

Then all you need to cofigure is

"Allow Non-administrators to Receive Update Notifications"

http://technet.microsoft.com/en-us/library/cc720539%28WS.10%29.aspx


WSUS step by step with screenshots


http://blogs.microsoft.co.il/blogs/yanivf/archive/2007/09/23/install-wsus-3-0-step-by-step.aspx
0
 
LVL 33

Expert Comment

by:digitap
ID: 33573057
@dstewartjr :: Thanks for catching that...didn't see the date.  My suggestion to you is to professionally offer your suggestions:  "How about posting the latest version of WSUS first."  Really?
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33573091
Sorry, should have said "here's the latest version"

no offense intended
0
 
LVL 33

Expert Comment

by:digitap
ID: 33573101
My bad...I have my neighbors barking their heads off so I was agitated when typed that and I should have checked my sources.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33573126
No prob.....nothing a beer cant cure.....LOL
0
 
LVL 33

Expert Comment

by:digitap
ID: 33573141
so true...
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33580122
Thanks this does help but I should have reworded my question.
I really wanted to know how I can get the Microsoft Updates ActiveX to automatically install on client machines so our WSUS server can see the clients and push out the updates.
Our clients do not have local admin rights which prevents them from installing the activex.
Should WSUS have the Microsoft Updates ActiveX add already available for download to the clients?
Thanks!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580237
The ActiveX client that installs in IE is the vehicle used to install the latest WSUS client.  The link that dstewartjr provided is the WSUS client itself.  Pushing this client via GPO will do that same as visiting www.microsoft.com/updates.

You can test this easily by installing the client on a workstation that has your WSUS GPO settings applied.  Then, run gpupdate /force to confirm the settings and run wuauclient /detectnow from the command line.  You should see the client show up in the WSUS console.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33580322
Wsus doesn't use the activex method, you just need to enable the "Allow non admins to receive update notifications" to allow your clients to download/install upates. However, I recommend against relying on clients to install their own updates. You should use option 4 schedule and install updates at a specific time.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33580456


The windows update agent does not get pushed out via GPO! This gets downloaded when the client contacts the WSUS server.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33580509
But it can, right?  I appreciate the author's situation.  When I had problems with my clients connecting to WSUS (granted, that was over 2.5 years ago), I remember walking around to each computer and connecting to the Microsoft Updates website!  That's ludicrous.  The client has to be deployable in a more enterprise method.

Have said that, I believe with SP 2 and certainly SP3, it was no longer necessary to visit the website, right?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33580514
I already use the GPO enabled for "Allow non admins to receive update notifications" to our clients.
But I noticed that if I dont manually install the add on(activex) for MS updates then only Windows updates will be available on the client and the WSUS server will not be able to push out MS updates.

So, how can I make sure that I don't neeed to manually install the add-on (activex) on every machine I roll out? I need to be able to have this done automatically. Can't WSUS push out this add-on to the clients or maybe another suggestion?

 
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33580692
Why are you trying to go to windows update from the client? Wsus clients PULL ALL the updates that they need from the WSUS server. There is no pushing in any form or fashion. The update agent is dl'd in the cab file when the client connects and gets updated if need be.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33581827
I dont want to go to windows update from the client.
Like I said before though, if the Microsoft Update Add-On ActiveX is not installed initially on the client then no NS update will happen, WSUS will not see the client for MS updates. Only Windows updates will happen.
I use WSUS SP2.
I want to be able to not manually go to a client and install the Add-On. I would like everything to be done automatically from the WSUS. I think digitap understands better since it seems like he's been through this situation.
Thanks again.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33581866
I repeat, with WSUS there is no need for activex.... I more than fully understand how WSUS works.

Are there any errors in any clients windowsupdate.log ??

What are the results from a client with clientdiag?


http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33581876
What is the process you are doing that leads you to believe that you need this activex?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33582292
i'm going to step out of this question as it's clear i have something to learn in this area...and, the knowledge i have about the wsus client is out dated.

