WSUS 3.0 SP2 - Workaround KB972493 update shows as 'Needed.'
I have recently observed my WSUS server reporting that some clients (Windows Server 2008 SP2) need the update "Windows Server Manager - Windows Server Update Services (WSUS) Dynamic Installer (KB972493)." The clients do not detect that they need this update, but the WSUS server labels the client as needing the update regardless.
Similar behavior for the WSUS SP1 dynamic installer was seen in the past. See the Microsoft Discussion Forum public.windows.server.updates_services --- see the thread titled "WSUS 3.0 SP1 KB948014 shows needed even though roll is not install" for details.
Regardless, here is the workaround:
On the client machine, install the WSUS30-KB972455-x86.exe or WSUS30-KB972455-x64.exe, but select the "Administrator Console only" during the install. This will install the Update Services MMC on the machine, but not enable WSUS on the client itself. After this, the WSUS server should no longer show KB972493 as 'Needed' for the clients.
All Replies
KB972445 only reports as NEEDED on *CLIENT* operating systems that already have the console installed. Installing the console on a client that doesn't need it is a pointless 'workaround' to a non-existent problem. Furthermore, it creates the risk of unnecessarily granting access to the WSUS Administration services that you might not want in the hands of an everyday user.
As for the thread cited from the newsgroup -- that thread has absolutely nothing to do with WSUS3 Service Pack 2 or KB972455.
That thread is about the unique circumstance where the DYNAMIC INSTALLER reports as NEEDED on a Windows Server 2008 SP2 system, or on a Windows Server 2008 SP1 system with KB940518 (the Server Manager update to allow WSUS as a role) installed. The WSUS3SP2 Dynamic Installer (KB972493) will behave in exactly the same way.
I'd be interested in knowing more about the scenario in which you actually observed a Vista/Windows7 system report KB972455 as Needed when the console was not installed. (And consider the possibility that using the WSUS30-KB972455-x86.exe package merely upgraded an existing console to SP2!)
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
All of my 2008 and R2 servers show in WSUS that they need the WSUS 3.0 SP2 Dynamic Installer update, but the servers themselves never detect it to download and install. None of these servers have any WSUS components installed. I understand that the Dynamic Installer update will update the installation files on the systems so that if you decide to install WSUS later down the road, it will be SP2. Not sure why the servers are not installing it. I remember this update coming out for SP1, and the servers did install that fine.
> All of my 2008 and R2 servers show in WSUS that they need the WSUS 3.0 SP2
> Dynamic Installer update, but the servers themselves never detect it to download
> and install. None of these servers have any WSUS components installed.
Correct, this is the BY DESIGN behavior.
The updates are reported as "Needed" because the package flag isInstallable=TRUE.
The updates are not detected/downloaded/installed by the WUAgent, because installation *requires* selection of WSUS as a ROLE via Server Manager in order to initiate installation.
Dynamic Installer packages do NOT behave like conventional update packages do.
> I understand that the Dynamic Installer update will update the installation files on
> the systems so that if you decide to install WSUS later down the road, it will be SP2.
You understand this incorrectly. The "Dynamic Installer" update is the actual WSUS3SP2 installer. It is used to actually install WSUS on a Windows Server 2008 system *when* WSUS is selected from Server Manager for installation as a Role. If the Win2008 system is configured to use WSUS and the Dynamic Installer is approved for installation in the WSUS catalog, the Win2008 system can obtain the package from the local WSUS Server. If the Win2008 system is not configured to use a WSUS Server, it will get the package from Microsoft Update. (I have not tested what happens if the package is Not Approved and an existing WSUS Server is already assigned, but my gut tells me the installation will fail and report it cannot find the needed content.)
Installing the "Dynamic Installer" is installing WSUS. They are one-and-the-same activity. There is no "pre-staging" of the WSUS installation files, as it seems might be your understanding.
> I remember this update coming out for SP1, and the servers did install that fine.
Do not confuse the =Service Pack= update package with the =Dynamic Installer= package. For WSUS3SP1 there was some propensity for confusion because they were both published with the same KB article reference number (KB948014).
For WSUS3SP2 the two packages are published under different KB article numbers. The =Service Pack= update (KB972455) will detect on any existing installation of WSUS (Win2003, Win2008, Vista, Win7, except consoles installed on Windows XP).
The =Dynamic Installer= (KB972493) will only detect on Windows Server 2008 systems, specifically:
- All Windows Server 2008 R2 and Windows Server 2008 SP2 systems.
- Any Windows Server 2008 SP1 (RTM) system which has KB940518 installed.
but it will not download/install via conventional means of the WUAgent.
You must use Server Manager to install KB972493 on a Windows Server 2008 system.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
This may be by design, but, as referenced in the SP1 thread, many consider this unexpected behavior --- especially those who are using targeting 100% as an indication of whether or not machines on the network need an update.
I appreciate that the behavior is "unexpected" -- things change, things evolve, and we all have to be willing to adapt to NEW behaviors of the systems and technologies we use.
Those who are using "targeting 100%..." are doomed from the start unless it is their intention of installing *EVERY* available update onto their systems.
As I've said numerous other times before, there are some updates that will never be installed on my servers: Silverlight, IE7 on Windows Server 2003, IE8 on Windows Server 2008, .NET Framework v3.5 on servers that aren't running WCF/WWF/WPF applications, and I'm sure there are several others.
The *normal* indication of a healthy WSUS server and patch environment can never be reasonably expected to be at 100% Installed/Not Applicable, unless all of those such updates (Silverlight, IE7, IE8, NET35SP1) are marked as DECLINED the day they arrive.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
So the bottom line is that we need to file an RFE for WSUS that we get a column which states "xx% of Approved Updates have been installed".
This would allow us to easily check if all our approved updates got installed, which is essentially what we want to achieve here.
Right?
Cheers
Michel
I agree --- I think this would be a welcome addition.
> So the bottom line is that we need to file an RFE for WSUS that we get a column which states "xx% of Approved Updates have been installed".
> This would allow us to easily check if all our approved updates got installed, which is essentially what we want to achieve here.
If you look at the WSUS SP2 Features and Fixes, you'll find that this capability has been added as a REPORT.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
<sarcasm>which will take forever to load...</sarcasm> :)
thanks for the info.
However, SP2 is not yet supported on System Center Essentials.
But would be cool to have it as a column, too. Would be easier instead of generating reports.
Cheers
Then do it the way we've been doing it for the past four years.. build a Custom Update View based on "Updates approved for a specific group", and pick the group(s) you want to include in the view.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
Boys let's get back to the REAL matter: Microsoft has made a mistake and we do have a WRONG behaviour: i've tried a few fresh clean installations of W2K8R2 and they all state that the "windows server update services 3.0 SP2 Dynamic Installer for server manager x64 Edition (KB972493)" is needed, POINT!
WE all pay good money for the sw, it's about time "Big Bill" fixes it and we can all go home, agree ??
Bagnoli
This is not true.
This is "Works as designed".
This update is for the Server Manager which will be downloaded once you install WSUS 3.0 from scratch (it will install SP2 straight)
This was the case with SP1, too.
Try googling for it, and you will find an official statement from Microsoft.
Cheers
> Boys let's get back to the REAL matter: Microsoft has made a mistake and we do have a WRONG behaviour: i've tried a few fresh clean installations of W2K8R2 and they all state that the "windows server update services 3.0 SP2 Dynamic Installer for server manager x64 Edition (KB972493)" is needed, POINT!
> WE all pay good money for the sw, it's about time "Big Bill" fixes it and we can all go home, agree ??
No, Microsoft has not made a MISTAKE!
The behavior of the DYNAMIC INSTALLER is =BY DESIGN=, and it works just like any other bloody update in the system.
1. If the update *CAN* be installed it is reported as *NEEDED* by the Windows Update Agent.
2. If the admin *WANTS* the update to be installed, the admin marks the update as APPROVED.
3. If the admin does not want the update to be installed, the admin either marks the update as DECLINED, or the admin *IGNORES* the update.
The problem here is that a number of people seem to not understand the concept of a DYNAMIC INSTALLER package, or that DYNAMIC INSTALLER packages are *NOT* installed by the Windows Update Agent during a normal scheduled installation event. In the case of KB972493, the DYNAMIC INSTALLER is installed *WHEN* an administrator chooses to install WSUS on a Windows Server 2008 system as a Server Role.
Otherwise, if you'd like to participate in this conversation intelligently, that's fine, but your last sentence is unnecessary, irrelevant, out-of-line, and isn't even based in any factual reality.
Frankly, I'm tiring of this thread. The behavior is *BY DESIGN*, it's not -- never -- ever -- going to change, so the only solution here is:
[a] Decline the update if you don't need to install WSUS3SP2 on Windows Server 2008 systems, or
[b] Approve the update so that *WHEN* you do want to install WSUS3SP2 on a Windows Server 2008 system you'll actually be able to do this.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
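Added example, not part of any post in this thread: the two server-side options discussed above (the "approved updates only" view and declining the Dynamic Installer), done through the WSUS administration API from PowerShell. The group name and the `$DeclineDynamicInstaller` switch are placeholders chosen for this example.

```powershell
# Added example, not from the thread. Run in an elevated session on the WSUS
# server, or on a machine where the WSUS 3.0 administration console is installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Assumptions (placeholders, change to match your environment):
$GroupName               = 'Win2K8R2-Servers'   # hypothetical computer target group
$DeclineDynamicInstaller = $false               # set to $true to decline KB972493

$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Computer target group '$GroupName' not found." }

# Restrict the update scope to updates approved for this group, so that
# unapproved-but-applicable updates do not count against the machines.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates =
    [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
[void]$updateScope.ApprovedComputerTargetGroups.Add($group)

$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
[void]$computerScope.ComputerTargetGroups.Add($group)

# One summary row per computer: percentage of applicable approved updates installed.
$report = foreach ($s in $wsus.GetSummariesPerComputerTarget($updateScope, $computerScope)) {
    # Everything that is applicable but not finished counts as outstanding.
    $outstanding = $s.NotInstalledCount + $s.DownloadedCount +
                   $s.InstalledPendingRebootCount + $s.FailedCount
    $applicable  = $s.InstalledCount + $outstanding
    $percent     = if ($applicable -gt 0) {
                       [math]::Round(100 * $s.InstalledCount / $applicable, 1)
                   } else { 100 }
    New-Object PSObject -Property @{
        Computer         = $wsus.GetComputerTarget($s.ComputerTargetId).FullDomainName
        Installed        = $s.InstalledCount
        Outstanding      = $outstanding
        Unknown          = $s.UnknownCount
        PercentInstalled = $percent
    }
}
$report | Sort-Object PercentInstalled |
    Format-Table Computer, Installed, Outstanding, Unknown, PercentInstalled -AutoSize

# Note: if the Dynamic Installer is approved for this group, it stays in the
# Outstanding count on servers where the WSUS role has not been installed,
# because the Windows Update Agent does not install it on a schedule.

# Show how the Dynamic Installer (KB972493) currently stands, and decline it
# only when the switch above has been set.
$dynamic = $wsus.SearchUpdates('972493') |
    Where-Object { $_.KnowledgebaseArticles -contains '972493' }
foreach ($u in $dynamic) {
    '{0} | Approved={1} | Declined={2}' -f $u.Title, $u.IsApproved, $u.IsDeclined
    if ($DeclineDynamicInstaller -and -not $u.IsDeclined) {
        $u.Decline()
    }
}
```

Declining is the choice for environments that will not add the WSUS role on these servers; leave the update approved where the role may be installed later through Server Manager.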
There seems to be a large number of users (including myself) that are surprised by this behavior. I would encourage Microsoft to usability test this behavior, and then revisit this design decision.
Sorry Lawrence, no intent to offend anybody in any way,
my last sentence was just a joke with the only intent to get to a solution, having said that:
i still do not understand and it looks like, googling, i am not the only one ...,
i do not argue about the fact that the behaviour is "BY DESIGN", but this DOES NOT MEAN it is correct !!??
saying "it's not -- never -- ever -- going to change" is not just "unnecessary", it is just wrong: You, Microsoft, are GOD ?
if not you can make mistakes as we all do, just accept it, maybe this is not the case, but please consider it (thanks)
1. If the Windows Update Agent reports an update as *NEEDED* You say it is because it *CAN* be installed (so far so good)
2. if the administrator APPROVES it, a simple normal and expected behaviour is that the update WILL BE INSTALLED! HAS TO BE !
As far as i'm concerned (googling the web it is not just my concern ..) the RIGHT behaviour is what normally happens:
let's use a simple example assuming there is a sql2005 patch:
- different servers on the same group
- only 2 have sql2005 installed
- the admin APPROVES the patch for the group
- only those 2 servers will report needing that patch
- ALL THE OTHERS WILL NOT REPORT ANYTHING ABOUT THAT PATCH and get the green light without any problem
BY DESIGN OR NOT THIS IS IT,
this has been going on for long,
there's no need to be that smart to understand this
this is what we, administrators, are looking for,
can you get it now? still tiring ?? hope not
warm regards
ciao
> saying "it's not -- never -- ever -- going to change" is not just "unnecessary", it is just wrong: You, Microsoft, are GOD ?
<sigh>... I'm not "Microsoft". I'm not a Microsoft employee. I'm an independent consultant, who *VOLUNTEERS* time to answer questions in this forum. The answers you get from me have no "spin" on them. They're an accurate reflection of reality as I see it based on five years of experience working with WSUS and the WSUS team.
While I grant that a lot of people think the behavior is "wrong", the fact is that the update behaves *EXACTLY* as Dynamic Installers are designed to behave. The fact that most people complaining that the behavior is "wrong" don't actually have any real experience working with a Dynamic Installer probably complicates the perceptions.
> 2. if the administrator APPROVES it, a simple normal and expected behaviour is that the update WILL BE INSTALLED! HAS TO BE !
And this is the great fallacy of this whole discussion. The behavior of Dynamic Installers is *DIFFERENT* _BY DESIGN_ than normal updates. So.. NO.. you *cannot* expect that the update will be installed just because you've approved it. That is not the DESIGNED behavior of these updates.
> BY DESIGN OR NOT THIS IS IT,
> this has been going on for long,
Actually, based on my observations, there are only two products that currently have a Dynamic Installer:
Internet Explorer 8
Windows Server Update Services
so to claim this has been going on "for long" is simply not a true statement. WSUS v3 SP1 introduced the use of the Dynamic Installer in January, 2009. Prior to that time there were =ZERO= Dynamic Installers released via WSUS (there weren't any even published in the MU catalog), so *nobody* has any experience with Dynamic Installers prior to a month ago, except for that presented by Windows Server Updates Services. Since WSUS *is* the product, you can rest assured that the behavior of the WSUS Dynamic Installer in the *WSUS* product is exactly how it's designed to behave.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
I do know you're not a Microsoft employee and i can only thank you for what you're doing,
i'm just technically arguing, nothing personal.
I do believe You saying that "update behaves *EXACTLY* as Dynamic Installers are designed to behave",
i probably do not have experience with Dynamic Installer, i can live with this,
i'm just talking about a behaviour i do think (and i'm not the only one) is WRONG for my (our??) needs!
when i say it's been like ( I want/like/should be) this for long time, i'm talking not just about IE8 or WSUS,
i'm talking about hundreds of updates to deploy/install;
i (we) need the Windows Update Agent to work in a "legacy" (if you like) mode.
The idea of Dynamic Installer itself might be fantastic, but in the real world here in the field (it is 20 minutes past midnight and i'm still working ...)
i (we) need something that is easy to use, i need something that helps me out to do my job better and faster,
i do not need complicated technology if i think it does not help me;
I am with RJMPhD

"I would encourage Microsoft to usability test this behavior, and then revisit this design decision",
help me (us) understand why the behaviour i described with an easy example is wrong !!
What is the target? have all my servers (and client) patched! i do need the green light.
I may easily be wrong but there are 100 servers here waiting to migrate to Win2K8R2,
i do need things to go easy and not new technology that prevents me from getting the green light from a server
that has installed ALL updates it needs for what it has installed!
Nice talking anyway
Ciao
Okay... I hear what you're saying....
but e'splain me this please....
How is KB972493 any different from
Silverlight (for Windows Server),
or Internet Explorer 7 for Windows Server 2003
or Internet Explorer 8 for Windows Server 2003
or Internet Explorer 8 for Windows Server 2008
or .NET Framework v3.5 for Windows Server 2003
Do you install *every* available update to your servers? (Regardless of whether you *need* it or not?)
And if not, what is the current status of the IE8 for Windows Server 2003 update on your WSUS server?
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
I do not pretend to be able to answer all your questions ..., let me try anyway:
As far as i know/understand/concerned Silverlight, IE, .NET are all the same,
here the real world:
- All servers are Win2K3R3 (English language) (in a group)
- All on the same group (Win2K3R3EN)
- Different roles: Dc, Sql, Web server, File server , ecc...
- If an update is required/necessary even because only 1 server needs it in the group, which means all have the green light but 1 ...
- i DO approve the update for the Group!
- Nobody complains
- The one that needs the update downloads and installs the update and get the green light
- All other server do nothing, or better:
- Approving the update for the Group has never affected the other servers, the agent (i think) just "understands" what is going on and probably thinks "i do not need that update so i ignore it, lets report back to WSUS i'm ok, green light"
So:
- i DO APPROVE every updates for all server but mind you:
- in any group all the server have exactly the same operating system, same language as well
- and i never ever had any problem at all because of this
- THIS is what has been going on for long time,
- THIS is what i need/want/like
Hope to have made my point (as simple as it is)
Ciao
Sorry for typing R3 instead of R2
bye
> i DO APPROVE every updates for all server
Well, then, this is the difference between you and the rest of the world.
You're installing everything everywhere (even if it's not actually needed) and now you're inconvenienced and challenged by the fact that *ONE* update (actually, two, if you include the IE8 Dynamic Installer) is going to show as NEEDED forever, because every other update on your system (including those several you probably did not need to install) have been installed and now show as Installed/Not Applicable.
The rest of the world understands that there will always be some updates which are not going to be installed to some machines, even though they're "Applicable". On my server I have about a half dozen updates that are Not Installed/Not Approved, and that's intentional. The fact that they're not reported as "Installed/Not Applicable" is an accurate reflection of reality.
>and i never ever had any problem at all because of this
>THIS is what has been going on for long time,
>THIS is what i need/want/like
So, yes, I understand this is what you've been doing. The challenge you're running up against now is that:
[a] You've been installing everything everywhere -- which is not a design premise of WSUS. (Organizations or Persons who wish to install everything everywhere should skip the overhead of managing a WSUS Server and just point those machines at Automatic Updates -- which is explicitly designed to install everything everywhere.)
[b] Now when there's actually an update that you cannot apply the philosophy of "everything, everywhere" to, you're blaming the product for being defective, rather than accepting the possibility that maybe your processes and procedure are flawed (or at least the primary contributing factor to what it is that you do not like).
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
"Well, then, this is the difference between you and the rest of the world.":
Maybe but i do know many other administrators that do as i do!
"You're installing everything everywhere (even if it's not actually needed)":
Not really: only if that specific update DOES patch a software that is installed on that system,
- if a sw (or a feature) is installed it is because i DO need it to be installed, if not it would not be there
- i install on my server ONLY what i REALLY need and disable all services i do not need
- and i install /approve those patches ONLY after they've been tested in the lab to make sure they do not cause any problem
- if there is a problem i do contact Microsoft support and they plot out a solution for me as soon as they can, they are there for this purpose: support US.
"and now you're inconvenienced and challenged by the fact that *ONE* update (actually, two, if you include the IE8 Dynamic Installer) is going to show as NEEDED forever":
i may be wrong ..., so far even IE8 is installed on my servers (cause in the lab it was 100% ok) and ie7 is not there anymore, IE8 is out and so far there is no patch showing as NEEDED forever !? all server and client have the green light !
"because every other update on your system (including those several you probably did not need to install)":
i (we) do check all patches that WSUS offers to my servers and so far i've found a good job to install them all,
even Microsoft normally (i'm tempted to say ALWAYS ...) advises, in different manners, to install them, so why not ??
"The rest of the world understands that there will always be some updates which are not going to be installed to some machines, even though they're "Applicable". :
Again: NOT the entire rest of the world, but could you give me (us) some example of patches that are flagged as needed but you do not install??
Sorry but i may be getting lost ... i apologize
"(Organizations or Persons who wish to install everything everywhere should skip the overhead of managing a WSUS Server and just point those machines at Automatic Updates ":
- That would mean all machines (servers and clients, thousands!), will go to internet and generate network traffic when they can easily go to an internal server, the only one that downloads all patches at once for everybody !!?? WHAT A WASTE OF EXPENSIVE NETWORK BANDWIDTH! don't you think ??
- if you do not use an internal WSUS how do you know that some servers or clients have a problem and cannot be fully patched, i.e.: get maximum security ??, internal WSUS does give me reports all the time so that i can check!, would you just rely on the fact that your clients go to Microsoft update and forget about them??
As far as i am concerned i do have enough reasons to use an internal WSUS
"Now when there's actually an update that you cannot apply the philosophy of "everything, everywhere" to, you're blaming the product for being defective":
NOOOOOO!
Mind You: I've never said it is defective, i said i do not agree with that philosophy!
"rather than accepting the possibility that maybe your processes and procedure are flawed"
NOOOOOO! (again)
This was you saying "The behavior is *BY DESIGN*, it's not -- never -- ever -- going to change" without accepting to RE-consider the "by-design" behaviour that could not be the best solution (as others have pointed out to you !)
i've always said and i do repeat it: i am not GOD, i may easily be wrong, but i do need to understand if i am wrong or not so that i can improve myself,
my processes and procedure can easily be flawed/wrong!,
if for a second i'd thought i'm 100% right i would not even read/participate in this discussion,
but i am here because i do think i could be wrong and i do want/need/like to confront with the rest of the world where i've always found people smarter than me (and i do believe it will always be);
or maybe it's not just a matter of being wrong or right, but the real matter could be discussing which solution could be the best ( if there is one ..),
and i'm aware of the fact that we could end up that what is the best for me is NOT the best for you and vice versa!
and if this happens i'll be happy, as long as i understand that the fact that others do differently does not mean i'm doing something wrong,
just different solution for different environment
Thanks for your point
Ciao
Lawrence,
I am reading both your arguments about it and I understand that this is the way Microsoft designed the dynamic updates to work, I think Bagnolim also sees that.
What the issue is, is the fact that a percentage of administrators group their servers by type of OS and not necessarily by role.
I also am one of those that group by OS and have this problem and it bugs the heck out of me not to see a zero next to the Server in the list.
What Bagnolim is stating is that he (we) want the system to change how it does it to work for us and others that group by OS.
Correct me if I am wrong Bagnolim, but what we are asking (and I know it is not your choice Lawrence, you are just stating how it is currently);
When a Server has the role installed and the update is needed for that role, it will show up as needed, if the server does not have that role, then it won't show up, even if it is approved for that server.
All in all, Lawrence you are correct in stating how it is and are either approving of this way or are powerless to change it, all you can do is argue the point of how it is.
Bagnolim, you are arguing with Lawrence on how you and I want to see the system work to make our lives easier, but unfortunately Lawrence has no ability to change this, he is just a volunteer helping with his expertise on the Microsoft product.
Basically as a vote I would want Microsoft to change its ways on this.
+1
Correct Emmerdale1, this is the way i (we) work,
hope microsoft will move to re-consider
Thank you all guys
ciao
That's what a PROXY Server is for!
"(Organizations or Persons who wish to install everything everywhere should skip the overhead of managing a WSUS Server and just point those machines at Automatic Updates ":
- That would mean all machines (servers and clients, thousands!), will go to internet and generate network traffic when they can easily go to an internal server, the only one that downloads all patches at once for everybody !!?? WHAT A WASTE OF EXPENSIVE NETWORK BANDWIDTH! don't you think ??
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
I are 100% right, but as i pointed out this is not the only reason,
Status of the machines is the most important thing (AKA Reports), a proxy does not do it
bye
I meant "YOU" are 100% right ....
ciao
And more: if you use a proxy instead of WSUS, if one day, as an example, a new client Windows XP SP2 is connected will this proxy still have in cache SP3?
WSUS DOES!, i.e. WSUS has all the patches i need ready to be downloaded even if internet connection is not running and normally it will "tell" the agent's client "here it is, get it and install".
NO: Proxy server is not the right "cacher" of all those patches, WSUS has been created for that purpose
bye, ciao
Allow me to interject my two cents here.
It looks to me that BagnoliM's viewpoint is coming from the fact that he uses WSUS as both a software/patch installation tool and a SECURITY reporting tool to generate reports on how up-to-date his machines are.
That is just plain wrong.
WSUS is simply a software/patch installation tool. That's it. The reports from WSUS are only valid in the realm of WSUS. You CANNOT prove that your machines are up-to-date and secure from a WSUS report simply because the ONLY thing that WSUS can report on is how well WSUS is working for machines that are using WSUS.
If you're using WSUS as a security reporting tool, I HIGHLY recommend you stop using it that way and start using an actual security reporting tool. You can start with the Microsoft Baseline Security Analyzer and see if that works for you. It makes lots of great reports and will actually give you MUCH more security information on your computers than the WSUS reports will. It can also help you identify problems with WSUS itself and the way it's configured. If you need more than MBSA offers, there are also many 3rd-party products available.
Using an additional security reporting tool will actually give you a security report instead of just telling you how WSUS is doing with installing patches.
Thanks CitizenRon,
I do agree with your point of view:
if I used WSUS as THE ONLY reporting tool it would be wrong, 100%,
in fact I'm not (GFI is there as well as something else . . .),
but we've been double checking the reports from WSUS about patched system and so far we have found that if we get a green light that's really true!,
if we do not get a green light then we immediately go deep to see what problem we have and fix it;
of course every now and then we do scan systems even with green light, just in case ..;
in other words: I still find WSUS very useful as a first line of automatic, non expensive report tool as well and we are very happy about this,
hope Microsoft will continue to support and improve it the way I (we) like
Thanks again for your contribution
ciao
ciao
- Wow. This is fun.....
I'd like to summarize (again) the multiple points of view.
Frankly, Lawrence, it is your arrogance that has offended people. I am offended. You cannot possibly speak to what 'the entire world' wants and your obstinate belief that you do and subsequent refusal to accept what others wish to do as an acceptable option for them, or allow for the fact that Microsoft changed the behavior of WSUS and some WSUS users find this new behavior problematic, is offensive. You do not speak for me, nor for others that have participated in this forum, so therefore, you can't possibly decree what is normal, acceptable, or desired for the entire world.
Also for the record, no, Proxy servers do NOT work as you have described. WSUS was created for, among other reasons, downloading and managing updates from one machine rather than from dozens or hundreds. Also, Windows Update will only automatically install critical updates, and WSUS allows for a much broader set of updates to be managed, and usually very well.
I use WSUS to keep several dozen machines in a lab up to date. WSUS greatly reduces the workload and I appreciate it. I also chose to install all patches/features/etc. (well, for the products I chose) because that was the easiest way to both keep everything updated that I chose to allow to be installed, as well as install new features without having to deal with the granularities. Others choose different options and styles based on their needs and requirements.
Regardless of how any administrator chooses to use WSUS, the original behavior (of only tracking and reporting any update as 'needed' when it was actually available and could be installed by WSUS) has been modified by the introduction of Dynamic Installers and this is what people are having a hard time with, including me. Personally, I don't understand why Dynamic Installers are treated by WSUS as any other product update would be nor why a different status of 'Available Option' or something wasn't added so that WSUS administrators had the choice for how to handle something that was not a 'pushed' update. Dynamic Installers are 'pulled' optional features that leverage the Role/Feature options of Windows Server 2008. Lumping the Dynamic Installers in with the rest of the normally-pushed-by-WSUS patches and releases causes not only the normal WSUS reporting techniques to not work as expected, but the Windows Update clients on the machines don't work as expected, meaning that when I approve something to Install, it Installs, dammit!
Yes, some WSUS administrators would like for Dynamic Installers to be handled differently by WSUS. Eventually they might. No, we don't expect Lawrence to enact those changes.
There is another option, at least for now: Disable the Dynamic Installer feature downloads in WSUS. Now, Microsoft stupidly lists these as Products instead of adding a separate Dynamic Installer category, which is what I think would work better for everyone.
You can also simply decline those Dynamic Installer updates (as has been suggested). Personally, I'm going to stop allowing WSUS to download Dynamic Installers because that is NOT WHAT I WANT TO USE WSUS TO DO!
Microsoft, are you listening??
- The argument being made on this update is the same as marking all my servers as needing Office 2007 SP1 - just in case I later decide to install Office 2007. It's putting the cart before the horse.
If I install WSUS then, and only then, show updates needed for WSUS. And you argue that it is showing this because it shows all updates that "can be installed". But it can't be installed. It doesn't get installed. The server won't take the install because you can't update WSUS when WSUS isn't installed.
The argument being made on this update is the same as marking all my servers as needing Office 2007 SP1 - just in case I later decide to install Office 2007.
No, it's not.
First, you don't mark a computer as "needing" an update, the WUAgent reports it as FACT; you merely authorize the installation of that update.
Second, unless you already had Office 2007 installed, the WUAgent would never report Office 2007 SP1 as "needed".
Third, the great misunderstood point here is that the Dynamic Installer technology is not an "update", it is an APPLICATION, which supports a FRESH installation on a machine that does not yet have that application installed. It is a *NEW* use of WSUS, to distribute Server Applications, and it's unfortunate that so many people are freaking out that somebody has moved their cheese.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
I do welcome a NEW use of WSUS to distribute applications !! as long as ....
1.) the normal behaviour with "normal/legacy" patches does not change
2.) Microsoft makes the needed changes so that we can easily handle the new (welcome) feature
3.) this new feature is very well documented (maybe it is already and I missed it, if anyone knows the link please point it out)
Hope Microsoft will listen to us
"Microsoft are you there ??"
Thanks everybody,
ciao
- Lawrence is right; this is a case of someone moved our cheese. The problem, as it seems to me, is that they moved our cheese for the sake of moving our cheese. They didn't add anything to it. They didn't make it better. They simply moved it. It reminds me of many of the changes in Vista/Windows7/WMP11 and 12 where Microsoft changed things for the sake of change. If sales get flat then you have to change something just to increase sales. It isn't that the new thing is better; it's just new. Moving the cheese.
- Wow, this is definitely an interesting one! I wanted to throw a different light on this to see if we can all finally agree there is something not quite right:
Lawrence, I think the key point here is that this is, as you say, a new application not an update. Fine, however as such how can it ever be NEEDED? It can only ever be Wanted or Optional. People may want to approve the dynamic installer so that it is available to the servers, however once it is approved to be installed it should not be classified as needed and preventing a green light.
I have been through the exact same argument with Silverlight, which in the end I got bored of the argument. In my case that kept showing up as needed as well for computers that do not meet the hardware prerequisites for install. I simply wanted to approve the install of Silverlight for all my desktops/laptops and was very surprised to find out that WSUS kept saying needed on tablet PCs when the installer itself would bomb out saying the hardware was not able to run it - if the hardware can't run it, it should NOT be NEEDED! In the end I do not have the time to be a crusader and had to change my grouping strategy just for Silverlight. Is this now what we have to do for Dynamic Installers?
As has already been mentioned BY DESIGN does not mean right, as a very minimum the design here is grammatically incorrect. The design of this is currently flawed, you should not have to change your grouping strategy to get a green light simply because not enough thought has been put into some of the WSUS packages. Personally I want to achieve 100% as an indication that everything I APPROVE to be installed has been successfully installed. For the most part this has worked, so far there are two exceptions I have come across, this one and Silverlight. I do not approve everything automatically, I use groups to distribute what I want, to where I want, and have achieved 100% quite happily with these two exceptions. In both cases if the packages had been thought about more thoroughly I would not have found issues with them in WSUS and would not have to waste my time looking round to find out why they show up as needed and don't simply get flagged as not-needed or something else more pertinent.
As you say you are not Microsoft and cannot influence them, I would suggest that also means you cannot speak for them in saying it is *BY DESIGN*, it's not -- never -- ever -- going to change. Microsoft do need to look at this thread and listen to what people are saying, WSUS is still evolving and has improved a lot since its inception however it is not perfect and the design WILL change further as the product evolves, this thread needs to be considered in that process.
Essentially all people are looking for here is recognition of the fact something is not quite right with this approach for Dynamic Installers and a rethink is necessary before we start getting more OPTIONAL components showing up as NEEDED and causing us all to spend more time investigating/administering it than would otherwise be necessary. Until that happens I will be declining Dynamic Installers as there is currently no advantage in approving them.
Lawrence, I think the key point here is that this is, as you say, a new application not an update. Fine, however as such how can it ever be NEEDED?
<sigh>
The problem *here* is your literal interpretation of the word "Needed", rather than understanding what that label actually means and not getting caught up in the pedantic details.
The Windows Update Agent, in combination with the package metadata, tests for two things:
1. Whether the update isInstallable (true | false).
2. Whether the update isInstalled (true | false).
If an update isInstallable and NOT isInstalled, the WSUS server reports that update as "Needed".
Other applications may use a different keyword, such as "Not Installed"
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
In my case that kept showing up as needed as well for computers that do not meet the hardware prerequisites for install.
Since there are *NO* facilities in the Windows Update Agent or the SDP XML schema definition for package metadata for testing for "hardware requirements", you must understand that this is where the bridge between technology and humanity crosses the road. It's the responsibility of the WSUS Administrator to appropriately group systems and approve updates so that updates are installed where appropriate.
For technical details on how these metadata applicability decisions are made, review these two Microsoft library collections:
WSUS API: Creating Update Metadata
SCUP: Updates Publisher Rules
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com
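An added example (not posted by anyone in this thread): a way to ask the client's own Windows Update Agent how it evaluates the Dynamic Installer KB discussed above, so that a 'Needed' status in the WSUS console can be compared with the agent's answer, in line with the earlier point that WSUS reports describe only WSUS. It uses the WUA COM API (Microsoft.Update.Session); the function name Find-KbState and the default KB value are choices made for this example.

```powershell
# Added example: query the local Windows Update Agent (WUA) directly,
# independently of what the WSUS console shows for this computer.
# $KbId defaults to the Dynamic Installer KB named in this thread.
param(
    [string]$KbId = '972493'
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# 1 = ssManagedServer: evaluate against the WSUS server this client points to.
$searcher.ServerSelection = 1

# Hypothetical helper for this example: run one search and return the
# entries whose KB article list contains the requested KB number.
function Find-KbState {
    param($Searcher, [string]$Criteria, [string]$Kb)
    $result = $Searcher.Search($Criteria)
    foreach ($u in $result.Updates) {
        if (@($u.KBArticleIDs) -contains $Kb) {
            New-Object PSObject -Property @{
                Title        = $u.Title
                IsInstalled  = $u.IsInstalled
                IsDownloaded = $u.IsDownloaded
                IsHidden     = $u.IsHidden
            }
        }
    }
}

# IsInstalled=0 lists updates the agent finds applicable but not installed;
# IsInstalled=1 lists updates the agent finds already installed.
$notInstalled = @(Find-KbState $searcher "IsInstalled=0 and Type='Software'" $KbId)
$installed    = @(Find-KbState $searcher "IsInstalled=1 and Type='Software'" $KbId)

if ($notInstalled.Count -gt 0) {
    "KB${KbId}: agent reports installable and not installed"
    $notInstalled | Format-List Title, IsInstalled, IsDownloaded, IsHidden
} elseif ($installed.Count -gt 0) {
    "KB${KbId}: agent reports installed"
    $installed | Format-List Title, IsInstalled
} else {
    # No answer from the agent is not the same as 'not needed';
    # record it as a discrepancy to investigate against the WSUS report.
    "KB${KbId}: agent returned no matching update for either search"
}
```

Run it in an elevated PowerShell session on the client whose WSUS status is in question and compare the output with the console's per-computer report.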
Here we are again: "If an update isInstallable and NOT isInstalled, the WSUS server reports that update as "Needed"."
If an update is reported as isInstallable to this DOES MEAN that if I approve it the update MUST BE INSTALLED!
but this is NOT the way it does! So put in a way or another either the Windows Update Agent and / or the WSUS are doing something wrong,
I keep not understanding why I am so stupid not understanding ...???
Let's keep the focus on this!:
- NEEDED at the end I approved MUST be installed and get the green light!
- NEEDED and after I approve it but the update is not installed DOES MEAN the Server DOES NOT NEED IT
If I am wrong (could easily be) please someone help me
(but it looks like I'm not the only one ..)
Thanks everybody
Here we are again: "If an update isInstallable and NOT isInstalled, the WSUS server reports that update as "Needed"."
Nope. It doesn't.
If an update is reported as isInstallable to this DOES MEAN that if i approve it the update MUST BE INSTALLED!
But you have assumed that to be fact, and that's where the challenge exists.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com

