What should I do if updates cause problems?

  • Question

  • Hi,

    We are about to start using WSUS. My question is: if a problem happens, like some application not working after updates are installed, what should I do? If there are a lot of updates installed and I don't know which one causes the problem, what should I do? We have over 1000 workstations; should I remove the updates from the WSUS server for all of them at one time? How long will it take? Will the user need to do anything?

    Please advise!

    Thanks in advance!


    Grace

    Monday, February 5, 2018 11:09 PM

All replies

  • Hello Grace, 

    No need to uninstall updates from the WSUS server; you should decline the approved updates.

    Or you can stop or disable the WSUS service to prevent this, or disconnect from the network until you clear the server, as you wish.

    WSUS should be configured correctly with your Group Policy settings, based on your environment and your requirements.

    It's better to test before installing updates on all computers. If you are going to install updates on a computer which runs any application, please take a snapshot, system restore point, or backup of that computer before installing the update.

    Then you can install the update, and you can proceed with the other computers unless there is any issue with that update.

    Another point: don't install all updates at one time. Install updates step by step; then you can identify which update causes issues.

    Refer to the guidance below for WSUS troubleshooting:

    https://gallery.technet.microsoft.com/office/Troubleshooting-WSUS-d63da113

    • Marked as answer by graceyin39 Friday, February 9, 2018 5:24 PM
    Monday, February 5, 2018 11:38 PM
  • Hi,

    Generally, we may test every update before pushing it into the production environment.

    Furthermore, we may divide these "clients" into small groups to avoid sending updates to all computers at once.

    If some updates pass the test but still cause issues, we can remove the removable updates through the WSUS server.

    First, you may need to ensure that the update is removable:

    Then you can set "approved for removal" for that update (the client will get a new update for removal after "checking for updates").

    In addition, if the updates caused a "BSOD" or "failed to start up", we may need to manually remove these updates on these clients.

    Hope it is useful to you .

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by graceyin39 Friday, February 9, 2018 5:36 PM
    Tuesday, February 6, 2018 7:01 AM
  • Hi Udara,

    Thank you for your reply. It is very hard to test because we have 200+ applications used by my company. Most of the time the updates are fine, but there were a couple of times that updates caused problems in the past.

    I guess there is no easy way to do it. I just want to know how soon I can remove updates from 1000+ workstations after the updates are approved for removal on WSUS. Will it generate a lot of traffic on the network?

    Please advise!

    Thanks,


    Grace

    Friday, February 9, 2018 9:39 PM
  • Hi Elton,

    Thank you for your reply. We have 200+ applications used by my company. I think it might be a good idea to send updates to small groups one at a time. I just want to know how other companies handle this situation. What is the best practice? What does Microsoft recommend?

    Please advise!

    Thanks,


    Grace

    Friday, February 9, 2018 9:45 PM
  • Hi there,

    My approach to updates rollup with WSUS is the following:

    1. BIOS and drivers should be the most recent for each affected computer.

    2. Scan the component store and all system files for corrupted files and fix them.

    3. The Windows Update client should be reset to the default state.

    These plus some other steps are implemented by a script in my environment in order to reduce the risk of failed systems after day X.

    For each approved update the technical description should be read, especially the part on known issues and workarounds.

    Business applications should be checked one by one on a test computer before being approved for all other users. The next step is to assign updates to a focus group and monitor them closely.

    Regards,

    Slava

    • Marked as answer by graceyin39 Friday, February 9, 2018 11:58 PM
    Friday, February 9, 2018 10:03 PM
  • Hi Slava,

    Good points. I noted them down.

    Thank you for your advice!


    Grace

    Friday, February 9, 2018 11:59 PM
  • On 09.02.2018 graceyin39 wrote:

    I guess there is no easy way to do it. I just want to know how soon I can remove updates from 1000+ workstations after the updates are approved for removal on WSUS. Will it generate a lot of traffic on the network?

    You can set the time for searching for updates to 1 hour by GPO; the default
    is 22 hours. After they get the setting, clients will search ~every hour for new
    updates.
    Another point is to write a script for removal at computer startup.

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    • Marked as answer by graceyin39 Tuesday, February 13, 2018 7:05 PM
    Sunday, February 11, 2018 9:24 AM
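
Added example, not part of the reply above: a PowerShell check to run on a client to confirm that the detection-frequency GPO has actually arrived. It reads the standard Windows Update policy registry values; the function names are illustrative.

```powershell
# Added example: report the Windows Update policy a client actually received.
# The registry paths are the standard Windows Update policy keys.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-WsusClientPolicy {
    $enabled = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
    $hours   = Get-PolicyValue $auKey 'DetectionFrequency'
    # Without the policy the client keeps the 22-hour default mentioned in the reply.
    $effective = if ($enabled -eq 1 -and $hours) { [int]$hours } else { 22 }
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        UseWUServer             = (Get-PolicyValue $auKey 'UseWUServer') -eq 1
        WUServer                = Get-PolicyValue $wuKey 'WUServer'
        DetectionFrequencyHours = $effective
        PolicyApplied           = ($enabled -eq 1)
    }
}

$policy = Get-WsusClientPolicy
$policy | Format-List
if (-not $policy.PolicyApplied) {
    Write-Warning 'Detection frequency policy not applied; run gpupdate /force and check again.'
}
```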
  • Hi Winfried,

    Thank you for your reply. I think changing the GPO will work for me, but if you have the script for removing updates, can you share it with me?

    Thanks a lot!


    Grace

    Tuesday, February 13, 2018 7:08 PM
  • On 13.02.2018 graceyin39 wrote:


    Thank you for your reply. I think changing the GPO will work for me, but if you have the script for removing updates, can you share it with me?

    Here you find a PS script for removal:
    https://trevorsullivan.net/2011/05/31/powershell-removing-software-updates-from-windows/

    Or on the command line:

    wusa.exe /kb:12345678 /uninstall /quiet /norestart

    You have to test both scripts. A computer startup script is IMO the
    best place.

    Winfried



    Wednesday, February 14, 2018 5:56 AM
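
Added example, not from the thread or the linked script: one way to wrap the `wusa.exe` command line above in a computer startup script that only acts when the update is present and records the result. The KB number is the placeholder from the post, and the log path and function name are assumptions.

```powershell
# Added example: computer startup script that removes one update with wusa.exe.
# $KbNumber is the placeholder from the post above; $LogFile is an assumed path.
$KbNumber = '12345678'
$LogFile  = Join-Path $env:SystemRoot 'Temp\Remove-Update.log'

function Write-Log {
    param([string]$Message)
    "{0:s} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message |
        Add-Content -Path $LogFile
}

# Skip machines where the update is not present, so repeated boots do nothing.
# Get-HotFix reads Win32_QuickFixEngineering, which does not list every update type.
$hotfix = Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Log "KB$KbNumber not installed, nothing to do"
    exit 0
}

Write-Log "KB$KbNumber installed on $($hotfix.InstalledOn), starting removal"
$wusa     = Join-Path $env:SystemRoot 'System32\wusa.exe'
$wusaArgs = "/kb:$KbNumber", '/uninstall', '/quiet', '/norestart'
$proc     = Start-Process -FilePath $wusa -ArgumentList $wusaArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Log "KB$KbNumber removed" }
    3010    { Write-Log "KB$KbNumber removed, restart pending" }
    default { Write-Log "wusa.exe returned $($proc.ExitCode), KB$KbNumber needs attention" }
}
exit $proc.ExitCode
```

Decline the update or approve it for removal in WSUS first, as the earlier replies describe; a client that still sees it approved for installation will fetch it again at its next detection cycle.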