WSUS seemingly not correctly reporting update status

Posted on 2013-05-23
Last Modified: 2013-06-26
I have noticed for a while a couple of different issues with WSUS.

1. Servers always seem to report 99% of updates installed. Yet if you go to those servers and check for updates, it shows none available.

2. If you check for updates online (instead of WSUS), it almost always reports several updates, but when you check for updates via WSUS, it shows not available... almost like WSUS is a month behind what is on Windows Update. I checked the syncs and it successfully syncs each night and I have every Windows Server 2008 R2 update category checked.

Any advice? It seems to be rather common from conversations I have had with other engineers.
0
Question by:Schuyler Dorsey
5 Comments
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 39194462
You need to select for unapproved updates in each category. Then you need to either approve or decline each of those.

If an update is not in either group, then it is likely to be shown as missing etc.

You may start by searching for the missing patch in the top part of the console. Until you approve it, the client devices will not know about it, but the WSUS report will nag you because this update is neither declined nor installed.
0
 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39194641
If I go to the All Updates category and filter by Approval:Unapproved and Status:Failed or Needed, none show up currently.

If I change it to Approval: Unapproved and Status:ANY, all updates here show as installed on 100% of the machines.

Are you saying that I should approve the updates that are already installed on 100% of my machines?
0
 
LVL 80

Expert Comment

by:arnold
ID: 39194825
Do you have auto approve rules, or decline?
Select the system and look at the updates it lists as needed. This way you can see which update is pending approval/decline.

WSUS lists all updates within the same scope, while Windows Update has the optional/software/CAPICOM/Silverlight etc., which could be what you are seeing.
I.e., WSUS obtained the metadata for all categories. A system checks for available updates, which include optional drivers and feature packs, as available but not approved.
0
 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39194935
For one client, I did note something just now.

If I go to the servers that list 99% (which is all of them), and go to the Updates Needed report, some of them do say Not Approved. I checked these updates and they match on my auto approval rule for workstations but not auto approval for servers. Because they are approved for workstations, I am guessing that is why they do not show up for approval needed when I check that screen.

However on a few others, I have noted that WSUS reported a patch being installed on the box but manually checking the box revealed that it was not in fact installed.
0
 
LVL 80

Accepted Solution

by:
arnold earned 2000 total points
ID: 39195031
An update appears on the list available to any system that matches the restriction as long as it is not declined. A declined update is hidden and is not seen by the client systems nor offered by WSUS when the client connects and requests a list of all available updates for it.

Not sure which patch you mean, so it is hard to respond. WSUS has periodically received an update to itself, i.e. an update on products/classifications (Windows 8, Windows 2012 as options and systems, etc.).
An update applicable to WSUS itself might be all-encompassing.

Certain updates, as you noted, are available to both desktop and server environments as a single update (Windows 7, Windows Server 2008, etc.). Without any action, the update will be listed as available to both types of systems, and will be a reason why 99% of updates are applied given 1 is available.

You could set up an auto-approve rule for servers that deals with approving security and critical updates. Presumably your settings are such that if an update has been previously approved, an issued revision of said update will auto approve.
0
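
The gap this thread arrives at, updates that servers report as needed but that have no approval reaching the server group, can be listed through the WSUS administration API. This is an added example, not code from any of the posters; the group name `Servers` is an assumption, and it must run on the WSUS server or on a host with the WSUS administration console installed.

```powershell
# Added example: list updates that computers in one WSUS group report as
# needed or failed, but that are not approved for them.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Assumption: the server computer group is named 'Servers'; substitute your own.
$groupName = 'Servers'
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { throw "Computer group '$groupName' not found on this WSUS server." }

# Restrict results to updates the client reported as applicable but not installed.
$states = 'NotInstalled, Downloaded, Failed'
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]$states

$gaps = foreach ($computer in $group.GetComputerTargets()) {
    foreach ($info in $computer.GetUpdateInstallationInfoPerUpdate($scope)) {
        # UpdateApprovalAction is the approval in effect for this computer.
        # 'NotApproved' on a needed update is what keeps a server below 100%.
        if ($info.UpdateApprovalAction -eq 'NotApproved') {
            New-Object PSObject -Property @{
                Computer = $computer.FullDomainName
                State    = $info.UpdateInstallationState
                Update   = $info.GetUpdate().Title
            }
        }
    }
}

# Per-computer detail, then a per-update count to show which approvals
# (or declines) would clear the most servers.
$gaps | Sort-Object Update, Computer | Format-Table Computer, State, Update -AutoSize
$gaps | Group-Object Update | Sort-Object Count -Descending | Select-Object Count, Name
```

Each update in the output then needs an explicit decision for the server group: approve it (manually or through a server auto-approval rule) or decline it.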
