Re: WSUS - Not Seeing Patches Yet this Month



I wish I had a clearer understanding of what you're seeing. If WSUS is not
working as you intend, I would suspect it to be a setting rather than an
actual bug, since WSUS has been around for a while without much in the way
of approval or detection issues being reported.

What you're missing by abandoning MU is the ability to see, from one screen,
that all of the client PCs and servers are patched and current. For
example, I just went to my WSUS home page and saw that one PC has not yet
applied the Patch Tuesday updates (a laptop that's been turned off). If
something prevents one client PC from updating and you're not aware of it,
you put your whole network at risk from that one PC.

I think if you give a close look to the screen on Options -> Automatic
Approval Options, you'll see what's happening and why. You can
automatically approve certain classifications for detection and/or
approval - two separate functions - and you can choose what computer groups
the settings apply to. So for example, you could approve all updates for
detection for all groups. In that case, you just see in the WSUS console
which PCs need those updates. Then you could approve all updates for
installation, but only for computers in the Test group. That way, Test gets
everything approved for installation, while those same updates need manual
approval for the other computer groups.

There would be a way to configure WSUS to monitor the workstations while
still using MU. That would be to set everything to approve for detection,
then just look in WSUS to see what client PCs are detected as needing
updates. Of course you would then want to configure WSUS not to download
the updates. This seems like way too much work - manually configuring the
clients to use MU (or doing that in group policy), then separately
configuring WSUS to monitor. Personally, I'd just get WSUS working the way
you want it to.


"Neil Hoskins" <neilhremovethisbit@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23WQdVOSvGHA.4384@xxxxxxxxxxxxxxxxxxxxxxx

> "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:uqzZHnJvGHA.1436@xxxxxxxxxxxxxxxxxxxxxxx
>> So it sounds like you're seeing the expected behavior. The updates are
>> downloaded, and the critical and security ones probably approved
>> themselves. You can check this by going to the Updates page, viewing
>> updates with any approval synchronized in the last week, and seeing what
>> the approval level is.
>>
>> All that "approve for detection" does is to let WSUS see which computers
>> would need the update if you approved it. In other words, in the WSUS
>> console, that update would show as Needed for each PC that called for the
>> patch. It does not do anything as far as installing it or anything - you
>> can't tell the status from the workstation, only from the WSUS console.
>
> Last night I changed the "automatically approve for detection" setting
> from just the test machine to all machines. This morning I have, waiting
> for approval, a few Defender definition updates, and August's malicious
> software removal tool, but all are marked as having been superseded and
> recommended to be declined. The security updates still don't appear.
>
> I checked a couple of workstations using Microsoft Update and they have
> not been installing updates automatically without me approving them. So
> the automatic approval settings are behaving as expected.
>
>> But right below that setting is the "automatically approve" section,
>> where IIRC by default all critical and security updates are approved
>> automatically. In that case, all critical and security updates would be
>> applied to the workstations according to their AU settings as controlled
>> by group policy. Almost (but not all) of this month's updates were
>> critical or security.
>
> In that setting, only the test machine is set to automatically approve for
> installation.
>
> I really don't think the damned thing's working correctly. As we only
> have around fifteen users and a decent broadband connection, I think I'll
> ditch it and have workstations update automatically from Microsoft Update.
> This probably means I'll take a hit on bandwidth but with the small number
> of users I've got that shouldn't be too severe. Plus I'll save acres of
> disk space on the server and have peace of mind.
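Added example, not part of either poster's message: a PowerShell script that does from the command line what Dave describes doing from the WSUS home page (see, from one place, which PCs still need updates or have stopped reporting) and that applies his suggested model of approving critical and security updates for installation only to the Test group, leaving the other groups for manual approval. It uses the Microsoft.UpdateServices.Administration assembly that the WSUS console and server install ship, and assumes it is run on the WSUS server itself under PowerShell 2.0 or later; the group name "Test", the 7-day staleness threshold and the 30-day arrival window are assumptions, and the approval step is switched off by default so the script is read-only unless you flip `$approveForTest`.

```powershell
# Added example (not the thread's own code): WSUS patch-status report plus an
# optional "approve critical/security for the Test group only" step.
# Assumptions: run on the WSUS server (GetUpdateServer() with no arguments binds
# to the local server); a computer group named 'Test' exists.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Installation states meaning "this computer is not current for this update".
$notCurrent = @('NotInstalled', 'Downloaded', 'Failed', 'InstalledPendingReboot')

# Count needed updates regardless of approval state, so an update that is only
# detected (not yet approved for installation) still shows up per computer.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::Any

$staleAfterDays = 7   # assumption: a PC that has not reported in a week (e.g. a laptop that is off) is flagged

$report = foreach ($pc in $wsus.GetComputerTargets()) {
    $infos  = $pc.GetUpdateInstallationInfoPerUpdate($scope)
    $needed = @($infos | Where-Object { $notCurrent -contains $_.UpdateInstallationState.ToString() })
    $failed = @($needed | Where-Object { $_.UpdateInstallationState.ToString() -eq 'Failed' })
    New-Object PSObject -Property @{
        Computer      = $pc.FullDomainName
        Groups        = (($pc.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ',')
        LastReported  = $pc.LastReportedStatusTime
        Stale         = ($pc.LastReportedStatusTime -lt (Get-Date).AddDays(-$staleAfterDays))
        NeededUpdates = $needed.Count
        FailedUpdates = $failed.Count
    }
}

# The "one screen" view: worst machines first, stale machines visible at a glance.
$report |
    Sort-Object FailedUpdates, NeededUpdates -Descending |
    Format-Table Computer, Groups, NeededUpdates, FailedUpdates, Stale, LastReported -AutoSize

# Optional: approve new critical/security updates for installation, Test group only.
# Other groups keep needing manual approval, as described in the thread.
$approveForTest = $false   # set to $true to actually approve
if ($approveForTest) {
    $testGroup = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Test' }
    if (-not $testGroup) { throw "Computer group 'Test' not found" }

    $classes  = @('Critical Updates', 'Security Updates')
    $newScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $newScope.ApprovedStates  = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    $newScope.FromArrivalDate = (Get-Date).AddDays(-30)   # assumption: last month's sync

    foreach ($u in $wsus.GetUpdates($newScope)) {
        # Superseded updates are the ones the console recommends declining; skip them.
        if ($u.IsDeclined -or $u.IsSuperseded) { continue }
        if ($classes -notcontains $u.UpdateClassificationTitle) { continue }
        # Approving an update with an unaccepted EULA throws; report it instead.
        if ($u.RequiresLicenseAgreement) {
            Write-Warning ("Needs EULA acceptance, skipped: " + $u.Title)
            continue
        }
        $action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
        [void]$u.Approve($action, $testGroup)
        Write-Host ("Approved for Test: " + $u.Title)
    }
}
```

The report deliberately counts updates in any approval state, which is the closest equivalent to Dave's "approve for detection" view: a PC shows a non-zero NeededUpdates count as soon as the client has reported the update as applicable, whether or not anyone has approved it for installation. The Stale column is the check for the "laptop that's been turned off" case, since a machine that never reports can look clean when it is simply silent.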
