WSUS 3.0 Approval Figure and Update Settings Strange - Is this after Server Error?

    Question

  • A decision was made to not update Win XP machines anymore, just Win 7 PCs.

    To use some of the old group names for Win 7 PCs, to reduce the number of groups, I created a group ‘XP PCs’ and started to change the membership of the XP machines to the ‘XP PCs’ group.

    As I also wanted to keep the XP Updates on the server, in case this decision was changed, I created a Computer group called ‘XP Updates’.  This would contain no PCs, but the XP updates would all have ‘install’ associated with this group to increase the approval figure to 2 – this group and a group called ‘Default Auto Approval – place no PCs in here’. The default group is my approval group for updates so that they are downloaded on to the server and WSUS can then go off and check whether the PC requires the update.

    My ‘All Updates’ area is ordered by ‘Approval’ so that all of the new updates with 1 of 26 groups are at the top, so I know that I have to deal with them in some way.  I remove any inherited connection to ‘All Computers’ and approve them into the first test group of PCs.

    During the changing of group membership, although this particular group had only two PCs in it, the system hung.  After a few minutes I closed down the console and re-opened it.  The PCs had moved across to the new group.  However, when carrying out the next move it errored.  I was not in a position to write the error down, but believe that it was a timeout error message, which appears to be associated with high CPU utilization.  The amount of memory in the server has never been totally used, and the pagefile has never been needed.

    At the end of the day the helpdesk called down to say that some people were having messages that updates were ready to download.  This did not make sense with my normal process, so I started to change all of the updates to not approved, as it was late on Friday when it happened.  We have also changed the group policy to stop the PCs finding the server.

    Looking further into the problem, there are some old Office updates showing ‘1 of 26’ groups in the approval figure which had install in the ‘All Computers’ area rather than my default group.  The new groups I had created took the (Inherited) setting from the ‘All Computers’ group, hence the PCs in the new ‘XP PCs’ group required these updates.

    If I physically change the ‘Install (inherited)’ to ‘Install’ my approval figure changes to ‘2 of 26’ groups.

    So, I now have a few issues:

    1. Does the Approval Figure for other people say ‘1 of n’ even when other groups say inherited – i.e. if 12 other groups have inherited from the ‘All Computers’ group does your Approval figure say ‘13 of n’ rather than ‘1 of n’?
    2. Has anyone found that after errors have occurred that updates appear to have different settings to the ones they believe they had?

    I find it quite bizarre that the inherited groups do not figure in the Approval figure.  As I have not consciously seen whether this is normal, because of my update system, I need to know whether this is normal.

    Although I will not rule out user error, I thought that I was meticulous with my update system, so I am very surprised that a group of updates were associated with the ‘All Computers’ group and they were set to ‘Install’, rather than my Default group.

    The server did not cleanly shut down on the Friday night, so we are in a situation of do we trust the server, or do we rebuild with the latest OS and SQL database and put more memory in the server.  I cannot see any errors in the server logs to help me with this decision.  Any feedback regarding the issues above would be most appreciated while we try and place a backup on another server to see what the updates were saying before the errors occurred.

    Wednesday, 13 June 2012 10:57

Answers

  • A decision was made to not update Win XP machines anymore, just Win 7 PCs.

    Yikes!!! **ALL** machines should be updated if updates are still being published for them.

    The default group is my approval group for updates so that they are downloaded on to the server and WSUS can then go off and check whether the PC requires the update.

    It is not necessary to approve updates so that the PC can check whether the update is needed. Status is reported for ALL updates synchronized to the WSUS server that are not expired or declined.

    Note also that WSUS does not do this check, the *CLIENT* does this check.

    So, I now have a few issues:

    • Does the Approval Figure for other people say ‘1 of n’ even when other groups say inherited – i.e. if 12 other groups have inherited from the ‘All Computers’ group does your Approval figure say ‘13 of n’ rather than ‘1 of n’?

    The Approval count only includes direct approvals; it does not include inherited approvals.

    • Has anyone found that after errors have occurred that updates appear to have different settings to the ones they believe they had?

    No.

    I will make the observation, though, that you seem to have a very complex grouping structure, and simplifying the group structure might help in terms of eliminating unwanted approvals.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Tuesday, 19 June 2012 14:56
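
An added example, not part of the thread or either poster's own tooling: because the console's approval figure counts only direct approvals, an Install approval set on ‘All Computers’ can reach newly created groups without the figure changing. This read-only audit lists such updates through the WSUS administration API; it assumes it is run on the WSUS server itself with administrative rights, and that `GetUpdateApprovals()` returns only approvals set directly on a group.

```powershell
# Added example (not from the original thread). Read-only: changes no approvals.
# Assumption: run locally on the WSUS server in an elevated PowerShell session.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$allComputersId = [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers
$installAction  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$groups         = @($wsus.GetComputerTargetGroups())

$report = foreach ($update in $wsus.GetUpdates()) {
    if ($update.IsDeclined) { continue }

    # Approvals set directly on a group (assumed: inherited ones are not stored).
    $direct = @($update.GetUpdateApprovals())

    # Keep only updates that carry a direct Install approval on 'All Computers'.
    $onAll = @($direct | Where-Object {
        $_.ComputerTargetGroupId -eq $allComputersId -and $_.Action -eq $installAction
    })
    if ($onAll.Count -eq 0) { continue }

    # Groups with no approval of their own take the setting from their parent,
    # so they are candidates for 'Install (inherited)'.
    $directIds  = @($direct | ForEach-Object { $_.ComputerTargetGroupId })
    $inheriting = @($groups | Where-Object { $directIds -notcontains $_.Id } |
                    ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        Title            = $update.Title
        DirectApprovals  = $direct.Count          # the 'n' in 'n of m groups'
        TotalGroups      = $groups.Count          # the 'm' in 'n of m groups'
        ApprovedBy       = $onAll[0].AdministratorName
        ApprovedOn       = $onAll[0].CreationDate
        GroupsInheriting = ($inheriting -join '; ')
    }
}

$report | Sort-Object Title |
    Format-List Title, DirectApprovals, TotalGroups, ApprovedBy, ApprovedOn, GroupsInheriting
```

Running this before creating or repopulating a computer group shows which updates the new group's members would be offered by inheritance.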

All Replies

  • Hi Lawrence,

    Thank you for answering and confirming that the approval count only includes direct approvals.  Hopefully Microsoft can make this better in their next version.

    We are moving to Windows 7 machines only, hence the decision to stop updating the XP machines. Not my decision if this means some are not updated during the changes.

    Yes, I said it wrong, I know that the client does the check. Sorry.

    We had another issue between the reporting and the amount of groups some updates had been placed into.  The report said the installs were associated with two groups rather than the one group we had said 'install' to.  As we cannot trust the server in this state I have rebuilt it.

    I will just synchronize for updates in future and not have any automatically approved. This way, I will not be downloading unnecessary 64-bit versions and updates I do not require. 

    Thanks again,

    Robert.


    • Edited by RB33 Tuesday, 26 June 2012 11:21
    Thursday, 21 June 2012 15:46