WSUS continually shows "No Status" for updates that don't apply

smcalabrese
I just recently started using WSUS within the last year and every time I check into it, there are always about fifteen updates that show as "Not Approved."  When I check into them from the Workstation's view, they show up on the report as "Updates with No Status."  Instead, I would expect them to appear as "Updates installed/not applicable" since they are associated with Exchange Server 2007, MS Security Essentials, and MS Endpoint Protection.  Eventually, they do appear as "not applicable" once the workstation has checked in.  Is this normal behavior?  Should I assume that WSUS assumes the products could be installed on the clients until it learns otherwise?  Does it make sense that I'm always seeing updates to these particular products in general because they are updated much more often than Patch Tuesday?  I should note that I do have "All Products" checked in the setup since I want to be sure that if a new product makes its way into the network, it won't be neglected.  How best to make sure that my computers always show a 100% installed rate all the time unless there is a problem?  If I automatically approve them, they'll be downloaded but still show as unknown until the computer checks in.  And if I automatically decline them, they won't be downloaded but again, they will still show as unknown until the computer checks in, and the downside will be that if we start using one of those products, we could inadvertently be declining necessary updates.  Is my best solution to have the clients check in at the minimum setting of 1 hour using the GPO so that most of the time, the reporting is accurate?  Let me know if I'm off in my understanding...
You sound like you have bad reporting in your environment.

Delete the machine from WSUS and run this on the client (as a batch file, from an elevated prompt):

REM Stop the Windows Update agent so its identity values can be removed
net stop wuauserv

REM Remove the client's WSUS identity so the agent registers as a fresh client
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f

REM Restart the agent (it generates a new SusClientId), then force re-registration and a detection cycle
net start wuauserv
wuauclt /resetauthorization /detectnow

pause

See if this helps resolve your issue.
DonNetwork Administrator

Commented:
Resetting the SID isn't gonna be of any help here.

"Eventually, they do appear as "not applicable" once the workstation has checked in."

This is all normal as WSUS does no "Pushing" of any sort. Clients check in with the WSUS server for updates that they need (and are approved). Since the default check-in is 22 hours, this is why you see them as "No status".


"Is my best solution to have the clients check in at the minimum setting of 1hour using the GPO so that most of the time, the reporting is accurate? "


I recommend against it. You would just be putting too much unnecessary strain on the WSUS server. I wouldn't be too concerned with "No status".


Have you read these?


Best Practices with Windows Server Update Services 3.0
http://technet.microsoft.com/en-us/library/cc720525%28v=ws.10%29.aspx

Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy
http://technet.microsoft.com/en-us/library/cc512630.aspx
Distinguished Expert 2017

Commented:
Not approved means they did not match the auto-approve rules, unless you have none, and you need to either change their status to install for all or a group, or decline them.

I use the workstations rather than look at update status.  Each system will reflect the updates it detects as available to it. You can then choose to install or not depending on your needs. I.e., custom applications have to be closely monitored/tested before installing all updates that are made available.

Author

Commented:
I'm still confused why these particular updates appear at all (Exchange Server 2007, MS Security Essentials, and MS Endpoint Protection, none of which are running/installed on the network).  It always seems to be "Definition updates" for these specific products and they show as "No Status" on every machine in the domain, until each machine checks in...
Distinguished Expert 2017

Commented:
Under the WSUS options, Products, you can decide which products and categories you want to retrieve.
It sounds as though you are using all products and this is why you have those updates.

You should not be looking at updates and to which systems they apply, but look at the systems and see which updates they indicate they need. Then you need to decide whether to deploy these updates.  If you have a test group of a sample of your systems, first approve the update to the test/sample group.  This way, if there is an adverse impact of an update on the functionality or performance of the test systems, you would uninstall it from the test systems and not deploy it to the rest.

Author

Commented:
I think I want the "All Products" selected so that if something makes its way into the environment without my knowledge, it will be updated if necessary, correct?  What's throwing me through a loop is: should WSUS be thinking that this additional software or products are installed until it finds out that they aren't?  In my case, when WSUS sees that updates are available from Windows Update, it puts them right into the "No Status" category, when I think it should know what was installed on the particular machines as of last check-in, no?
Distinguished Expert 2017

Commented:
That is not how it works.
You select which products are in the environment. If you choose all, WSUS on a regular interval will check in with MS and download information for all available updates for the products and categories that are configured. Information does not mean it actually will download the update files; i.e. patch xxxxxxx applies to a specific OS or a specific product, with some minimal information describing what the update is supposed to add or fix.
Depending on your auto approval rules, which can auto approve recommended and security updates for some or all, WSUS will at that point download the update packages from MS for all approved (install) updates.

The reporting on wsus has updates, which reports on all updates and whether they have been approved, then there are needed updates and whether there are some of those that have not been approved.

If you are basing your approach on an event where a system will make its way onto your network, you can ignore the unapproved updates stats and rely on systems and the updates needed by them.

If you do not have an Itanium based system, you could periodically search your updates for Itanium and decline those updates.

Author

Commented:
I got that.  Maybe I need an example to better illustrate my question:  Why do these show as unknown status when the computer checked in yesterday and had none of the pertinent software installed?  I'm not worried about space, just proper reporting.

And, to your point, if I decline IA-64 updates and one machine makes its way in, it won't be updated unless I remember to go back and approve those already declined updates, which doesn't seem safe...
[attached images: 1.jpg, 2.jpg]
Distinguished Expert 2017

Commented:
Unknown status means the system has no info on the update.
I.e. there is an XP update that was not installed, but a newer superseding update later came out and was installed. The old XP update will be seen as not applicable.
The unknown means the workstation has no information on the status of the update in question, even though it might be, as with the Defender updates in the example, not OS restricted and made available to all systems.
The limiter is the underlying requirement for the Defender app to be installed.

Author

Commented:
Defender isn't installed anywhere in the network, so I would think these shouldn't be 'unknown' status; they should be 'not applicable' until WSUS sees Defender installed somewhere and then considers them as "Needed."

And what about this from above: if I decline IA-64 updates and one machine makes its way in, it won't be updated unless I remember to go back and approve those already declined updates, which doesn't seem safe...
Distinguished Expert 2017

Commented:
The report is not from the WSUS server, but from the workstation.
WSUS pulls data from MS, and update packages when admins approve the update for install.
The workstation checks in and requests all available updates based on the parameters the system provides for OS and other applications. The WSUS responds with what it has and what was approved.  The workstation then begins downloading the update files, schedules the install, and reports back to the WSUS. This is how a report reflects the status of updates as downloaded.  Once the schedule is met and the system installs the update, it will report back, and if a reboot is required, the update status on the system's report will change from downloaded to pending reboot or failed, as the case may be.

Win 7 and Windows 2008 have Defender included. Do you have such systems on your network?

IA servers are usually HP special systems.
Do you have GPOs that set the client targets? How do systems join the WSUS repository?

If you do not want to decline updates for a system that you do not currently have, it is up to you.
I, in your place, would not try to maintain updates for a system that I do not have, since should the system ever join, it may report 150 updates as needed. I would use the MS update report and then approve those only, since they will negate the needed updates that have been superseded, and this way, should a system of the same vintage be added, the updates will be present without the space usage of having 100 update files.
HP is in litigation with Oracle to compel them to keep offering Oracle database versions that will run on IA based systems.

Maintaining currently known unneeded updates for systems you do not have and currently have no plans of acquiring is fine, but you should be prepared for seeing a large number of unapproved updates. Especially for products that are application based and not limited by OS.
DonNetwork Administrator

Commented:
Again...I would not be concerned with "Unknown Status"

Terminology for Update Status
http://technet.microsoft.com/en-us/library/cc708497%28v=ws.10%29.aspx

No status: This usually means that since the time that the update was synchronized to the WSUS server, the computer has not contacted the WSUS server.
Distinguished Expert 2017

Commented:
The no status you referenced in the explanation deals with a computer and not an update.
I.e. a computer made an initial contact, but has not reported back since on its status i.e. which updates it needs, has installed, etc.

http://forums.techarena.in/server-update-service/742708.htm

This may shed light on the issue. In the event you have a system that has the update with no status, this will reflect the update as having no status.

I.e. a system was presented with the update, possibly matching the criteria, but the system has no status for the update. It is not installed, it is not "not applicable", it lacks status.

What is the issue that you are trying to resolve?
DonNetwork Administrator

Commented:
"The no status you referenced in the explanation deals with a computer and not an update."

?????????????????????????


24 updates have unknown status

No Status *ALWAYS* refers to updates, not computers....if it was computers it would then be "Not yet Reported"


[attached image: wsus]
Distinguished Expert 2017

Commented:
Right click on the update and request a status report. On the second of three pages it will list the computers and their reported status for this update. At least one computer will reflect the status of this update with the "no status" moniker. Delete the computers that have no status for the update and the updates with the "no status" moniker will disappear as well.
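A scripted version of the same check, as an added example that is not from this thread: run on the WSUS server itself, it uses the WSUS administration API from PowerShell to list, for each unapproved definition update, the computers whose state for that update is Unknown (what the console shows as "No status") together with when each computer last reported, so the No Status count can be traced to specific machines instead of deleting them blindly. It assumes a local connection to WSUS 3.0 or later on the default port.

```powershell
# Added example, not from the thread. Run on the WSUS server with admin rights.
# Loads the WSUS administration assembly and connects to the local server
# (assumption: default port; pass server/SSL/port to GetUpdateServer otherwise).
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Resolve each computer target once so the per-update loop only does lookups.
$computers = @{}
foreach ($c in $wsus.GetComputerTargets()) { $computers[$c.Id] = $c }

$unknownState = [Microsoft.UpdateServices.Administration.UpdateInstallationState]::Unknown

$report = foreach ($update in $wsus.GetUpdates()) {
    # The thread's problem updates are unapproved definition updates; restrict to those.
    if ($update.IsApproved) { continue }
    if ($update.UpdateClassificationTitle -ne 'Definition Updates') { continue }

    foreach ($info in $update.GetUpdateInstallationInfoPerComputerTarget()) {
        # 'Unknown' is what the console shows as "No status": the client has not
        # evaluated this update since it was synchronized to the server.
        if ($info.UpdateInstallationState -ne $unknownState) { continue }

        $target = $computers[$info.ComputerTargetId]
        [pscustomobject]@{
            Update       = $update.Title
            Computer     = $target.FullDomainName
            LastReported = $target.LastReportedStatusTime   # older than the sync => expected
        }
    }
}

# One row per (update, computer) pair still waiting on a detection cycle.
$report | Sort-Object Computer, Update | Format-Table -AutoSize
```

A computer whose LastReportedStatusTime predates the last synchronization is simply waiting for its next detection cycle; one that has reported since and is still Unknown for the update is the case worth looking at.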
DonNetwork Administrator

Commented:
Much easier to completely ignore "No Status" altogether
Distinguished Expert 2017

Commented:
I believe I indicated that before; I did not realize that I was responding to another expert earlier.
I take the approach of checking what reporting systems need rather than what updates are available on the WSUS in total.  I have security, recommended and previously approved updates set to approved. I.e. if a new revision of a previously approved update is released, it will be auto approved for install. A new security or recommended update will be approved for a test group of computers that represent a type of workstation in the environment.

Any new release, i.e. .NET 4.0, will wait for approval.

Author

Commented:
On the images I added a few posts back, the computer report shows updates that don't apply to the system (Windows XP) in question...and this is just an example.  I understand WSUS, I just want to clean up the reporting and don't understand why all these "definition updates" occur this way.  It doesn't happen with critical updates and etc...

Defender isn't installed anywhere in the network, so I would think these shouldn't be 'unknown' status; they should be 'not applicable' until WSUS sees Defender installed somewhere and then considers them as "Needed."

And back to this: If I decline IA-64 updates and one machine makes its way in, it won't be updated unless I remember to go back and approve those already declined updates, which doesn't seem safe.  It won't re-prompt me once it sees an IA-64 machine is on the network, right?  Simply having a product selected in the configuration just means that it will be included in the DB and checked for updates, taking very little resources and nearly zero disk space, so I see no harm in that...
Distinguished Expert 2017
Commented:
You can rack your brain trying to figure this thing out, or accept it as is and move on.

That is correct in relationship to IA-64.
The benefit would be that you might not be auto approving security and recommended updates for systems that currently do not exist on your network.

If your enterprise does not currently have an IA-64 system, the cost may be what precluded those systems from being included.
DonNetwork Administrator

Commented:
"If I decline IA-64 updates and one machine makes its way in, it won't be updated unless I remember to go back and approve those already declined updates,"


It's not necessary to decline these; it would be better to have them unchecked in "Products and classifications".

Author

Commented:
@arnold - Truer words were probably never spoken...I was just hoping that someone could confirm that this is typical behavior in WSUS for any updates classified as "Definition Updates."  My hunch is that these go right to the "unknown" status because a product like Windows Defender, for example, is only effective when it has access to the latest updates.

I manually approve all updates regularly and would rather have everything under "Products and Classifications" selected.  And I don't decline anything, though sometimes I will hold off approving for a while.  I'd rather know that my systems are 100% covered and nothing will slip through the cracks; besides, it's easy to filter the updates list to display only those applicable updates (unfortunately along with those pesky Definition Updates) to my machines.  The way I see it, no harm in selecting everything and never declining anything...

[attached image: WSUS Computer Detailed Status]
Distinguished Expert 2017

Commented:
Ok, I can confirm that the no status on an update relates directly to whether there are computers with no status for the particular update.

The listing under updates is:

When clicking on Updates in the left pane under the WSUS server, do you get a splash screen listing the various update groups you have and each group's info dealing with:
Updates with errors (meaning a computer had an error installing this update)
Needed by computers
Installed/not applicable (reflects zero if there are no pending updates for install)
And updates with no status.

Under all updates the breakdown is 5,399,0,4027
Security 5,244,0,3003
Critical 0,39,386

There is no unknown status for an update.
DonNetwork Administrator

Commented:
"Not Approved" updates will have a "No Status" if they are needed.

Look at:

How to use Windows Server Update Services (WSUS) to deploy definition updates to computers that are running Windows Defender

http://support.microsoft.com/kb/919772

Author

Commented:
Mine is a lot more succinct (smaller network).  But, yes, and in my case, I will approve/test the "Updates needed by computers 3", ignore the "Updates installed/not applicable XXXXX", and review the "Updates with no status" (though these are typically the "definition updates" I'm speaking about...

I see "X updates have unknown status" when I run the "Status Report" from the Computers view for a particular workstation/machine.  (It shows at the top of the image I attached a few posts ago.)
[attached image: WSUS-Status-Overview.jpg]

Author

Commented:
I'm not worried about approvals/deploying updates; my question is trying to hash out why computers aren't reporting a logical status back to the WSUS server.  And it always seems to relate to "definition updates", whether they be for Defender, MS Security Essentials, or MS Endpoint Protection...
Distinguished Expert 2017

Commented:
DonNetwork Administrator

Commented:
@arnold

Oh really ???


http:#a37849727
Distinguished Expert 2017
Commented:
I have no explanation for the no status ..... Nor how to get systems to properly report them.
