none
WSUS Report inconsistent with amount of updates available on each server

    Question

  • I have a question related to WSUS that I am unable to find an answer for since 2 weeks.

    I have WSUS server and number of servers that are configured to download Windows Updates from WSUS server. I have client site targeting and computer groups configured and everything seems to be working fine however one thing bothers me.

    I generate WSUS Computers Report for my servers every month before installing the updates. The status summary for my servers always shows different value from actual number of updates that are available on each server. Just to make sure that you understand my question correctly - I just generated WSUS report for my servers and I have "34 updates have not been installed" on 'server X' in the WSUS report however when I log on to the 'server X' and click "check for updates" option the number of updates available is 20.

    The whole point in generating the report before installing updates is to keep record of how many updates are being installed every month for each server.

    Can you please let me know whether these two values ("34 updates have not been installed" and "20 important updates are available") should be the same or I misunderstood WSUS terminology?

    If I misunderstood WSUS terminology, how can I generate the report in WSUS that will show amount of updates available for each server (the exact same number that is being displayed in Windows Update Client on each server?

    Thanks in advance for your response.

    Monday, June 09, 2014 4:28 PM

Answers

  • One more question - Is there a way to generate report in WSUS which will only show the updates that are available for installation on each server?

    It would be simpler to just look in an update view of Approved Updates, sort by File Status, and handle the updates that are not yet downloaded.

    Since Approved -and- Downloaded-to-WSUS effectively makes an update "available", that's really all that matters.

    But, no, there is no way to obtain a report from *WSUS* that shows the updates that a WUA sees as "available". At best you could run a report for Approved/Needed, and presuming that all files are downloaded to the WSUS server, that would be the list of updates "available" to a client.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, June 17, 2014 8:12 PM
    Moderator
  • I generate WSUS Computers Report for my servers every month before installing the updates. The status summary for my servers always shows different value from actual number of updates that are available on each server.

    The first thing to understand is that there's a radical difference between an update displayed as NEEDED in the WSUS console (or in a report), and an update reported as AVAILABLE by an individual client. I've discussed this point ad naseum in this forum, but let's go over it one more time.

    First... updates that are NOT INSTALLED come in three flavors:

    1. Updates that are Not Approved for installation on the target system. These updates will NEVER be reported by the individual system as available for installation.
    2. Updates that are Approved for installation, but the files are not downloaded from Microsoft to the WSUS server. These updates are also not available to the individual system. Updates become available when they are Approved AND the FILES can be downloaded from the WSUS Server.
    3. Updates that are Superseded, but the newer update is not yet installed -- typically for one of the two previous reasons. This group most often contributes to the numerical discrepancies.

    All of the above, however, is mostly pedantic information. No matter what the reasons are, your response should be exactly the same: Identify the updates that are not installed and determine why they're not installed.

    Either they're

    • Not Approved,
    • Approved but not downloaded to WSUS
    • Superseded.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, June 13, 2014 7:02 PM
    Moderator

All replies

  • I faced this issue, I am not using WSUS righ now ........but what I was doing parameters during generating report. While generating report, choose wisely...there is wide range of parameters such as Operating system, updates (Critical,Important, Service packs etc) Go through it again... you will find where is the problem.
    Monday, June 09, 2014 4:57 PM
  • Hi Vijay MC, many thanks for swift reply!

    Here is what I've done:
    Generated 'Computer Tabular Status for Approved Updates' report by selecting:
    1. Any classification
    2. Any product
    3. Computer group that I was interested in (in my case "Servers")
    4. Needed, failed (in "Include computers that have status of" section)

    Once the report has been generated I have selected the server I am interested in from the list and went to next page to see detailed report. When arranged the update view by "status" I was able to see the actual number of updates awaiting installation. For anyone interested, the status you are after its "downloaded" - these are the updates that are being displayed as "[X] important updates are available" in windows update clients.

    However one question still persist - What are "updates have not been installed" from within summary report? It is very confusing that this number is being displayed at first page of every Computer Status Report in WSUS and I would like to know what are these updates if they are not updates available for install (downloaded). Anyone please?

    Monday, June 09, 2014 9:04 PM
  • Hi,

    If you click check online for updates from Microsoft update, this will trigger a detection from Microsoft update website.

    Check for updates managed by your system administrator or run wuauclt /detectnow will trigger a detection from WSUS server.

