WSUS - which updates to approve, so many?!

I've just installed WSUS and am pretty new to it.  While I've downloaded only the updates appropriate for my environment, there are still so many updates!  How do I know which ones to install?  Also, is there a good site for finding out which updates cause problems?
Thanks.
kialn Asked:
 
rawinnlnx9 Commented:
Look into your options and check the option that "Delete all updates that have been replaced by future updates". That should clean up your repo a lot. If you go into WSUS Options you can begin to figure out how to manage it.

Grab this: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=113D4D0C-5649-4343-8244-E09E102F9706

And start to read through it. Very helpful.
 
Donald Stewart, Network Administrator, Commented:
These should help:

Approving Updates
http://technet.microsoft.com/en-us/library/cc708458(WS.10).aspx

Best Practices with Windows Server Update Services 3.0
http://technet.microsoft.com/en-us/library/cc720525(WS.10).aspx

Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy
http://technet.microsoft.com/en-us/library/cc512630.aspx

Explanation of each setting
http://community.spiceworks.com/how_to/show/1390
 
kialn (Author) Commented:
Thanks - I did the server cleanup wizard which helped, but oddly there were still some updates from 2006.  Any ideas?

 
Donald Stewart, Network Administrator, Commented:
You can run a report on "Needed" updates; these are the ones that you should further worry about approving.
 
QuiteBored Commented:
You've cleaned out old updates that have been replaced; these may be updates from 2006 that are still required by client PCs or haven't been replaced. What service pack are the clients running?

Have any clients reported back to the server? This should help you to manage the required or obsolete updates, as they will report what they need from what you've got.

There are no good sites to find out what MS updates cause an issue; the general rule of thumb is to use a "test" PC to deploy updates for testing prior to rolling out across the production environment.
 
Donald Stewart, Network Administrator, Commented:
More on running reports here:

http://technet.microsoft.com/en-us/library/cc720459%28WS.10%29.aspx


You can also, from the home page in your WSUS console (click on your server name), view the "Computers needing updates" count. If you double-click on this, a report will open up.
 
kialn (Author) Commented:
SP3 for XP. I'm using GPOs to manage receiving updates from WSUS. All clients have not yet checked in. I do have the WSUS manual but it's really not as detailed as I would like. I ran a report on needed updates; some clients report "33 (or whatever #) have not been installed."
Does that mean the updates have been approved but not yet installed?  Or does it mean they are 'short' those updates and I need to approve them?  Or should this clear up once client has checked in?  I think I've approved everything....
 
Donald Stewart, Network Administrator, Commented:
You can view a list of the "needed" updates and then, in the far right tab, view the approval status (whether they are approved or not).


Are any of your clients cloned?

http://blogs.technet.com/b/sus/archive/2009/05/05/resolving-the-duplicate-susclientid-issue-or-why-don-t-all-my-clients-show-up-in-the-wsus-console.aspx
 
Donald Stewart, Network Administrator, Commented:
Here's more on the definition of "Needed" within WSUS:
http://technet.microsoft.com/en-us/library/cc720463%28WS.10%29.aspx

This is the positive result of a Detect only approval. When referring to the status of one computer, Needed means the update is compliant with (and should be installed on) the computer. When referring to status for a computer group, the Needed column displays the number of computers in the group with which the update is compliant. Additionally, a positive Needed result means, technically, that as of the last time client computers made contact with the WSUS server, the update was determined to be compliant, but has not been installed. Therefore, it is possible that any of the following could be true when the status for an update is Needed:

You have approved the update for installation but the client computers have not yet contacted the WSUS server since you made this change.

You have not yet approved the update for installation, although the Detect only action has been performed.

The update has already been downloaded and installed, but the client computer has not contacted the WSUS server since the update was installed.

The update has already been downloaded and installed but the update requires that the client computer be restarted before changes go into effect, and the client computer has not yet been restarted.

The update has been downloaded to the computer but not installed.

The update has been neither downloaded nor installed on the computer.
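
The two cases that the "Needed" definition above leaves ambiguous (approved but still pending on the client, versus not yet approved) can be listed side by side from the WSUS server's administration API. This is an added example, not part of the original thread; it assumes it is run on the WSUS server with the WSUS 3.0 console installed, and it treats the NotInstalled, Downloaded and InstalledPendingReboot installation states as "Needed".

```powershell
# Added example (not from the thread). Run in an elevated session on the WSUS server.
# Assumption: the WSUS 3.0 administration assembly is present (installed with the console).
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Only updates that at least one client reports in a "Needed" state.
# Assumption: Needed = NotInstalled, Downloaded or InstalledPendingReboot.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.IncludedInstallationStates = 'NotInstalled, Downloaded, InstalledPendingReboot'
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope  # all clients

$rows = foreach ($s in $wsus.GetSummariesPerUpdate($updateScope, $computerScope)) {
    $id = New-Object Microsoft.UpdateServices.Administration.UpdateRevisionId($s.UpdateId)
    $u  = $wsus.GetUpdate($id)
    if ($u.IsDeclined) { continue }          # skip updates an administrator has declined

    # Separate the two cases: approved but pending on the client vs. still unapproved
    $state = if ($u.IsApproved) { 'Approved, waiting on client' } else { 'Not approved yet' }

    New-Object PSObject -Property @{
        State         = $state
        Released      = $u.CreationDate.ToString('yyyy-MM-dd')
        Superseded    = $u.IsSuperseded
        NotInstalled  = $s.NotInstalledCount
        Downloaded    = $s.DownloadedCount
        PendingReboot = $s.InstalledPendingRebootCount
        Failed        = $s.FailedCount
        Title         = $u.Title
    }
}

# Oldest releases first within each state, so long-outstanding updates stand out
$rows | Sort-Object State, Released |
    Select-Object State, Released, Superseded, NotInstalled, Downloaded, PendingReboot, Failed, Title |
    Format-Table -AutoSize
```
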
 
kialn (Author) Commented:
Thank you both - all information was extremely helpful.