Solved

WSUS Client Updates Not Installing

Posted on 2010-08-31
Last Modified: 2012-05-10
I am running SBS 2003.  I upgraded WSUS to 3.0 a few weeks ago.  I thought it was configured correctly but now I am not sure.  I want to have client updates automatically approved and downloaded and then installed at a scheduled time.  I want to manually approve and download server updates.

I have configured the clients using Group Policy.  I attached a screenshot of the GP settings.

When I checked updates today, the various computers needed between 14 - 18 updates according to the WSUS reports.  I looked at the Update log on one of the client computers and it is successfully connecting to the server and checking for updates.  I am not sure why the updates are not being approved and downloaded to the computers.
I did make a change in the Group Policy that may affect this.  I created two Group Policy objects: WSUS Clients and WSUS Servers.  I added the SBS clients and servers to the respective Group Policy Objects.  I am not using the default SBS Group Policy Objects: "Small Business Server Update Services Server Computers Policy".  By not using the SBS GP objects, have I prevented the WSUS updates from occurring as designed?

Thanks
WSUS-Client-GP-Settings.jpg
WSUS-Client-GP-Window.jpg
Question by:beyondt
18 Comments
 
LVL 20

Assisted Solution

by:MightySW
MightySW earned 50 total points
Hi, the WSUS GP settings are computer configuration settings.  If you want them to apply to a specific GROUP of computers you need to apply the GPO to the OU that you did and then have a GROUP of server objects in the security filtering option.  Right now, you have authenticated users (default) in the group.  How are servers and computers going to be authenticated if this is a computer GPO and not a user GPO?  

Again, just create a group of workstations and servers and put them into the apply to the following groups section of the GPO.

You can test that the computer updates the RSOP by running (from a command prompt) the following commands:
gpupdate /force (reboot if necessary)
when it comes back up run:
wuauclt /detectnow

Also be sure to check the Automatic update section of the clients to ensure that it says that it is being managed by the system administrator and that no options, or that the options that you set are not available.  

Honestly, I would be sure that you don't apply updates to your servers without testing them first on a lower priority server or a non-production server.

HTH

This will allo
0
 
LVL 47

Expert Comment

by:dstewartjr
You created new Target groups, did you also configure the auto approval rules?
0
 
LVL 20

Expert Comment

by:MightySW
Also, make sure you DO NOT listen to Dstew...

LOL, what up my brotha.  You need to keep in touch dude.  My email address is still good bro.  Hit me up.
0
 
LVL 47

Expert Comment

by:dstewartjr

LOL
0
 

Author Comment

by:beyondt
- I added the WSUS Administrators user to the Security Filtering.  I think that SBS created this by default.

*Again, just create a group of workstations and servers and put them into the apply to the following groups section of the GPO.*
 - I am not exactly clear on what you mean by this...

- Dstewart (contrary to the advice...I listened to you :)) - Are you talking about the Default Automatic Approval Rule in the WSUS Options?  I was under the impression that the GP overrode that and it was not necessary to enable.

This WSUS is very valuable, but difficult to get a full understanding of the configurations.

BTW, my thinking is to apply the server updates to my tech lab server for at least a week before rolling them out to the production servers.

Thanks!
0
 
LVL 20

Expert Comment

by:MightySW
You need to apply this GPO to computers and not users.  You have the default setting of authenticated users and now WSUS Administrators that the SETTINGS of the GPO will apply to.  You can make groups of computers just as you would groups of users and then set the group of computers that you just defined into the security filter.  You then apply the GPO to THAT OU where THAT group of computers is actually in.  You just link it.  If you have users being applied to the sec group then it's not going to work on computers.  Specifically the computers that are in the OU that you just linked that GPO to.  This is how you filter groups of computers on a GPO.  

Create a group of computers
Move that group object and the computers into an OU
Create the GPO for (say workstation_WSUS_GPO)
Drop the group of computers that you just created into that security filter of THAT workstation_WSUS_GPO
Link the GPO to that OU that the computers are in.  

Again, if you were applying a user policy then you would apply it to user objects and not computer objects (unless you were using merge mode or something).  Then Authenticated users would work just fine in that instance.  You can leave Auth users in the sec filter, but it isn't going to make any difference when the WSUS settings are computer specific.

Hope this clears things up a bit.  Keep posting so we can keep helping you out.

Thanks
0
 
LVL 47

Expert Comment

by:dstewartjr
Authenticated users includes computers and is all you need.
0
 
LVL 47

Expert Comment

by:dstewartjr
You said "...various computers needed between 14 - 18 updates according to the WSUS reports"
 
Run the report from within the WSUS console and then you can double-click on any of the updates to further investigate (verify if they have been approved or not).
0
 

Assisted Solution

by:cgoheen
cgoheen earned 50 total points
You need to log in to WSUS and click on options in the Right Pane.  This will bring up your options and from there you will need to select Automatic Approvals.  To set up Automatic approvals for all desktops, you would select "When an update is in a specific classification" and then in the second window you will change "approve the update for ****" and select the group your desktops are in.  Lastly specify a name.
autoup.JPG
0
 

Author Comment

by:beyondt
Okay, I think things are moving forward.  I very much appreciate everyone's input and patience.  Here are my comments and questions:
1. When I approve updates in WSUS, they do, in fact, get downloaded and installed to the client computers.  This happens with just Authenticated Users in the Security Filter.  So, is DStewart correct about not needing the computer group added to the Security Filter?

2. I added the WSUS Rule to approve Critical, Security and Patch updates for the WSUS Clients computer group.  My assumption is that this only works when WSUS checks for updates.  In other words, the updates that are currently Unapproved, still need to be manually approved.  Am I correct?

3. I have set the WSUS Clients GPO setting, "Re-prompt for start with scheduled installations" to Disabled.  It seems that one user keeps getting the "Restart now...or later" message every 10 minutes (not sure about the exact interval).  Is this a setting that I need to modify on the local machine?  Where would I do this?

Thanks
0
 
LVL 47

Accepted Solution

by:
dstewartjr earned 200 total points
1 yes<<< that is all I ever use
2 yes<<<Wsus only downloads updates that are approved
3 there's a great explanation of all settings here


http://web.archive.org/web/20070815191337/www.vbshf.com/vbshf/wsus/wsus_faq.htm
0
 
LVL 47

Expert Comment

by:dstewartjr
enable the setting


“No auto-restart with logged on users for scheduled automatic updates installations”
0
 

Author Comment

by:beyondt
Thanks for the response.
I have set the No auto-restart... and that works fine.  The other setting is the Re-prompt for restart...
I currently had the re-prompt setting as not configured, but it appears that when not configured, it defaults to re-prompt for restart every 10 minutes (ahh... the Microsoft logic).  So to correct it, I enabled the setting and set it to re-prompt every 1440 minutes (once/day).  I ran the gpupdate /force and will see if the client computer has stopped getting the messages.
0
 
LVL 47

Expert Comment

by:dstewartjr
Yeah, the link above has good explanations/notes on all the settings
0
 

Author Comment

by:beyondt
That link is very clear...Thanks.
Now, one last issue.  I went to several of the client machines and their local Windows Updates are configured inconsistently.  Here are four client configurations I found:
- One has everything grayed out in the Update window, with none of the radio buttons selected.
- One has everything grayed out in the Update window, with Automatic Updates radio buttons selected.  I would think that this is the way they all should be.
- One has everything enabled (not grayed out) in the Update window, with Automatic Updates radio buttons selected.
- One has everything enabled (not grayed out) in the Update window, with none of the radio buttons selected.  This one has the icon in the taskbar prompting the user to configure how updates will be applied.

The Windows Update logs on all of the computers are identifying the server as the WSUS server (the SBS 2003 server).  So my confusion continues...What have I configured or not configured correctly?

Again, I appreciate the help..
0
 
LVL 47

Expert Comment

by:dstewartjr
try running gpupdate /force /boot on them all and compare again
0
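
An added example, not part of the thread: a PowerShell check that reads the Windows Update policy values Group Policy writes to a client's registry, so machines that show different Automatic Updates dialogs can be compared after `gpupdate`. The baseline values are assumptions drawn from the settings discussed above (WSUS server set, scheduled install, no auto-restart with logged-on users, re-prompt every 1440 minutes); the function names are hypothetical.

```powershell
# Added example (not from the thread): audit the Windows Update policy values
# that the WSUS client GPO writes to the local registry.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Baseline is an assumption taken from the settings discussed in the thread;
# Want = $null means "must be present, any value" (e.g. the WSUS server URL).
$baseline = @(
    @{ Path = $wu; Name = 'WUServer';                      Want = $null },
    @{ Path = $wu; Name = 'WUStatusServer';                Want = $null },
    @{ Path = $au; Name = 'UseWUServer';                   Want = 1 },
    @{ Path = $au; Name = 'NoAutoUpdate';                  Want = 0 },
    @{ Path = $au; Name = 'AUOptions';                     Want = 4 },    # 4 = auto download, scheduled install
    @{ Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Want = 1 },
    @{ Path = $au; Name = 'RebootRelaunchTimeoutEnabled';  Want = 1 },
    @{ Path = $au; Name = 'RebootRelaunchTimeout';         Want = 1440 }  # minutes between restart prompts
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (setting "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-WsusClientPolicy {
    foreach ($b in $baseline) {
        $actual = Get-PolicyValue $b.Path $b.Name
        if ($null -eq $actual) {
            $status = 'MISSING'      # policy never reached this machine
        } elseif ($null -ne $b.Want -and $actual -ne $b.Want) {
            $status = 'MISMATCH'     # applied, but not the intended value
        } else {
            $status = 'OK'
        }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME; Setting = $b.Name
            Value = $actual; Expected = $b.Want; Status = $status
        } | Select-Object Computer, Setting, Value, Expected, Status
    }
}

Test-WsusClientPolicy | Format-Table -AutoSize
```

A client whose rows are mostly `MISSING` has not applied the WSUS Clients GPO at all, while `MISSING` on only the two `RebootRelaunch*` rows corresponds to the "Not Configured" re-prompt setting described earlier in the thread.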
 

Author Closing Comment

by:beyondt
The gpupdate /force /boot worked great.  All of the clients were set for Auto updates and the update configuration was disabled for the users.
I tested this by approving updates and running detectnow on a couple of clients and then letting other clients receive and install updates per the GP settings.  All seemed to work as expected.
I will monitor Tuesday and Wednesday for new MS updates and see if they get installed.

Thanks for the help and the learning experience.
0