WSUS 3.0 SP2 - Workaround KB972493 update shows as 'Needed.'

    General discussion


  • I have recently observed my WSUS server reporting that some clients (Windows Server 2008 SP2) need the update "Windows Server Manager - Windows Server Update Services (WSUS) Dynamic Installer (KB972493)." The clients do not detect that they need this update, but the WSUS server labels the client as needing the update regardless.

    Similar behavior for the WSUS SP1 dynamic installer was seen in the past. See the Microsoft Discussion Forum public.windows.server.updates_services --- see the thread titled "WSUS 3.0 SP1 KB948014 shows needed even though roll is not install" for details.


    Regardless, here is the workaround:

    On the client machine, install the WSUS30-KB972455-x86.exe or WSUS30-KB972455-x64.exe, but select the "Administrator Console only" during the install. This will install the Update Services MMC on the machine, but not enable WSUS on the client itself. After this, the WSUS server should no longer show KB972493 as 'Needed' for these clients.


    • Edited by RJMPhD Thursday, October 29, 2009 12:32 PM Fixed terrible typo in post title
    Wednesday, September 02, 2009 1:20 PM

All replies

  • KB972445 only reports as NEEDED on *CLIENT* operating systems that already have the console installed. Installing the console on a client that doesn't need it is a pointless 'workaround' to a non-existent problem. Furthermore, it creates the risk of unnecessarily granting access to the WSUS Administration services that you might not want in the hands of an everyday user.

    As for the thread cited from the newsgroup -- that thread has absolutely nothing to do with WSUS3 Service Pack 2 or KB972455.

    That thread is about the unique circumstance where the DYNAMIC INSTALLER reports as NEEDED on a Windows Server 2008 SP2 system, or on a Windows Server 2008 SP1 system with KB940518 (the Server Manager update to allow WSUS as a role) installed. The WSUS3SP2 Dynamic Installer (KB972493) will behave in exactly the same way.

    I'd be interested in knowing more about the scenario in which you actually observed a Vista/Windows7 system report KB972455 as Needed when the console was not installed. (And consider the possibility that using the WSUS30-KB972455-x86.exe package merely upgraded an existing console to SP2!)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Wednesday, September 02, 2009 2:55 PM
    Moderator
  • All of my 2008 and R2 servers show in WSUS that they need the WSUS 3.0 SP2 Dynamic Installer update, but the servers themselves never detect it to download and install. None of these servers have any WSUS components installed. I understand that the Dynamic Installer update will update the installation files on the systems so that if you decide to install WSUS later down the road, it will be SP2. Not sure why the servers are not installing it. I remember this update coming out for SP1, and the servers did install that fine.
    Thursday, September 10, 2009 2:53 PM
  • > All of my 2008 and R2 servers show in WSUS that they need the WSUS 3.0 SP2
    > Dynamic Installer update, but the servers themselves never detect it to download
    > and install. None of these servers have any WSUS components installed.


    Correct, this is the BY DESIGN behavior.

    The updates are reported as "Needed" because the package flag isInstallable=TRUE.

    The updates are not detected/downloaded/installed by the WUAgent, because installation *requires* selection of WSUS as a ROLE via Server Manager in order to initiate installation.

    Dynamic Installer packages do NOT behave like conventional update packages do.


    > I understand that the Dynamic Installer update will update the installation files on
    > the systems so that if you decide to install WSUS later down the road, it will be SP2.

    You understand this incorrectly. The "Dynamic Installer" update is the actual WSUS3SP2 installer. It is used to actually install WSUS on a Windows Server 2008 system *when* WSUS is selected from Server Manager for installation as a Role. If the Win2008 system is configured to use WSUS and the Dynamic Installer is approved for installation in the WSUS catalog, the Win2008 system can obtain the package from the local WSUS Server. If the Win2008 system is not configured to use a WSUS Server, it will get the package from Microsoft Update. (I have not tested what happens if the package is Not Approved and an existing WSUS Server is already assigned, but my gut tells me the installation will fail and report it cannot find the needed content.)

    Installing the "Dynamic Installer" is installing WSUS. They are one-and-the-same activity. There is no "pre-staging" of the WSUS installation files, as it seems might be your understanding.


    >  I remember this update coming out for SP1, and the servers did install that fine.

    Do not confuse the =Service Pack= update package with the =Dynamic Installer= package. For WSUS3SP1 there was some propensity for confusion because they were both published with the same KB article reference number (KB948014).

    For WSUS3SP2 the two packages are published under different KB article numbers. The =Service Pack= update (KB972455) will detect on any existing installation of WSUS (Win2003, Win2008, Vista, Win7, except consoles installed on Windows XP).

    The =Dynamic Installer= (KB972493) will only detect on Windows Server 2008 systems, specifically:
    - All Windows Server 2008 R2 and Windows Server 2008 SP2 systems.
    - Any Windows Server 2008 SP1 (RTM) system which has KB940518 installed.
    but it will not download/install via conventional means of the WUAgent.
    You must use Server Manager to install KB972493 on a Windows Server 2008 system.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Thursday, September 10, 2009 5:29 PM
    Moderator
  • This may be by design, but, as referenced in the SP1 thread, many consider this unexpected behavior --- especially those who are using targeting 100% as an indication of whether or not machines on the network need an update.
    Friday, September 11, 2009 7:44 PM
  • I appreciate that the behavior is "unexpected" -- things change, things evolve, and we all have to be willing to adapt to NEW behaviors of the systems and technologies we use.

    Those who are using "targeting 100%..." are doomed from the start unless it is their intention of installing *EVERY* available update onto their systems.

    As I've said numerous other times before, there are some updates that will never be installed on my servers: Silverlight, IE7 on Windows Server 2003, IE8 on Windows Server 2008, .NET Framework v3.5 on servers that aren't running WCF/WWF/WPF applications, and I'm sure there are several others.

    The *normal* indication of a healthy WSUS server and patch environment can never be reasonably expected to be at 100% Installed/Not Applicable, unless all of those such updates (Silverlight, IE7, IE8, NET35SP1) are marked as DECLINED the day they arrive.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Saturday, September 12, 2009 2:09 AM
    Moderator
  • So the bottom line is that we need to file an RFE for WSUS that we get a column which states "xx% of Approved Updates have been installed".
    This would allow us to easily check if all our approved updates got installed, which is essentially what we want to achieve here.

    Right?

    Cheers
    Michel
    Tuesday, September 15, 2009 4:12 PM
  • > So the bottom line is that we need to file an RFE for WSUS that we get a column which states "xx% of Approved Updates have been installed".
    > This would allow us to easily check if all our approved updates got installed, which is essentially what we want to achieve here.
    >
    > Right?
    >
    > Cheers
    > Michel

    I agree --- I think this would be a welcome addition.
    Tuesday, September 15, 2009 6:14 PM
  • > So the bottom line is that we need to file an RFE for WSUS that we get a column which states "xx% of Approved Updates have been installed".
    > This would allow us to easily check if all our approved updates got installed, which is essentially what we want to achieve here.

    If you look at the WSUS SP2 Features and Fixes, you'll find that this capability has been added as a REPORT.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, September 15, 2009 7:41 PM
    Moderator
  • <sarcasm>which will take forever to load...</sarcasm>   :)

    thanks for the info.
    However, SP2 is not yet supported on System Center Essentials.

    But would be cool to have it as a column, too. Would be easier instead of generating reports.

    Cheers
    Tuesday, September 15, 2009 7:53 PM
  • Then do it the way we've been doing it for the past four years.. build a Custom Update View based on "Updates approved for a specific group", and pick the group(s) you want to include in the view.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, September 15, 2009 9:49 PM
    Moderator
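
Added example, not part of any post in this thread: the "approved updates only" view discussed above, computed per computer through the WSUS administration API from PowerShell. It assumes a WSUS administrator session on the WSUS server itself (or a machine with the administration console installed); the output column names are chosen here for illustration.

```powershell
# Added example (not from the thread). Reports, per computer, how many
# APPROVED updates are installed versus still outstanding.

# Load the WSUS administration API that ships with the server and console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect to the WSUS server on the local machine.
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Restrict the scope to updates whose latest revision is approved. Updates
# that are Not Approved or Declined are left out of every count below.
# Note: this filters on approval anywhere on the server; set
# $updateScope.ApprovedComputerTargetGroups to narrow it to specific groups.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates =
    [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

# Default computer scope: every computer registered with this server.
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

$report = foreach ($s in $wsus.GetSummariesPerComputerTarget($updateScope, $computerScope)) {
    # "Needed" in the console covers these four installation states.
    $outstanding = $s.NotInstalledCount + $s.DownloadedCount +
                   $s.InstalledPendingRebootCount + $s.FailedCount

    # Applicable = approved updates this computer either has or still needs.
    # NotApplicable and Unknown results are deliberately excluded.
    $applicable = $outstanding + $s.InstalledCount

    $pct = if ($applicable -gt 0) {
        [math]::Round(100 * $s.InstalledCount / $applicable, 1)
    } else {
        100   # nothing approved applies to this computer
    }

    New-Object PSObject -Property @{
        Computer         = $wsus.GetComputerTarget($s.ComputerTargetId).FullDomainName
        Installed        = $s.InstalledCount
        Outstanding      = $outstanding
        Failed           = $s.FailedCount
        PercentInstalled = $pct
    }
}

# Worst-patched computers first.
$report |
    Sort-Object PercentInstalled |
    Select-Object Computer, Installed, Outstanding, Failed, PercentInstalled |
    Format-Table -AutoSize
```

Because the scope only contains approved updates, a package left Not Approved or marked Declined does not lower the percentage for any computer.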
  • Boys let's get back to the REAL matter: Microsoft has made a mistake and we do have a WRONG behaviour: i've tried a few fresh clean installations of W2K8R2 and they all state that the "windows server update services 3.0 SP2 Dynamic Installer for server manager x64 Edition (KB972493)"  is needed, POINT!
    WE all pay good money for the sw, it's about time "Big Bill" fixes it and we can all go home, agree ??

    Wednesday, October 28, 2009 7:03 PM
  • Bagnoli

    This is not true.
    This is "Works as designed".

    This update is for the Server Manager which will be downloaded once you install WSUS 3.0 from scratch (it will install SP2 straight)
    This was the case with SP1, too.

    Try googling for it, and you will find an official statement from Microsoft.

    Cheers
    Thursday, October 29, 2009 6:16 AM
  • > Boys let's get back to the REAL matter: Microsoft has made a mistake and we do have a WRONG behaviour: i've tried a few fresh clean installations of W2K8R2 and they all state that the "windows server update services 3.0 SP2 Dynamic Installer for server manager x64 Edition (KB972493)"  is needed, POINT!
    > WE all pay good money for the sw, it's about time "Big Bill" fixes it and we can all go home, agree ??


    No, Microsoft has not made a MISTAKE!

    The behavior of the DYNAMIC INSTALLER is =BY DESIGN=, and it works just like any other bloody update in the system.

    1. If the update *CAN* be installed it is reported as *NEEDED* by the Windows Update Agent.

    2. If the admin *WANTS* the update to be installed, the admin marks the update as APPROVED.

    3. If the admin does not want the update to be installed, the admin either marks the update as DECLINED, or the admin *IGNORES* the update.

    The problem here is that a number of people seem to not understand the concept of a DYNAMIC INSTALLER package, or that DYNAMIC INSTALLER packages are *NOT* installed by the Windows Update Agent during a normal scheduled installation event. In the case of KB972493, the DYNAMIC INSTALLER is installed *WHEN* an administrator chooses to install WSUS on a Windows Server 2008 system as a Server Role.


    Otherwise, if you'd like to participate in this conversation intelligently, that's fine, but your last sentence is unnecessary, irrelevant, out-of-line, and isn't even based in any factual reality.

    Frankly, I'm tiring of this thread. The behavior is *BY DESIGN*, it's not -- never -- ever -- going to change, so the only solution here is:

    [a] Decline the update if you don't need to install WSUS3SP2 on Windows Server 2008 systems, or
    [b] Approve the update so that *WHEN* you do want to install WSUS3SP2 on a Windows Server 2008 system you'll actually be able to do this.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, October 29, 2009 6:19 AM
    Moderator

  • There seems to be a large number of users (including myself) that are surprised by this behavior. I would encourage Microsoft to usability test this behavior, and then revisit this design decision.
    Thursday, October 29, 2009 12:33 PM
  • Sorry Lawrence, no intent to offend anybody in any way,
    my last sentence was just a joke with the only intent to get to a solution, having said that:
    i still do not understand and it looks like, googling, i am not the only one ...,

    i do not argue about the fact that the behaviour is "BY DESIGN", but this DOES NOT MEAN it is correct !!??

    saying "it's not -- never -- ever -- going to change" is not just "unnecessary" is just wrong: You, Microsoft are GOD ?
    if not you can make mistakes as we all do, just accept it, may be this is not the case, but please consider it (thanks)

    1. If the Windows Update Agent reports an update as *NEEDED* You say it is because it *CAN* be installed (so far so good)

    2. if the administrator APPROVES it, a simple normal and expected behaviour is that the update WILL BE INSTALLED! HAS TO BE !

    As far as i'm concerned (googling the web is not just my concern ..) the RIGHT behaviour is what normally happens:
    let's use a simple example assuming there is a sql2005 patch:

    - different servers on the same group
    - only 2 have sql2005 installed
    - the admin APPROVES the patch for the group
    - only those 2 servers will report needing that patch
    - ALL THE OTHERS WILL NOT REPORT ANYTHING ABOUT THAT PATCH and get the green light without any problem

    BY DESIGN OR NOT THIS IS IT,
    this has been going on for long,
    there's no need to be that smart to understand this
    this is what we, administrators, are looking for,
    can you get it now? still tiring ?? hope not
    warm regards
    ciao

    Thursday, October 29, 2009 6:37 PM
  • > saying "it's not -- never -- ever -- going to change" is not just "unnecessary" is just wrong: You, Microsoft are GOD ?

    <sigh>...  I'm not "Microsoft". I'm not a Microsoft employee. I'm an independent consultant, who *VOLUNTEERS* time to answer questions in this forum. The answers you get from me have no "spin" on them. They're an accurate reflection of reality as I see it based on five years of experience working with WSUS and the WSUS team.

    While I grant that a lot of people think the behavior is "wrong", the fact is that the update behaves *EXACTLY* as Dynamic Installers are designed to behave. The fact that most people complaining that the behavior is "wrong" don't actually have any real experience working with a Dynamic Installer probably complicates the perceptions.


    > 2. if the administrator APPROVES it, a simple normal and expected behaviour is that the update WILL BE INSTALLED! HAS TO BE !

    And this is the great fallacy of this whole discussion. The behavior of Dynamic Installers is *DIFFERENT* _BY DESIGN_ than normal updates. So.. NO.. you *cannot* expect that the update will be installed just because you've approved it. That is not the DESIGNED behavior of these updates.

    > BY DESIGN OR NOT THIS IS IT,
    > this has been going on for long,

    Actually, based on my observations, there are only two products that currently have a Dynamic Installer:
    Internet Explorer 8
    Windows Server Update Services

    so to claim this has been going on "for long" is simply not a true statement. WSUS v3 SP1 introduced the use of the Dynamic Installer in January, 2009. Prior to that time there were =ZERO= Dynamic Installers released via WSUS (there weren't any even published in the MU catalog), so *nobody* has any experience with Dynamic Installers prior to a month ago, except for that presented by Windows Server Updates Services. Since WSUS *is* the product, you can rest assured that the behavior of the WSUS Dynamic Installer in the *WSUS* product is exactly how it's designed to behave.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, October 29, 2009 10:19 PM
    Moderator
  • I do know you're not a Microsoft employee and i can only thank you for what you're doing,
    i'm just technically arguing, nothing personal.

    I do believe You saying that "update behaves *EXACTLY* as Dynamic Installers are designed to behave",
    i probably do not have experience with Dynamic Installer, i can live with this,
    i'm just talking about a behaviour i do think (and i'm not the only one) is WRONG for my (our??) needs!
    when i say it's been like ( I want/like/should be) this for long time, i'm talking not just about IE8 or WSUS,
    i'm talking about hundreds of updates to deploy/install;
    i (we) need the Windows Update Agent to work in a "legacy" (if you like) mode.

    The idea  of Dynamic Installer itself might be fantastic, but in the real world here in the field (it is 20 minutes past midnight and i'm still working ...)
    i (we) need something that is easy to use, i need something that helps me out to do my job better and faster,
    i do not need complicated technology if i think it does not help me;

    I am with RJMPhD: "I would encourage Microsoft to usability test this behavior, and then revisit this design decision",
    help me (us) understand why the behaviour i described with an easy example is wrong !!
    What is the target? have all my servers (and client) patched! i do need the green light.

    I may easily be wrong but there are 100 servers here waiting to migrate to Win2K8R2,
    i do need things to go easy and not new technology that prevents me from getting the green light from a server
    that has installed ALL updates it needs for what it has installed!

    Nice talking anyway

    Ciao
    Thursday, October 29, 2009 11:37 PM
  • Okay... I hear what you're saying....

    but e'splain me this please....

    How is KB972493 any different from
    Silverlight (for Windows Server),
    or Internet Explorer 7 for Windows Server 2003
    or Internet Explorer 8 for Windows Server 2003
    or Internet Explorer 8 for Windows Server 2008
    or .NET Framework v3.5 for Windows Server 2003

    Do you install *every* available update to your servers? (Regardless of whether you *need* it or not?)
    And if not, what is the current status of the IE8 for Windows Server 2003 update on your WSUS server?
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, October 30, 2009 4:32 AM
    Moderator
  • I do not pretend to be able to answer all your questions ..., let me try anyway:

    As far as i know/understand/concerned Silverlight, Ie, .NET are all the same,
    here the real world:

    1. All server are Win2K3R3 (English language) (in a group)
    2. All on the same group (Win2K3R3EN)
    3. Different roles: Dc, Sql, Web server, File server , etc...
    4. If an update is required/necessary even because only 1 server needs it in the group, which means all have the green light but 1 ...
    5. i DO approve the update for the Group!
    6. Nobody complains
    7. The one that needs the update downloads and installs the update and get the green light
    8. All other server do nothing, or better:
    9. Approving the update for the Group has never affected the other servers, the agent (i think) just "understands"  what is going on and probably thinks "i do not need that update so i ignore it, lets report back to WSUS i'm ok, green light"

    So:

    • i DO APPROVE every updates for all server but mind you:
    • in any group all the server have exactly the same operating system, same language as well
    • and i never ever had  any problem at all because of this
    • THIS is what has been going on for a long time,
    • THIS is what i need/want/like

    Hope to have made my point (as simple as it is)

    Ciao

    Friday, October 30, 2009 1:05 PM
  • Sorry for typing R3 instead of R2

    bye

    Friday, October 30, 2009 1:07 PM
  • >  i DO APPROVE every updates for all server

    Well, then, this is the difference between you and the rest of the world.

    You're installing everything everywhere (even if it's not actually needed) and now you're inconvenienced and challenged by the fact that *ONE* update (actually, two, if you include the IE8 Dynamic Installer) is going to show as NEEDED forever, because every other update on your system (including those several you probably did not need to install) have been installed and now show as Installed/Not Applicable.

    The rest of the world understands that there will always be some updates which are not going to be installed to some machines, even though they're "Applicable". On my server I have about a half dozen updates that are Not Installed/Not Approved, and that's intentional. The fact that they're not reported as "Installed/Not Applicable" is an accurate reflection of reality.


    >and i never ever had  any problem at all because of this
    >THIS is what has been going on for a long time,
    >THIS is what i need/want/like

    So, yes, I understand this is what you've been doing. The challenge you're running up against now is that:
    [a] You've been installing everything everywhere -- which is not a design premise of WSUS. (Organizations or Persons who wish to install everything everywhere should skip the overhead of managing a WSUS Server and just point those machines at Automatic Updates -- which is explicitly designed to install everything everywhere.)

    [b] Now when there's actually an update that you cannot apply the philosophy of "everything, everywhere" to, you're blaming the product for being defective, rather than accepting the possibility that maybe your processes and procedure are flawed (or at least the primary contributing factor to what it is that you do not like).


    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, October 30, 2009 10:18 PM
    Moderator
  • "Well, then, this is the difference between you and the rest of the world.":
    May be but i do know many other administrators that do as i do!

    "You're installing everything everywhere (even if it's not actually needed)":
    Not really: only if that specific update DOES patch a software that is installed on that system,
    - if a sw (or a feature) is installed it is because i DO need it to be installed, if not it would not be there
    - i install on my server ONLY what i REALLY need and disable all services i do not need
    - and i install /approve those patches ONLY after they've been tested in the lab to make sure they do not cause any problem
    - if there is a problem i do contact Microsoft support and they plot out a solution for me as soon as they can, they are there for this purpose: support US.

    "and now you're inconvenienced and challenged by the fact that *ONE* update (actually, two, if you include the IE8 Dynamic Installer) is going to show as NEEDED forever":
    i may be wrong ..., so far even IE8 is installed on my servers (cause in the lab it was 100% ok) and ie7 is not there anymore, IE8 is out and  so far there is no patch showing as NEEDED forever !? all server and client have the green light !

    "because every other update on your system (including those several you probably did not need to install)":
     i (we) do check all patches that WSUS offers to my servers and so far i've found a good job to install them all,
    even Microsoft normally (i'm tempted to say ALWAYS ...) advises, in different manners, to install them, so why not ??

    "The rest of the world understands that there will always be some updates which are not going to be installed to some machines, even though they're "Applicable". :
    Again: NOT the entire rest of the world, but could you give me (us) some example of patches that are flagged as needed but you do not install??
    Sorry but i may be getting lost ... i apologize

    "(Organizations or Persons who wish to install everything everywhere should skip the overhead of managing a WSUS Server and just point those machines at Automatic Updates ":
    - That would mean all machines (servers and clients, thousands!), will go to internet and generate network traffic when they can easily go to an internal server, the only one that downloads all patches at once for everybody !!?? WHAT A WASTE OF EXPENSIVE NETWORK BANDWIDTH! don't you think ??
    - if you do not use an internal WSUS how do you know that some servers or client have a problem and cannot be fully patched, i.e.: get maximum security ??, internal WSUS does give me reports all the time so that i can check!, would you just rely on the fact that your client go to Microsoft update and forget about them??

    As far as i am concerned i do have enough reasons to use an internal WSUS

    "Now when there's actually an update that you cannot apply the philosophy of "everything, everywhere" to, you're blaming the product for being defective":
    NOOOOOO!
    Mind You: I've never said it is defective, i said i do not agree with that philosophy!

    "rather than accepting the possibility that maybe your processes and procedure are flawed"
    NOOOOOO!
    (again)
    This was you saying "The behavior is *BY DESIGN*, it's not -- never -- ever -- going to change" without accepting to RE-consider the "by-design" behaviour that could not be the best solution (as others have pointed out to you !)

    i've always said and i do repeat it: i am not GOD, i may easily be wrong, but i do need to understand if i am wrong or not so that i can improve myself,
    my processes and procedure can easily be flawed/wrong!,
    if for a second i'd thought i'm 100% right i would not even read/participate in this discussion,
    but i am here because i do think i could be wrong and i do want/need/like to confront with the rest of the world where i've always found people smarter than me (and i do believe it will always be);
    or may be it's not just a matter of being wrong or right, but the real matter could be discussing which solution could be the best ( if there is one ..),
    and i'm aware of the fact that we could end up that what is the best for me is NOT the best for you and viceversa!
    and if this happens i'll be happy, as long as i understand that the fact that others do differently does not mean i'm doing something wrong,
    just different solution for different environment

    Thanks for your point
    Ciao


    Saturday, October 31, 2009 4:46 PM
  • Lawrence,

    I am reading both your arguments about it and I understand that this is the way Microsoft designed the dynamic updates to work, I think Bagnolim also sees that.
    What the issue is, is the fact that a percentage of administrators group their servers by type of OS and not necessarily by role.
    I also am one of those that group by OS and have this problem and it bugs the heck out of me not to see a zero next to the Server in the list.
    What Bagnolim is stating is that he (we) want the system to change how it does it to work for us and others that group by OS.
    Correct me if I am wrong Bagnolim, but what we are asking (and I know it is not your choice Lawrence, you are just stating how it is currently);

    When a Server has the role installed and the update is needed for that role, it will show up as needed, if the server does not have that role, then it won't show up, even if it is approved for that server.

    All in all, Lawrence you are correct in stating how it is and are either approving of this way or are powerless to change it, all you can do is argue the point of how it is.
    Bagnolim, you are arguing with Lawrence on how you and I want to see the system work to make our lives easier, but unfortunately Lawrence has no ability to change this, he is just a volunteer helping with his expertise on the Microsoft product.

    Basically as a vote I would want Microsoft to change its ways on this.

    +1

    Saturday, October 31, 2009 9:00 PM
  • Correct Emmerdale1, this is the way i (we) work,
    hope microsoft will move to re-consider

    Thank you all, guys

    ciao
    Saturday, October 31, 2009 9:47 PM

  • > "(Organizations or Persons who wish to install everything everywhere should skip the overhead of managing a WSUS Server and just point those machines at Automatic Updates ":
    > - That would mean all machines (servers and clients, thousands!), will go to internet and generate network traffic when they can easily go to an internal server, the only one that downloads all patches at once for everybody !!?? WHAT A WASTE OF EXPENSIVE NETWORK BANDWIDTH! don't you think ??

    That's what a PROXY Server is for!
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Sunday, November 01, 2009 5:34 AM
    Moderator

  • > "(Organizations or Persons who wish to install everything everywhere should skip the overhead of managing a WSUS Server and just point those machines at Automatic Updates ":
    > - That would mean all machines (servers and clients, thousands!), will go to internet and generate network traffic when they can easily go to an internal server, the only one that downloads all patches at once for everybody !!?? WHAT A WASTE OF EXPENSIVE NETWORK BANDWIDTH! don't you think ??
    > That's what a PROXY Server is for!
    > Lawrence Garvin, M.S., MCITP:EA, MCDBA
    > Principal/CTO, Onsite Technology Solutions, Houston, Texas
    > Microsoft MVP - Software Distribution (2005-2009)
    > My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    > My Blog: http://onsitechsolutions.spaces.live.com

    I are 100% right, but as i pointed out this is not the only reason,
    Status of the machines is the most important thing (AKA Reports), a proxy does not do it
    bye
    Sunday, November 01, 2009 3:20 PM
  • I meant "YOU" are 100% right ....

    ciao
    Sunday, November 01, 2009 3:20 PM

  • "(Organizations or Persons who wish to install everything everywhere should skip the overhead of managing a WSUS Server and just point those machines at Automatic Updates ":
    - That would mean all machines (servers and clients, thousands!), will go to internet and generate network traffic when they can easily go to an internal server, the only one that downloads all patches at once for everybody !!?? WHAT A WASTE O EXSPENSIVE NETWORK BANDWIDTH! don't you think ??
    That's what a PROXY Server is for!
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com

    And more: if you use a proxy instead of WSUS, and one day, as an example, a new Windows XP SP2 client is connected, will this proxy still have SP3 in cache?
    WSUS DOES! I.e. WSUS has all the patches I need ready to be downloaded even if the internet connection is not running, and normally it will "tell" the client's agent "here it is, get it and install".
    NO: Proxy server is not the right "cacher" of all those patches, WSUS has been created for that purpose
    bye, ciao
    Sunday, November 01, 2009 9:07 PM
  • Allow me to interject my two cents here.

    It looks to me that BagnoliM's viewpoint is coming from the fact that he uses WSUS as both a software/patch installation tool and a SECURITY reporting tool to generate reports on how up-to-date his machines are.

    That is just plain wrong.

    WSUS is simply a software/patch installation tool.  That's it.  The reports from WSUS are only valid in the realm of WSUS.  You CANNOT prove that your machines are up-to-date and secure from a WSUS report simply because the ONLY thing that WSUS can report on is how well WSUS is working for machines that are using WSUS.

    If you're using WSUS as a security reporting tool, I HIGHLY recommend you stop using it that way and start using an actual security reporting tool.  You can start with the Microsoft Baseline Security Analyzer and see if that works for you.  It makes lots of great reports and will actually give you MUCH more security information on your computers than the WSUS reports will.  It can also help you identify problems with WSUS itself and the way it's configured.  If you need more than MBSA offers, there are also many 3rd-party products available.

    Using an additional security reporting tool will actually give you a security report instead of just telling you how WSUS is doing with installing patches.
    Monday, November 02, 2009 10:50 PM
  • Allow me to interject my two cents here.

    It looks to me that BagnoliM's viewpoint is coming from the fact that he uses WSUS as both a software/patch installation tool and a SECURITY reporting tool to generate reports on how up-to-date his machines are.

    That is just plain wrong.

    WSUS is simply a software/patch installation tool.  That's it.  The reports from WSUS are only valid in the realm of WSUS.  You CANNOT prove that your machines are up-to-date and secure from a WSUS report simply because the ONLY thing that WSUS can report on is how well WSUS is working for machines that are using WSUS.

    If you're using WSUS as a security reporting tool, I HIGHLY recommend you stop using it that way and start using an actual security reporting tool.  You can start with the Microsoft Baseline Security Analyzer and see if that works for you.  It makes lots of great reports and will actually give you MUCH more security information on your computers than the WSUS reports will.  It can also help you identify problems with WSUS itself and the way it's configured.  If you need more than MBSA offers, there are also many 3rd-party products available.

    Using an additional security reporting tool will actually give you a security report instead of just telling you how WSUS is doing with installing patches.

    Thanks CitizenRon,
    I do agree with your point of view:
    if I used WSUS as THE ONLY reporting tool it would be wrong, 100%,
    in fact I'm not (GFI is there as well as something else . . .),
    but we've been double checking the reports from WSUS about patched systems and so far we have found that if we get a green light that's really true!,
    if we do not get a green light then we immediately go deep to see what problem we have and fix it;
    of course every now and then we do scan systems even with a green light, just in case ..;
    in other words: I still find WSUS very useful as a first line of automatic, inexpensive report tool as well and we are very happy about this,
    hope Microsoft will continue to support and improve it the way I (we) like
    Thanks again for your contribution
    ciao
    ciao
    Tuesday, November 03, 2009 11:56 AM
  • Wow. This is fun.....

    I'd like to summarize (again) the multiple points of view.

    Frankly, Lawrence, it is your arrogance that has offended people. I am offended. You cannot possibly speak to what 'the entire world' wants and your obstinate belief that you do and subsequent refusal to accept what others wish to do as an acceptable option for them, or allow for the fact that Microsoft changed the behavior of WSUS and some WSUS users find this new behavior problematic, is offensive. You do not speak for me, nor for others that have participated in this forum, so therefore, you can't possibly decree what is normal, acceptable, or desired for the entire world.

    Also for the record, no, Proxy servers do NOT work as you have described. WSUS was created for, among other reasons, downloading and managing updates from one machine rather than from dozens or hundreds. Also, Windows Update will only automatically install critical updates, and WSUS allows for a much broader set of updates to be managed, and usually very well.

    I use WSUS to keep several dozen machines in a lab up to date. WSUS greatly reduces the workload and I appreciate it. I also chose to install all patches/features/etc. (well, for the products I chose) because that was the easiest way to both keep everything updated that I chose to allow to be installed, as well as install new features without having to deal with the granularities. Others choose different options and styles based on their needs and requirements.

    Regardless of how any administrator chooses to use WSUS, the original behavior (of only tracking and reporting any update as 'needed' when it was actually available and could be installed by WSUS) has been modified by the introduction of Dynamic Installers and this is what people are having a hard time with, including me. Personally, I don't understand why Dynamic Installers are treated by WSUS as any other product update would be nor why a different status of 'Available Option' or something wasn't added so that WSUS administrators had the choice for how to handle something that was not a 'pushed' update. Dynamic Installers are 'pulled' optional features that leverage the Role/Feature options of Windows Server 2008. Lumping the Dynamic Installers in with the rest of the normally-pushed-by-WSUS patches and releases causes not only the normal WSUS reporting techniques to not work as expected, but the Windows Update clients on the machines don't work as expected, meaning that when I approve something to Install, it Installs, dammit!

    Yes, some WSUS administrators would like for Dynamic Installers to be handled differently by WSUS. Eventually they might. No, we don't expect Lawrence to enact those changes.

    There is another option, at least for now: Disable the Dynamic Installer feature downloads in WSUS. Now, Microsoft stupidly lists these as Products instead of adding a separate Dynamic Installer category, which is what I think would work better for everyone.

    You can also simply decline those Dynamic Installer updates (as has been suggested). Personally, I'm going to stop allowing WSUS to download Dynamic Installers because that is NOT WHAT I WANT TO USE WSUS TO DO!

    Microsoft, are you listening??
    Friday, November 06, 2009 7:31 PM
  • The argument being made on this update is the same as marking all my servers as needing Office 2007 SP1 - just in case I later decide to install Office 2007.  It's putting the cart before the horse.

    If I install WSUS then, and only then, show updates needed for WSUS.  And you argue that it is showing this because it shows all updates that "can be installed".  But it can't be installed.  It doesn't get installed.  The server won't take the install because you can't update WSUS when WSUS isn't installed.
    Sunday, November 08, 2009 8:17 AM
  • The argument being made on this update is the same as marking all my servers as needing Office 2007 SP1 - just in case I later decide to install Office 2007. 
    No, it's not.

    First, you don't mark a computer as "needing" an update, the WUAgent reports it as FACT; you merely authorize the installation of that update.

    Second, unless you already had Office 2007 installed, the WUAgent would never report Office 2007 SP1 as "needed".

    Third, the great misunderstood point here is that the Dynamic Installer technology is not an "update", it is an APPLICATION, which supports a FRESH installation on a machine that does not yet have that application installed. It is a *NEW* use of WSUS, to distribute Server Applications, and it's unfortunate that so many people are freaking out that somebody has moved their cheese.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Sunday, November 08, 2009 3:29 PM
    Moderator
  • The argument being made on this update is the same as marking all my servers as needing Office 2007 SP1 - just in case I later decide to install Office 2007. 
    No, it's not.

    First, you don't mark a computer as "needing" an update, the WUAgent reports it as FACT; you merely authorize the installation of that update.

    Second, unless you already had Office 2007 installed, the WUAgent would never report Office 2007 SP1 as "needed".

    Third, the great misunderstood point here is that the Dynamic Installer technology is not an "update", it is an APPLICATION, which supports a FRESH installation on a machine that does not yet have that application installed. It is a *NEW* use of WSUS, to distribute Server Applications, and it's unfortunate that so many people are freaking out that somebody has moved their cheese.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com


    I do welcome a NEW use of WSUS to distribute applications !! as long as ....
    1.) the normal behaviour with "normal/legacy" patches does not change
    2.) Microsoft makes the needed changes so that we can easily handle the new (welcome) feature
    3.) this new feature is very well documented (maybe it already is and I missed it, if anyone knows the link please point it out)

    Hope Microsoft will listen to us
    "Microsoft are you there ??"

    Thanks everybody,
    ciao

    Monday, November 09, 2009 4:40 PM
  • Lawrence is right; this is a case of someone moved our cheese.  The problem, as it seems to me, is that they moved our cheese for the sake of moving our cheese.  They didn't add anything to it.  They didn't make it better.  They simply moved it.  It reminds me of many of the changes in Vista/Windows7/WMP11 and 12 where Microsoft changed things for the sake of change.  If sales get flat then you have to change something just to increase sales.  It isn't that the new thing is better; it's just new.  Moving the cheese.
    Monday, November 09, 2009 4:55 PM
  • Wow, this is definitely an interesting one! I wanted to throw a different light on this to see if we can all finally agree there is something not quite right:

    Lawrence, I think the key point here is that this is, as you say, a new application not an update. Fine, however as such how can it ever be NEEDED? It can only ever be Wanted or Optional. People may want to approve the dynamic installer so that it is available to the servers, however once it is approved to be installed it should not be classified as needed and preventing a green light.

    I have been through the exact same argument with Silverlight, which in the end I got bored of the argument. In my case that kept showing up as needed as well for computers that do not meet the hardware prerequisites for install. I simply wanted to approve the install of Silverlight for all my desktops/laptops and was very surprised to find out that WSUS kept saying needed on tablet PCs when the installer itself would bomb out saying the hardware was not able to run it - if the hardware can't run it, it should NOT be NEEDED! In the end I do not have the time to be a crusader and had to change my grouping strategy just for silverlight. Is this now what we have to do for Dynamic Installers?

    As has already been mentioned BY DESIGN does not mean right, as a very minimum the design here is grammatically incorrect. The design of this is currently flawed, you should not have to change your grouping strategy to get a green light simply because not enough thought has been put into some of the WSUS packages. Personally I want to achieve 100% as an indication that everything I APPROVE to be installed has been successfully installed. For the most part this has worked, so far there are two exceptions I have come across, this one and SilverLight. I do not approve everything automatically, I use groups to distribute what I want, to where I want, and have achieved 100% quite happily with these two exceptions. In both cases if the packages had been thought about more thoroughly I would not have found issues with them in WSUS and would not have to waste my time looking round to find out why they show up as needed and don't simply get flagged as not-needed or something else more pertinent.

    As you say you are not Microsoft and cannot influence them, I would suggest that also means you cannot speak for them in saying it is *BY DESIGN*, it's not -- never -- ever -- going to change. Microsoft do need to look at this thread and listen to what people are saying, WSUS is still evolving and has improved a lot since its inception however it is not perfect and the design WILL change further as the product evolves, this thread needs to be considered in that process.

    Essentially all people are looking for here is recognition of the fact something is not quite right with this approach for Dynamic Installers and a rethink is necessary before we start getting more OPTIONAL components showing up as NEEDED and causing us all to spend more time investigating/administering it than would otherwise be necessary. Until that happens I will be declining Dynamic Installers as there is currently no advantage in approving them.
    Friday, November 13, 2009 12:08 PM
  • Lawrence, I think the key point here is that this is, as you say, a new application not an update. Fine, however as such how can it ever be NEEDED? 
    <sigh>

    The problem *here* is your literal interpretation of the word "Needed", rather than understanding what that label actually means and not getting caught up in the pedantic details.

    The Windows Update Agent, in combination with the package metadata, tests for two things:

    1. Whether the update isInstallable (true | false).
    2. Whether the update isInstalled (true | false).

    If an update isInstallable and NOT isInstalled, the WSUS server reports that update as "Needed".
    Other applications may use a different keyword, such as "Not Installed"
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, November 13, 2009 4:15 PM
    Moderator
  • In my case that kept showing up as needed as well for computers that do not meet the hardware prerequisites for install.
    Since there are *NO* facilities in the Windows Update Agent or the SDP XML schema definition for package metadata for testing for "hardware requirements", you must understand that this is where the bridge between technology and humanity crosses the road. It's the responsibility of the WSUS Administrator to appropriately group systems and approve updates so that updates are installed where appropriate.

    For technical details on how these metadata applicability decisions are made, review these two Microsoft library collections:
    WSUS API: Creating Update Metadata
    SCUP: Updates Publisher Rules
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, November 13, 2009 4:22 PM
    Moderator
  • Lawrence, I think the key point here is that this is, as you say, a new application not an update. Fine, however as such how can it ever be NEEDED? 
    <sigh>

    The problem *here* is your literal interpretation of the word "Needed", rather than understanding what that label actually means and not getting caught up in the pedantic details.

    The Windows Update Agent, in combination with the package metadata, tests for two things:

    1. Whether the update isInstallable (true | false).
    2. Whether the update isInstalled (true | false).

    If an update isInstallable and NOT isInstalled, the WSUS server reports that update as "Needed".
    Other applications may use a different keyword, such as "Not Installed"
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com


    Here we are again: "If an update isInstallable and NOT isInstalled, the WSUS server reports that update as "Needed".
    If an update is reported as isInstallable to this DOES MEAN that if I approve it the update MUST BE INSTALLED!
    but this is NOT the way it does! So put in a way or another either the Windows Update Agent and / or the WSUS are doing something wrong,
    i keep not understanding why i am so stupid not understanding ...???

    Let's keep the  focus on this!:
    -  NEEDED at the end i approved MUST be installed and get the green light!
    -  NEEDED and after I approve it but the update is not installed DOES MEAN the Server DOES NOT NEED IT

    If I am wrong (could easily be) please someone help me
    (but it looks like i'm not the only one ..)

    Thanks everybody

    Monday, November 23, 2009 1:15 PM
  • Here we are again: "If an update isInstallable and NOT isInstalled, the WSUS server reports that update as "Needed".
    If an update is reported as isInstallable to this DOES MEAN that if i approve it the update MUST BE INSTALLED!
    Nope. It doesn't.

    But you have assumed that to be fact, and that's where the challenge exists.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, November 24, 2009 2:56 AM
    Moderator
  • Here we are again: "If an update isInstallable and NOT isInstalled, the WSUS server reports that update as "Needed".
    If an update is reported as isInstallable to this DOES MEAN that if i approve it the update MUST BE INSTALLED!
    Nope. It doesn't.

    But you have assumed that to be fact, and that's where the challenge exists.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com

    I do agree about the challenge, it looks like I'm not the only one with this assumption,
    and it looks like I am not the only one that would prefer "the easy way"
    Can we have Microsoft hear our wishes??
    ciao
    Wednesday, December 02, 2009 5:19 PM
  • I can't believe I actually read this whole thing, but like some sort of train wreck, I couldn't look away...

    Lawrence - I honestly think we could put this whole thing to rest if you can just accept the fact that, while you are technically correct (I don't think anyone is arguing that), the behavior of these dynamic installers, even if they are working as designed, does not fit the needs of most users.

    I would consider our WSUS implementation to be a fairly typical one.  We use group policy to apply all our update settings to all our computer objects, including their group membership.  Computer is joined to the domain, moved to the proper OU, and *BAM* the updates flow.  It's beautiful... especially for a company that used to manually patch their 500 PCs via Windows Update.  So, in other words, they didn't get patched.  In the past 9 months we've gone from only 30% of our clients (the newest ones) having XP SP3 installed to 97% (the stragglers are mobile laptops that rarely connect).  

    The % Installed/Needed and Needed Count columns are an incredibly useful, quick and dirty way to get an idea of your systems' update status.  I realize there are better tools (MBSA) for this, and that I may not be using WSUS as Microsoft intended, but whether I'm using WSUS 100% as it was intended to be used or not is irrelevant, really.  I believe that I am using this tool like most administrators - and, up until the update/patch/installer (whatever you want to call it) that sparked this thread arrived, everything about WSUS made sense.  

    Think about it.  You see a pie chart... green=good, yellow=warning, red=bad.  Right?  So simple... my boss even understands it!  If all my 2008 servers show yellow, the logical reaction would be to assume they need attention.  Up until this update (that's the classification), this was true (in practice).

    Can I decline this particular update?  Sure.  I only have 1 WSUS server.  I can install the update manually.  But I don't want to decline it.  What if I install additional WSUS servers down the road (which we're looking to do)?  What if I worked in a larger environment with many WSUS boxes?  I don't think declining it is the answer.

    I could create a separate OU (and, thus, WSUS computer group) for my WSUS servers.  But, I don't really think that helps me... from what I've seen, if I approve an update for just a few groups, it will still show as needed by the other groups because it still, is, technically needed by them, right?  I don't use WSUS this way really, so I'm not sure, but if I'm right then that solution doesn't get me anywhere either.

    So it's decline or deal with every applicable server needing 1 update.  Sorry, that just doesn't make sense to me - whether that's how it was designed or not.

    Yes, we do approve pretty much every update for both servers and workstations.  When we don't approve one, though, it usually isn't just an exception for a handful of machines - it's because of a larger issue that prevents us from rolling out the update to all computers.  So, when it comes to the other dynamic installers - IE8, Silverlight - yes, those were rolled out to all machines.  All machines were able to successfully install them.  So I get my 100%'s and 'green=good' status.  Makes sense.  The yellow (<100%) ones?  Oh, they still need IE8.  This is how some (many?  most?) are using WSUS... doesn't seem wrong to me.

    I guess the bottom line (took me a while to get here) is that maybe it doesn't make sense for Microsoft to release dynamic installers via WSUS that wouldn't be deployed across all (or most) computers.  To me, the exceptions should be the minority of machines that don't get the update report an issue, rather than the other way around.  Hopefully that makes sense.

    So, again, Lawrence - I (we) appreciate your feedback and expertise.  Your explanations did help me realize that, essentially, there's nothing I can do about how things are reporting if I continue to use WSUS the way I am.  I (we) just don't like how it works, and hope that someone out there is reading this and figures out a better way of doing it.
    Wednesday, December 16, 2009 8:58 PM
  • Hi all!

    Lawrence, i technically agree to your point, not to approve every update and manage Systems by their role.
    But your "the whole world" argument is not coherent. After spending an hour (or so) for reading the whole thread i found nobody who likes the behavior Dynamic Installers came up with or agreed to your way of using WSUS.
    Maybe all the users in this thread, who complained about the behavior, use WSUS different to how Microsoft WSUS Product Managers intended to use it.
    But: If someone in 1982 would have stated that Computers would ever have more than 640kb RAM nobody would have believed.
    SMTP was never intended to be used to transfer files, and so on.

    When we come down to a Small Business Server 2008 things become a little different to what Dynamic Installers were designed for.
    I'm stuck here on a 2008 SBS - The decision towards it was made before I came to that particular job and I can personally live with that.
    And sure, I can explain to my bosses why the network status mail they receive every day shows yellow instead of green.
    But actually I don't want that. And I don't want to explain to any customer why things go yellow instead of green.

    Yes, I can go and change the settings of WSUS manually but then I lose the state of updates in SBS Console and that is the tool customers use, when managing SBS2008.

    The result of that is, that yellow states lose the state of attention they should have to admins.
    When updates are always yellow I will one day stop investigating what's wrong.

    Here is my vote:
    Change the behavior!
    The particular installer should ask the local WSUS Server for a Dynamic Installer Update when it is started.

    Kind regards and thanks to all of you for this nice discussion - especially to Lawrence who defends his statement very bravely.

    Christian
    Monday, December 21, 2009 4:02 PM
  • There was a particular reason why we decided to install WSUS in our environment - to be able to see which server(s) require updates. Now we also see there are some servers which conditionally require updates, and it gets more complicated this way. So I vote for making dynamic updates NOT NEEDED if the role is not installed. That would make life a lot easier for us admins.
    Monday, December 21, 2009 4:15 PM
  • Great Thread, haven’t read it all (Not enough Time) so my apologies if what I'm about to write has already been stated.

    I'm going to change my behaviour around WSUS. And I'm going to do it without whining about it because judging by the length of this thread it's not going to get me anywhere! 

    Up until now I've been logging into the console and looking at Computers View to see where I'm at.

    This doesn't work for me anymore and by all accounts it's not how MS intended WSUS to be used.

    Instead I'm going to Decline the Dynamic installer Updates and then totally ignore the yellow Exclamation Marks on devices that tell me an Update is needed even though I've declined it and the client doesn't actually want to install it. (Sarcasm….not whining……I think!)

    This is going to be very hard for me because I am (like a lot of you out there) a little bit obsessive compulsive about having a page full of Green Ticks. I think for a lot of us it feeds into our sense of challenge or Ego to obtain “All Green”. To have MS or anyone else say it’s not obtainable “By Design” feels like when your Mum said you had to come inside for Dinner in the middle of a game of Rugby with the neighbourhood kids.

    Anyway after I decline the Dynamic installers I’m gonna go into Reports and run “Computer Tabular Status For Approved Updates” and change the “Include computers that have status of:”   to  “Any”

    This will give me a list of Devices and the number of updates it requires:

    PC00001 – 3
    PC00002 – 0
    Server01 – 5
    Server02 – 0

    So if there are 0 updates required (not including updates that I have declined) the Device is up to date. Then it can be my challenge to get all zero’s in this report instead of “all Green” on the main page. Great....... Ego taken care of!  And if I was really ____ I could export the data into Excel and make my own stupid graph!

    That’s my Ten cents worth.

    Merry Christmas everybody!

    Matt
    Monday, December 21, 2009 9:20 PM
  • To have MS or anyone else say it’s not obtainable “By Design” feels like when your Mum said you had to come inside for Dinner in the middle of a game of Rugby with the neighbourhood kids.

    Just for the record.. it's not Microsoft, or any specific vendor, making such statements.

    In fact, it's been a fundamental tenet of patch management since the very first patches for early Unix systems were released in the 1970s, and maybe even earlier if one wants to include PDP systems, Vaxen, or IBM mainframes.

    This fundamental tenet of patch management says: You should only install patches that your specific environment *NEEDS* in order to address a *KNOWN* issue that will be remediated or eliminated by the application of the patch.

    The decision to decline the "Dynamic Installer" updates is one possible reaction to this scenario, and certainly more constructive than engaging in a pointless conversation about redesigning the fundamental architecture of the Windows Update Agent and the Software Distribution Package (SDP) XML Schema; but even more appropriate would be to simply not SYNC the product categories that publish the Dynamic Installers! Specifically those would be:
    • Windows Internet Explorer 7 Dynamic Installer
    • Windows Internet Explorer 8 Dynamic Installer
    • Windows Server Manager - Windows Server Update Services (WSUS) Dynamic Installer
    To that point, there are several updates in the WSUS catalog that probably should not be applied to the majority of Windows Server systems, and as a result, de facto, the idea of having an "all green" WSUS console is fundamentally contradictory to the basic principles of "patch management".

    However, to your point, there are those who, since the dawn of time, have been more interested in pretty green pie charts than they are a reflection of reality, so for those persons, the technique of "Approved Only" custom update views was developed over three years ago (concurrent with the release of the first WSUS v3 public beta), and WSUS v3 SP2 now provides for "Approved Only" REPORTS, which should be used for exactly that purpose.

    But the first step is to properly configure the product for the needs of the organization -- which includes *NOT* synchronizing product categories that are not needed.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, December 21, 2009 10:54 PM
    Moderator
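
The per-computer count over approved updates only, as described in the two posts above (the "Computer Tabular Status For Approved Updates" report and the "Approved Only" reports), can also be pulled from the WSUS administration API. This is an added example, not code from any poster in the thread or from Microsoft; it assumes an elevated PowerShell session on the WSUS server itself, and counting "needed" as NotInstalledCount plus DownloadedCount is this example's own choice.

```powershell
# Added example: "approved only" status per computer from the WSUS 3.0 API.
# Assumption: run locally on the WSUS server by a member of WSUS Administrators.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# 1. Read-only inventory of the Dynamic Installer packages and their approval
#    state, so it is clear which ones still feed the console's "Needed" figure.
$wsus.GetUpdates() |
    Where-Object { $_.Title -like '*Dynamic Installer*' } |
    Select-Object Title, IsApproved, IsDeclined |
    Format-Table -AutoSize

# 2. Restrict the summary to updates whose latest revision is approved.
#    Declined and merely synchronized updates drop out of the counts.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates =
    [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

# Default computer scope: every computer target known to this server.
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

$report = foreach ($summary in $wsus.GetSummariesPerComputerTarget($updateScope, $computerScope)) {
    $target = $wsus.GetComputerTarget($summary.ComputerTargetId)
    New-Object PSObject -Property @{
        Computer     = $target.FullDomainName
        # "Needed" here = applicable but not yet installed (example's definition).
        Needed       = $summary.NotInstalledCount + $summary.DownloadedCount
        Failed       = $summary.FailedCount
        Installed    = $summary.InstalledCount
        # Unknown > 0 or a stale report time means WSUS has no current data
        # for this machine, so a Needed count of 0 says nothing about it.
        Unknown      = $summary.UnknownCount
        LastReported = $target.LastReportedStatusTime
    }
}

$report |
    Sort-Object Needed -Descending |
    Select-Object Computer, Needed, Failed, Unknown, Installed, LastReported |
    Format-Table -AutoSize
```

A row with zero needed updates but a non-zero Unknown count or an old LastReported value reflects a client that has not reported, which is the limit of WSUS reporting raised earlier in the thread.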
  • It seems I've joined the fray rather late but I'd like to add my thoughts.

    Change the behavior. It runs counter to basic logic and common sense. I don't care about all the technical arguments because they mean naught. Software behaves the way it's designed (hopefully) so the only logical solution to this issue is to change the design and quit referring to outdated and outmoded principles.

    Green pie charts rule the world which is why the WSUS product team saw the need to create a dashboard full of them. Think, people, think!

    In the meantime, I've sworn off the dynamic installer as a poorly implemented solution and removed those product categories from my sync list.

    2¢ deposited.

    Tuesday, March 23, 2010 1:03 PM
  • Pretty simple to me why the behavior is wrong.  The Update shows as 'Needed', when in fact it is not needed by my systems at all.  I have the same issue, and do not have the WSUS role installed on any of my 2008 machines, yet WSUS still shows them needing that update...which they do not.

    Tuesday, April 27, 2010 3:08 PM
  • Pretty simple to me why the behavior is wrong.  The Update shows as 'Needed', when in fact it is not needed by my systems at all. 
    Would you be happier if the column title were "Not Installed Count" ???

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, April 27, 2010 8:49 PM
    Moderator
  • Pretty simple to me why the behavior is wrong.  The Update shows as 'Needed', when in fact it is not needed by my systems at all.  I have the same issue, and do not have the WSUS role installed on any of my 2008 machines, yet WSUS still shows them needing that update...which they do not.

    And, back to my fundamental point since the start of this conversation ever-so-many-months ago . . . .

    What is your take on the status being reported for SILVERLIGHT on your servers?

    Do your servers *NEED* to have Silverlight installed? Or have you simply accepted that you're not going to install Silverlight on your servers?

    (Or worse.. maybe you actually have installed Silverlight on all of your servers???)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, April 27, 2010 8:51 PM
    Moderator
  • Pretty simple to me why the behavior is wrong.  The Update shows as 'Needed', when in fact it is not needed by my systems at all. 
    Would you be happier if the column title were "Not Installed Count" ???


    Exactly.   That is the desired and expected behavior.

    Expected as defined by 1. "other patches that are not required on a system, such as Silverlight, are  listed in this category" and 2.  "quality of reporting is expected to be accurate and free of defect."

    This is a quality issue.   Whether it is by design is irrelevant.    The design is flawed.   This is the Corvair design.   We demand more as professionals.

    Monday, May 03, 2010 6:10 PM
  • Pretty simple to me why the behavior is wrong.  The Update shows as 'Needed', when in fact it is not needed by my systems at all. 
    Would you be happier if the column title were "Not Installed Count" ???


    Exactly.   That is the desired and expected behavior.


    Then I suggest you pretend that's what it says and invest your time in more productive activities than complaining about the name of a column which you, apparently, fully understand the meaning of, and really only have an issue with the nomenclature.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, May 04, 2010 3:33 AM
    Moderator
  • Lawrence,

    With all due respect, If Microsoft is going to take the time and effort to design an application, then why wouldn't they label the fields in a less confusing manner.

    I always enjoy traffic metaphors. If the DOT is going to pay some poor soul to paint the lines on the road, wouldn't they want him to paint them in a manner that isn't confusing to the drivers? I mean sure, he could go out and lay down some figure eights, but the end result would be ugly, confusing and dangerous.

    If a job is worth doing, it's worth doing right. And the beauty of software is that when it comes to design, there are no limits except the will to get it right. It's not like concrete and steel, which are permanent structures. Software can (and should) be CHANGED. That's why MS just released Office version 14. Because the other 13 versions weren't good enough...right? But I guess when it comes to free software, the will to get it right just isn't there.

    • Edited by John Homer Tuesday, May 04, 2010 12:27 PM clarity
    Tuesday, May 04, 2010 12:26 PM
  • With all due respect, If Microsoft is going to take the time and effort to design an application, then why wouldn't they label the fields in a less confusing manner.

    I don't disagree with your point ... but after FIVE years .. why is it that the only people who appear to be "confused" by this column header are those who do not understand the functionality and purpose of a Dynamic Update package?

    I submit that it's not the column header that is the problem, but rather the general misunderstanding of how to interpret the status of the Dynamic Update, combined with people expecting their applications to feed them on silver spoons, rather than apply some human intelligence into the process.

    Furthermore, it's triply surprising because those updates have their own Product Category -- so if a WSUS Server does not *need* the WSUS Server Manager Dynamic Update, then why is the product category selected for synchronization. Ultimately the real problem is WSUS Administrators who improperly selected product categories they obviously do not need.

    For those who have selected the category, DECLINE the update and get on with your life. Frankly, I'd much rather be writing replies right now to persons with *real* issues, rather than continuing to respond in this thread -- which has been pretty much pointless since I wrote my original reply back on September 10, 2009.
    Frankly, complaining over a column label at this point in the lifecycle of the product is pointless. Anybody who's spent more than 30 minutes with WSUS knows what the meaning of the columns are in the interface. The interface was written from the perspective that uninstalled updates will be installed, thus the use of the moniker =NEEDED=. The fact that a Dynamic Installer doesn't fit into that perfect little mold does require some adjustment on the part of the humans operating the application, but the Microsoft WSUS product group is not going to rewrite the User Interface to accommodate a half dozen of several thousand updates that are "confusing" people.
    As noted . . . it's not the UI that's the problem; it's WSUS Administrators understanding the purpose and functionality of a Dynamic Update. (And, ironically, a dynamic update for the very product they're supposed to be an expert with.)

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, May 04, 2010 1:08 PM
    Moderator
  • We can certainly agree to disagree but I stand by my earlier comments. I will say your tone comes across as somewhat elitist. This is not a personal attack, just an observation. I know I sound the same from time to time. ;)

    I'm very much a MS fanboy. In fact, my employer is a MS Gold Certified Partner, mostly due to my efforts. Having said that, I do find a wealth of inspiration in Apple's philosophy that software is meant to improve and enhance our lives. Do machines work for us, or is it the other way around? If we have to adapt our routines and expectations to overcome a perceived design flaw, then what value is gained?

    The whole concept of patch management to me seems to be a Rube Goldberg contraption. What's next...management software for the patch management software to manage the software patches?

    I realize you're bored with this discussion, and I fully agree. I just wanted to give my final thoughts.

    Tuesday, May 04, 2010 3:44 PM
  • I will say your tone comes across as somewhat elitist.

    I don't think so much as that of an "elitist" but rather one of a *REALIST*!

    It's not going to change, and outside of the few dozen in this thread who have complained...  the greatest majority (numbered in the hundreds of thousands, btw), seem not to have an issue with this functionality.

    Continuing to beat the dead horse simply wastes the precious time of all of us talking about something that is what it is.

    I believe somewhere else in this thread I referred to "Who Moved My Cheese?". This continues to be a great example of that book. Some people are freaked out because *ONE* update does not behave (or report) exactly as the several thousand before it have done -- and instead of recognizing that this one update is *DIFFERENT* than all the rest before it ... and making the necessary minor adjustments to deal with it -- they want to condemn the product for their own inflexible responses.

     

    Then again.. maybe I am elitist. I take great pride in the fact that I don't let such trivial stuff bend my whole life out of shape - or that I still have to comment about it eight months after it first occurred!


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, May 05, 2010 3:16 AM
    Moderator
  • Thanks RJMPhd for your suggested work around.

    Installing the WSUS 3.0 as "Admin Console only" did the trick for those of us wanting green lights and can't be bothered with change about the cheese being moved but rather have the cheese placed back where the fat cat could watch from a distance.

    Thursday, May 06, 2010 12:48 AM
  • Thanks RJMPhd for your suggested work around.

    Installing the WSUS 3.0 as "Admin Console only" did the trick for those of us wanting green lights and can't be bothered with change about the cheese being moved but rather have the cheese placed back where the fat cat could watch from a distance.

    Installing unneeded software, in order to cause a package to be reported as "Not Applicable", when all one really needs to do is DECLINE the unneeded update, is a wholly inappropriate solution, IMNSHO.

    Are you also installing SILVERLIGHT to all of your SERVERS so that update does not show as "Not Installed" as well?

     


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, May 06, 2010 4:24 PM
    Moderator
  • First, I want to thank all of you who contribute to help us out.

    In my case, no, I do not want to install every update. But I do need the green light or 100%.

    Here's why: so that in every meeting I don't have to explain these things to the higher-ups (who, bless them, are brilliant people, just not in this field): why our audit reports show anything less than 100%. We also have clients who like to watch their update status from time to time and continue to email us often regarding the updates status.

    Can I ask: if I decline the update, will I then get the 100% or the elusive green light?

    Or has there been a development in a workaround without installing every update?

    Thanks for your time.

    Ray

    Friday, June 25, 2010 7:26 PM
  • In my case, no, I do not want to install every update. But I do need the green light or 100%.

    Here's why: so that in every meeting I don't have to explain these things to the higher-ups (who, bless them, are brilliant people, just not in this field): why our audit reports show anything less than 100%. We also have clients who like to watch their update status from time to time and continue to email us often regarding the updates status.

    This is a perfectly reasonable situation, but dealing only with this one update won't help your situation. In your case you need to be showing your "higher ups" the new WSUS 3 SP2 reports "...for Approved Updates", which will provide you the opportunity to show a 100% green pie chart (assuming you have installed all approved updates).
    Can I ask: if I decline the update, will I then get the 100% or the elusive green light?
    Yes, because the update status will no longer be reported by the WUAgent.
    Or has there been a development in a workaround without installing every update?
    Other than using the intended reports, No.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, June 25, 2010 8:15 PM
    Moderator
  • "In your case you need to be showing your "higher ups" the new WSUS 3 SP2 reports "...for Approved Updates",

    this works for me.

    Thanks

    Lawrence

    Monday, June 28, 2010 3:31 PM
  • The conversation isn't about Silverlight...it's about WSUS showing alleged needed updates, when in fact they aren't needed.  To quote you later on in this thread:

    "Furthermore, it's triply surprising because those updates have their own Product Category -- so if a WSUS Server does not *need* the WSUS Server Manager Dynamic Update, then why is the product category selected for synchronization. Ultimately the real problem is WSUS Administrators who improperly selected product categories they obviously do not need."

    The product category ISN'T selected for synchronization...nor has it ever been.  The only dynamic installers that are checked in the environment that I manage are for IE7 and IE8...across the board.  But these other dynamic installer packages are still showing up as "needed" and being synchronized to the update repository.  The functionality isn't correct.  So it seems to me that if that indeed is "feature functionality" as you are asserting, then the "feature functionality" is confusing at best.  I would assert it's undesirable if not wrong.  And I don't believe this functionality has been in the product for 5 years, as the dynamic installers in question (for us) are all for Windows 2008.

    For me, because I am the management, it's not a showstopper...just a minor annoyance.  But in the spare time we've been looking around to see how to eliminate this annoyance, and apparently there is no way to do it other than to decline the update that shouldn't be synchronized in the first place.

    Thursday, July 01, 2010 2:34 PM
  • The conversation isn't about Silverlight...it's about WSUS showing alleged needed updates, when in fact they aren't needed. 

    No.. Victor.. to be blunt and rude, it's about WSUS administrators expecting the product to spoon feed them instructions on how to do their job that is beyond the design scope of the product, and failing to understand HOW the product actually functions at the architectural level.

    Silverlight is just a convenient example I use to demonstrate the logical inconsistencies of those who continue to whine about this scenario which is now NINE MONTHS old.

    The Windows Update Agent does NOT tell the WSUS Server what updates are NEEDED -- it never has; it never will! Whether an update is "Needed" is a HUMAN interpretation based on other factual information that is provided by the WUAgent. The complication comes in the unfortunate use of the word "Needed" as a column title in the WSUS Admin Console -- the column title should be Not Installed.

    For anybody that spends a few minutes studying the methodologies of how update package rulesets are constructed and applied, it will be determined fairly quickly that it is impossible for the WUAgent to make a subjective determination of whether an update is needed. The WUAgent evaluates three things:

    • Prerequisite Rules -- should the WUAgent even consider this update. If the update is for x64 systems and this is an x86 system, ignore it. If the update is for Spanish-language systems and this is an English-language system, ignore it. If the update is for Windows Server 2008 and this is a Windows XP system, ignore it.
    • Applicability Rules -- determine one Boolean fact -- do the necessary criteria for this update exist on this machine such that the update can be successfully installed? For a security update, usually this is the presence of a downlevel version of a file with known vulnerabilities. For IE7, this is the absence of IE7 already on the machine. For the Dynamic Installer, it's the presence of Win2008SP2 or KB940518 (on a Win2008RTM system).
    • Installed Rules -- determine one Boolean fact -- is the update already installed?

    The decision whether to actually install the update -- which is driven by a subjective determination of whether the update is NEEDED -- is a HUMAN decision and it is exactly why WSUS Administrators exist. Your job, as a WSUS Administrator, or Patch Administrator, at its most basic level, is to make an intelligent determination based on available information whether an update should be installed or not -- ergo, whether an update is NEEDED or NOT NEEDED -- and that's why Silverlight is part of this discussion, because for me --- Silverlight is NOT NEEDED on my Domain Controllers; but it will be, forever and always (and gladly so), reported by the WUAgent as Not Installed. It is a perfect example of why this discussion on the Dynamic Installer update is a NON-ISSUE.

    The Dynamic Installer for WSUS COULD BE INSTALLED on any Windows Server 2008 server in the world. Just like Silverlight COULD BE INSTALLED on a Domain Controller. The scenarios are exactly the same! The difference is that in the case of Silverlight, nobody is freaking out, and probably very few are actually installing Silverlight on their Domain Controllers. Silverlight will forever be shown as NOT INSTALLED on those Domain Controllers -- but everybody seems content with that situation.

    Why there is so much discontent over the exact same scenario for the Dynamic Installers just boggles my mind.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, July 01, 2010 6:19 PM
    Moderator
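
The three rule evaluations described in the post above, as a simplified Python model. This is an added example, not WSUS or Windows Update Agent code and not written by anyone in the thread. The `is_installed` marker for the Dynamic Installer, the Silverlight rules, and the two "example" updates are assumptions constructed for illustration; the Dynamic Installer applicability rule follows the post.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Iterable, Tuple


class Status(Enum):
    NOT_APPLICABLE = "NotApplicable"
    NOT_INSTALLED = "NotInstalled"   # the console column labelled "Needed"
    INSTALLED = "Installed"


@dataclass(frozen=True)
class Machine:
    name: str
    os: str                    # e.g. "Win2008"
    service_pack: int
    arch: str                  # "x86" or "x64"
    installed: FrozenSet[str]  # markers for installed updates/products


Rule = Callable[[Machine], bool]


@dataclass(frozen=True)
class Update:
    title: str
    prerequisite: Rule   # should the agent consider this update at all?
    applicable: Rule     # could it be installed successfully on this machine?
    is_installed: Rule   # is it already installed?


def evaluate(update: Update, machine: Machine) -> Status:
    """Combine three objective facts. None of them means 'the admin wants this'."""
    if not update.prerequisite(machine):
        return Status.NOT_APPLICABLE
    if update.is_installed(machine):
        return Status.INSTALLED
    if update.applicable(machine):
        return Status.NOT_INSTALLED
    return Status.NOT_APPLICABLE


def compliance(machine: Machine, updates: Iterable[Update],
               approved: Iterable[str] = (), declined: Iterable[str] = (),
               approved_only: bool = False) -> Tuple[int, int]:
    """Return (installed, counted) as a status pie chart would total them."""
    approved, declined = set(approved), set(declined)
    installed = counted = 0
    for u in updates:
        if u.title in declined:
            continue                      # declined: status no longer reported
        if approved_only and u.title not in approved:
            continue                      # "Approved Only" view/report
        status = evaluate(u, machine)
        if status is Status.NOT_APPLICABLE:
            continue
        counted += 1
        installed += status is Status.INSTALLED
    return installed, counted


# --- Constructed sample data ---
DYNAMIC_INSTALLER = Update(
    title="WSUS Dynamic Installer (KB972493)",
    prerequisite=lambda m: m.os == "Win2008",
    # Per the post: Win2008 SP2, or KB940518 on an earlier Win2008 build.
    applicable=lambda m: m.service_pack >= 2 or "KB940518" in m.installed,
    is_installed=lambda m: "KB972493" in m.installed,    # assumed marker
)
SILVERLIGHT = Update(
    title="Silverlight",
    prerequisite=lambda m: m.os.startswith("Win"),        # assumed
    applicable=lambda m: True,                            # assumed installable
    is_installed=lambda m: "Silverlight" in m.installed,
)
SECURITY_FIX = Update(
    title="Example security update",                      # placeholder update
    prerequisite=lambda m: m.os == "Win2008" and m.arch == "x64",
    applicable=lambda m: True,
    is_installed=lambda m: "KB-EXAMPLE" in m.installed,
)
X86_ONLY = Update(
    title="Example x86-only update",                      # placeholder update
    prerequisite=lambda m: m.arch == "x86",
    applicable=lambda m: True,
    is_installed=lambda m: False,
)
UPDATES = (DYNAMIC_INSTALLER, SILVERLIGHT, SECURITY_FIX, X86_ONLY)

# A patched domain controller with neither Silverlight nor the WSUS role.
DC01 = Machine("DC01", "Win2008", 2, "x64", frozenset({"KB-EXAMPLE"}))
# A pre-SP2 Win2008 server without KB940518.
OLD01 = Machine("OLD01", "Win2008", 1, "x64", frozenset())

if __name__ == "__main__":
    for u in UPDATES:
        print(f"{u.title:40} {evaluate(u, DC01).value}")
    print("all updates:  ", compliance(DC01, UPDATES))
    print("approved only:", compliance(
        DC01, UPDATES, approved={SECURITY_FIX.title}, approved_only=True))
    print("after decline:", compliance(
        DC01, UPDATES, declined={DYNAMIC_INSTALLER.title}))
```

On `DC01` the Dynamic Installer and Silverlight both evaluate to `NotInstalled` for the same reason, and only the approved-only view or a decline changes the total; nothing has to be installed on the server to get there.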
  • I'm actually not discontent at all...the verbiage is just misleading.  Even if the complication is the word "Needed", that tells me a change should be made.  There's actually nothing wrong with the software itself or the updates getting pushed to machines by your explanation.  But the verbiage makes the reports vs actual behavior misleading.  I also wanted to annoy you by making another post about it.

    Thursday, July 01, 2010 7:30 PM
  • :-)

    I agree the UI could be improved by changing the use of the word "Needed" to the more objective "NotInstalled".

    I'll lobby the product group and see if that can happen.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, July 02, 2010 12:40 PM
    Moderator
  • Or even better... "Installable" :D

     

    Friday, July 02, 2010 3:56 PM
  • Or even better... "Installable" :D
    Perhaps! :-)

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, July 02, 2010 7:10 PM
    Moderator
  • Great, I love this thread. At first it addresses exactly the confusion I had with the specific update and then it gives a lot of different opinions and practices how to (or not to) use WSUS.

    Beside the handling of dynamic installers I pretty much like the WSUS. Our company is small and slightly distributed, so I'm aware that my situation is not the same as an administrator who is responsible for hundreds or even thousands of productive machines. We do have only few servers, a couple of clients and some virtual environments (mainly for development purposes). Administration is done by 2 people in addition to their regular job. So:

    Our general decision is to install all available updates.

    As stated above, normally we would use the Windows Update feature, but WSUS makes it easier to track update status and install more updates (we're even not using the download function of WSUS). Regarding the often stated Silverlight Update (which I guess stands for "stupid server update"): If MS is releasing Silverlight as an Update for a Windows Server, well, why not installing it? I do understand the risk of changing a productive System and the thought that Silverlight it is at first obviously useless on a server. On the other side: Nobody is probably going to use it on that server until some software decides to use it, so what? Since Silverlight and WPF is becoming increasingly important in the product line (Visual Studio 2010 went WPF) I would not be surprised to see one of the next Windows Server Versions having Silverlight Consoles for some feature. Anyway: None of our servers died after an update in the last 5-6 years. Maybe we're damn lucky .... ;)

    Anyway the thread is not about Silverlight or who is doing "something incredible wrong" or "something soooo stupid". The one thing everyone should have realized is that there are a lot of people with different problems and administration philosophies.

    TO THE TOPIC: I created a role-based group and changed the approval for the update.

    Friday, July 09, 2010 9:55 AM
  • If MS is releasing Silverlight as an Update for a Windows Server, well, why not installing it? I do understand the risk of changing a productive System and the thought that Silverlight it is at first obviously useless on a server. On the other side: Nobody is probably going to use it on that server until some software decides to use it, so what?

    Your points are valid. However, here's something to consider as well:

    Silverlight is installable on Windows Server because some developers actually use a Server Operating System as their primary desktop development environment. This really has nothing to do with Silverlight, but with some other tools that were not architected well to support distributed development environments, so the easiest way to develop on them is by installing the dev tools on the Server OS.

    As to "Why not just install it?", this goes to the security management principles of "least privilege" and "minimization of the footprint". You don't install something you don't need. If you do, it's one more thing that potentially may have a security vulnerability. It's one more thing that may need to be patched. It's one more thing that may cause a "problem" when you do patch it.

    Having a server offline because an update to an unneeded software product failed is not a Good Thing! Thus, your servers should only have *NEEDED* software installed -- that is, software that is needed to perform the function for which the server is specifically intended.

    You are right that this conversation is not about Silverlight. Silverlight is but one unavoidable example because of the poor way in which it was packaged. (Ideally Silverlight would be published in separate product categories, and then Silverlight for Servers could easily be declined. For that matter, so can the Dynamic Installers!).

    But Silverlight is not the only example. Dozens abound, and are handled with similar methodologies. Consider Internet Explorer 8 for Windows Server 2003. While some organizations might decide to upgrade all Win2003 machines to IE8 -- I see no useful purpose in doing so. I don't generally allow browsing from my servers, and even where I do, it's solely for the purpose of administering that specific server. IE6 is capable of doing the job, and it's as secure as IE8 for that task; it just doesn't have the advanced feature set. Why add unneeded feature sets to a server -- one more thing to patch to keep secure -- when they're not needed and will not be used. There are other examples as well. The point is not about the specific example - the point is that WSUS already provides appropriate methodologies for managing Dynamic Installer updates -- they just need to be used.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, July 09, 2010 2:14 PM
    Moderator
  • Lawrence, first let me start by saying I appreciate you taking the time to hang in there on this conversation and thanks to all the other contributors.  I, myself, was about to give up reading this thread because I definitely sympathized with the majority of posters because I too have been scratching my head about my 2008 servers and this update.  I admit I'm not an expert on WSUS like yourself and I did start feeling like you were coming across rather hard for those that didn't understand; ok and some that refused to understand.  :-)

    My biggest problem is I don't wear the title WSUS administrator; it is just one of the many responsibilities I've been given along with constantly answering the phone calls because I'm also the helpdesk.  I'm sure I'm not the only one out here like that and in a company that is not quite big enough to have separate roles for everyone, but not small enough for everyone to have ample time to become the expert on all the MS technologies.  So I probably come from the same line of thought, check for needed updates, get them installed, and move on; the green pie mentality.  Fortunately, I do not have any higher-ups demanding to see those pie charts looking all green.

    So over the whole period of months where I'm sure you felt like you were arguing with walls, I still was learning from most all of your posts along with some of the other contributions.  So now I finally see where my understanding of the WSUS function was flawed in comparison to how MS sees it.  I will adjust how our WSUS syncs dynamic updates and learn to use the proper reports.  Hopefully I didn't state anything above that deserves rebuttal because I just wanted to put in my $.02 of why some of us may not be experts in WSUS and mainly to say thanks to all the people that helped contribute constructively to this thread.

    -Scott

    Sunday, September 05, 2010 4:38 PM
  • Hi all...

    I see nobody is posting anything new but anyway...

    I was participating in the first debate with Lawrence about the WSUS SP1 Dynamic Installer. No need to tell you how it ended ;)

    I see that Lawrence is still arguing about telling people that the idiotic behavior of these updates is actually right. Can't keep myself from replying ;)

    1) What is WSUS?

    I see that Lawrence and others are telling people that they do not understand the concept of WSUS...

    Let's take a look at Microsoft definition of WSUS:

    Windows Server Update Services

    Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.

    As you see, we are talking about PRODUCT UPDATES. Dynamic Installers are, by definition, something that ADDS to a system a piece of software that wasn't there.

    2) Lawrence was talking about "The complication comes in the unfortunate use of the word "Needed" as a column title in the WSUS Admin Console":

    WRONG, that wasn't an error but is BY DESIGN: the use of color and symbols proves it (Green sign: OK, "!" on Yellow triangle: Warning, "X" on Red circle: Critical... pretty UNIVERSAL!!!). Also in the Windows Update Agent we have the same use of colors/symbols. So, basically, WSUS is not telling me that, if I like, I could maybe when I have some extra time and I am in a very good mood install WSUS on some servers... it's saying "Hey, you have to take a look at a situation here, pal".

    So, at some point, Microsoft made the decision to match "isInstallable" with "is needed"

    I simply don't want to be unnecessarily bothered by a tool I'm supposed to use to ease my job, would you?

    And guys... the machines are working for us, not the other way around! ;) I prefer to adjust the machine behaviour rather than mine (and I like to use the decimal system when I think rather than the binary or hexadecimal...)

    3) In Windows Update (locally on the servers), we don't have the same update pending. Incoherent at least. And this is the reason because you don't have MILLIONS of complainers (if every server reported 1 pending update imagine the panic ;) ). And, to be clear, it's only the WUA that evaluates the "update situation" so the incoherence in reporting locally and on the wsus server is all his.

    Maybe the misunderstaning is about the concept of UPDATE (same for the silverlight example)

    Bye,

    Dario


    Dario Palermo
    Tuesday, December 14, 2010 10:49 AM
  • So - and I have read a lot of the postings above on the topic - is there a way (a proper one I mean) to actually clear the "Needed Update" status from one of my machines?

    I have approved it, declined it, searched for a download of the KB#, looked in C:\Windows\windowsupdate.log for evidence of KB972493 and checked online using MS update (instead of through WSUS). Nowhere does my machine mention the need for the KB yet WSUS still thinks my machine needs it. I am of the group of people who like to see 100% on my machines and this is now really starting to cheese me off.


    You can't dangle the bogus carrot of possible reconciliation in front of me whilst riding some other donkey
    Thursday, December 16, 2010 1:03 PM
  • Let me be very clear: there isn't a way to deny the update per machine (or per group).

    You can actually "not authorize" updates per group, but it's something different and will not solve the 100% report problem.

    If you deny the update, instead, it will be removed entirely from the WSUS system and you will again see the 100% status in the dashboard (and yes, I'm also one of the "100% sustainers"). To deny an update, you need to go to the updates section in the WSUS control panel.

    In my opinion, these two updates are useless. Guys at Microsoft want us to use their products so they "push" us in every way they can, even by using the updating system to deploy new products and not just updates. And this isn't just about WSUS (Silverlight, IE, and so on).

    If I want to install a WSUS server, I can surely do without the Dynamic Update...

    Bye


    Dario Palermo
    Thursday, December 16, 2010 11:59 PM
  • So - and I have read a lot of the postings above on the topic - is there a way (a proper one I mean) to actually clear the "Needed Update" status from one of my machines?

    In the case of the Dynamic Installer(s) for Windows Server Update Services, the correct solution would be to NOT select the Product Category which contains those updates.

    If you know that you do not need the updates, or know that you will never install another WSUS server in your network, it would be appropriate to DECLINE those updates.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com

    Friday, December 17, 2010 9:53 PM
    Moderator
  • If I want to install a WSUS server, I can surely do without the Dynamic Update...

    Yes, you can.

    But for organizations installing several, dozens, or hundreds of Replica Servers, this is an exceptionally useful update.

    Again, the whole solution revolves around exercising choice. Nothing is being forced on anybody. WSUS Servers that have this update where it isn't needed is a result of having selected the Product Category that should not have been selected.

    DECLINE the update and be done with it.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, December 17, 2010 9:56 PM
    Moderator
  • I just stumbled upon this thread doing a google search since I had the wsus dynamic installer listed as needed for most of my servers. Instead of having the column labeled Needed get renamed to Not Installed, tweak the software so Needed really means that.

    Microsoft making the decision to allow Silverlight to show in the Needed column for a server is the real problem. The only thing that should show in the Needed column are those updates that everyone should install. This makes the life of a sys admin a lot easier. Critical updates, security updates, etc. can show as Needed and updates like the WSUS dynamic installer should never end up in the Needed category unless an older version of WSUS has already been installed on a server.

    Saturday, February 12, 2011 1:40 AM
  • Instead of having the column labeled Needed get renamed to Not Installed, tweak the software so Needed really means that.

    It is NOT the responsibility of the software to identify which patches SHOULD be installed.

    That is the responsibility, exclusively, of the Patch Administrator.

    The responsibility of the software is to merely report factual information. There are only three FACTS that can be reported with respect to an update:

    • The update is already Installed.
    • The update is Not Applicable. (meaning it cannot be installed on this system -- there are several possible reasons why this may be the case)
    • The update is Not Installed. (whether it is **NEEDED** is a question to be determined by humans).

    FACT: The .NET Framework v4.0 is NOT INSTALLED on 100% of my systems.

    OPINION: The .NET Framework 4.0 is not NEEDED on 100% of my systems.

    DECISION: I will not approve the .NET Framework 4.0 update for installation and the WUAgent will continue to report the FACT that the update is Not Installed.

    Microsoft making the decision to allow Silverlight to show in the Needed column for a server is the real problem. The only thing that should show in the Needed column are those updates that everyone should install.

    And herein lies the fundamental issue. You, for some reason, want to put your full faith and trust in the vendor determining whether an update should be installed on your systems, rather than merely identifying that an update can be installed on your systems.

    The fact is that Silverlight is a perfectly viable product to be installed on a Server Operating System, and many organizations may choose to do exactly that. I can think of two scenarios where this is immediately beneficial:

    • Developers using Server operating systems as their primary development environment.
    • Terminal Servers supporting Internet connectivity (a viable option, but not necessarily a "best practice").

    However, most organizations will CHOOSE to not install Silverlight on a server operating system, for exactly the same reasons they have probably chosen not to install Internet Explorer 7 or Internet Explorer 8 on those server operating systems (and yet, where was all the whining when IE7 and IE8 were released)?

    In reality, the case with Silverlight is a unique circumstance brought about because the Silverlight product was not published as individual OS-specific packages (one package for desktop operating systems; another package for server operating systems). In this instance, the flaw is with the update not WSUS.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Sunday, February 13, 2011 11:54 PM
    Moderator
  • Lawrence,

    You make lots of good points but there is one thing you have not taken into account. Many large and medium size organizations have IT personnel having a great deal of expertise in the products/services being delivered. Typically these organizations have people on staff with certifications such as yourself: MCSA, MCDBA, etc. with multiple years of experience under their belts.

    In the K-12 education market, and my guess is many small and even medium size businesses, the IT staff is much smaller, wear many more hats, and often do not have certifications. The level of expertise of K-12 Technology Coordinators, Directors of Technology, and CTOs in my area is huge. You state:

    "It is NOT the responsibility of the software to identify which patches SHOULD be installed. That is the responsibility, exclusively, of the Patch Administrator."

    This is at least a shared responsibility and taking into account the level of IT knowledge in many organizations, it is not a stretch to have Microsoft assist less experienced IT staff. Certainly there are critical and security updates that everybody can agree should be installed no matter what. These are the type of items that could be included in the Needed category.

    Yes, you can't make this foolproof and some human intervention and expertise is necessary but any product, WSUS included, could be improved. One nice improvement would be to divide updates into Needed and Optional, almost like a manual update shows it. This would at least help systems get crucial updates in a timely fashion when there might be a lack of in-house IT expertise.

     

     

    Monday, February 14, 2011 12:35 AM
  • Hello All,

    I don't know if this will be useful or not, but just my "2 cents".  I found this thread because I had the same "problem".  I've read through most (but not all) of this thread and discovered that the only real problem was that I had "APPROVED" the dynamic installer update for a machine that I never intend to run WSUS on. 

    I don't approve other applications for machines that I don't want to have running the app. (a dynamic updater is an application installer, not just a patch...), so it didn't really make sense to approve this WSUS dynamic updater for all "Servers" that could run WSUS.  As a matter of fact, I've never approved a dynamic installer, like the ones for IE7 or IE8 until I wanted those apps. installed on the machines that would get the dynamic installers - makes sense unless I'm forgetting something...  Anyway, I've broken out the group of servers that WILL (or do) run WSUS, and will approve dynamic installers for WSUS only for those machines.  Concurrently, I'll not approve the WSUS dynamic installer for machines that should not be running WSUS.  If I change my mind, all I have to do is make the machine a member of the right server group, and it will get the dynamic installer that it needs.

    That is my "work around" for this, but there is a bit more to say:  Finally, regardless of what anyone else thinks, I tend to agree that if an update is approved and can be installed, then the status should be "Needed" until it IS installed.  However, in a case like this one, where an update is approved but will not be installed because the Server Manager (acting like a 3rd party in this scenario) doesn't place a demand for the patch, then the update should not show a status that leads us to believe that an approved update has failed to install.  This is a special case which should be addressed in the WSUS program logic.  This is a case where the patch is specifically for use by an installed service or application (the server manager) which can essentially deny/ignore the available patch because the patch is truly only "needed" when the WSUS role is installed.

    For this case, the behavior should be such that, because the role is not installed, the patch logically is "NOT Needed" - that is the same behavior we see when an update for something like "Office 2007" or "Project 2003" or other applications, is approved for "All Computers".  The patch is tagged as "Not Applicable" because the application or service that would use it, is not installed.  In this case, Server Manager does not have the integrated WSUS Role installed, so the update should be tagged as "Not Applicable" instead of "Needed" (when it is obviously not needed).  Put another way: If the update were tagged correctly, the effect would be the same as if an Office update were approved for a machine that didn't have Office installed.  The update would be approved and ready to be deployed for whenever there was a demand for it on the machine (when the corresponding Office application is installed), and in the meantime, the machine status would indicate that all updates which are both applicable AND approved, are installed = the Holy Grail of Windows Updates... the Big GREEN dot.  :0)

    HR

     

    Tuesday, April 12, 2011 9:11 PM
  • That is my "work around" for this,

    That's not a "workaround"; that is exactly how those packages should be implemented!

    ...then the update should not show a status that leads us to believe that an approved update has failed to install

    But it does not. When an approved update has failed to install the status is explicitly reported as FAILED. When an update continues to be reported as NOT INSTALLED, then that is all it is -- not Installed.

    For this case, the behavior should be such that, because the role is not installed, the patch logically is "NOT Needed"

    And the problem continues to be the misuse and misinterpretation of the subjective terms Needed/NotNeeded, rather than understanding and using the objective terms Installed and Not Installed. Whether an update is Needed or Not Needed is a HUMAN decision - based upon the intent to install, or not install, the WSUS role on any particular server. Whether an update is Installed, or Not Installed, is a factual state determined by the Windows Update Agent. When the WSUS role is not installed, then the correct and factual state of the Dynamic Installer is Not Installed.

    In this case, Server Manager does not have the integrated WSUS Role installed, so the update should be tagged as "Not Applicable" instead of "Needed"

    This, also, is an erroneous interpretation of the state Not Applicable, and I'll leave the further understanding of that state to the student. :-)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, April 13, 2011 2:22 PM
    Moderator
  • Below is a collection of four of your posts in this thread, Lawrence.

    things change, things evolve, and we all have to be willing to adapt to NEW behaviors

    No, Microsoft has not made a MISTAKE!


    1. If the update *CAN* be installed it is reported as *NEEDED* by the Windows Update Agent.


    The behavior is *BY DESIGN*, it's not -- never -- ever -- going to change


    I appreciate your input in all of these threads and I will follow your advice and simply decline this update. If I install a new WSUS server later on 2008R2 then either I will remember that this update needs to be approved or I will install the old version and get an update that way. It doesn't matter; I'll get what I need in the end.

     

    But let's look at this logically rather than emotionally.

     

    1. We should not blindly adapt to anything. We should voice our opinions to any supplier, even Microsoft, when we think there is a better or different way we want any product to work. But you are right. Things change.

    2. Microsoft clearly made a mistake here. It may be intentional or by-design but the design is poor. I have been designing applications for 20+ years and I know that anyone can make a mistake in design. Just because something is by design does not mean it was not a mistake. They made a bad choice to use "needed" when they mean "can". See definitions below.

    3. See the definitions of "need" and "can" below.

    4. Since you have a double-negative mixed with a positive, so the literal definition of your statement is that it is absolutely going to change, I suppose you can opt out of this argument.  But I assume you meant, "It's never, ever, going to change." If that was your statement then I have to disagree. But I agree with the literal meaning: it is absolutely going to change. In fact, I will bet my retirement fund that it changes before 25 years pass. In fact, I will bet that dynamic installers won't exist as we know them today. If Microsoft fixes this by adding an option for "can" or "available" updates, or by changing the behavior of dynamic installers in WSUS, it won't be the first or the last time that Microsoft does something and then reverses claiming the fix was some brilliant new way to do things.  Things change, things evolve.

    Definition of CAN:
    1 obsolete : know, understand
    2 archaic : to be able to do, make, or accomplish

    intransitive verb
    archaic : to have knowledge or skill

    verbal auxiliary
    1 a : know how to
    b : be physically or mentally able to
    c : used to indicate possibility; sometimes used interchangeably with may
    d : be permitted by conscience or feeling to
    e : be made possible or probable by circumstances to
    f : be inherently able or designed to
    g : be logically or axiologically able to <2 + 2 can also be written 3 + 1>
    h : be enabled by law, agreement, or custom to
    2 : have permission to —used interchangeably with may

    Definition of NEED:

    intransitive verb
    1 : to be needful or necessary
    2 : to be in want

    transitive verb
    : to be in need of
    : require

    verbal auxiliary
    : be under necessity or obligation to


    There is a difference between "can" and "need". It is a mistake to report what can be done as what is needed to be done.
    Saturday, May 14, 2011 7:58 PM
    The fact is, when Microsoft decided to use their update system to distribute not only updates but also new products, they went against the original purpose of the software itself, introducing a not perfectly fitting feature: deployment of additional software.

     

    PS

    When WSUS told us an update was needed, it meant "you NEED to install this update to fix something", an objective statement: Lawrence is wrong when he says that it is a human's decision to rule if an update is needed because the concept of need is subjective. The human decision is, instead, to not install the update and leave the security hole, but the update remains to be needed to its purpose. Now, with new product deployment through WSUS, the question it should ask us would be: "would you like to install this new product?" and, obviously, the new product updates should be treated separately in the report section.

    PPS

    Windows Update has an "optional" (can't remember the correct name) section right?... maybe they should introduce the same mechanism in WSUS.

     


    Dario Palermo
    Sunday, May 15, 2011 12:59 AM
  • I was having issues with WSUS and ran across this.  Total waste of time reading this.  I *know* I am not the only administrator, whether it's a dumb decision or not, that is using WSUS to save bandwidth, to test updates, and to release them to their workstations and servers.  And, to generate reports that the *needed* updates have been cleared (green), and the yellow and red ones have been corrected.  I read *needed* as *needed* by the client machine, not as available, optional, or otherwise not really needed.  Maybe those tools aren't intentional.  Then I need a replacement for WSUS with one that does what many of us had come to expect.  Simple approval of what's needed by client machines, reports of computers needing these but not yet installed (problems), and optional (separate) components available.  I'll approve manually the optional ones.

    Not coming back here but just wanted to let everyone know what I feel are how most administrators are using WSUS, whether incorrectly per Microsoft or not.  It's a tool many administrators need.  I'll check back just to see if there's such a replacement tool for WSUS that does exactly what I expected.

     

    Regards,

     

    John

    Wednesday, August 31, 2011 1:40 AM
  • I read *needed* as *needed* by the client machine, not as available, optional, or otherwise not really needed.

    Anybody who is applying this philosophy to their patch management methodology needs to seriously reconsider that choice.

    Whether an update is *NEEDED* by a system or not is a decision that can only be made by a HUMAN -- the Patch Administrator!

    Interpreting a pie chart legend label as Gospel Truth (without actually researching the design or intent of the product or display), is a fast track to this very problem. The status of "NEEDED" isn't even defined in the Microsoft patch management methodology. "Needed" is a composite of three defined states: Not Installed, Downloaded, and Installed Pending Reboot - and exists solely for display purposes to segregate it from the other three significant states: Not Applicable, Failed, and No Status.

    Then I need a replacement for WSUS with one that does what many of us had come to expect. 

    And herein is the core part of the rest of the problem -- expecting a SOFTWARE PRODUCT to conform to your particular practices, which themselves may not be conformant to established "best practices" in the world. This situation is not unique to WSUS either -- I've seen it with accounting systems, supply chain management systems, and many others.

    When you implement a SOFTWARE PRODUCT -- you have two choices:

    1. Customize the product to meet your existing processes and philosophies.
    2. Modify your processes and philosophies to make use of the product.

    FWIW, most of the organizations I have seen that opted for #1 later regretted that decision. The expense, and negative impact, were simply too much in the end -- but generally not recoverable, and additional expense and negative impact were encountered to "undo" that initial (bad) decision. These decisions were almost always a result of perpetuating defective processes and practices in the first place, rather than recognizing that the reason the product did it a certain way is because that is how MOST healthy processes actually work -- and maybe the organization needed to re-evaluate how they were doing certain processes and practices.

    Patch Management is not a new discipline, and there's twenty years of experience and practices that pre-dates Microsoft's first release of an update to Windows Update merely a dozen years ago. WSUS is a tool. It provides information. Interpreting that information correctly is the responsibility of the IT Professional assigned to use that tool. That also requires that the IT Pro not "assume" how something works, but to actually LEARN how the product ACTUALLY works.

    SO.. yes.. if you want a product that conforms to YOUR existing philosophies and methodologies -- then you probably need to get out your checkbook.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, August 31, 2011 5:02 PM
    Moderator
  • I read *needed* as *needed* by the client machine, not as available, optional, or otherwise not really needed.

    Anybody who is applying this philosophy to their patch management methodology needs to seriously reconsider that choice.

    Whether an update is *NEEDED* by a system or not is a decision that can only be made by a HUMAN -- the Patch Administrator!

    This is simply not true, Lawrence.

    An update is NEEDED to fix, add, remove or change in any way some piece of software, and it stays that way whether the administrator applies it or not.

    In case of a security patch, for example, an Administrator could decide to not apply it because some other factors mitigate the risk addressed by the patch in his environment (a firewall, for example). Still, the patch is *needed* by the server to fix the vulnerability.

    Update is needed by a system to fix/change something > SYSTEM DECISION

    Fixing/changing that something is needed or could be left as it is? > HUMAN DECISION

    Interpreting a pie chart legend label as Gospel Truth (without actually researching the design or intent of the product or display), is a fast track to this very problem. The status of "NEEDED" isn't even defined in the Microsoft patch management methodology. "Needed" is a composite of three defined states: Not Installed, Downloaded, and Installed Pending Reboot - and exists solely for display purposes to segregate it from the other three significant states: Not Applicable, Failed, and No Status.

    Sorry again, Lawrence, but the status of "NEEDED" is very well defined by Microsoft in WSUS, as it is displayed in the reports and, based on needed updates, servers are reported in a RED STATE, that is WORLDWIDE COLOR FOR DANGER. It's true that the Windows Update Client doesn't have a NEEDED status in itself, but WSUS is a management software that ANALYZES THE STATUS OF THE SERVER USING THE WUCLIENT. So what's not in the client, could be (and actually is) defined in the server software.

    Let's talk about the WUACLIENT and the Security Center every home user: a security patch is released by MS, the WUCLIENT on your home PC reports "Applicable" and "Not installed" and the security center issues a BIG WARNING, telling you that YOU NEED AN IMPORTANT UPDATE TO STAY SAFE!!!

    WSUS is doing the exact same thing in a corporate environment, but interacting with the patch administrator and not with the end users, so he can take the HUMAN DECISIONS you were talking about and leave big holes in security for any kind of reason (incompatibility with production sw, etc.), on his responsibility.

    Then I need a replacement for WSUS with one that does what many of us had come to expect. 

    And herein is the core part of the rest of the problem -- expecting a SOFTWARE PRODUCT to conform to your particular practices, which themselves may not be conformant to established "best practices" in the world. This situation is not unique to WSUS either -- I've seen it with accounting systems, supply chain management systems, and many others.

    When you implement a SOFTWARE PRODUCT -- you have two choices:

    1. Customize the product to meet your existing processes and philosophies.
    2. Modify your processes and philosophies to make use of the product.

    FWIW, most of the organizations I have seen that opted for #1 later regretted that decision. The expense, and negative impact, were simply too much in the end -- but generally not recoverable, and additional expense and negative impact were encountered to "undo" that initial (bad) decision. These decisions were almost always a result of perpetuating defective processes and practices in the first place, rather than recognizing that the reason the product did it a certain way is because that is how MOST healthy processes actually work -- and maybe the organization needed to re-evaluate how they were doing certain processes and practices.

    Patch Management is not a new discipline, and there's twenty years of experience and practices that pre-dates Microsoft's first release of an update to Windows Update merely a dozen years ago. WSUS is a tool. It provides information. Interpreting that information correctly is the responsibility of the IT Professional assigned to use that tool. That also requires that the IT Pro not "assume" how something works, but to actually LEARN how the product ACTUALLY works.

    SO.. yes.. if you want a product that conforms to YOUR existing philosophies and methodologies -- then you probably need to get out your checkbook.

    Nice words.. let's talk about WSUS philosophy then, remembering what caused this thread in the start: a DYNAMIC UPDATE TO INSTALL A PRODUCT (WSUS itself).

    What in the does a new install have to do with deploying patches??? And, in fact, this kind of package in WSUS is relatively new. The original purpose of the product was just to deploy updates. I agree with you to adapt my practices and philosophies to the product I use, but I cannot change it every time the producer decides to change its mind.

    Do I have to add that MS is altering the WSUS concept only to push as hard as it can the use of its free products? IE, WSUS, SILVERLIGHT, etc...

    And, in fact, can't we use WSUS to install Office products, right? ;)

    Dario


    Dario Palermo
    Friday, September 02, 2011 9:28 AM
  • Here is a question from one of us backwards thinkers that still want to try for all green 100%.  If I decline the update, and eventually need to install WSUS on a 2008 server, can I do it the old way (download and install Windows Server Update Services 3.0 SP2) without any problems?  I saw something you posted a couple of years ago (see below) that indicated the application might not be converted to a role.  Would that be a problem or just different?

    Thanks

    "But, in short, installing WSUS3SP2 on a Windows Server 2008 R2 system as a
    role with Server Manager integration requires either access to the Internet
    (Microsoft Update) or access to a WSUS Server with KB972493 approved for
    installation.

    Presumably you can still use the standalone installer to install WSUS3SP2 as
    an *application* on Windows Server 2008 R2, but I've not actually tried
    that, so this is mere speculation. Even if you could, I'm not sure how you
    would convert it from an application installation to a role. On Win2008RTM
    this was achieved by installing KB950418, but KB950418 was included in
    Win2008SP2 and Win2008R2, so the 'conversion' mechanism is already baked in.

    If you really need to install WSUS3SP2 on a Windows Server 2008 R2 machine
    that has no connectivity, this is the only possible choice that could exist,
    though."

    Saturday, September 03, 2011 11:01 PM
  • If I decline the update and eventually need to install WSUS on a 2008 server, can I do it the old way (download and install Windows Server Update Services 3.0 SP2) without any problems?

    Yes.

    Please note also, as it bears repeating again and again, because it seems nobody is getting this point -- you could also NOT SYNCHRONIZE the Product Category named Windows Server Manager - Windows Server Update Services (WSUS) Dynamic Installer. The only reason this problem comes about in the first place is because WSUS admins are selecting Product Categories that they obviously do not need!

    You can also download/install the Role from an active Internet connection using the bits hosted on Microsoft Update, which is still the preferred methodology.

    I saw something you posted a couple of years ago (see below) that indicated the application might not be converted to a role.

    As noted in the quote you cited -- I had not personally done that, so the answer was speculative, and I stated so in my response. I do not state things in my posts as factual unless I have personally observed it to actually occur, or there is factual information to support such a statement. Sufficient empirical evidence exists today from thousands of other installations on disconnected servers to confirm that this is a non-issue.

    The standalone installer will install WSUS as a Role if it is used.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Sunday, September 04, 2011 6:42 PM
    Moderator
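
    Added example (not part of any post in this thread, and not Microsoft's code): a PowerShell sketch for the WSUS server that shows how the console's "Needed" figure is composed from the three states listed earlier in the thread for KB972493, and optionally declines the update as advised above. The `-Decline` switch and variable names are illustrative assumptions; the calls are from the `Microsoft.UpdateServices.Administration` API.

```powershell
# Added example, not from the thread. Run in an elevated session on the WSUS server.
param(
    [string]$Kb = 'KB972493',  # KB number of the Dynamic Installer discussed in the thread
    [switch]$Decline           # illustrative switch: without it the script only reports
)

# The administration assembly is installed with the WSUS server or console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# A default ComputerTargetScope covers every computer reporting to this server.
$scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

# SearchUpdates does a text search, so keep only updates whose title carries the KB number.
$found = @($wsus.SearchUpdates($Kb) |
    Where-Object { $_.Title -match [regex]::Escape($Kb) })

if ($found.Count -eq 0) {
    Write-Warning "No update matching $Kb is known to this WSUS server."
    return
}

foreach ($update in $found) {
    $s = $update.GetSummary($scope)

    # "Needed" in the console is a display composite, not a state of its own:
    # Not Installed + Downloaded + Installed Pending Reboot.
    $needed = $s.NotInstalledCount + $s.DownloadedCount + $s.InstalledPendingRebootCount

    New-Object PSObject -Property @{
        Title         = $update.Title
        IsDeclined    = $update.IsDeclined
        Needed        = $needed
        NotInstalled  = $s.NotInstalledCount
        Downloaded    = $s.DownloadedCount
        PendingReboot = $s.InstalledPendingRebootCount
        Installed     = $s.InstalledCount
        NotApplicable = $s.NotApplicableCount
        Failed        = $s.FailedCount
        NoStatus      = $s.UnknownCount
    } | Select-Object Title, IsDeclined, Needed, NotInstalled, Downloaded,
                      PendingReboot, Installed, NotApplicable, Failed, NoStatus

    # Declining is server-wide: it cannot be scoped to one machine or one group.
    if ($Decline -and -not $update.IsDeclined) {
        $update.Decline()
        Write-Output "Declined: $($update.Title)"
    }
}
```

    Run it without `-Decline` first to see which computers contribute to the "Needed" count and to confirm that only the intended update matches.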
  • So trying to catch up here.  I did read through all posts and while entertaining I'm still trying to get a solution for the 100 percenters, as I am one of them also.  The solution to this may not be as bad as it seems.

    The understanding of what a Dynamic Installer is and what you would miss without having them delivered through WSUS may be the entire problem.

    By choosing not to have Dynamic Installers delivered through WSUS would not mean that I would miss out on updates to the products themselves, but just updates to install them through the Roles and Features of Server Manager?

    Thanks,

    Chris

     

    Friday, September 23, 2011 12:42 AM
  • By choosing not to have Dynamic Installers delivered through WSUS would not mean that I would miss out on updates to the products themselves, but just updates to install them through the Roles and Features of Server Manager?

    You don't even lose the ability to install them, merely to install them using a LOCAL source for the installation bits. In fact, that is the exact purpose of having published the Dynamic Installers to WSUS -- so that client systems do not need to individually download the bits via the Internet to do the installation -- they can get them locally.

    Otherwise, you can always download the bits from Microsoft Update when installing WSUS (or any other product that offers a Dynamic Installer).


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com

    Friday, September 23, 2011 2:56 PM
    Moderator
  • So that sounds like a perfectly fine solution.  For those who use WSUS for patch management and want the green pie charts and don't care about this new functionality, simply exclude "Windows Server Manager -- Windows Server Update Services (WSUS) Dynamic Installer".  You will still get your patches and updates for the WSUS product.

    It seems you will also have to decline this particular update since this update will remain even after you have excluded the above product.

    Thanks very much,

    Chris

    Friday, September 23, 2011 5:25 PM
  • Hi everyone

    I just found this conversation because I'm bothered by this 99% Installed/Not Applicable Percentage on 99% of my servers.

    I have always enabled all patches regardless of the "Does this server need it or not" consideration that the current moderator seems to love.

    I never had any problem with this and never will waste any time on choosing which update I need to apply or not on a server.

    WSUS is a patch deployment server and we don't need to know which patch needs to be installed or not.... We need to update everything that can be updated or installed on the server.

    This "BY DESIGN" behavior of Dynamic Updates is really idiotic.

    If the server doesn't have WSUS SP2 installed then, I consider that the BY DESIGN  behavior should be "Do not show this update as needed" and wait for the WSUS  to be installed on the server to become "This update is needed".

    I'll decline this update but it's the first time I need to decline an update to be happy and see all my servers being green.

    So please, Microsoft, just think of changing this.....

    To come back on this BY DESIGN thing, I remember Microsoft saying that we wouldn't need to administer a server from a Workstation computer (Windows 7 for example) but RDP it to administer it and .... they had to create RSAT packages because everyone didn't accept this BY DESIGN thing.... maybe MS will rethink this particular BY DESIGN idiotic behavior for this particular package... I hope (but they usually don't listen a lot to us network managers).

    Also, dear Moderator, I find your answers very unnecessarily aggressive... it looks like you are tired of moderating things here... think of maybe taking holidays away from this forum :)

    Thanks



    • Edited by Tof06 Wednesday, April 18, 2012 5:37 PM
    Wednesday, April 18, 2012 5:25 PM
  • I just found this conversation because I'm bothered by this 99% Installed/Not Applicable Percentage on 99% of my servers.

    I have always enabled all patches regardless of the "Does this server need it or not" consideration that the current moderator seems to love.

    I never had any problem with this and never will waste any time on choosing which update I need to apply or not on a server.

    Everybody has their own opinions and methodologies, but it needs to be noted that this philosophy contravenes every "best practice" about patch management that has existed for the past 40 years.

    For those who choose this methodology, I can promise you three things:

    • You will always have patches NOT installed. (Dynamic Installers are a permanent fixture in WSUS. Learn how to manage them.)
    • You will install packages you should not install. (Does your Domain Controller really need Silverlight?)
    • Eventually some machine will CRASH because you installed a patch that some application on that machine doesn't like.

    The purpose of this forum -- one of the purposes of this forum -- is to discuss the right way to do patch management with WSUS. As frustrating as it may be, sometimes that's not the same thing as the easiest way.

    For those that simply install a WSUS server and then approve and install *everything*, I ask you this: Why did you install WSUS in the first place?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    Wednesday, April 18, 2012 9:51 PM
    Moderator
  • Again, Garvin, WSUS is a patch management system. New products shouldn't be deployed (by Microsoft I mean) with that. It contravenes the simple meaning of "patch management system".

    Maybe you like it, some others surely don't.

    The only point you made is that eventually some machine will crash because of a patch. But, as I already said in other posts, not everyone has the time and the resources to really test the patches against their specific software setup. The Hamletic choice is to update (and eventually deal with problems) or to not update (and deal with vulnerable systems). I'm usually going with the second one, and I haven't had troubles for a long time. WSUS is good for me at least as a "download caching" and reporting tool.

    PS

    Some time ago, however, following your suggestion I excluded some categories from autoapproval and no longer had the dynamic updates problem.


    Dario Palermo

    Thursday, April 19, 2012 6:58 AM
  • Everybody has their own opinions and methodologies, but it needs to be noted that this philosophy contravenes every "best practice" about patch management that has existed for the past 40 years.

    For those who choose this methodology, I can promise you three things:

    • You will always have patches NOT installed. (Dynamic Installers are a permanent fixture in WSUS. Learn how to manage them.)
    • You will install packages you should not install. (Does your Domain Controller really need Silverlight?)
    • Eventually some machine will CRASH because you installed a patch that some application on that machine doesn't like.

    The purpose of this forum -- one of the purposes of this forum -- is to discuss the right way to do patch management with WSUS. As frustrating as it may be, sometimes that's not the same thing as the easiest way.

    For those that simply install a WSUS server and then approve and install *everything*, I ask you this: Why did you install WSUS in the first place?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    Hi again,

    I totally agree with Dario on this one : if a DC doesn't need Silverlight, why would MS use a Patch Management Server to deploy it ? In a logical usage, it would only be deployed to computers or servers that have Silverlight installed and not take the initiative to install it.... This behavior is SCCM's job, not WSUS's.... Also, if you have time to test every patch MS is publishing... then you're lucky (but it's your job at MS if I'm not mistaken)

    In the real life, here's how it works : my department is only made of 4 persons and we are in charge of 15 foreign offices (from Japan to the US including South America and Asia) and 6 different sites in France. We really don't have time to deal with patch testing. Again, in the real life, when you have a problem and call a publisher, they all ask you if you updated your computer with the latest patches.... so do we have any choice ?

    Also, why do I use WSUS ? Because my network is composed of 230 Windows 2003 to 2008R2 servers and 1500 Windows XP / 7 computers. This is a small network compared to MS's or big NASDAQ companies (which we are not) but managed by only 4 persons...... According to me, not updating is out of a question. I would rather deal with crashes than with security holes.

    If you start thinking like this, I would ask you why would I install SP1 / SP2 or SP3 on Windows XP or Windows 7 ?

    Finally, in the past 15 years, I NEVER had any crash due to patches or updates...... and if it would happen, then I would blame the developer or software manufacturer rather than the patch....

    I also don't have patches that are not installed.... all my servers and computers are now (after declining this KB972493 patch) 100 % installed.

    I don't want to learn how to use Dynamic Installers because I don't understand the point in this... I have installed a supplemental WSUS server last week and it installed WSUS SP2 without the need of this Dynamic Installer... So what is it used for ?

    These are my 2 cents thoughts... :)

    Saturday, April 28, 2012 8:30 PM
  • I'm sorry Lawrence Garvin from Texas, but after reading this thread, your input into answering the question has been absolute trash.

    You may as well have not replied to any posts here as you really have not helped anyone. I have wasted my time reading your useless replies which have annoyed me so much that I have taken a moment out of my ever so busy schedule to write this.

    How about replying when you actually have an answer that's going to help someone.

    All the very best

    Keef Boombastic

    Thursday, May 17, 2012 10:17 AM
  • This is incredibly helpful information. Thanks!
    Thursday, May 24, 2012 4:36 PM
  • Wow what a thread, over two years. I thought you were giving up after a few months Lawrence! Based on this thread I have changed my display to exclude the "Installed/Not Applicable Percentage" and to include the "Needed Count" column which is more meaningful and if I have a 2008/R2 server needing one patch I interpret that as 100% and my small little admin mind is happy :-)
    Tuesday, July 03, 2012 8:13 AM
  • However, for Windows 2008 servers that do not have the WSUS Role installed, it might be nice to have the status be reported with something other than the "Needed" status that currently is used.

    I don't disagree with you, but the status options are what they are. An update is either Installed, NotApplicable, or "Needed" (which actually includes three states: NotInstalled, Downloaded, and InstalledPendingReboot). And while you've effectively refuted my argument about Silverlight (except that by declining the Silverlight update you've denied it to *ALL* systems in your enterprise), not all updates will be able to be handled in such a manner.

    The basic issue here is one of interpretation and reporting:

    • "Needed" does not mean that an update should be installed. It means that an update CAN BE installed.
    • Everybody wants to see 100% Installed on their status reports, but the reality is that 100% Installed is an *unrealistic* expectation in any patch management environment.

    There is rarely a situation where *ALL* available updates *SHOULD* be installed on any given system. Thus, a more simple solution is to simply accept that some systems are going to report some updates as "Needed" and that's just the way it's gonna be because those updates are not going to be installed on those systems. It's an *accurate* reflection of reality, and should not be construed as a negative indication.

    Maybe Microsoft could add an "Available" status for Dynamic Installers and new applications such as Silverlight and Skype that would not prevent the green light.

    It's a legitimate request --- but, in reality, it's not going to happen. WSUS is a "feature complete" product, and has been for over five years. It's in "maintenance mode". And unless something earth-shattering happens in the patch management discipline or the Microsoft Update infrastructure, there are not likely to be any more feature enhancements to WSUS.

    In your examples, you mention changing the "Needed" status to a "Not Installed" status which I agree is more appropriate.

    Yes, it has always annoyed me that the WSUS developers chose to consolidate those three actual states (NotInstalled, Downloaded, InstalledPendingReboot) into this pseudo-state of "Needed", which has caused many more headaches and heartaches than was necessary.

    However, if we create a whole new "Available" status, we can then leave the existing "Needed" status and have it truly mean that the update is needed to ensure that we as administrators are able to use WSUS as a better indicator of a system's update status.

    The irony here is that this is how WSUS v2 (2005-2007) actually operated. In WSUS v2 there was an option to set an update to "Detect Only", and if that option was set, then the WUAgent would report the Needed/Installed status for that update. Otherwise, an update that was not set to "Detect Only" or "Approved" was always reported as "Not Applicable".

    There's a whole horde of discussions that went on in 2007 in the WSUS newsgroup about this change (and you may be able to find them in a Google Groups search), and initially I didn't agree with the decision either -- but after many months of discussion, I came around. The primary benefit of setting all updates inherently to "Detect Only" in WSUS v3 was that it prevented Security Updates from being accidentally missed in the scans. The *one* disadvantage in these five years is that it has the effect of creating "false positives" on KB972473.

    Now, for *most* organizations, the simple remedy is to decline (or, truly, to not synchronize in the first place) the update and be done with it. You and I, however, represent a very small microcosm of the WSUS community that recognizes the value of this package for installing replica servers, and so, being in the minority, we get the joy of "sucking it up". I have Win2008 systems flagged by this update also. I've just learned to ignore that data (as I have the Silverlight 5.01 security update, and IE9 -- which ain't never gonna see the light of day on my servers).

    Tuesday, October 09, 2012 9:59 PM
  • Based on this thread I have changed my display to exclude the "Installed/Not Applicable Percentage" and to include the "Needed Count" column which is more meaningful and if I have a 2008/R2 server needing one patch I interpret that as 100% and my small little admin mind is happy :-)

    That's an excellent approach! Truth is, I do everything on my system based on a RAW count of NEEDED systems as well.

    But why not just DECLINE KB972493, since you'll never need that update, and then your Needed count for Win2008 systems will accurately reflect *ZERO*.

    The only thing I use "Installed/NotApplicable Percentage" for is identifying superseded updates that are candidates for being declined.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    Saturday, October 13, 2012 12:54 AM
    Moderator
  • Or how about, if something shows up in WSUS as 'needed' and I approve it, the client picks it up and installs it. Because I had that update approved, showed needed, but the server never picked it up.
    Wednesday, October 17, 2012 8:45 PM
  • If this thread *CAN* be reanimated it *NEEDED* to be reanimated.
    If uninstalled roles reside in %SYSTEMROOT%\winsxs, why cannot some update silently place there WSUS3.0SP2 files without so called Dynamic Installers?

    Thursday, January 31, 2013 7:26 PM
  • If uninstalled roles reside in %SYSTEMROOT%\winsxs, why cannot some update silently place there WSUS3.0SP2 files without so called Dynamic Installers?

    It's a great question Mikhail, and the answer is because the installation file for WSUS did not ship with Windows Server 2008 R2 (or Windows Server 2008 SP2). Thus, there are no bits from the installation media to pre-cache in the WinSxS folder. The release date of WSUS3SP2 and Win2008R2 were the same day, so those bits were not available to burn onto the Win2008R2 media when Win2008R2 was RTMed.

    It is, in fact, the purpose of the Dynamic Installer to get those bits into the WinSxS folder.



    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Sunday, February 03, 2013 1:01 AM
    Moderator
  •  Thus, there are no bits from the installation media to pre-cache in the WinSxS folder.

    It is, in fact, the purpose of the Dynamic Installer to get those bits into the WinSxS folder.


    So why
    1) WSUS detects issue if there are no bits ...?
    2) Dynamic Installer does not get those bits into the WinSxS folder?!..
    Sunday, February 03, 2013 6:55 PM
  •  Thus, there are no bits from the installation media to pre-cache in the WinSxS folder.

    It is, in fact, the purpose of the Dynamic Installer to get those bits into the WinSxS folder.


    So why
    1) WSUS detects issue if there are no bits ...?
    2) Dynamic Installer does not get those bits into the WinSxS folder?!..

    The update is reported as "NotInstalled" because that's a factual statement. The WSUS Role is not installed; the Dynamic Installer was not used to install the update.

    The purpose of a Dynamic Installer is to do it when requested by the system where it is to be installed. This is not an "install on every Win2008R2" system type of update. There is no need for the WSUS bits to be installed onto a machine that won't be a WSUS server.

    1. Approve the Dynamic Installer update on an existing WSUS server. I suggest creating a Target Group called "WSUSServers" for this purpose.

    2. Configure a Windows Server 2008 R2 system as a WSUS client and put it in the group where the Dynamic Installer is approved. (e.g. "WSUSServers")

    3. Launch "Roles & Features" from Server Manager and install the WSUS role. The bits are downloaded from the local WSUS server.

    The primary purpose/advantage of the Dynamic Installer is for an organization that needs to deploy replica servers. A replica server can be installed from a local instance of the bits stored on the upstream WSUS server, rather than having to be downloaded from Microsoft across the Internet every time the server needs to be installed.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, February 04, 2013 11:06 PM
    Moderator
  • Are all MVPs jerks to Microsoft customers?  I have yet to be in a thread where the MVP didn't tell the user they were Doing It Wrong, no matter how valid the gripe.  I'm going through a WSUS audit process on our network and this is absolutely unexpected and a terrible end user experience to the administrator.  So an admin is supposed to know that it's normal and "expected" that servers show up as a "yellow warning" status on the WSUS dashboard simply because they might someday in the future install a role that is not yet installed?  What brilliant software engineer designed that?  There needs to be another state, other than needed, because that implies that the update is ready and the server is either ready to install it (because it was recently approved) or is failing to detect it.
    Monday, June 17, 2013 7:37 PM
  • Are all MVPs jerks to Microsoft customers?  I have yet to be in a thread where the MVP didn't tell the user they were Doing It Wrong, no matter how valid the gripe.

    Maybe, the problem isn't "All MVPs", but your hypersensitivity to our frankness?

    So an admin is supposed to know that it's normal and "expected" that servers show up as a "yellow warning" status on the WSUS dashboard simply because they might someday in the future install a role that is not yet installed?

    No, I don't think it's an unreasonable expectation at all that a PAID IT PROFESSIONAL know how to use the Administration Console that it is their *JOB* to use, or understand the processes and realities related to the discipline they're responsible for working within. I think that anybody who understands anything at all about patch management, or even looks at the updates available for installation, ought to be able to draw a reasonable conclusion that it will never be the case that 100% of all available updates will be installed to every system at any given time. This is not new stuff; it's been the case for servers since the release of Windows 2000 Server over 13 years ago, long before the creation of WSUS!

    Do you install Silverlight on your Domain Controllers?

    There needs to be another state, other than needed, because that implies that the update is ready and the server is either ready to install it (because it was recently approved) or is failing to detect it.

    Your design thoughts are noted, but you're barking up the wrong tree. That "feature" was built into the original version of WSUS (v2 in 2005) and had catastrophic results. It was removed from v3, in 2007, because of those catastrophic results.

    The problem here is the dichotomy between expecting a product to operate the way you want it to operate, and understanding the way a product actually operates and adjusting accordingly .. even when you don't like how it operates. Yes, I'm sympathetic to the fact that things are not the way you want them ... but they're the way they are, and the topic of this forum, and more specifically the four-year old discussion in this thread, is to answer questions within the design realities of the product, not pine about all the things that we wish were different.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, June 17, 2013 10:33 PM
    Moderator
  • Hi,

    But relay the topic is about "Needed" and the KB972493 isn't!

    Is't a dynamic installation that can be needed perhaps maybe if, whuu:

    I call that pedagogical mistake by Microsoft and it doesn't matter if its "By design"/"dynamic installation" or not.

    And I personally don't like Silverlight on Domain Controllers or servers but I have computer groups for that =O) and they are declined for server, which is a "Good design"

    No more dynamic installations because there is a design mismatch with WSUS and an SP2 (with KB972493) on that and we are back to good times.

    Just my 2 bitcoins,

    ::beep



    • Edited by Beppe beep Tuesday, October 29, 2013 3:35 PM
    Tuesday, October 29, 2013 3:07 PM
  • But relay the topic is about "Needed" and the KB972493 isn't!

    And, as I've written elsewhere in this thread several times... this interpretation of the word "Needed" is the fallacy in your statement. If you continue to interpret the word "Needed" in the way you want to, you'll continue to be confused by the state of things. If you accept that "Needed" merely means CAN BE INSTALLED -- then you'll have no problems at all. The only change that needs to be made here is how you choose to interpret the term "Needed".

    And I personally don't like Silverlight on Domain Controllers or servers but I have computer groups for that =O) and they are declined for server, which is a "Good design"

    There's your second misunderstanding. You CANNOT decline the Silverlight package for some systems because

    • You cannot DECLINE an update by group.
    • There is only ONE Silverlight package which applies to ALL systems.

    Perhaps you should take a look at that Silverlight package. Either you've declined it for ALL systems (in which case your Silverlight v5 installations currently have a critical security vulnerability, or you declined it after installing it to the systems you wanted to),

    Or you have systems reporting that update as NEEDED, where you've correctly chosen to NotApprove the update for those groups. It doesn't change how the update is reported; only changes the fact that the system won't install the update.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence R Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, November 02, 2013 4:49 PM
    Moderator
  • Lawrence, let me tell you that it's all about interpretation!

    We teach through life, from our parents and from schools to meet a common understanding and a common interpretation so we don't get confused or misunderstand each other.
    Systems must meet the real world or things like this will keep happening.
    I also have to tell you that it's not only me that gets confused here =O)
    The only thing I can accept is my wife saying one thing and meaning something else =O)

    I still call that a pedagogical mistake by Microsoft! "NEEDED" and "CAN BE" (as you interpret it) are not the same! (in the real world)

    And you are right. We can't decline to a single group. Stupid system, isn't it?
    So if you like to decline Silverlight for your servers you have a choice to setup another WSUS for your selection to do so, but who in the world would do that?

    Monday, November 04, 2013 3:07 PM
  • I still call that a pedagogical mistake by Microsoft! "NEEDED" and "CAN BE" (as you interpret it) are not the same! (in the real world)

    I absolutely agree with you!

    If you read my comments throughout this thread, I'm a very vocal critic of the use of the term "NEEDED" in the WSUS console in the context in which it is used.

    But whining in this thread about how people WISH it would be, isn't going to change anything, and it's not going to help use WSUS correctly unless the term is properly interpreted in the way in which it is ACTUALLY being used in *THAT* product.

    Like it or not, that's what the display means. Work with it. Adapt.

    Just like being married, I might add. ;-)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence R Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, November 08, 2013 8:53 PM
    Moderator
  • And you are right. We can't decline to a single group. Stupid system, isn't it?

    No. Unless you fail to understand the purposes and distinctions of: Approved, NotApproved, Declined

    So if you like to decline Silverlight for your servers you have a choice to setup another WSUS for your selection to do so, but who in the world would do that?

    You might consider that your only choice. I don't. The question remains one of whether people get all bent out of shape because the display shows what is factual, rather than what they WANT it to display.

    Truth is, if you need to know about COMPLIANCE, then create two groups: Desktops and Servers. Approve Silverlight for Desktops. Don't approve it for Servers. Run a report based on APPROVED UPDATES and exclude the Servers group... voila! Valid compliance data for Silverlight as relates to only Desktop systems. Who cares what's displayed in the console!?

    It's all simply a matter of knowing the proper way to use the product, which requires one to accept the quirks, particularly those you may not like, and work within those constraints. I'm sure there are MANY software products in your environment that don't work exactly like you wish they did. You can either invest your energies in complaining about how they work, and get no real work accomplished, or you can work with how they work and get the work done and still be home for dinner at the end of each day. All in all it's nothing but a matter of personal choice where one chooses to invest their energies. Me... I've got lots of things I'd rather be doing than whine because some piece of FREE software isn't exactly to my liking. :-)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence R Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, November 08, 2013 9:00 PM
    Moderator
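
The compliance report described in the post above (count only APPROVED updates, and only for the group you care about), as an added example that is not part of the original thread or anyone's posted code. It uses the WSUS administration API and breaks the console's "Needed" figure back into NotInstalled, Downloaded and InstalledPendingReboot; the group name `Desktops` is taken from the post, and the script assumes it runs on the WSUS server or on a machine with the WSUS administration console installed.

```powershell
# Added example: per-computer compliance for one target group, approved updates only.
# Assumption: run locally where Microsoft.UpdateServices.Administration.dll is installed.
$GroupName = 'Desktops'   # assumption: the target group to report on

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Target group '$GroupName' not found on this WSUS server." }

# Update scope: only updates whose latest revision is approved.
# NotApproved and Declined updates (for example a Dynamic Installer nobody approved)
# are left out, so they cannot inflate the Needed count.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates =
    [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

# Computer scope: only members of the chosen group, so servers never enter the report.
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
[void]$computerScope.ComputerTargetGroups.Add($group)

$report = foreach ($s in $wsus.GetSummariesPerComputerTarget($updateScope, $computerScope)) {
    # The console's "Needed" is the sum of these three real installation states.
    $needed = $s.NotInstalledCount + $s.DownloadedCount + $s.InstalledPendingRebootCount
    $total  = $needed + $s.InstalledCount + $s.NotApplicableCount +
              $s.FailedCount + $s.UnknownCount

    # Avoid dividing by zero for a machine that has not reported any status yet.
    $percent = $null
    if ($total -gt 0) {
        $percent = [math]::Round(100 * ($s.InstalledCount + $s.NotApplicableCount) / $total, 1)
    }

    New-Object PSObject -Property @{
        Computer        = $wsus.GetComputerTarget($s.ComputerTargetId).FullDomainName
        Needed          = $needed
        NotInstalled    = $s.NotInstalledCount
        Downloaded      = $s.DownloadedCount
        PendingReboot   = $s.InstalledPendingRebootCount
        Failed          = $s.FailedCount
        Unknown         = $s.UnknownCount
        PercentComplete = $percent
    }
}

# Machines with the most outstanding approved updates first.
$report |
    Sort-Object Needed -Descending |
    Select-Object Computer, Needed, NotInstalled, Downloaded, PendingReboot, Failed, Unknown, PercentComplete |
    Format-Table -AutoSize
```

A non-zero `Failed` or `Unknown` count is worth investigating separately, since neither is part of "Needed" and both keep a machine below 100%.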