Searching and displaying old Unapproved Updates

  • Question

  • I was recently tasked with creating an image for some old notebooks with Win7 x86 on them. During the image creation, with MDT 2013, I install the OS and then WSUS takes over updating the systems. Today, I noticed that after deploying the images, our SCCM 2012 server showed we needed over 60 updates, most of them old. I thought, how did WSUS miss those? I have automatic approvals set up for all these updates.

    After much searching I realized that when I set up the WSUS server, I did a sync well before creating my automatic approvals so that had to leave older updates unapproved. That's ok, I thought. I'll just search for any of those old Unapproved updates and manually set them to Approved. Well, the Search option doesn't show all the Unapproved updates. I can search for the old ones, one by one, and then find and approve them. Is there any other way to display absolutely every Unapproved update without searching by kb number?


    Orange County District Attorney

    Friday, June 20, 2014 9:28 PM

All replies

  • If you don't have the view you need, you can create additional views:
    http://technet.microsoft.com/en-us/library/dd939874(v=ws.10).aspx

    Or am I misunderstanding your question?


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Saturday, June 21, 2014 7:06 AM
  • I did try and create a new view although it still doesn't display the older, unapproved updates I need. I'm sure what happened was I did an initial sync when setting up the WSUS box and didn't configure Auto Approvals until later. There are a bunch of needed updates that don't get installed during my image creation because of this.

    It's only later after I've imaged a few machines that I find out using SCCM that these machines need 60-70 older updates. I took the list of updates from SCCM and manually searched for each one in my WSUS box and approved them for my image creation. I hope I don't have to do that again soon!


    Orange County District Attorney

    Monday, June 23, 2014 4:59 PM
  • Is there any other way to display absolutely every Unapproved update without searching by kb number?

    The first misconception here is that you actually need EVERY Unapproved update... when what you actually need are the Unapproved updates that are actually NEEDED by a system .. and that capability is natively available in the WSUS console.

    1. Select the All Updates View.
    2. Set Approval filter to "Unapproved".
    3. Set Status filter to "Needed".
    4. Select updates and approve for the appropriate group(s).

    That's if you're actually patching with *WSUS*.

    But, if you're patching with Configuration Manager Software Updates, then an entirely different process applies, and for that you should inquire in the appropriate ConfigMgr software updates forum.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.


    Wednesday, June 25, 2014 8:08 PM
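Added example, not part of the thread or of any poster's reply: the four console steps from the answer above, done with the WSUS PowerShell cmdlets. It assumes the UpdateServices module (WSUS on Windows Server 2012 or later) and an elevated session on the WSUS server; `Image Build` is a hypothetical computer group name.

```powershell
# Added example. Assumes the UpdateServices module (WSUS on Windows Server 2012+).
# 'Image Build' is a hypothetical target group; pass your own with -TargetGroup.
param(
    [string]$TargetGroup = 'Image Build',
    [switch]$Approve          # without this switch the script only reports (dry run)
)

Import-Module UpdateServices
$wsus = Get-WsusServer        # local server; use -Name/-PortNumber for a remote one

# Fail early if the group name is mistyped, before anything is approved.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroup }
if (-not $group) { throw "Computer group '$TargetGroup' not found on this WSUS server." }

# Steps 1-3: All Updates view, Approval = Unapproved, Status = Needed.
$candidates = @(Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Needed)

# Choice made for this example: skip superseded updates, since a newer update
# replaces them and approving them only downloads content nobody installs.
$needed = @($candidates | Where-Object { -not $_.Update.IsSuperseded })

# Review list: approval stays a human decision, so show what would be approved.
$needed |
    Sort-Object { $_.Update.CreationDate } |
    Select-Object @{ n = 'KB';       e = { $_.Update.KnowledgebaseArticles -join ',' } },
                  @{ n = 'Released'; e = { $_.Update.CreationDate.ToString('yyyy-MM-dd') } },
                  Classification,
                  ComputersNeedingThisUpdate,
                  @{ n = 'Title';    e = { $_.Update.Title } } |
    Format-Table -AutoSize

Write-Host ("{0} unapproved updates are needed; {1} remain after skipping superseded ones." -f
    $candidates.Count, $needed.Count)

# Step 4: approve for the chosen group. -WhatIf stays on unless -Approve was given.
if ($needed.Count -gt 0) {
    $needed | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup -WhatIf:(-not $Approve)
}
```

Run it once without `-Approve` to see the list and the would-be approvals, then again with `-Approve` after reviewing it.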
  • Appreciate the note back Lawrence. I think there's confusion in how I'm using WSUS and SCCM. A little background.

    I create base Windows 7 and Windows 8 images that I want to be fully patched when they're created. We do this with Microsoft's Deployment Toolkit (MDT 2013). This has nice hooks in it to point at a WSUS server and take care of all our updating during the automated image creation. Our ultimate goal is to have a fully patched system come out in the end.

    My issue was that I wasn't getting all the updates needed during this step. When we deployed the image to new hardware our SCCM 2012 world took over and did its magic to scan and report the needed updates. That's when I found that I wasn't getting all the updates I needed from my image creation WSUS server.

    I should at that point have gone back to the All Computers view and noticed that the last imaged system was missing those updates and from there I could have approved them and then re-run the base image creation. That would have been the quickest and easiest way to remedy my problem. I did take the SCCM scan results and manually searched for each update and approved them that way which is a solution, albeit the long way.

    I would still love to see some functionality in WSUS that would let Auto Approval 'approve' updates that were synch'd before I created the Auto Approval rule. That would make my day.


    Orange County District Attorney

    Wednesday, June 25, 2014 8:29 PM
  • I would still love to see some functionality in WSUS that would let Auto Approval 'approve' updates that were synch'd before I created the Auto Approval rule. That would make my day.


    But, you only need to do this one time, right?

    Auto-approval (and ADRs in ConfigMgr) are designed for recurring/cyclic/repetitive task automation - which this isn't.

    /justsayin/


    Don

    Wednesday, June 25, 2014 9:00 PM
  • Sure, if you go back and find which updates didn't install. I'd like to see a set-it-and-forget-it functionality with Auto-approval that will install whatever updates it detects regardless of when the setting was made.

    That would make me very happy!


    Orange County District Attorney

    Wednesday, June 25, 2014 9:09 PM
  • I would still love to see some functionality in WSUS that would let Auto Approval 'approve' updates that were synch'd before I created the Auto Approval rule. That would make my day.

    That functionality DOES exist. Use the "Run Rule" option on the Auto Approval dialog's toolbar if you need to do this from a standalone WSUS server.

    NOTE: You should ***NOT*** be using the same WSUS server for MDT deployments that you are using as a Software Update Point for Configuration Manager!!


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Thursday, June 26, 2014 12:08 AM
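Added example, not part of the thread or of any poster's reply: a scripted counterpart to the "Run Rule" button mentioned above, using the WSUS administration API to apply each enabled automatic approval rule to the updates already synchronized. It assumes the UpdateServices module (WSUS on Windows Server 2012 or later) and an elevated session on a standalone WSUS server.

```powershell
# Added example. Assumes the UpdateServices module and a standalone WSUS server
# (not one acting as a Configuration Manager Software Update Point).
Import-Module UpdateServices
$wsus = Get-WsusServer

# Helper for this example: how many updates are both Unapproved and Needed right now.
function Get-NeededUnapprovedCount {
    @(Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Needed).Count
}

$before = Get-NeededUnapprovedCount

foreach ($rule in $wsus.GetInstallApprovalRules()) {
    # Show what the rule covers so the retroactive approval is a conscious choice.
    $classes = ($rule.GetUpdateClassifications() | ForEach-Object { $_.Title }) -join ', '

    if (-not $rule.Enabled) {
        Write-Host "Skipping disabled rule '$($rule.Name)'"
        continue
    }

    Write-Host "Applying rule '$($rule.Name)' (classifications: $classes)"
    # Applies the rule to updates already on the server, not only future syncs.
    $rule.ApplyRule() | Out-Null
}

$after = Get-NeededUnapprovedCount
Write-Host "Needed-but-unapproved updates: $before before, $after after running the rules."
```

Whatever is still counted afterwards falls outside the rules' products and classifications and needs a manual approval decision.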
  • I'd like to see a set-it-and-forget-it functionality with Auto-approval that will install whatever updates it detects regardless of when the setting was made.

    This is actually an unrealistic and practically infeasible scenario.. if you think about it.

    • Client systems require the binary files of an update to install the update.
    • The binary files are only downloaded when the updates are approved.
    • Approval is a DECISION POINT as to whether updates are allowed to be installed; there are MANY scenarios in which an update that CAN be installed on a system SHOULD NOT BE installed on that system, thus is NOT approved for that system.

    As such, it is functionally impossible for the WSUS server to know, in advance, which updates will be "needed" and SHOULD be installed on any given client system (vs those that SHOULD NOT!) such that the updates could be "AutoApproved" thus allowing the files to be downloaded which allows the client to install the update.

    Approval is designed and intended to be a HUMAN interaction with WSUS, and limited capabilities for automatically approving updates by product/classification are provided... but should be used with extreme caution. I can no longer count the number of organizations who have been catastrophically bitten in the backside because an update was approved for systems where it should not have been installed, or more often, the installation itself causes catastrophic results.

    If you want Set-It-And-Forget-It functionality... then point those clients to Automatic Updates and pull the plug on the WSUS server.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Thursday, June 26, 2014 12:14 AM
  • Thanks for the spirited replies to my post! I'm honored to be the focus of your attention. In all honesty, I've been helped very much in my WSUS endeavors over the years by your posts in these forums.

    First off, you've done it again. You've brought my attention to another feature of WSUS that I had never noticed. The Run Rule. That's a good feature! It does appear to only have effect on updates that are already downloaded however. I'd like to be able to have the option to apply it to updates that are already downloaded. As you mentioned in this post, it doesn't have that capability.

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/1376d4fe-adf5-49b3-93d8-e4db64eab7bf/wsus-30-sp2-automatic-approval-rules-bugs?forum=winserverwsus

    As for what's feasible, I'd love to have the ability to install ANY Security or Critical updates, say for Windows 7. Update rollups, or just plain updates we decide later after a bit of testing. I can't imagine this is unrealistic. That said, the ability for a Microsoft Security or Critical update to break a system is real and can't be ignored. We are willing to take the risk of this if it means we have the chance to patch our systems with what Microsoft deems as necessary.

    I'm sure you're correct about the Set-It-And-Forget-It functionality. It doesn't look like we can get there from here. We're working now after some tweaking so what we need to see is happening.

    Thanks again for the help and the valuable input.

     


    Orange County District Attorney

    Thursday, June 26, 2014 2:32 PM
  • It does appear to only have effect on updates that are already downloaded however. I'd like to be able to have the option to apply it to updates that are already downloaded.

    ??? The "Run Rule" option applies the Automatic Approval rule to **ALL** updates currently synchronized to the WSUS server.

    I'd love to have the ability to install ANY Security or Critical updates, say for Windows 7. Update rollups, or just plain updates we decide later after a bit of testing. I can't imagine this is unrealistic.

    THIS is not unrealistic. The blind deployment of any and all updates to all systems on the day after Patch Tuesday is also not unrealistic.. it's just doomed.

    For more information on how to achieve the operation you've described, see my article: Duplicating Approvals from a Test Group to a Production Group.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Sunday, June 29, 2014 7:00 PM
  • I'm glad to hear that the 'bug' has been fixed with the Run Rule. That's what my entire issue has been. In fixing it I'm going to guess that Microsoft wanted to lend the same functionality for everyone probably from user input. Good job Microsoft.

    We use SCCM for 98% of our deployment and patching. We've been fortunate to have a stable, well-documented methodology for deploying updates with SCCM. We only use our standalone WSUS for new Win7 deployments, not to blindly deploy updates to 1,000's of machines. We're talking about 1-2 a day at most.

    I'm glad you agree that being able to update what I want IS not unrealistic. When we deploy an image, we want it to have the latest Microsoft Security updates on it. That is realistic. Unless of course the update breaks something. That's what testing is for and we do a lot of testing before deploying our update. Those who don't are truly doomed. Well put on that point.


    Orange County District Attorney

    Monday, June 30, 2014 2:42 PM
  • I'm glad to hear that the 'bug' has been fixed with the Run Rule.

    There was never a bug in the "Run Rule" functionality. It works in WSUS v6.x and WSUS v3.2.7600.261 exactly the same way it worked in the original release of WSUS v3.0 in 2007.

    What leads you to believe there was a bug?


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Tuesday, July 1, 2014 11:57 PM
  • Well, then, the link to a forum post by none other than yourself led me to believe........just sayin' ;)

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/1376d4fe-adf5-49b3-93d8-e4db64eab7bf/wsus-30-sp2-automatic-approval-rules-bugs?forum=winserverwsus


    Orange County District Attorney

    Wednesday, July 2, 2014 2:22 PM
  • Well, then, the link to a forum post by none other than yourself led me to believe........just sayin' ;)

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/1376d4fe-adf5-49b3-93d8-e4db64eab7bf/wsus-30-sp2-automatic-approval-rules-bugs?forum=winserverwsus

    While the original poster claimed that such a bug existed, in fact it did not, and I thought I clearly stated that in that thread in my reply of Thu Jan 19.

    BUG 2: In the Automatic Approval Options Dialog, "Run Rule" does not Approve any Updates that already exist in WSUS.

    This most assuredly is not a true statement, as I have, on several occasions, used the option "Run Rule" to retroactively apply approvals to already synchronized updates.

    Furthermore, if you read all of the posts from that O.P., you'll perhaps find that the poster has a very misunderstood perspective on the use and operation of a WSUS Server. His intent was to download ALL of the binary files for ALL of the updates just in case "when manually updating any local system not connected to the Internet". Unfortunately, in that process he [a] missed the fact that there's a CHECKBOX option to do exactly that (although there's no sane reason to download 200+ GB of files these days), and [b] about 85% of those updates will NEVER actually be installed to any system at any time for any reason because they're superseded, so not only is it 200+ GB of file content, but about 170+ GB of totally useless file content.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA


    Friday, July 4, 2014 3:35 PM