Link to home
Start Free TrialLog in
Avatar of tolinrome
tolinromeFlag for United States of America

asked on

Installing Active X for WSUS

If active x is not installed on a client computer then Windows update wont install from our WSUS server. Our clients do not have local admin privleges. Is there a way through WSUS or through GPO we cna push out this active x?
Avatar of digitap
digitap
Flag of United States of America image

What's getting installed is the WSUS client.  You can push that via GPO.  Windows XP without any service packs don't have this.  Otherwise, you should be good.  Just in case, the link below discusses it in detail and the second link is where you get the client.

http://articles.techrepublic.com.com/5100-22_11-5888918.html

http://technet.microsoft.com/en-us/wsus/bb466193.aspx

Hope that helps!
ASKER CERTIFIED SOLUTION
Avatar of Don
Don
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
@dstewartjr :: Thanks for catching that...didn't see the date.  My suggestion to you is to professionally offer your suggestions:  "How about posting the latest version of WSUS first."  Really?
Sorry, should have said "here's the latest version"

no offense intended
My bad...I have my neighbors barking their heads off so I was agitated when typed that and I should have checked my sources.
No prob.....nothing a beer cant cure.....LOL
so true...
Avatar of tolinrome

ASKER

Thanks this does help but I should have reworded my question.
I really wanted to know how I can get the Microsoft Updates ActiveX to automatically install on client machines so our WSUS server can see the clients and push out the updates.
Our clients do not have local admin rights which prevents them from installing the activex.
Should WSUS have the Microsoft Updates ActiveX add already available for download to the clients?
Thanks!
The ActiveX client that installs in IE is the vehicle used to install the latest WSUS client.  The link that dstewartjr provided is the WSUS client itself.  Pushing this client via GPO will do that same as visiting www.microsoft.com/updates.

You can test this easily by installing the client on a workstation that has your WSUS GPO settings applied.  Then, run gpupdate /force to confirm the settings and run wuauclient /detectnow from the command line.  You should see the client show up in the WSUS console.
Wsus doesn't use the activex method, you just need to enable the "Allow non admins to receive update notifications" to allow your clients to download/install upates. However, I recommend against relying on clients to install their own updates. You should use option 4 schedule and install updates at a specific time.


The windows update agent does not get pushed out via GPO! This gets downloaded when the client contacts the WSUS server.
But it can, right?  I appreciate the author's situation.  When I had problems with my clients connecting to WSUS (granted, that was over 2.5 years ago), I remember walking around to each computer and connecting to the Microsoft Updates website!  That's ludicrous.  The client has to be deployable in a more enterprise method.

Have said that, I believe with SP 2 and certainly SP3, it was no longer necessary to visit the website, right?
I already use the GPO enabled for "Allow non admins to receive update notifications" to our clients.
But I noticed that if I dont manually install the add on(activex) for MS updates then only Windows updates will be available on the client and the WSUS server will not be able to push out MS updates.

So, how can I make sure that I don't neeed to manually install the add-on (activex) on every machine I roll out? I need to be able to have this done automatically. Can't WSUS push out this add-on to the clients or maybe another suggestion?

 
Why are you trying to go to windows update from the client? Wsus clients PULL ALL the updates that they need from the WSUS server. There is no pushing in any form or fashion. The update agent is dl'd in the cab file when the client connects and gets updated if need be.
I dont want to go to windows update from the client.
Like I said before though, if the Microsoft Update Add-On ActiveX is not installed initially on the client then no NS update will happen, WSUS will not see the client for MS updates. Only Windows updates will happen.
I use WSUS SP2.
I want to be able to not manually go to a client and install the Add-On. I would like everything to be done automatically from the WSUS. I think digitap understands better since it seems like he's been through this situation.
Thanks again.
I repeat, with WSUS there is no need for activex.... I more than fully understand how WSUS works.

Are there any errors in any clients windowsupdate.log ??

What are the results from a client with clientdiag?


http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
What is the process you are doing that leads you to believe that you need this activex?
i'm going to step out of this question as it's clear i have something to learn in this area...and, the knowledge i have about the wsus client is out dated.

@dstewartjr :: you da man!
"What is the process you are doing that leads you to believe that you need this activex?
"

Because the clients wont recieve MS updates if I dont manually install it. Theyll get the Windows updates from the WSUS but not the MS updates. After I install it, then WSUS will then be able to install MS updates.
I'll check back tomorrow with more info after I test it out again.
Thanks alot.
"Theyll get the Windows updates from the WSUS but not the MS updates"


That's because they will only get updates that are approved on your WSUS server. Once you configure to get updates from WSUS, then clients contact WSUS for updates that are needed/approved. I think this is where the confusion is.


I stress, this activex addon that you insist upon has nothing to do with WSUS.


Did you run clientdiag ?

Did you look thru windowsupdate.log? <<<post one
Ok, I'm going image a new machine and see the logs and run the tool you suggested. I'll let you know. Thanks for your answers - they are helpful.

Just so I understand, lets take it from the beginning. When I take a new machine out of the box and put an image on it (it has been syspreped) and join it to the domain the client should recognize the WSUS and install any Windows\MS updates?

I'll let you know the log results etc.
Thanks!
Yes, if you properly setup your GPO's for WSUS.

