WSUS clients in a test group reporting updates needed that are not approved for install to that group

  • Question

  • WSUS clients in a test group reporting updates needed that are not approved for install to that group, but are approved for other groups.

    How do I remove/stop them from showing as needed updates in the test group?

    Tuesday, July 24, 2012 2:47 PM

Answers

  • How do I remove/stop them from showing as needed updates in the test group?

    You cannot. A "needed" update is a NotInstalled update -- that's a matter of factual reality, and you cannot change that.

    Although I am intrigued that you have updates approved for groups other than your test group - but not approved for the test group (and apparently not installed on the test group either).


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    • Proposed as answer by antwesor Wednesday, July 25, 2012 4:11 PM
    • Marked as answer by Clarence Zhang Tuesday, July 31, 2012 6:40 AM
    Tuesday, July 24, 2012 7:46 PM

All replies

  • Thanks for the quick answer. I understand a "needed update" is a not installed update, but I thought the needed updates were based on whatever updates have been downloaded to the all updates folder, then approved. If they have not been approved for the test group, how can those machines show them as needed? Maybe you can help me understand how client machines in a group determine what updates are needed, or how does WSUS tell clients in a group that they need updates? Thanks in advance and have a great day.
    Wednesday, July 25, 2012 1:57 PM
  • I thought the needed updates were based on whatever updates have been downloaded to the all updates folder, then approved.

    Nope. It's as simple as you and I have both said.. a "Needed" update is an update that is Not Installed. Period. No other conditions are relevant.

    If they have not been approved for the test group, how can those machines show them as needed?

    Because the two are totally unrelated situations. One is the STATE of the machine -- the other is a CHOICE a WSUS Administrator made to allow the client to perform an action.

    Maybe you can help me understand how client machines in a group determine what updates are needed, or how does wsus tell clients in a group that they need updates?

    I will try. First, understand, that there's no real difference between how things work in a WSUS environment and how they've worked with Windows Update for the past dozen years -- except the WSUS Administrator gets to choose which updates the client system can have access to -- so the first thing to understand is how Windows Updates works, generally speaking -- something that, arguably, every ITPro should know before they get hired on their first job. :-)

    The Windows Update Agent queries its update source for a list of updates, evaluates that list of updates and determines the state of each update on that system. State comes in six flavors: Installed, Not Applicable, Not Installed, Downloaded, Installed Pending Reboot, or Failed.

    • If the WUAgent is talking to AU, then it downloads any update that is in the "Not Installed" state, and installs anything that has been downloaded.
    • If the WUAgent is talking to WU/MU, then it gives the user the choice as to what updates are downloaded and/or installed.
    • If the WUAgent is talking to WSUS, then it reports that state information to the WSUS server and nothing else happens. WSUS, however, only displays four states in the console: Not Applicable, Installed, Failed, or Needed. In WSUS, the "Needed" state includes Not Installed, Downloaded, and Installed Pending Reboot.

    WSUS just introduces the concept of "Approval". "Approval" is nothing more than a human being giving consent to a group of computers (WSUS Target Group members) to allow those computers to download and install an update. When an update is Approved for Install on a WSUS server, and the update installation file has been downloaded to the WSUS server from Microsoft, then the WUAgent will download those approved updates to the client system and install them.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, July 25, 2012 5:34 PM
  • First, thanks again for the response,

    Second, let's put away the sarcasm. This fine tool and the wonderful Microsoft training resources weren't around when I started my IT career 23 years ago, and let's face it, Microsoft is not known for its fine documentation.

    Now, I'm with you for most of this, it's all understandable and mostly common sense so far, but if all this were true (and I have no reason to believe otherwise) then why do I not have hundreds of needed updates (presuming that all downloaded updates either wind up in not applicable or needed), the other choices being if you approve it to install, it either installs or fails.

    So again the question comes back to how do I get my test group of machines to stop reporting "updates needed" on updates that have not been approved for their group. If I go back to the updates and look up the KB numbers and pull up all updates in that release, I can multiple select them and choose decline, but then that will remove the update from all approved groups as well, correct?

    I need to try and clean up a wsus environment that I have inherited and I have machine groups that mimic a.d. locations. My desktop test group machines (6 of them) are reporting updates needed, that have not been approved for their group, and there are no updates in any of the downloaded folders 

    Wednesday, July 25, 2012 8:42 PM
  • and let's face it Microsoft is not known for its fine documentation.

    In fact, the documentation for WSUS and for the Microsoft Update Management process is actually quite good and fairly extensive! I would highly recommend you invest time to review it. I suspect it will answer many of the questions you are going to ask during the course of exploring your newly inherited responsibilities.

    then why do I not have hundreds of needed updates (presuming that all downloaded updates either wind up in not applicable or needed)

    This revolves around the second part of the "What the WUAgent reports as state" discussion. Each update is evaluated independently, not within the context of whether it's superseded or not, so superseded updates that are not installed where no later update in that chain is also not installed, will all be reported as needed -- the scenario that you anticipate in your question. However, the WUAgent does evaluate the supersession chain when determining which update to download/install. The WUAgent will only download/install the newest approved update in a supersession chain, even though it has evaluated older updates as "Needed" (i.e. Not Installed). Then, when the newer (superseding) update is installed, the nature of that event now makes the older (superseded) updates evaluate as NotApplicable. A superseded update that is reported as 100% Installed/NotApplicable should be declined, as it is no longer needed for any purpose in the environment.

    But... I think your reference to 'downloaded' is still clouding the situation. The state of an update reported by the Windows Update Agent to the WSUS server is absolutely independent and totally unrelated to whether that update is approved for installation or not.

    Taking that a step further, with regards to download events. When an update is approved, the installation file for that update is downloaded to the WSUS Server. When the WUAgent sees an approved update with a downloaded installation file, the WUAgent then downloads the installation file to the client system and schedules the update for installation. A client with a downloaded update can only occur if, in fact, the update is Needed, and there is no Superseding update that has been Approved for Install.

    so again the question comes back to how do I get my test group of machines to stop reporting "updates needed" on updates that have not been approved for the group

    You eliminate the fact that those updates are not yet installed. You approve and install the missing updates.

    If I go back to the updates and look up the KB numbers and pull up all updates in that release, I can multiple select them and choose decline, but then that will remove the update from all approved groups as well, correct?

    Correct. The question is: Do the update(s) need to be approved for the test group?, or Are the update(s) superseded and don't need to be approved for anybody at all?

    I need to try and clean up a wsus environment that I have inherited and I have machine groups that mimic a.d. locations. My desktop test group machines (6 of them) are reporting updates needed, that have not been approved for their group, and there are no updates in any of the downloaded folders

    The fact that you have updates approved for all other groups but not approved/installed in the test group is a critical failure in the patch management strategy that you inherited. But the solution really is simple: Approve and install the updates that are being reported as Needed that should be installed! Decline the updates that are superseded and no longer relevant.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Thursday, July 26, 2012 3:36 PM
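
The triage described in the answer above (agent-reported state is separate from approval; superseded updates are handled differently from current ones) can be pulled straight from the WSUS API. This is an added PowerShell example, not part of the original thread; it assumes it runs on the WSUS server with the UpdateServices module available, and `Desktop Test` is a placeholder group name.

```powershell
# Added example (not from the thread). Run on the WSUS server.
# 'Desktop Test' is a placeholder target group name.
param([string]$GroupName = 'Desktop Test')

Import-Module UpdateServices
$wsus  = Get-WsusServer
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Target group '$GroupName' not found." }

# Agent states that the WSUS console rolls up into "Needed".
$states = 'NotInstalled, Downloaded, InstalledPendingReboot'
$scope  = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]$states

# UpdateId -> computers reporting it Needed without an Install approval
$needed = @{}
foreach ($computer in $group.GetComputerTargets()) {
    foreach ($info in $computer.GetUpdateInstallationInfoPerUpdate($scope)) {
        # State (reported by the agent) and approval (set by the admin) are separate fields.
        if ($info.UpdateApprovalAction -eq 'Install') { continue }
        $id = $info.UpdateId
        if (-not $needed.ContainsKey($id)) {
            $needed[$id] = New-Object System.Collections.Generic.List[string]
        }
        $needed[$id].Add($computer.FullDomainName)
    }
}

$report = foreach ($id in $needed.Keys) {
    $rev    = New-Object Microsoft.UpdateServices.Administration.UpdateRevisionId -ArgumentList $id
    $update = $wsus.GetUpdate($rev)
    [pscustomobject]@{
        Title        = $update.Title
        KB           = ($update.KnowledgebaseArticles -join ',')
        Computers    = $needed[$id].Count
        IsSuperseded = $update.IsSuperseded
        Triage       = if ($update.IsSuperseded) {
                           'Superseded: deploy the superseding update, then decline this one'
                       } else {
                           'Not superseded: approve for this group, or leave unapproved deliberately'
                       }
    }
}

$report | Sort-Object IsSuperseded, Title | Format-Table -AutoSize -Wrap
```

Rows with `IsSuperseded` false are the real decision points: each is an update the group's machines lack and nobody has consented to install there.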
  • Hi,

    I have a similar problem with WSUS and getting the reports that I want from it.

    I approved Silverlight and its updates to a group that includes some client computers (Win7); now I have other groups (for other client computers and servers).

    I don't want to install Silverlight (and I won't need updates for it) for these other client computers and servers, but now all of them are reporting it as needed.

    When I go to my WSUS console, if I see a server that needs updates I want to know so I can patch it, but now my servers are up to date and don't need any of these, but they still come up as missing updates.

    I really don't want to start installing Silverlight on the servers, nor some versions of .NET Framework that some systems don't need. Server roles that are not installed are also reporting as needing the updates.

    I think this is a big design flaw that needs to be fixed

    Is there a way around this?

    Thanks,


    Thursday, June 27, 2013 10:43 AM
  • now I have other groups (for Other client computers and servers)

    I don't want to install Silverlight (and I won't need updates for it) for these other client computers and servers, but now all of them are reporting it as needed.

    Which is a TRUE statement. Silverlight is not installed on those systems. Period. That's all this information means, nothing more, nothing less. You've chosen not to install Silverlight, so you don't approve the update for those groups. That's it.

    When I go to my WSUS console, if I see a server that needs updates I want to know so I can patch it, but now my servers are up to date and don't need any of these, but they still come up as missing updates.

    As previously discussed in this very thread.. this is a matter of distinguishing between your personal definition of "needed", and the product's (WSUS) definition of Needed. I'll grant that you don't like the definition; I don't either. But it is what it is, and that's how it's been for ten years.

    I really don't want to start installing Silverlight on the servers, nor some versions of .NET Framework that some systems don't need.

    Then don't. It's really that simple.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, June 27, 2013 9:19 PM
  • Quote from Lawrence Garvin:

    As previously discussed in this very thread.. this is a matter of distinguishing between your personal definition of "needed", and the product's (WSUS) definition of Needed. I'll grant that you don't like the definition; I don't either. But it is what it is, and that's how it's been for ten years.

    ----------------

    Yes - that's a bug that's been there for ten years. Just like blue screens have been there for long. :)

    Short example - I use a patch that corrects the time zone in one country. It is NOT a critical or security patch - I had to download it separately.

    It is not required on one thousand critical servers in other countries (WSUS would not even download it by default). So I approve it just for that specific country and decline for the rest of the world. It is a basic functionality of WSUS, but - guess what - it does not work. And it's been so for many years. This could be easily corrected, but maybe such a feature should be available only in System Center. :)

    It seems that you're not even working directly for MS, so please quit telling "it's not bug, it's a feature." :)

    Thursday, September 19, 2013 3:36 PM
  • Short example - I use a patch that corrects the time zone in one country. It is NOT a critical or security patch - I had to download it separately.

    It is not required on one thousand critical servers in other countries (WSUS would not even download it by default). So I approve it just for that specific country and decline for the rest of the world. It is a basic functionality of WSUS, but - guess what - it does not work. And it's been so for many years. This could be easily corrected, but maybe such a feature should be available only in System Center. :)

    Please do not confuse the (mis)behavior of ONE patch with the operation of the infrastructure used to deliver that patch, nor with the decision process that the Windows team made with respect to whether that update is, or is not, published to WSUS. (Personally I'm not aware of any TimeZone updates that have not been published.)

    Second, if you want to make an argument with me, you'll have to use accurate terminology. You cannot approve an update for some group and decline it for the rest. Maybe you didn't Approve the update for the rest of the groups, and that's exactly how the product is supposed to be used if you want to deploy updates to some machines and not others.

    I'm not really grasping what your gripe is with respect to this example.

    It seems that you're not even working directly for MS, so please quit telling "it's not bug, it's a feature." :)

    Look.. the behavior is the result of an explicit design decision in the product. It works exactly as designed. You don't like how the product is designed. That's a legitimate perspective, but it doesn't make it a bug just because you don't like it.

    The behavior that is observed in the product is exactly how it was designed to behave.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, September 20, 2013 11:25 PM
  • Hi,

     

    So we don't have any solutions to have a better view for our servers.

    So for example Microsoft has 10 updates for a product. I approved 8. In the console I will always see that the servers need 2 updates. If I decline these 2 updates, do my servers still "need" these updates?

    Thank you.

    Wednesday, June 18, 2014 3:38 PM
  • So we don't have any solutions to have a better view for our servers.

    You're new to the thread so I have no idea what your particular needs are, which makes it impossible for me to respond to this statement with any real value.

    Perhaps if you started a NEW thread with your particular objectives, challenges, and problems.... ??

    So for example Microsoft has 10 updates for a product. I approved 8. In the console I will always see that the servers need 2 updates. If I decline these 2 updates, do my servers still "need" these updates?

    Hard to say.. there is insufficient information in this example. There are many other variables that apply, most notably the supersession status of those 10 updates, and which 8 you actually approved.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, June 19, 2014 3:01 AM
  • Hi, 

    Thanks for your time.

    I don't want to enter too much information. To make it easier, my example is:

    I have 1 server; for this server I have 10 updates available from Microsoft. I approved and installed 8. The remaining 2 are unapproved. Is there any way to see in reports that the server is 100% up to date, not 80%?

    Friday, June 20, 2014 9:21 AM
  • I have 1 server; for this server I have 10 updates available from Microsoft. I approved and installed 8. The remaining 2 are unapproved. Is there any way to see in reports that the server is 100% up to date, not 80%?

    I don't know. It might not actually be up to date.

    As I previously said, this is insufficient information to answer this question, even hypothetically.

    Now, if you want to stipulate that the 2 unapproved updates are superseded by one or more of the approved updates, then we've got something to work with. In fact, if that's the actual scenario, you don't have to do anything because the server WILL display as having 100% updates Installed-or-NotApplicable.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, June 21, 2014 1:03 AM