    That is a different thing.

    You can disable it if you want all updates that installed are managed by yourself, you can disable it.

    Windows Update, Automatic Updates, and Internet Communication

    http://technet.microsoft.com/en-us/library/cc775792(v=ws.10).aspx

    Subtitle Procedures for Controlling Windows Update and Automatic Updates

    Hope this helps.

    Tuesday, June 10, 2014 5:53 AM
    Moderator
  • Select custom options in product and classification according to your need. Like instead of 'Any prodcut' you can choose Windows 7, Vista...whatever you have client side. And on Classification option tab you can chosse 'critical' and 'security' (General custom options). Then you will get correct figure.

    If you will go client side on windows update console, you will find these 20 updates will be either 'critical' or 'security'. And on WSUS side it is 32 because you have choosed 'Any Classification' which making WSUS server to check target against all updates.

    • Proposed as answer by Vijay MC Tuesday, June 10, 2014 11:03 AM
    Tuesday, June 10, 2014 11:02 AM
  • Hi and thanks again for your replies.

    I have Products and Classifications configured and also client side targeting configured.

    went to Reports and Generated 'Computer Tabular Status for Approved Updates' report by selecting:
    1. Same classifications as I have selected in WSUS options
    2. same products as I have selected in WSUS options
    3. Computer group that I was interested in (in my case "Servers")
    4. Needed, failed (in "Include computers that have status of" section)

    And then still, when report is generated I can see "21 updates have not been installed" for 'server X' in the report but Windows Update Client on this server shows "16 important updates are available"

    Also Daniel, you are wrong - I checked 'windowsupdate.log' file and regardless of whether I am forcing server to check for updates via "check for updates" or 'wuauclt /detectnow' command the client is contacting my WSUS server not the Microsoft update server. I can't understand why would my server contact Microsoft updates server if I have GPO correctly configured.

    Thursday, June 12, 2014 5:48 PM
  • I know that if you select 'Windows Update' in Server 2003 you are being redirected to Microsoft website but Server 2008 contacting WSUS server regardless (if you have GPO correctly configured). 
    Thursday, June 12, 2014 5:52 PM
  • I generate WSUS Computers Report for my servers every month before installing the updates. The status summary for my servers always shows different value from actual number of updates that are available on each server.

    The first thing to understand is that there's a radical difference between an update displayed as NEEDED in the WSUS console (or in a report), and an update reported as AVAILABLE by an individual client. I've discussed this point ad naseum in this forum, but let's go over it one more time.

    First... updates that are NOT INSTALLED come in three flavors:

    1. Updates that are Not Approved for installation on the target system. These updates will NEVER be reported by the individual system as available for installation.
    2. Updates that are Approved for installation, but the files are not downloaded from Microsoft to the WSUS server. These updates are also not available to the individual system. Updates become available when they are Approved AND the FILES can be downloaded from the WSUS Server.
    3. Updates that are Superseded, but the newer update is not yet installed -- typically for one of the two previous reasons. This group most often contributes to the numerical discrepancies.

    All of the above, however, is mostly pedantic information. No matter what the reasons are, your response should be exactly the same: Identify the updates that are not installed and determine why they're not installed.

    Either they're

    • Not Approved,
    • Approved but not downloaded to WSUS
    • Superseded.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, June 13, 2014 7:02 PM
    Moderator
  • Long story short - I have misunderstood WSUS terminology by thinking that "updates have not been installed" (WSUS report) and "important updates are available" (WU client) are the same thing and these two values might be different even in healthy systems.

    One more question - Is there a way to generate report in WSUS which will only show the updates that are available for installation on each server?

    Friday, June 13, 2014 11:10 PM
  • One more question - Is there a way to generate report in WSUS which will only show the updates that are available for installation on each server?

    It would be simpler to just look in an update view of Approved Updates, sort by File Status, and handle the updates that are not yet downloaded.

    Since Approved -and- Downloaded-to-WSUS effectively makes an update "available", that's really all that matters.

    But, no, there is no way to obtain a report from *WSUS* that shows the updates that a WUA sees as "available". At best you could run a report for Approved/Needed, and presuming that all files are downloaded to the WSUS server, that would be the list of updates "available" to a client.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, June 17, 2014 8:12 PM
    Moderator