Solved

WSUS seemingly not correctly reporting update status

Posted on 2013-05-23
5
715 Views
Last Modified: 2013-06-26
I have noticed for awhile a couple different issues with WSUS.

1. Servers always seem to report 99% of updates installed. Yet if you go to those servers and check for updates, it shows none available.

2. If you check for updates online (instead of WSUS), it almost always reports several updates but when you check for updates via WSUS, it shows not available.. almost like WSUS is a month behind what is on Windows Update. I checked the syncs and it successfully syncs each night and I have every Windows Server 2008r2 update category checked.

Any advice? it seems to be rather common from conversations I have had with other engineers.
0
Comment
Question by:Schuyler Dorsey
  • 2
  • 2
5 Comments
 
LVL 23

Expert Comment

by:Nagendra Pratap Singh
ID: 39194462
You need to select for unapproved updates in each category. Then you need to either approve or decline each of those.

If an update is not in either group, then it is likely to be shown as missing etc.

You may start by searching for the missing patch in the top part of the console. Until you approve it, the client devices will not know about it but WSUS report will nag you because this update is neither declined and nor installed.
0
 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39194641
If I go to the All Updates category and filter by Approval:Unapproved and Status:Failed or Needed, none show up currently.

If I change it to Approval: Unapproved and Status:ANY, all updates here show as installed on 100% of the machines.

Are you saying that I should approve the updates that are already installed on 100% of my machines?
0
 
LVL 76

Expert Comment

by:arnold
ID: 39194825
Do you have auto approve rules, or decline?
Select the system and look at the updates it lists as needed. This way you can see which update is pending approval/decline.

WSUS list all updates within the same scope while windows updates has the optional/software/cpicom/silverlight etc. which could be what you are seeing.
I.e. wsus obtained the metadata for all categories.  A system checks for available updates which include optional driver, feature packs as available but not approved.
0
 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39194935
For one client, I did note something just now.

If I go to the servers that list 99% (which is all of them), and go to the Updates Needed report, some of them do say Not Approved. I checked these updates and they match on my auto approval rule for workstations but not auto approval for servers. Because they are approved for workstations, I am guess that is why they do not show up for approval needed when I check that screen.

However on a few others, I have noted that WSUS reported a patch being installed on the box but manually checking the box revealed that it was not in fact installed.
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 39195031
An update appears on the list available to any system that matches the restriction as long as it is not decline.  A declined update is hidden and is not seen by the client systems nor offered by wsus when the client connects and requests a list of all available updates for it.

Not sure which patch you mean, so hard to respond.  WSUS has periodically received an update to itself, i.e. an update on products/classifications (windows 8, windows 2012 as options and systems, etc.)
an update applicable to  WSUS  itself might be all encompassing.

Certain updates as you noted are available to both desktop and server environments as a single update windows 7,windows server 2008 etc. without any action the update will be listed as available to both types of systems. and will be a reason why 99% of updates applied given 1 is available.
 
You could setup an auto-approve rule for servers that deals with approving security and critical updates.  Presumably your settings are such that if an update has been previously approved an issued revision of said update will auto approve.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
GPO for OU 2 40
Deleting objects from AD 3 35
Can’t delete a file 14 86
Migrate 2008 DNS server to Windows 2012 RS 8 34
Recently, I was asked to look into SCCM 2007 by my employer, having a degree of experience of earlier versions of SMS and some previous SCCM knowledge I didn't expect the procedure to involve to much time. I read a number of guides concerning it…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now