WSUS Updates Fail


  • WSUS Updates Fail

    Please clarify the following for me.

    I have some machines under my WSUS reporting that 2 or 3 updates failed to install.

    What can I do about this?

    Another thing: the WSUS synchronization happens every day and I can see the updates downloaded. Do I have to approve them each day for them to be installed?

    I read somewhere about creating a rule with a deadline of up to when an update should be installed.

    How do I go about creating these rules? I can't find an option to do that.

    Thx

  • #2
    Re: WSUS Updates Fail

    OK, taking the questions in turn:

    1) You will need to review update logs on the individual machines and treat them case by case. In some cases, updates conflict so they will install later. Note that if you expect a 100% green board, you are likely to be disappointed -- some updates will never install (e.g. WSUS updates on non-WSUS servers).

    2) The nature of WSUS is that it is a managed service, so you need to approve updates for installation. I would suggest every day is too frequent -- I normally do weekly except for the rush around Patch Tuesday. Also remember to clean up WSUS and run the database maintenance script regularly (http://gallery.technet.microsoft.com...-f1d270ddea61/). I normally do this monthly (cleanup and maintenance).

    3) Rules are under WSUS options (Automatic Approval Rules or something like that) -- use with care as you will lose your management role!

    Also, IMHO, don't automatically accept new updates unless you have a test environment in which you can risk it. Microsoft have (gasp, shock) managed to release buggy updates (last Patch Tuesday did something nasty to video codecs) and it is probably worth checking the internet for adverse comments before diving in and letting them go.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: WSUS Updates Fail

      Thanks Tom.

      Now I have my WSUS server up and running well; synchronization happens every day at 9pm.

      When I check the synchronization report to see if there are new updates for approval, all I see are like 10 definition updates for Microsoft Security Essentials.

      See attached pic.

      Now, is this normal? I thought I should be able to see normal security/critical updates for Win7, Office and such... like the one I approved for install the 1st time I set up the WSUS.


      • #4
        Re: WSUS Updates Fail

        I have set up an auto approval rule, along the lines of:

        when an update is in DEFINITION UPDATES
        when the update is for SECURITY ESSENTIALS
        Approve the update for <my client group>

        Seems to work happily enough
        Tom Jones


        • #5
          Re: WSUS Updates Fail

          Thanks.

          What about the other critical/security updates for Windows systems?

          Is it that these updates aren't released often compared to the MSE definition updates?



          • #6
            Re: WSUS Updates Fail

            You can create rules for any categories you like but IMHO there is a vast difference between definition updates (which do not change the OS) and other patches, which do. I would never auto approve critical or security
            a) because MS have a nasty habit of sneaking e.g. new IE versions into "updates" and
            b) updates do not always work, and I prefer to test (or watch for comments on other people testing)
            Tom Jones


            • #7
              Re: WSUS Updates Fail

              Originally posted by Ossian
              You can create rules for any categories you like but IMHO there is a vast difference between definition updates (which do not change the OS) and other patches, which do. I would never auto approve critical or security
              a) because MS have a nasty habit of sneaking e.g. new IE versions into "updates" and
              b) updates do not always work, and I prefer to test (or watch for comments on other people testing)

              This is definitely the best practice. But I would add that an organization needs to examine the cost associated with testing patches versus dealing with issues that arise from the patches. The smaller the organization, the less cost-effective testing becomes. Also, the added risk of compromise by not installing the patch if you have a long test window may start to swing things towards installing and then dealing with the aftermath if an issue occurs.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com



              • #8
                Re: WSUS Updates Fail

                For me, as a "small organisation", the easiest way is to wait about 48 hours after the patch is released and have a quick look for issues with the patch. I then approve to my upstream server (my organisation), install / check nothing major is broken, and then release to my downstream server (which goes out to clients).
                Tom Jones
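The 48-hour wait followed by a limited first approval, described in post #8, can be scripted as below. This is an added example, not code from any poster in the thread. It assumes the UpdateServices PowerShell module (WSUS on Windows Server 2012 or later), that WSUS reports dates in UTC, and a hypothetical computer group named `Pilot` standing in for the poster's upstream server.

```powershell
# Added example, not from the thread. Run on the WSUS server itself.
Import-Module UpdateServices

function Get-SoakedUpdate {
    # Unapproved security/critical updates that clients need and that are
    # older than the soak period, so there has been time for problem reports.
    param(
        [int]$SoakHours = 48,                          # wait used in post #8
        [string[]]$Classification = @('Security', 'Critical')
    )
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$SoakHours)
    foreach ($class in $Classification) {
        Get-WsusUpdate -Classification $class -Approval Unapproved -Status FailedOrNeeded |
            Where-Object {
                # CreationDate is taken as the release time (assumed UTC)
                $_.Update.CreationDate -lt $cutoff -and -not $_.Update.IsSuperseded
            }
    }
}

function Approve-ForPilot {
    # Approve the soaked updates for one test group only. Nothing is changed
    # unless -Apply is given; without it the candidates are just listed.
    param(
        [Parameter(Mandatory)][string]$TargetGroupName,  # hypothetical group name
        [int]$SoakHours = 48,
        [switch]$Apply
    )
    $ready = @(Get-SoakedUpdate -SoakHours $SoakHours)
    foreach ($u in $ready) {
        if ($Apply) {
            Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $TargetGroupName
        }
        [pscustomobject]@{
            Title    = $u.Update.Title
            Released = $u.Update.CreationDate
            Approved = [bool]$Apply
            Group    = $TargetGroupName
        }
    }
}

# Dry run: list what would be approved for the hypothetical 'Pilot' group
Approve-ForPilot -TargetGroupName 'Pilot' | Format-Table -AutoSize
```

Re-run with `-Apply` once the listed updates have been checked for reported problems; release to the wider client groups remains a separate, manual approval.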