locked
Updates approved under different RRS feed

  • Question

  • I brought up a new server (wsus2) to be replica with (wsus1), everything synch seems to be OK. I changed wsus2 to be primary to sync with MS and shutdown wsus1. Here come the problems

    1. Updates listed approved under local admin account on wsus1, how do I change it to admin account on wsus2?

    2. It seems those updates approved by admin (wsus1) are not installing on clients reported in wsus2

    3. Some clients reported Windows is up-to-date (ran Windows Update in controll panel) but manually check resulted 11 missing updates.

    Troubleshoot I have performed:

    1. GPO reflects correct wsus2 server

    2. Client registry key record correct wsus2 server

    3. Executed wuauclt /detecnow

    Nothing seems to work right, clients still report as 99% complete instead of 100. Any help is appreciated.

    Is there a way to force multiple wsus clients to check in?


    Thang Mo

    Friday, June 7, 2013 4:43 PM

Answers

  • 1. Updates listed approved under local admin account on wsus1, how do I change it to admin account on wsus2?

    I have no idea what this means. Approvals are not associated with a user account.

    2. It seems those updates approved by admin (wsus1) are not installing on clients reported in wsus2

    This would have absolutely nothing to do with who approved the update, but is more likely the case that the clients have not been properly configured to use wsus2 as their new WSUS server. (You've failed to expressly mention reconfiguring the clients in your migration process.) It could also be some other client-side communications issue. Standard WUAgent-to-WSUS diagnostics apply here, just like you would have used when originally deploying wsus1.

    3. Some clients reported Windows is up-to-date (ran Windows Update in controll panel) but manually check resulted 11 missing updates.

    Manual check with what? You cannot compare Windows Update to a WSUS Server, there are several differences between the update repository available at =WU= and the update repository available in a =WSUS Server=. These differences are discussed in several threads in this forum over the past few years.

    2. Client registry key record correct wsus2 server

    Excellent. That's a fact that matters.

    clients still report as 99% complete instead of 100.

    So we can infer here that the WUAgent is finding an update on the WSUS server that is Needed, but isn't finding that update via WU. It could be a non-Windows update (only available via MU). It also could be an update not available via WU/MU at all.

    In any event, this is an ancient behavior discussed multitudes of times in this forum... you have one or more updates that are NEEDED but NOT APPROVED. Sort the All Updates view by Approval="Not Approved" and Status="Needed" and approve (or decline) the update that is still needed and not approved!


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, June 8, 2013 7:50 PM
  • those 8 updates are approved by wsus1 admin account

    As previously noted, who approved the update is entirely irrelevant. Might I suggest these two resources to provide a better understanding of WSUS operations fundamentals:

    WSUS Overview -- actually the overview from v2, but the WSUS v3 documentation lacks the thoroughness of this document, and 90% of this document is still accurate for WSUS v3 (Ignore the parts about "Approve for Detection"... this function is enabled for all updates all of the time.)

    WSUS Operations Guide: Manage Updates -- an overview of managing updates and using the console


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, June 8, 2013 7:55 PM

All replies

  • I manually ran windows update on one client which reported in wsus2 for missing 8 updates. I ran updates all manually till there is no more updates, but wsus2 still report this client missing 8 updates, those 8 updates are approved by wsus1 admin account, is this possible the problem? thanks.

    Thang Mo

    Friday, June 7, 2013 4:59 PM
  • 1. Updates listed approved under local admin account on wsus1, how do I change it to admin account on wsus2?

    I have no idea what this means. Approvals are not associated with a user account.

    2. It seems those updates approved by admin (wsus1) are not installing on clients reported in wsus2

    This would have absolutely nothing to do with who approved the update, but is more likely the case that the clients have not been properly configured to use wsus2 as their new WSUS server. (You've failed to expressly mention reconfiguring the clients in your migration process.) It could also be some other client-side communications issue. Standard WUAgent-to-WSUS diagnostics apply here, just like you would have used when originally deploying wsus1.

    3. Some clients reported Windows is up-to-date (ran Windows Update in controll panel) but manually check resulted 11 missing updates.

    Manual check with what? You cannot compare Windows Update to a WSUS Server, there are several differences between the update repository available at =WU= and the update repository available in a =WSUS Server=. These differences are discussed in several threads in this forum over the past few years.

    2. Client registry key record correct wsus2 server

    Excellent. That's a fact that matters.

    clients still report as 99% complete instead of 100.

    So we can infer here that the WUAgent is finding an update on the WSUS server that is Needed, but isn't finding that update via WU. It could be a non-Windows update (only available via MU). It also could be an update not available via WU/MU at all.

    In any event, this is an ancient behavior discussed multitudes of times in this forum... you have one or more updates that are NEEDED but NOT APPROVED. Sort the All Updates view by Approval="Not Approved" and Status="Needed" and approve (or decline) the update that is still needed and not approved!


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, June 8, 2013 7:50 PM
  • those 8 updates are approved by wsus1 admin account

    As previously noted, who approved the update is entirely irrelevant. Might I suggest these two resources to provide a better understanding of WSUS operations fundamentals:

    WSUS Overview -- actually the overview from v2, but the WSUS v3 documentation lacks the thoroughness of this document, and 90% of this document is still accurate for WSUS v3 (Ignore the parts about "Approve for Detection"... this function is enabled for all updates all of the time.)

    WSUS Operations Guide: Manage Updates -- an overview of managing updates and using the console


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, June 8, 2013 7:55 PM