@dstewartjr :: you da man!
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33583543
"What is the process you are doing that leads you to believe that you need this activex?
"

Because the clients wont recieve MS updates if I dont manually install it. Theyll get the Windows updates from the WSUS but not the MS updates. After I install it, then WSUS will then be able to install MS updates.
I'll check back tomorrow with more info after I test it out again.
Thanks alot.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33583569
"Theyll get the Windows updates from the WSUS but not the MS updates"


That's because they will only get updates that are approved on your WSUS server. Once you configure to get updates from WSUS, then clients contact WSUS for updates that are needed/approved. I think this is where the confusion is.


I stress, this activex addon that you insist upon has nothing to do with WSUS.


Did you run clientdiag ?

Did you look thru windowsupdate.log? <<<post one
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33587043
Ok, I'm going image a new machine and see the logs and run the tool you suggested. I'll let you know. Thanks for your answers - they are helpful.

Just so I understand, lets take it from the beginning. When I take a new machine out of the box and put an image on it (it has been syspreped) and join it to the domain the client should recognize the WSUS and install any Windows\MS updates?

I'll let you know the log results etc.
Thanks!
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33587184
Yes, if you properly setup your GPO's for WSUS.

The quickest way to verify that it gets the WSUS settings is to run from command prompt:

Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"


You can run wuauclt /detectnow to initiate the client to query WSUS for needed updates.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588239
@dstewartjr :: This brings up a good question.  When you setup a new box, for imaging or otherwise, do you install Microsoft Updates from their website as an Admin or do you let WSUS do it all for you?
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 47

Expert Comment

by:dstewartjr
ID: 33588279
I let WSUS do it's job


I run wuauclt /detectnow and then click on the yellow shield when it appears.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33588287
Forgot to mention this is done after joining domain.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588307
thanks for the info....our practice has always been to install all possible updates from Microsoft's web site, then image or install the workstation.  I guess there's more than one way to skin a cat...
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588313
i guess my worry is that WSUS will not install the critical/security updates fast enough before the user gets it in their grubby little hands.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33588349
I like to have an updated image so that there arent many updates needed. Another trick is to set Deadlines on updates.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588405
Deadlines within WSUS?  That's interesting...I didn't know that was possible.  So, install certain updates within three days of a workstation coming online with WSUS...something like that?
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33588461
http://technet.microsoft.com/en-us/library/cc708585%28WS.10%29.aspx


and


http://www.wsuswiki.com/WSUSClientFAQ


Q.    How to forcibly install a patch on all WSUS clients immediately?

A.   To install the patches immediately, you have to do the following: Set a  deadline on patch in the WSUS admin UI for any date in the past. This  will cause all clients to immediately download and install the patch,  rebooting if needed, as soon as they receive it on next scan) From  the command line on each client, run "wuauclt.exe /detectnow". This  will cause AU to immediately do that "next scan" on that client.
More information on Quick AU Client Detection & Installation with Windows Server Updates Services, WSUS

0
 
LVL 33

Expert Comment

by:digitap
ID: 33588482
Thanks...good information.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33588501
You're welcome
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33590889
Ok, I took a machine right out of the box, basic setup and joined it to the domain. The client is seen in WSUS and I ran the diagnostic tool and the Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" it seems fine (see attached screenshots).
I went into the WSUS and re-approved a previously approved update that needs to be installed on every machine. When I ran a detailed status report the client is listed as "Not Installed".
I thought I would see it as "Downloaded" at least and then the GPO would install it a 3am (the specified scheduled GPO time for installs). I didnt manually query the client to see if there were any installs it needed to download, I want WSUS to do that.

You wrote a few posts back - "I let WSUS do it's job, I run wuauclt /detectnow and then click on the yellow shield when it appears."

What is the yellow shield you are clickign on, MS Updates? if so, this is what I want WSUS to do automatically.




