How can I force installation of 3rd party update by WSUS?

All replies

  • Hi,

    SCUP is designed to be used with SCCM & SUP, not with a standalone WSUS.

    K

    Friday, October 07, 2011 4:27 PM
  • Forgetting for the moment the reference to SCUP, which as Kurt points out is an unlicensed use of that product in a standalone WSUS environment -- but not forgetting that you already have Local Updates Publisher which does the same thing anyway (so I'm not sure why SCUP is even part of this conversation, or why you even used it instead of LUP to publish the update)....

    The issue here is not that you need to force the installation of the update, but rather that the client does not see the update as available for installation. It reports the updates as NotInstalled, so we know it has evaluated the metadata, but either it cannot acquire that approval to install the update (because the target groups are mismatched), or the WSUS server is reporting that the update file is not available (because the update file is not present).

    The task here is to determine which is the case.

    • Confirm that the target group(s) where the update is approved match at least one of the target group(s) where the client has membership.
    • Confirm that the Options | Computers setting matches the configuration of the policy setting for Enable client-side targeting in the GPO assigned to this client.
    • Confirm that the files are available for download. The file process in local publishing involves two steps. First, the files must be transferred to the WSUS server during the publishing process. Second, the files must be renamed and copied by the WSUS server from the upload share into the ~\WSUSContent folder tree. SCUP supports a publication methodology known as "Metadata Only", which does not include the update installation file(s). "Metadata Only" updates cannot be downloaded/installed. Did you publish the Flash installer file to the WSUS server?

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, October 07, 2011 4:51 PM
    Moderator
  • When I started this "publishing" I did not know that the standard WSUS console is not able to work with 3rd party updates. Only later I discovered the LUP and its possibilities.

    • Yes, group where the update is approved matches the target group where the client has membership
    • Is setting "Enable client-side targeting" in the GPO a prerequisite?
    • "Full content" was published by SCUP. I suppose that it contains the installation files
    Saturday, October 08, 2011 3:10 PM
  • >Is setting "Enable client-side targeting" in the GPO a prerequisite?

    It's not a prerequisite, but the setting in the GPO, and the effective setting on the client, are significant facts in evaluating this situation.

    >"Full content" was published by SCUP. I suppose that it contains the installation files

    Yes, it should. So now you need to use the LUP console (if possible) to visually confirm that the appropriate file for that update is physically present in the ~\WSUSContent folder tree of the WSUS server.

    On a related note ... when is the last time this client successfully downloaded/installed any update from this WSUS server?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Sunday, October 09, 2011 1:06 AM
    Moderator
  • I am not able to verify (by LUP console) that the installation files are published in WSUS. But looking to the WSUS directory - found it in \WSUS\UpdateServicesPackages folder.

    Today is the last time when this client successfully downloaded/installed any update from this WSUS server.

    Monday, October 10, 2011 11:33 AM
  • >I am not able to verify (by LUP console) that the installation files are published in WSUS. But looking to the WSUS directory - found it in \WSUS\UpdateServicesPackages folder.

    That is the upload of the file from the LUP to the WSUS server during the publishing process. It is not the copy of the file that is made available to the WUAgent via the http://wsusserver/Content/* download URL.

    If the LUP does not provide the ability to inspect the File Status of the file associated with a published update, then that's a problem and severely complicates your ability to troubleshoot this issue. If the WSUS server failed to successfully copy and rename the file from UpdateServicesPackages to WSUSContent, then the client will not be able to download and install the update.

    (Note: I have seen this occur recently in one other environment, and we do not yet know what is causing the dysfunction in the copy/rename operation.)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, October 10, 2011 3:28 PM
    Moderator
  • >If the LUP does not provide the ability to inspect the File Status of the file associated with a published update,

    It doesn't; only because I've never really needed to. It would be trivial to implement, however, so I'll throw it on the to-do list. If you want to verify that the file made it into the WSUS content folder then search that folder for the MSI, MSP, or EXE you used to create the package. Windows will search the CAB files and return results if the file is found. If you don't get any results then it didn't make it there.

    I would triple check that you installed the certificates correctly on both the server and the clients. My experience has been that 95% of all problems boil down to this. The less frequent problem is correctly setting the GPO or Local Policy to enable 3rd party content on the client. You will find the most common problems with LUP and their resolutions here.

    Monday, October 10, 2011 4:37 PM
  • >I would triple check that you installed the certificates correctly on both the server and the clients.

    If there was a certificate issue on the WSUS server or LUP console machine, the file would have never been written to the UpdatePackagesFiles folder; the write to the share would have failed in the API call with a "File signature not verified" error.

    If there was a certificate issue on the client system trying to download the file (which, btw, the client hasn't even *identified* the update as available/downloadable!), the WUAgent would log the 0x800B0109 error code.

    I see both of those scenarios on almost a daily basis in my client and customer's local publishing environments.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, October 10, 2011 7:19 PM
    Moderator
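
The client-side facts the replies ask about (client-side targeting, the policy that allows third-party content, the publishing certificate, and the 0x800B0109 log entry), gathered in one pass. This is an added example, not code from any poster in the thread. Assumptions: the thumbprint is a placeholder you replace with your own publishing certificate's, the certificate is self-signed, the agent log is the plain-text `WindowsUpdate.log`, and the registry value names are the standard Windows Update policy values rather than anything quoted above.

```powershell
# Added example: client-side checks for a locally published (third-party) update.
# Run elevated on the affected client. $Thumbprint is a placeholder you must supply.
param(
    [string]$Thumbprint = 'PUBLISHING-CERT-THUMBPRINT-PLACEHOLDER',
    # Assumption: plain-text agent log in its default location.
    [string]$LogPath    = "$env:windir\WindowsUpdate.log"
)

# Effective Windows Update policy as the WUAgent sees it.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu    = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue

# The signing certificate must be a trusted publisher. Assumption: it is
# self-signed, so the same certificate must also sit in Trusted Root; with a
# CA-issued certificate, check for the issuing root there instead.
$certIn = @{}
foreach ($store in 'TrustedPublisher', 'Root') {
    $certIn[$store] = [bool](Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# 0x800B0109 (CERT_E_UNTRUSTEDROOT) is the code the thread says the WUAgent logs
# when the client does not trust the certificate that signed the update.
$trustErrors = @()
if (Test-Path -Path $LogPath) {
    $trustErrors = @(Select-String -Path $LogPath -Pattern '800B0109' -SimpleMatch)
}

[pscustomobject]@{
    WUServer                    = $wu.WUServer
    # 1 = "Enable client-side targeting" is on; compare with Options | Computers.
    TargetGroupEnabled          = $wu.TargetGroupEnabled
    # Group(s) the client claims; must include a group where the update is approved.
    TargetGroup                 = $wu.TargetGroup
    # 1 = client accepts updates signed by a locally trusted, non-Microsoft publisher.
    AcceptTrustedPublisherCerts = $wu.AcceptTrustedPublisherCerts
    CertInTrustedPublisher      = $certIn['TrustedPublisher']
    CertInRoot                  = $certIn['Root']
    TrustErrorLines             = $trustErrors.Count
    LastTrustError              = ($trustErrors | Select-Object -Last 1).Line
} | Format-List
```

An empty `TargetGroup` with `TargetGroupEnabled` unset means group membership is assigned on the server, so the comparison with the approval's target group has to be made in the WSUS console instead.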