Solved

WSUS seemingly not correctly reporting update status

Posted on 2013-05-23
5
811 Views
Last Modified: 2013-06-26
I have noticed for awhile a couple different issues with WSUS.

1. Servers always seem to report 99% of updates installed. Yet if you go to those servers and check for updates, it shows none available.

2. If you check for updates online (instead of WSUS), it almost always reports several updates but when you check for updates via WSUS, it shows not available.. almost like WSUS is a month behind what is on Windows Update. I checked the syncs and it successfully syncs each night and I have every Windows Server 2008r2 update category checked.

Any advice? it seems to be rather common from conversations I have had with other engineers.
0
Comment
Question by:Schuyler Dorsey
  • 2
  • 2
5 Comments
 
LVL 23

Expert Comment

by:Nagendra Pratap Singh
ID: 39194462
You need to select for unapproved updates in each category. Then you need to either approve or decline each of those.

If an update is not in either group, then it is likely to be shown as missing etc.

You may start by searching for the missing patch in the top part of the console. Until you approve it, the client devices will not know about it but WSUS report will nag you because this update is neither declined and nor installed.
0
 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39194641
If I go to the All Updates category and filter by Approval:Unapproved and Status:Failed or Needed, none show up currently.

If I change it to Approval: Unapproved and Status:ANY, all updates here show as installed on 100% of the machines.

Are you saying that I should approve the updates that are already installed on 100% of my machines?
0
 
LVL 78

Expert Comment

by:arnold
ID: 39194825
Do you have auto approve rules, or decline?
Select the system and look at the updates it lists as needed. This way you can see which update is pending approval/decline.

WSUS list all updates within the same scope while windows updates has the optional/software/cpicom/silverlight etc. which could be what you are seeing.
I.e. wsus obtained the metadata for all categories.  A system checks for available updates which include optional driver, feature packs as available but not approved.
0
 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39194935
For one client, I did note something just now.

If I go to the servers that list 99% (which is all of them), and go to the Updates Needed report, some of them do say Not Approved. I checked these updates and they match on my auto approval rule for workstations but not auto approval for servers. Because they are approved for workstations, I am guess that is why they do not show up for approval needed when I check that screen.

However on a few others, I have noted that WSUS reported a patch being installed on the box but manually checking the box revealed that it was not in fact installed.
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 39195031
An update appears on the list available to any system that matches the restriction as long as it is not decline.  A declined update is hidden and is not seen by the client systems nor offered by wsus when the client connects and requests a list of all available updates for it.

Not sure which patch you mean, so hard to respond.  WSUS has periodically received an update to itself, i.e. an update on products/classifications (windows 8, windows 2012 as options and systems, etc.)
an update applicable to  WSUS  itself might be all encompassing.

Certain updates as you noted are available to both desktop and server environments as a single update windows 7,windows server 2008 etc. without any action the update will be listed as available to both types of systems. and will be a reason why 99% of updates applied given 1 is available.
 
You could setup an auto-approve rule for servers that deals with approving security and critical updates.  Presumably your settings are such that if an update has been previously approved an issued revision of said update will auto approve.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I was asked if I could set up a fax machine so that incoming faxes were delivered to people's Exchange inboxes and so that they could send faxes from their desktops without needing to print the document first.  I knew it was possible but I had no id…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question