Why doesn't "automatic approval" rule work as I would expect?

  • Question

  • Under "Options", and "Automatic Approvals" I have the following rule:

    When an update is in Critical Updates, Definition updates, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates

    Approve the update for all computers

    But when I go into "Updates" and expand that out, I see "red" arrows showing "Critical Updates, Security Updates" and possibly others are not "green"....showing all sorts of updates that were not approved! I didn't notice this, so now after months of updates I have a ton of critical updates that have not been applied and I have to now go in and approve each one??? Seriously??

    What is the point of having a rule that states to "APPROVE" the updates if it's not going to do it??

    Any suggestions?

    Tuesday, September 15, 2015 5:55 PM

All replies

  • Did you have the checkbox checked next to the automatic approval rule to specify it should be active?

    By default WSUS only approves / downloads updates which are applicable to your environment based on what the clients have reported back to WSUS. Could these updates you are seeing be for products which you do not have connecting to your WSUS server?

    Wednesday, September 16, 2015 2:55 PM
  • Yes, I have the checkbox "checked" to ensure it is active and to be run.

    Could these updates you are seeing be for products which you do not have connecting to your WSUS server?

    I'm not sure I understand this question. The only clients connected to this server are clients requiring updates. Should we "approve" each update, they would be installed. Many of the updates are "critical" yet didn't get installed.
    Either way...I have the box checked to approve ALL UPDATES...so I would think the WSUS would approve them regardless of what is reporting back.

    Wednesday, September 16, 2015 5:57 PM
  • I'm still hoping for an answer to this.

    Anyone??
    Monday, September 28, 2015 4:32 PM
  • I'm still hoping for an answer to this.

    Anyone??

    Make sure the computers in WSUS are in a properly configured WSUS group. If the computers are just in the Unapproved group you may get the results you are seeing now. At least make one group for test and one group for production. For more details on how to create WSUS groups check out this article.

    https://technet.microsoft.com/en-us/library/hh328559(v=ws.10).aspx

    Hope this helps.

    Tuesday, September 29, 2015 7:11 PM
  • I didn't know any of this. Thanks for pointing me in the right direction...now I have to just figure it out.

    All my computers right now are in the "Unassigned" category. I made another category and my understanding is that I will have to move all the unassigned computers to this new category and set the parameters for it.
    I'm not sure about the Client-Side VS Server-Side...what is preferred or what the differences are.
    I'm assuming that you cannot just change the parameters for the unassigned group itself?
    I think having different "sections" where you can put computers in and assign parameters for each one is a nice feature, but all the servers we update all get the same patches...there is no hierarchy.

    Tuesday, September 29, 2015 10:23 PM
  • Ok...I created a group called "Itservices" and put one computer in it, thinking I could set the requirements for it. But now I'm lost.
    I'm not sure how moving computers from "Unassigned" to a group I create changes anything. Where do I set the parameters for all the computers in the Itservices?
    Wednesday, September 30, 2015 5:05 PM
  • I see under "Automatic Approvals" now the two groups are shown...unassigned computers and Itservices. However I can set "Approve the update for all "All computers" and when I check on All computers, both the unassigned and "Itservices" groups are checked....so obviously I must be missing something

    Wednesday, September 30, 2015 5:08 PM
  • Ok...I created a group called "Itservices" and put one computer in it, thinking I could set the requirements for it. But now I'm lost.
    I'm not sure how moving computers from "Unassigned" to a group I create changes anything. Where do I set the parameters for all the computers in the Itservices?

    The computers just have to be moved to the Itservices group manually if you choose server side targeting, or use GP if you are using client side targeting. Here are the instructions from Microsoft on how to choose which targeting method you should use with WSUS. Sorry about the age of the link, but it still applies to today's modern WSUS servers.

    https://technet.microsoft.com/en-us/library/cc720450%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Hope this helps.


    • Edited by antwesor Thursday, October 1, 2015 8:10 PM
    Thursday, October 1, 2015 8:07 PM
  • Ok...I moved all the computers from the "Unassigned" to the "ITservices" group. But again, I'm not seeing what the difference is, even after reading that poorly written article.

    Once I have all the computers in the Itservices group, I select "Automatic Approvals" and under "Update Rules", I have "Default Automatic Approval Rule" checked, should that be unchecked??

    Under that I have "Rule Properties (Click an underlined value to edit)". And I have...

    When an update is in Critical Updates, Definition Updates, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates
    Approve the update for "Itservices"

    What's the difference if instead it says "Itservices" if it says "Unassigned"??
    Could all this be because the "Default Automatic Approval Rule was checked"?

    Thursday, October 1, 2015 8:57 PM
  • I have also noticed this...

    Again, although I have checked to approval all updates for Unassigned Computers and now Itservices, when I go into "Updates -> All Updates  and I have the following...

    Approval: "Unapproved"
    Status: "Any"

    I see many updates...what I don't understand is not only are these being shown, but I have one that shows an update for "Itanium-based Systems" and it's at 76%....I don't even have any Itanium-based servers!

    And why is the update "Update for Windows Server 2008 (KB2999226)" also at 76%?

    This WSUS application is either very unreliable or I'm doing something wrong. This shouldn't be this hard. I mean if I select the computer group, and choose to install all updates, it should...why am I having to go in and approve them manually??

    Windows Internet Explorer 9 for Windows Server 2008 for x64-based systems Update Rollups 100% Not approved
    Windows Server 2008 Service Pack 2 Standalone x64-based Systems (KB948465) - English, French, German, Japanese, Spanish Service Packs 100% Not approved
    Windows Internet Explorer 9 for Windows Server 2008 Update Rollups 100% Not approved
    Project 2002 Service Pack 1 Service Packs 100% Not approved
    Visio 2002 Service Pack 2 Service Packs 100% Not approved
    Office XP Service Pack 3 for Multilingual User Interface Pack Service Packs 100% Not approved
    Update for Windows Server 2008 R2 for Itanium-based Systems (KB3080079) Updates 76% Not approved
    Update for Windows Server 2008 (KB2999226) Updates 76% Not approved
    Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems Update Rollups 100% Not approved
    Internet Explorer 10 for Windows Server 2008 R2 for x64-based Systems Update Rollups 100% Not approved
    Office XP Service Pack 3 for English User Interface Pack Service Packs 100% Not approved
    Thursday, October 1, 2015 10:04 PM
  • I'm still looking for some help on this. Very frustrating in that one would think if you select "approval all updates" for any group you have (even if it's unassigned), that it would do just that.

    What am I missing?
    Wednesday, October 7, 2015 6:42 PM
  • These are old updates. If you create an automatic rule it will not apply to updates older than when you created the rule.

    Rolf Lidvall, Swedish Radio (Ltd)

    • Proposed as answer by Steven_Lee0510 Sunday, October 11, 2015 2:33 PM
    • Marked as answer by Steven_Lee0510 Sunday, October 11, 2015 11:19 PM
    Thursday, October 8, 2015 6:48 AM
  • As Rolf says, the updates you've mentioned are "old". They will have synchronised into your DB some time ago.
    Automatic approvals are not retrospective; auto-approval rules are only executed during synchronisation and only applied to new updates synchronised which match the rule.

    https://technet.microsoft.com/en-us/library/dd939929(v=ws.10).aspx

    You can create rules that your WSUS server will automatically apply during synchronization. You specify what updates you want to automatically approve for installation, by update classification, by product, and by computer group. This applies only to new updates, not to revised updates.


    Don

    • Proposed as answer by Steven_Lee0510 Sunday, October 11, 2015 2:33 PM
    • Marked as answer by Steven_Lee0510 Sunday, October 11, 2015 11:19 PM
    Thursday, October 8, 2015 7:45 AM
  • Hello - Perhaps you can enlighten me.

    These updates were discovered not to be downloaded even though "approve all updates" was selected. I believe that is why they are old.
    After approving each one individually many were downloaded to the clients and installed. So this doesn't seem to follow what you are saying unless I'm not understanding you.

    Are you saying that once these are approved that going forward all other critical updates should be sent to the clients with no issues??

    Perhaps you can also enlighten me if it makes any difference to create a group or just assign rules to the "unassigned computers".

    Thursday, October 8, 2015 6:23 PM
  • Hello - Perhaps you can enlighten me.

    These updates were discovered not to be downloaded even though "approve all updates" was selected. I believe that is why they are old.
    After approving each one individually many were downloaded to the clients and installed. So this doesn't seem to follow what you are saying unless I'm not understanding you.

    Are you saying that once these are approved that going forward all other critical updates should be sent to the clients with no issues??

    Perhaps you can also enlighten me if it makes any difference to create a group or just assign rules to the "unassigned computers".

    The creation of groups is optional; it is not related to auto-approval.

    When you build a WSUS, an initial sync is performed; this retrieves the current list of products and classifications from MSFT.
    Then you select (enable) the Products and classifications and languages etc, for which you wish to synchronise the metadata into your WSUS db.
    Then you synchronise again, which actually retrieves the metadata for all updates within the enabled products/classifications/languages/etc.
    At this point, your WSUS db now has all the information about those updates, but it has not yet begun to download the binaries (the actual update packages).
    If, at this point, you enable auto-approval for some products/classifications, this newly-created auto-approval rule will have no effect, because even if you immediately perform another synchronisation, there will be no *NEW* update metadata to synchronise yet. All *EXISTING* update metadata has been previously synchronised, so, once *NEW* update metadata has been added by MSFT and you perform a sync, the auto-approval rule will execute during that sync, and any update metadata which matches your rule will become auto-approved.

    In another example:
    Your WSUS db contains metadata for many thousands of updates.
    You have not approved all of these, perhaps because you do not wish to flood your network, or some other reason.
    You enable auto-approval, and at the next sync, your WSUS auto-approves many thousands of updates and begins to download all from MSFT and then deploy all to your fleet, flooding your network and thrashing your fleet, making your business suffer great impact.
    This would be very bad. So, MSFT do not provide easy access to this feature scenario in WSUS.


    Don

    • Proposed as answer by Steven_Lee0510 Sunday, October 11, 2015 2:33 PM
    • Marked as answer by Steven_Lee0510 Sunday, October 11, 2015 11:19 PM
    Thursday, October 8, 2015 8:27 PM
  • Hi Don....thank you for taking the time to write everything you did to try to help me.

    There are some things you mentioned that I need some clarification on.

    1. You stated: When you build a WSUS, an initial sync is performed, this retrieves the current list of products and classifications from MSFT.
    Then you select (enable) the Products and classifications and languages etc, for which you wish to synchronise the metadata into your WSUS db.

    I believe what you are saying is that you have to MANUALLY approve the updates initially so that the database is built correctly and efficiently. What I did was select "Approve all updates" and I believe you are saying that in doing so, you can flood your network? I thought that even though you select "Approve all updates" the WSUS would only down load only those that are necessary...am I wrong?

    When I initially set up the WSUS, I selected "Approve all updates". But on one of the clients I had a network issue, so I went directly to Microsoft and got the updates instead of the WSUS. I noticed I had a lot more updates on this one server than the 6 I had just updated using the WSUS, and all the servers are the same. So, I went back on the WSUS and looked at why some of the updates were not approved and I selected updates "not approved" and saw many...some are the ones I cut and pasted in my previous POST. I still have not approved them because I'm looking for an answer to why this happened.

    If I understand you correctly, it is better to manually approve the updates and continue doing so, until an accurate database is created that reflects the needs of the clients. I'm assuming at some point there will be no "unapproved" updates...is this correct??

    Right now I may have a "dirty" database with manually approved and automatically approved updates, should I clear the database and start fresh??

    Thursday, October 8, 2015 9:26 PM
  • Each Update has many attributes (e.g. Product, Classification, Language, Architecture, IsABundle, etc)

    For a given KB article, there may be several different Updates.

    As a result, there are many Updates which may, or may not, be "needed" by clients in your organisation.
    If no clients "need" a particular Update (e.g. because that Product is not used in your organisation), then it is a waste for you to Synchronise the metadata for that Product, and a waste to download the binary package for that Update, and a waste for your clients to perform detection for Updates for that product.

    Also, when you install WSUS, you choose if you will download binary packages at all, or just let the clients download the binary packages from MSFT.

    You can also choose to configure various other options, perhaps to minimise or optimise what and when binary package downloads occur between your WSUS and MSFT.

    In a typical WSUS implementation, you will always have some unapproved Updates. WSUS isn't intended to be fully auto-pilot of everything. WSUS is intended for where you need to manage/control the deployment of Updates, but you can automate a lot of it.

    If you have any unapproved updates (which is quite normal/expected), those unapproved Updates will *NEVER* become approved unless you manually perform approval.

    So if you don't create auto-approval rules at the time you install WSUS, all Updates metadata which comes in via sync prior to creating auto-approve rules will require manual approval.

    So your database isn't really 'dirty', but you have some approving to do, and you can't automate that via an auto-approval rule. If an Update's metadata is synchronised and isn't auto-approved at the time of sync, you must manually approve it.

    If you wish to bulk-approve Updates, that's fine, just be mindful that doing so may cause a large binary package download queue between WSUS and MSFT, and, a large amount of network traffic in your organisation when clients begin to detect and download and install all those Updates.


    Don

    • Proposed as answer by Steven_Lee0510 Sunday, October 11, 2015 2:33 PM
    • Marked as answer by Steven_Lee0510 Sunday, October 11, 2015 11:19 PM
    Friday, October 9, 2015 7:19 AM
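The two points Don makes above, that an auto-approval rule only fires for metadata arriving in a later sync, and that everything synchronised before the rule existed stays unapproved until someone approves it by hand (ideally in bounded batches so the download queue and client traffic do not spike), can be turned into a one-off catch-up script. The following is an added example and is not code from this thread or from Microsoft; it uses the WSUS administration API that ships with the WSUS console. The group name "Itservices", the rule-creation date, the classification list and the batch size are assumed placeholder values, not settings from the poster's server.

```powershell
<#
  Added example (not from the thread or from Microsoft): catch-up approval of
  updates whose metadata synchronised BEFORE an auto-approval rule existed.
  The rule never revisits those, so this does the manual step in batches.
  Assumptions: run on the WSUS server with WSUS administrator rights; the
  group name, date, classifications and batch size below are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $TargetGroupName = 'Itservices',             # assumed target group (named in the thread)
    [datetime] $RuleCreatedOn   = (Get-Date '2015-09-15'),  # assumed date the rule was enabled
    [string[]] $Classifications = @('Critical Updates', 'Security Updates'),
    [int]      $MaxApprovals    = 50                        # throttle: bounds the download/deploy burst
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Approve to one named target group, not to "All Computers".
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
if (-not $group) { throw "Computer target group '$TargetGroupName' not found." }

# Scope: not approved, and metadata that arrived before the rule was created.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$scope.ToArrivalDate  = $RuleCreatedOn

$candidates = @(foreach ($u in $wsus.GetUpdates($scope)) {
    if ($Classifications -notcontains $u.UpdateClassificationTitle) { continue }
    if ($u.IsDeclined -or $u.IsSuperseded) { continue }   # superseded: decline, do not approve
    # Keep only updates at least one machine in the group reports as needed,
    # so products nobody runs (e.g. the Itanium entry in the thread) are skipped.
    $summary = $u.GetSummaryForComputerTargetGroup($group)
    if (($summary.NotInstalledCount + $summary.FailedCount) -eq 0) { continue }
    $u
})

Write-Output ("{0} unapproved pre-rule update(s) in scope; approving at most {1}." -f $candidates.Count, $MaxApprovals)

$approved = 0
foreach ($u in ($candidates | Sort-Object ArrivalDate)) {
    if ($approved -ge $MaxApprovals) { break }
    $label = "{0} [{1}] arrived {2:d}" -f $u.Title, $u.UpdateClassificationTitle, $u.ArrivalDate
    if ($PSCmdlet.ShouldProcess($label, "Approve for Install to '$TargetGroupName'")) {
        if ($u.RequiresLicenseAgreement) { $u.AcceptLicenseAgreement() }
        [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
        $approved++
    }
}
Write-Output "Approved $approved update(s). Re-run later for the next batch."
```

Run it first with `-WhatIf` to see exactly which updates would be approved and why each is in scope; then run it for real in batches until the backlog is clear. From then on the existing auto-approval rule covers new metadata at sync time, which is the behaviour the linked TechNet article describes.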