Untitled.png
untitled1.bmp
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33591198
The yellow shield is what you see in the taskbar next to clock. You shoud have at first seen it and when hovering mouse over it, it should either say downloading updates with a percentage or updates have been downloaded and are ready for installation. Your clientdiag and reg query look fine so everything should be hunky dory. You will see the client in wsus, but you won't see a status of downloaded until the next time the client reports.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33591538
I have the GPO for every 1 hour for the auto update detection and it's been at least 4 hours or so and in WSUS it still shows "not installed". I though it would at least download itand then install it at the specified time (3:00am).........

Anyway, the main point is that I hope this new client will receive all approved updates without manually doing anything to the client.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33591682
Post the windowsupdate.log from the client
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33591755
Here it is...

Windowsupdate.log
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33592898
from the log


The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Friday, September 03, 2010 at 3:00 AM:  - Update for Windows XP (KB898461)
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33592947
You also have the error  8024400d


look into the hotfix mentioned here


http://msmvps.com/blogs/athif/archive/2006/05/08/Error-0x8024400D-SOAP-Fault-0x00012c.aspx



and also look here


http://support.microsoft.com/kb/836941
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33596613
Ok, I'll look into those hotfixes in a few minutes.

This is becoming confusing. The Windows update log from the client this morning shows that it's waiting for the machine to wake up from hibernation (which I did around 9:14 this morning) to install the update, then at 5:46 am ("during hibernation") in the log it shows that it installed Windows XP (KB898461) (which I'm hoping is the add-on that I have to manually click on to get MS updates as previously posted).
Anyway, so it shows in the log installed the update but when I ran the report from the WSUS for this client it shows that Windows XP (KB898461) is in status of Install/Downloaded. So it's approved for install but it's only downloaded.

How can I simply just put the machine on the domain and it downloads and installs all the approved updates?
Attached is this mornings log file.
Thanks again for your help.
Windowsupdate.log
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33596890
Ok, HOW MANY TIMES DO I HAVE TO STRESS? THERE IS NO ADD-ON THAT NEEDS TO BE INSTALLED IN ORDER FOR WSUS AND CLIENT MACHINES TO WORK.
 I have repeatedly said this and you refuse to take my word on it.

From the log, everything is working and you're getting nervous over nothing.


   Success    Content Install    Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Saturday, September 04, 2010 at 3:00 AM:  - Security Update for Flash Player (KB923789) - Group Policy Preference Client Side Extensions for Windows XP (KB943729) - Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168) - Update for Windows XP (KB971513) - Security Update for Windows XP (KB974392) - Update for Microsoft Silverlight (KB982926) - Windows Media Player 11 - Windows Internet Explorer 7 for Windows XP - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524) - Internet Explorer 8 for Windows XP


once these are installed, if there are further updates needed it will continue.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33597364
lol,
I'm not refusing to take your word on it, really. I just dont understand certain things in the windows client log and the report for the client on the WSUS - they seem to be contradicting each other.

My situation is that we need a certain update "(KB982926)" on all clients. I approved it yesterday afternoon and it should have installed at 3:00 this morning, it didnt, from the logs it shows it will install tomorrow morning at 3:00am, this confuses me since it should have already installed. I don't know why it didn't???

From the logs it looks like 898461 (a package installer) needed to be installed first and I figured this needed to be installed first before additional updates.

Bottom line is KB982926 should have been installed already and it's not. That's all.
Thanks for all your help and have a good weekend.


0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33597761
There would be a number of reasons like a pending reboot, or since KB982926 is an update to silverlight--then silverlight would have to be initially installed. If you want certain updates to install immediately, use the "Deadline" approach that I described to Digitap earlier.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33597911
Thanks for all your help.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33597996
Your welcome, I hope I helped you to better understand WSUS.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33598215
@dstewartjr :: Nice work!  I've added this question to my KB.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

The password reset disk is often mentioned as the best solution to deal with the lost Windows password problem. In Windows 2008, 7, Vista and XP, a password reset disk can be easily created. But besides Windows 7/Vista/XP, Windows Server 2008 and ot…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now