Solved

WSUS - which updates to approve, so many?!

Posted on 2011-03-01
Last Modified: 2012-05-11
I've just installed WSUS and am pretty new to it.  While I've downloaded only the updates appropriate for my environment, there are still so many updates!  How do I know which ones to install?  Also, is there a good site for finding out which updates cause problems?
Thanks.
0
Question by:kialn
10 Comments
 
LVL 9

Accepted Solution

by:
rawinnlnx9 earned 260 total points
ID: 35012590
Look into your options and check the option that "Delete all updates that have been replaced by future updates". That should clean up your repo a lot. If you go into WSUS Options you can begin to figure out how to manage it.

Grab this: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=113D4D0C-5649-4343-8244-E09E102F9706

And start to read through it. Very helpful.
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 240 total points
ID: 35012706
These should help:


Approving Updates


http://technet.microsoft.com/en-us/library/cc708458(WS.10).aspx


Best Practices with Windows Server Update Services 3.0

http://technet.microsoft.com/en-us/library/cc720525(WS.10).aspx


Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy

http://technet.microsoft.com/en-us/library/cc512630.aspx


Explanation of each setting

http://community.spiceworks.com/how_to/show/1390
0
 

Author Comment

by:kialn
ID: 35012985
Thanks - I did the server cleanup wizard which helped, but oddly there were still some updates from 2006.  Any ideas?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35013048
You can run a report on "Needed" updates; these are the ones that you should further worry about approving.
0
 

Expert Comment

by:QuiteBored
ID: 35013054
You've cleaned out old updates that have been replaced; these may be updates from 2006 that are still required by client PCs or haven't been replaced. What service pack are the clients running?

Have any clients reported back to the server? This should help you to manage the required or obsolete updates as they will report what they need from what you've got.

There are no good sites to find out what MS updates cause an issue; the general rule of thumb is to use a "test" PC to deploy updates for testing prior to rolling out across the production environment.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35013112
More on running reports here:

http://technet.microsoft.com/en-us/library/cc720459%28WS.10%29.aspx


You can also, from the home page in your WSUS console (click on your server name), view the "Computers needing updates" count. If you double-click on this, a report will open up.
0
 

Author Comment

by:kialn
ID: 35013253
SP3 for XP.  I'm using GPOs to manage receiving updates from WSUS.  All clients have not yet checked in. I do have the WSUS manual but it's really not as detailed as I would like.  I ran a report on needed updates, some clients report "33 (or whatever #) have not been installed."
Does that mean the updates have been approved but not yet installed?  Or does it mean they are 'short' those updates and I need to approve them?  Or should this clear up once client has checked in?  I think I've approved everything....
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35013285
You can view a list of the "needed" updates and then, in the far right tab, view the approval status (whether they are approved or not).


Are any of your clients cloned?

http://blogs.technet.com/b/sus/archive/2009/05/05/resolving-the-duplicate-susclientid-issue-or-why-don-t-all-my-clients-show-up-in-the-wsus-console.aspx
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35013333
Here's more on the definition of "Needed" within WSUS:
http://technet.microsoft.com/en-us/library/cc720463%28WS.10%29.aspx

This is the positive result of a Detect only approval. When referring to the status of one computer, Needed means the update is compliant with (and should be installed on) the computer. When referring to status for a computer group, the Needed column displays the number of computers in the group with which the update is compliant. Additionally, a positive Needed result means, technically, that as of the last time client computers made contact with the WSUS server, the update was determined to be compliant, but has not been installed. Therefore, it is possible that any of the following could be true when the status for an update is Needed:

You have approved the update for installation but the client computers have not yet contacted the WSUS server since you made this change.

You have not yet approved the update for installation, although the Detect only action has been performed.

The update has already been downloaded and installed, but the client computer has not contacted the WSUS server since the update was installed.

The update has already been downloaded and installed but the update requires that the client computer be restarted before changes go into effect, and the client computer has not yet been restarted.

The update has been downloaded to the computer but not installed.

The update has been neither downloaded nor installed on the computer.
0
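
One way to pull the list of approval candidates straight from the server, combining the "Needed" status and the approval state discussed above. This is an added example, not part of the original thread: it uses the WSUS administration API (`Microsoft.UpdateServices.Administration`) and assumes it runs in an elevated PowerShell session on the WSUS server itself. The `Needed` calculation and the output column names are this example's own choices.

```powershell
# Added example: list unapproved updates that at least one client still needs.
# Assumes the WSUS administration console (and its API assembly) is installed locally.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Restrict the query to updates that have no approval at all.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates = 'NotApproved'

# A default ComputerTargetScope covers all computers known to the server.
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

$candidates = foreach ($update in $wsus.GetUpdates($updateScope)) {
    # Declined or superseded updates are skipped: a newer update replaces them
    # or an administrator has already rejected them.
    if ($update.IsDeclined -or $update.IsSuperseded) { continue }

    # Per-update install-state counts across the computers in scope.
    $summary = $update.GetSummary($computerScope)

    # Assumption of this example: "Needed" = applicable but not yet fully
    # installed (not installed, downloaded only, or waiting for a reboot).
    $needed = $summary.NotInstalledCount + $summary.DownloadedCount +
              $summary.InstalledPendingRebootCount
    if (($needed + $summary.FailedCount) -eq 0) { continue }

    New-Object PSObject -Property @{
        Title          = $update.Title
        Classification = $update.UpdateClassificationTitle
        MsrcSeverity   = $update.MsrcSeverity
        Released       = $update.CreationDate
        Needed         = $needed
        Failed         = $summary.FailedCount
    }
}

# Most widely needed updates first; review these for approval.
$candidates |
    Sort-Object Needed -Descending |
    Select-Object Needed, Failed, MsrcSeverity, Classification, Released, Title |
    Format-Table -AutoSize
```

The counts reflect only what clients reported at their last contact with the server, so computers that have not yet checked in contribute nothing to `Needed`.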
 

Author Closing Comment

by:kialn
ID: 35032673
Thank you both - all information was extremely helpful.
0
