SBS 2008 AND WINDOWS 7 UPDATE STATUS UNKNOWN

Howdy,
I have a SBS 2008 server (DC), with 30 clients. 28 of the clients are Win XP Pro. The remaining 2 (new workstations) are Windows 7 Pro. In the SBS console, Network, computers, all is well (green) with the exception of the two Win 7 machines. They show in the "Update Status" column as "Unknown."

I have only one custom Group Policy (all the rest are SBS default) that simply sets screen saver, control panel access, logon/logoff, main menu feature, etc. Nothing fancy. I joined ALL workstations into domain using "connect." When the workstations were initially joined, all had current updates already applied.

Is there something in GP that I'm missing for the Win 7 OS to get SBS to be able to query the update status? Maybe a firewall setting on the client side?

Thanks in advance...
waverobber Asked:

fordymahn Commented:
Hi,

Did you configure WSUS on GP?

Here are the instructions:

WSUS Prerequisites
1. Server 2008 or Server 2003 SP1
2. BITS (Background Intelligent Transfer Service)
3. IIS (Internet Information Services)
4. MSDE database or SQL 2005 Database
5. .NET Framework 2.0 or higher

Install WSUS on Windows Server 2008
1. Open Server Manager > Add Roles
2. Install “Windows Server Update Services” Role

Configure on Windows Server 2008
3. On “Select Update Source” screen, check “Store updates locally” (ensure you have enough space to store large amounts of updates)
4. Use existing SQL 2005 Server or choose Windows Internal Database
5. Use the existing IIS site, click Next
6. Click Finish

Now you can further configure WSUS by using WSUS MMC. WSUS MMC can be accessed from Administrative Tools or Server Manager.

Configure Automatic Update client via Group Policy
Use Group Policy to configure Automatic Update client to download from WSUS server.

1. Create a new Domain Policy on Computers OU
2. Expand to Computer Configuration > Administrative Templates > Windows Components > Windows Update
3. Click on “Configure Automatic Updates setting”, here configure Automatic Updates as you desire. Click OK
4. Click on “Specify intranet Microsoft update service location”, choose “Enabled”, Configure intranet server in this format: http://WSUSSERVER
5. Once this Group Policy is propagated to the clients, clients will start to download from the WSUS server
Don (Network Administrator) Commented:
Are there any errors in the windowsupdate.log?
waverobber (Author) Commented:
Hey Fordy,
Thanks for your input. Everything stated above has been completed. The ONLY item I have changed in the "Update Services Common Policy" is the update interval (22). Everything else is default. I ran the WSUS wizard and all is good. Still no Win 7 clients appear. There is really no need to create a custom policy in my case. Defaults are OK.

I did observe however, that when looking at the "Update Services Client Computer Policy," all workstations appear there with the exception of the Win 7's. I tried adding them manually (then ran GPUPDATE /Force), but they WILL NOT stay in that group.

This is probably why, when I look at the console-security-updates-change security update settings-included computers, all are there except Win 7. I am also unable to ADD them from the "excluded" window, because they are not there!

I am suspecting something within the Win 7 firewall?

waverobber (Author) Commented:
No errors in windows update log
waverobber (Author) Commented:
Fixed It! Here's what the problems were and how they were fixed...

Problem 1) When I checked the WSUS Console, I saw that all clients were in a "warning" state. When checked for specifics, it said that the client has not communicated with the server in (anywhere from 15 - 20) days.

Suspecting client and/or server firewalls, that night I disabled the Server's firewall (control panel, firewall). Next morning, the communication problem between client (the ones that were on) and the server was resolved. At least for now, my problem was isolated to the Server firewall. But, why?

I began by re-enabling the firewall and enabling ALL exceptions. Next check on the WSUS console indicated communication was again down! Bummer, but this pushed me toward the "ports" arena. After verifying that clients were attempting to access port 8530 (via GPO), I made a new exception on the server firewall to allow that specific port. Also, I returned all other exceptions to their previous (default) state.

It was a beautiful thing to see that client/server WSUS comm was restored. Question is, why wouldn't that particular port be made available during the SBS install? I have since deleted the 8530 port on the firewall (less is better) and made the clients look to port 80 (GPO WSUS Common Settings) for their updates. Works fine with firewall defaults.

Problem 2) Now that client to server comm was restored, I was anxiously waiting for the Microsoft updates to come flooding into the server and the clients to begin updating themselves! Didn't happen.

This forced me to look into the LAN perimeter firewall (Sonicwall TZ 100). After some research on that specific device, I found there had been issues with the Gateway Antivirus and WSUS. I began experimenting by disabling the gateway AV. Next morning I found that the server had indeed downloaded the updates.

Per Sonicwall and various online groups, I then checked to ensure the "Allow HTTP Byte Range Requests..." was enabled. It was by default. Following additional research into this matter (at Sonicwall), I added the server's IP address to both the From/To areas of the firewall's gateway antivirus exceptions field. This resolved the remaining problem.

All clients and server are receiving and downloading their respective updates (via GPO schedule) and all is well once again! Hope this helps anyone with similar problems!! Cheers
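
A client-side check for the two conditions this thread turns on: whether the WSUS Group Policy described in the earlier instructions reached the workstation, and whether the port it names (8530 or 80 in the fix above) accepts connections through the server firewall. This is an added example, not part of any poster's reply; the function names are hypothetical, and the registry values read are the standard Windows Update policy values.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Uses only PowerShell 2.0 features so it runs on a stock Windows 7 client.

function Get-WsusClientPolicy {
    # Values written by the "Specify intranet Microsoft update service location" policy
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer   # 1 = use the intranet server
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-WsusClientPath {
    $policy = Get-WsusClientPolicy
    if (-not $policy.WUServer) {
        return 'No WUServer value: the WSUS Group Policy has not applied to this computer.'
    }
    if ($policy.UseWUServer -ne 1) {
        return "WUServer is $($policy.WUServer) but UseWUServer is not 1, so the client ignores it."
    }
    # System.Uri fills in port 80 when the URL names none, e.g. http://WSUSSERVER
    $uri = [System.Uri]$policy.WUServer
    if (Test-TcpPort -HostName $uri.Host -Port $uri.Port) {
        return "Policy points at $($uri.Host):$($uri.Port) and the port accepts connections."
    }
    return "Policy points at $($uri.Host):$($uri.Port) but the port is blocked or closed; check the server firewall."
}

Test-WsusClientPath
```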
waverobber (Author) Commented:
Same as above!
waverobber (Author) Commented:
You guys "rock!" I've used this board several times for a myriad of issues. Most of the time the answer can be found here!