The quickest way to verify that it gets the WSUS settings is to run from command prompt:

Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"


You can run wuauclt /detectnow to initiate the client to query WSUS for needed updates.
@dstewartjr :: This brings up a good question.  When you setup a new box, for imaging or otherwise, do you install Microsoft Updates from their website as an Admin or do you let WSUS do it all for you?
I let WSUS do it's job


I run wuauclt /detectnow and then click on the yellow shield when it appears.
Forgot to mention this is done after joining domain.
thanks for the info....our practice has always been to install all possible updates from Microsoft's web site, then image or install the workstation.  I guess there's more than one way to skin a cat...
i guess my worry is that WSUS will not install the critical/security updates fast enough before the user gets it in their grubby little hands.
I like to have an updated image so that there arent many updates needed. Another trick is to set Deadlines on updates.
Deadlines within WSUS?  That's interesting...I didn't know that was possible.  So, install certain updates within three days of a workstation coming online with WSUS...something like that?
http://technet.microsoft.com/en-us/library/cc708585%28WS.10%29.aspx


and


http://www.wsuswiki.com/WSUSClientFAQ


Q.    How to forcibly install a patch on all WSUS clients immediately?

A.   To install the patches immediately, you have to do the following: Set a  deadline on patch in the WSUS admin UI for any date in the past. This  will cause all clients to immediately download and install the patch,  rebooting if needed, as soon as they receive it on next scan) From  the command line on each client, run "wuauclt.exe /detectnow". This  will cause AU to immediately do that "next scan" on that client.
More information on Quick AU Client Detection & Installation with Windows Server Updates Services, WSUS

Thanks...good information.
You're welcome
Ok, I took a machine right out of the box, basic setup and joined it to the domain. The client is seen in WSUS and I ran the diagnostic tool and the Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" it seems fine (see attached screenshots).
I went into the WSUS and re-approved a previously approved update that needs to be installed on every machine. When I ran a detailed status report the client is listed as "Not Installed".
I thought I would see it as "Downloaded" at least and then the GPO would install it a 3am (the specified scheduled GPO time for installs). I didnt manually query the client to see if there were any installs it needed to download, I want WSUS to do that.

You wrote a few posts back - "I let WSUS do it's job, I run wuauclt /detectnow and then click on the yellow shield when it appears."

What is the yellow shield you are clickign on, MS Updates? if so, this is what I want WSUS to do automatically.




Untitled.png
untitled1.bmp
The yellow shield is what you see in the taskbar next to clock. You shoud have at first seen it and when hovering mouse over it, it should either say downloading updates with a percentage or updates have been downloaded and are ready for installation. Your clientdiag and reg query look fine so everything should be hunky dory. You will see the client in wsus, but you won't see a status of downloaded until the next time the client reports.
I have the GPO for every 1 hour for the auto update detection and it's been at least 4 hours or so and in WSUS it still shows "not installed". I though it would at least download itand then install it at the specified time (3:00am).........

Anyway, the main point is that I hope this new client will receive all approved updates without manually doing anything to the client.
Post the windowsupdate.log from the client
Here it is...

Windowsupdate.log
from the log


The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Friday, September 03, 2010 at 3:00 AM:  - Update for Windows XP (KB898461)
You also have the error  8024400d


look into the hotfix mentioned here


http://msmvps.com/blogs/athif/archive/2006/05/08/Error-0x8024400D-SOAP-Fault-0x00012c.aspx



and also look here


http://support.microsoft.com/kb/836941
Ok, I'll look into those hotfixes in a few minutes.

This is becoming confusing. The Windows update log from the client this morning shows that it's waiting for the machine to wake up from hibernation (which I did around 9:14 this morning) to install the update, then at 5:46 am ("during hibernation") in the log it shows that it installed Windows XP (KB898461) (which I'm hoping is the add-on that I have to manually click on to get MS updates as previously posted).
Anyway, so it shows in the log installed the update but when I ran the report from the WSUS for this client it shows that Windows XP (KB898461) is in status of Install/Downloaded. So it's approved for install but it's only downloaded.

How can I simply just put the machine on the domain and it downloads and installs all the approved updates?
Attached is this mornings log file.
Thanks again for your help.
Windowsupdate.log
Ok, HOW MANY TIMES DO I HAVE TO STRESS? THERE IS NO ADD-ON THAT NEEDS TO BE INSTALLED IN ORDER FOR WSUS AND CLIENT MACHINES TO WORK.
 I have repeatedly said this and you refuse to take my word on it.

From the log, everything is working and you're getting nervous over nothing.


   Success    Content Install    Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Saturday, September 04, 2010 at 3:00 AM:  - Security Update for Flash Player (KB923789) - Group Policy Preference Client Side Extensions for Windows XP (KB943729) - Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168) - Update for Windows XP (KB971513) - Security Update for Windows XP (KB974392) - Update for Microsoft Silverlight (KB982926) - Windows Media Player 11 - Windows Internet Explorer 7 for Windows XP - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524) - Internet Explorer 8 for Windows XP


once these are installed, if there are further updates needed it will continue.
lol,
I'm not refusing to take your word on it, really. I just dont understand certain things in the windows client log and the report for the client on the WSUS - they seem to be contradicting each other.

My situation is that we need a certain update "(KB982926)" on all clients. I approved it yesterday afternoon and it should have installed at 3:00 this morning, it didnt, from the logs it shows it will install tomorrow morning at 3:00am, this confuses me since it should have already installed. I don't know why it didn't???

From the logs it looks like 898461 (a package installer) needed to be installed first and I figured this needed to be installed first before additional updates.

Bottom line is KB982926 should have been installed already and it's not. That's all.
Thanks for all your help and have a good weekend.


There would be a number of reasons like a pending reboot, or since KB982926 is an update to silverlight--then silverlight would have to be initially installed. If you want certain updates to install immediately, use the "Deadline" approach that I described to Digitap earlier.
Thanks for all your help.
Your welcome, I hope I helped you to better understand WSUS.
@dstewartjr :: Nice work!  I've added this question to my KB.