Is WSUS Setup Correctly?

I want to have a WSUS Server for a network to save on bandwidth.  I don't want to enforce update settings - all the users are computer savvy and can install updates themselves.

I have it up and going, but I don't think it's working correctly:
When I check for updates from a PC, it says that updates are managed by the system administrator and Windows is up to date.  But if I check online for updates from Microsoft Update, there are 82 important updates available for Windows and Office etc.

Here is my setup:
New Server 2008 R2 with only WSUS 3.0 SP2 installed - Full Server install.  I am using the Windows internal database and existing IIS default website (Server has no other roles).

I went through the WSUS Server Configuration Wizard and set Products & Classifications, Sync schedule and turned on Automatic Approvals for All Computers (Critical Updates, Definition Updates, Security Updates, Service Packs and Update Rollups).

Synchronizations have been succeeding.  Group Policy is set on the Default Domain policy - set to http://wsus-servername, allow local admin to choose setting, allow immediate installation, turn on recommended updates, no auto-restart.

Any ideas?

Can you show registry settings on PC:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

Author

Commented:
(Default) (value not set)
WUServer http://wsus-servername
WUStatusServer http://wsus-servername
And here:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]

Author

Commented:
Here ya go:
DonNetwork Administrator

Commented:
"I want to have a WSUS Server for a network to save on bandwidth.  I don't want to enforce update settings - all the users are computer savvy and can install updates themselves."


For the Bandwidth << Did you select "Store updates locally on this server"  ???

"... all the users are computer savvy and can install updates themselves." <<< I highly suggest against this, relying on the users to install updates themselves will never work. Given the opportunity to either postpone an update/restart the users will do so.


You've turned on automatic approvals, but have you verified that "these 82" updates have been approved?

Author

Commented:
Yes, updates are stored locally on the Server.

I haven't checked the KB #s to see if they are approved by WSUS, but shouldn't they be auto-approved since a lot of them are "Security Updates" for Office and Windows 7?

Office and Windows 7 are both checked on the Products list.  Critical Updates, Definition Updates, Security Updates, Service Packs and Update Rollups are checked on the Classifications list.

Automatic Approvals for All Computers is checked under the Default Automatic Approval Rule for these Products and Classifications.
DonNetwork Administrator

Commented:
Are your users in local Administrators group?

Author

Commented:
Yes, users are Local Admins.
DonNetwork Administrator

Commented:
There is no need to have users in the Admin group if the setting "Allow Non-administrators to Receive Update Notifications." is ENABLED
Can you open WSUS console and show status for any computer?
DonNetwork Administrator

Commented:
Are the computers showing up in the WSUS console??

Are there any errors in the windowsupdate.log?

Are there pending reboots ??<< if there is a pending reboot, successive updates won't be ready until a restart has taken place.

Author

Commented:
Yes, PCs are showing up in the WSUS console.  The PC I mentioned above shows Installed/Not Applicable % of 98%.  It shows updates needed: 94

Are the updates just not getting automatically approved?
DonNetwork Administrator

Commented:
What is the download status(in your WSUS console)?? are all updates downloaded yet??

What is the date/time that this PC last checked in??

run this short .bat on it and check again after 5 or more minutes

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f



wuauclt /resetauthorization /detectnow
wuauclt /reportnow
If you open the computer in the WSUS console, what status do the updates have?
Here is the full batch for resetting WSUS client settings:

REM Stop the Automatic Updates service
net stop wuauserv

REM Stop the Windows Management Instrumentation service
net stop winmgmt

REM Back up ReportingEvents.log, delete the files in
REM %systemroot%\SoftwareDistribution, then restore the log.
REM (The copy must run, otherwise the move below has nothing to restore.)
copy %systemroot%\softwaredistribution\reportingevents.log %homedrive%\
del /f /q %systemroot%\softwaredistribution\*.*
move %homedrive%\reportingevents.log %systemroot%\softwaredistribution

REM Delete SusClientID and AccountDomainSid keys from
REM HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
SET WU_KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
REM /f suppresses the confirmation prompt so the batch does not stall
reg delete %WU_KEY% /v SusClientID /f
reg delete %WU_KEY% /v AccountDomainSid /f
SET WU_KEY=

REM Start the Automatic Updates service
net start wuauserv

REM Start the Windows Management Instrumentation service
net start winmgmt

REM Force a group policy update
REM gpupdate /force

REM Roll the WU Client...
wuauclt /resetauthorization /detectnow

DonNetwork Administrator

Commented:
That .bat is for a duplicate Sid issue, this is not a duplicate sid issue!
DonNetwork Administrator

Commented:
dstewartjr: the .bat is for almost all client problems with WSUS, not only for duplicate SID
DonNetwork Administrator

Commented:
@als315

don't repeat what I have already said here http:#a37246203

"If you open computer in WSUS console, what  status have updates?"



Your .bat only fixes 2 issues

1. duplicate sid <<deleting the registry entries
2. corrupt download<<deleting the softwaredistribution folder

neither of which is the issue here.


Author

Commented:
What is the download status(in your WSUS console)?? are all updates downloaded yet??

What is the date/time that this PC last checked in??

run this short .bat on it and check again after 5 or more minutes

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
wuauclt /resetauthorization /detectnow
wuauclt /reportnow

The PC I was referring to above last checked in today @ 8:35am.  After I ran the script, it checked in @ 4:02pm (current time here).

Synchronizations have been succeeding - downloaded 4.660 new updates on 11/24/11.  Downloaded 6 new updates this morning.


DonNetwork Administrator

Commented:
Please post the windowsupdate.log from this pc

Author

Commented:
Here you go...
WindowsUpdate.log
Network Administrator
Commented:
Most likely these updates are not yet approved, within WSUS you can filter for "Needed" updates and then check their approval status.

Author

Commented:
Any way to get the Automatic Approval Rule to force the updates to be approved?
DonNetwork Administrator

Commented:
The rule is for newly synced updates, you can easily highlight all these updates(after you filter to just "Needed" updates) and right click and select approve.


In the WSUS console click on "All Updates" on the left, then on right select approval of "Any Except Declined" and status of "Needed"

Then you can highlight them all and approve them
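
The same filter-and-approve steps can be scripted on the WSUS server; this is an added PowerShell example, not part of the original answer. It uses the WSUS administration API, assumes the default "All Computers" group, treats "Needed" as NotInstalled or Downloaded, and `$Approve` is a hypothetical switch that defaults to listing only.

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
# The WSUS administration console must be installed (it ships this assembly).
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$Approve   = $false            # hypothetical switch: $true approves, $false only lists
$GroupName = 'All Computers'   # assumption: the default target group is used

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Updates that at least one computer needs and that have no approval yet.
# The automatic approval rule only covers newly synchronized updates, so
# anything synchronized before the rule existed shows up here.
$approved = [Microsoft.UpdateServices.Administration.ApprovedStates]
$states   = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]
$scope    = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates             = $approved::NotApproved
$scope.IncludedInstallationStates = $states::NotInstalled -bor $states::Downloaded

$needed = @($wsus.GetUpdates($scope))
"{0} needed update(s) are not approved" -f $needed.Count

# Review list: classification, KB number(s) and title.
$needed | Sort-Object UpdateClassificationTitle, Title |
    Format-Table UpdateClassificationTitle,
        @{ Name = 'KB'; Expression = { $_.KnowledgebaseArticles -join ',' } },
        Title -AutoSize

if ($Approve) {
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) { throw "Target group '$GroupName' not found" }
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

    foreach ($update in $needed) {
        # Approval fails for updates with an unaccepted licence agreement;
        # report those for manual review instead of accepting silently.
        if ($update.RequiresLicenseAgreementAcceptance) {
            "SKIPPED (licence agreement): $($update.Title)"
            continue
        }
        [void]$update.Approve($install, $group)
        "APPROVED: $($update.Title)"
    }
}
```

Run it once with `$Approve = $false` to review the list, then set it to `$true`; clients pick up the new approvals at their next detection cycle.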

Author

Commented:
Thanks!