none
Should the "Unapproved" category be tidy?

    Frage

  • Hello all,

    I have done a fair amount of searching for an answer similar to my question but I haven't found something that quite fits what I'm looking for. In advance, I apologize if this is a re-post.

    I just recently took over responsibility of a WSUS server and my experience with one is next to nothing. I see that whomever was managing it before me has about 1,600 updates listed in the "Unapproved" section. Wanting to make this look as neat as possible, this pains me! Is this normal? Should the majority of the updates (if not all) be listed under "Approved" or "Declined" ? I wanted just "Approve" the updates that are at 95% Installed/Not Applicable but after doing some reading, I don't think this is the correct thing to do.

    Please help me with the best thing I can do to clean this up (if it is necessary) as I'd really like to get a good grip on this and be able to manage it successfully.

    Thank you!

    Dennis

    Freitag, 6. Juni 2014 17:31

Antworten

  • Hello all,

    I have done a fair amount of searching for an answer similar to my question but I haven't found something that quite fits what I'm looking for. In advance, I apologize if this is a re-post.

    I just recently took over responsibility of a WSUS server and my experience with one is next to nothing. I see that whomever was managing it before me has about 1,600 updates listed in the "Unapproved" section. Wanting to make this look as neat as possible, this pains me! Is this normal? Should the majority of the updates (if not all) be listed under "Approved" or "Declined" ? I wanted just "Approve" the updates that are at 95% Installed/Not Applicable but after doing some reading, I don't think this is the correct thing to do.

    Please help me with the best thing I can do to clean this up (if it is necessary) as I'd really like to get a good grip on this and be able to manage it successfully.

    Thank you!

    Dennis

    Sometimes there is a reason behind NOT approving an update. Some Microsoft .NET updates come to mind. My experience is that there should be some (not a lot) of updates that are NOT approved. I have IE 11 not approved since some web based programs will not work properly. 1,600 seems like a lot. I usually decline the itanium updates, not just leave them unapproved.

    Since you are just taking over someone elses responsibility for managing WSUS I would approve a few updates for a test group of computers, wait a couple of days after testing the computers then approve them for production. That is usually the best practice.

    It could very well be that the 5% that do not have the updates installed needed them NOT installed for a REASON. But, I am just guessing at this point.

    Good luck with the new responsibilities. Hope this helps a little.

    Freitag, 6. Juni 2014 19:14

Alle Antworten

  • Hello all,

    I have done a fair amount of searching for an answer similar to my question but I haven't found something that quite fits what I'm looking for. In advance, I apologize if this is a re-post.

    I just recently took over responsibility of a WSUS server and my experience with one is next to nothing. I see that whomever was managing it before me has about 1,600 updates listed in the "Unapproved" section. Wanting to make this look as neat as possible, this pains me! Is this normal? Should the majority of the updates (if not all) be listed under "Approved" or "Declined" ? I wanted just "Approve" the updates that are at 95% Installed/Not Applicable but after doing some reading, I don't think this is the correct thing to do.

    Please help me with the best thing I can do to clean this up (if it is necessary) as I'd really like to get a good grip on this and be able to manage it successfully.

    Thank you!

    Dennis

    Sometimes there is a reason behind NOT approving an update. Some Microsoft .NET updates come to mind. My experience is that there should be some (not a lot) of updates that are NOT approved. I have IE 11 not approved since some web based programs will not work properly. 1,600 seems like a lot. I usually decline the itanium updates, not just leave them unapproved.

    Since you are just taking over someone elses responsibility for managing WSUS I would approve a few updates for a test group of computers, wait a couple of days after testing the computers then approve them for production. That is usually the best practice.

    It could very well be that the 5% that do not have the updates installed needed them NOT installed for a REASON. But, I am just guessing at this point.

    Good luck with the new responsibilities. Hope this helps a little.

    Freitag, 6. Juni 2014 19:14
  • I see that whomever was managing it before me has about 1,600 updates listed in the "Unapproved" section.

    Actually that number sounds low, but it somewhat depends on what products/classifications are enabled for synchronization.

    Wanting to make this look as neat as possible, this pains me!

    Truly, I hope the motivation is not to make it look pretty, but rather to configure it correctly.

    Should the majority of the updates (if not all) be listed under "Approved" or "Declined" ?

    Again, this depends on which products/classifications you have selected for synchronization.

    A couple of examples on opposite ends of the spectrum.

    • If you have Windows XP or Windows Server 2003 enabled for synchronization, then you've got 10-12 years of updates synchronized for those two platforms. But the number of updates applicable to the current Service Pack levels is probably only about a quarter of that number. In this case, it would be absolutely normal for 75% of those updates to be DECLINED, and maybe 25% (or less) to be Approved.
    • On the opposite end, if you have Windows 8 or Windows Server 2012 enabled... likely ALL of those updates are still Approved, except for a small percentage that have been superseded and thus should be declined.

    As a point of reference, but again -- Your Mileage *WILL* Vary -- I have 7,847 updates on my server. Of those, 2,999 are declined and 998 are approved. That approval number is probably high because I've not cleaned up superseded approvals in a few months. But this also does not include approvals for the May or June updates. (I was out of town for two weeks in May, and there are known issues with a couple of June updates, so I'm not deploying updates in my lab yet.) So, doing the math then, there are 3,850 Not Approved updates -- about HALF of the total number of updates synchronized to my server.

    However, the key focus here should not be on minimizing the number of UNapproved updates, but rather on minimizing the number of APPROVED updates.

    I wanted just "Approve" the updates that are at 95% Installed/Not Applicable but after doing some reading, I don't think this is the correct thing to do.

    Unilaterally, it's not, and in most cases it's not going to make any difference at all. To Pat's point, it depends on why these updates are at 95% Installed/Not Applicable. It also depends whether these updates are superseded or not. It also depends on why the number is 95% ... if you have computers listed in the console that don't actually exist, then it's impossible for those computers to report an update as installed, and thus the number will never reach 100% -- which is the goal, no doubt. Finally, there's also the rare exception where some updates will NEVER be installed on some systems -- for example, Silverlight on Domain Controllers (or servers in general, to be frank).

    Please help me with the best thing I can do to clean this up (if it is necessary) as I'd really like to get a good grip on this and be able to manage it successfully.

    So here's what I would do:

    1. DELETE any computers that no longer exist.
    2. INVESTIGATE any computers that have a Last Reported Date more than a few days old .. either they don't exist or they're broken.
    3. FIX any computers that exist but are not working. You'll know you've achieved this objective when the "Last Reported Date" values are less than 24 hours old.
    4. Follow the guidance in my five-part blog series about dealing with unneeded updates and unneeded update approvals.
    5. Once you've minimized the number of approved updates, then run the Server Cleanup Wizard.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.


    Freitag, 13. Juni 2014 18:52
  • Wow, Lawrence, I like your answer much better than mine.
    Montag, 16. Juni 2014 20:47