WSUS - Approving Updates For Group Of Computers
It's a pretty straightforward process: Step 4: Approve and Deploy WSUS Updates
When you approve the updates, you choose which group. After my test group has run with the updates for a few days with no problems, I just approve for all computers.
First of all...I'm new to WSUS. My question...if you have a computer group for Test computers and approve a list of updates for them, is there an easy way to approve the same group of updates for another group of computers once the updates have been tested?
I have a GPO setup that I will apply to all computers and I have a GPO just for IT computers that I will use to test updates. Is that the correct way to do it?
This topic first appeared in the Spiceworks Community
Similar Messages
-
Help Powershell and Wsus Approve Updates By Computer Group
I've found this script to ApproveUpdatesByComputerGroupt and it works, my problem is now, I only need to approve Classification Critical, because I will not approve service packs for OS / SQL, etc.
I'm using SCCM, but Failover Cluster should I use WSUS, and my support team is already running a script, to set maintenance mode.
But no matter what I've tried, I can not really get it to work, so ..
Help Help
# ApproveUpdatesByComputerGroup.ps1
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer()
$ComputerTargetGroups = $wsus.GetComputerTargetGroups()
Write-Host "Warning: This will approve all NotApproved updates for a Computer Group" -ForegroundColor Red
Write-Host "Computer Groups"
$Count = 0
foreach ($ComputerTargetGroup in $ComputerTargetGroups) {
Write-Host $Count - $ComputerTargetGroup.Name
$Count++
$ComputerGroupToUpdate = Read-Host "Select Computer Group to update. [0 - $($Count-1)]"
Write-Host "Finding all updates needing approval and approving them"
$ComputerGroupName = $ComputerTargetGroups[$ComputerGroupToUpdate].Name
$ComputerGroupId = $ComputerTargetGroups[$ComputerGroupToUpdate].Id
$ComputersToScan = $wsus.GetComputerTargetGroup($ComputerGroupId).GetComputerTargets()
foreach ($ComputerToScan in $ComputersToScan) {
$ComputerTargetToUpdate = $wsus.GetComputerTargetByName($ComputerToScan.FullDomainName)
# Get all Not Installed updates available to the computer
$NeededAndNotInstalled = $ComputerTargetToUpdate.GetUpdateInstallationInfoPerUpdate() | where {
($_.UpdateInstallationState -eq "NotInstalled") `
-and ($_.UpdateApprovalAction -eq "NotApproved")}
foreach ($UpdateToApprove in $NeededAndNotInstalled)
Approve-WsusUpdate -Action Install -TargetGroupName $ComputerGroupName -Update $(Get-WsusUpdate -UpdateId $UpdateToApprove.UpdateId) -Verbose
Write-Host "Done approving updates"
sleep -Seconds 5This is what you are looking for:
http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/22/use-the-free-poshwsus-powershell-module-for-wsus-administrative-work.aspx
¯\_(ツ)_/¯ -
CUP 5.3: Mass approver update for roles
Hello all,
Is there any way to do mass approvers update for roles in CUP? For instance mass change ApproverA to ApproverB for all roles. Or add ApproberC to all roles in process "Basis"?
Thanks, Anton.That's actually quite easy to do:
- go to roles / serach
- do an empty search
- export
- open the excel file and do a search/replace on the approver
- save the excel file
- upload the excel file with overwrite option turned on
Done.
Frank. -
Central flash update for my client computers
Hi there!
Is there a way to distribute the updates for the flash player over a central station / server? We have 50 client computers in my company and I have to update every single machine.
(I have the same problem with the Acrobat Reader)Flash Player download page for distribution (including MSI installers): http://www.adobe.com/products/flashplayer/fp_distribution3.html
Flash Player Admin Guide: http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html
Adobe Reader enterprise download page: http://get.adobe.com/reader/enterprise/ (or if you need the MSI installers, navigate the Adobe FTP site from ftp://ftp.adobe.com/pub/adobe/reader/
Deploying Adobe Reader 9: http://www.adobe.com/content/dam/Adobe/en/devnet/reader/pdfs/deploying_reader9.pdf
Other resources: http://www.adobe.com/devnet/acrobat/enterprise_deployment.html -
Alert Subscriptions - creating subscriptions for groups of computers and alerts from monitors
I've run into something kind of odd.
We want to "tone down" some of our alerts. Let me explain.
We monitor, roughly, 300 servers. We created an alert subscription to notify us of alerts for the monitor "Computer Not Reachable".
We found that we often received false positives. I made sure our check interval was 60 seconds and the heartbeat was set to 3 missed heartbeats and then set the delay to a period of time.
That worked. However, we wanted to change the delay based on the server "group". Example: Production group and Test Group. For production, delay 5 minutes, Test, delay 30 minutes.
As soon as tried to add the group criteria to the alert subscription, notifications ceased to function for those alerts. The alerts still occurred, but the notifications were never delivered.
So, I created new subscriptions and new groups as a test. Each time, if I included a group in the criteria, the alert notification failed.
Example:
Condition: Raised by any instance in a specific group. Checked, group name: Test
Condition: created by specific rules or monitors. checked, monitor: "Computer Not Reachable"
Subscriber: [email protected]
Channel: smtp channel set up to a relay
Alert Aging: 30 minutes (have set this as low as 5 minutes and send without delay).
In each case, if I remove the condition of group, the notification is sent.
Why would this behavior occur?Thanks Scott. I've tried this both with the computer object and the health service watcher object.
What I'm doing is trying to create a dynamic group based on OU. So, right now, the groups include the computer objects. If I view group members, the group membership does populate ok with all of the machines from the targeted OU's for the dynamic
membership.
This is an example of the dynamic membership conditions I'm trying to create:
( ( Object is Windows Server AND ( Organizational Unit Equals OU=Test,OU=Servers,DC=domain,DC=local ) OR ( Organizational Unit Equals OU=Development,OU=Servers,DC=domain,DC=local) ) AND ( Object is Health Service Watcher AND ( Display Name Greater than empty
value ) AND True ) )
However, I'm noticing that the dynamic membership includes health service objects from all windows servers from all OU's and ignores the OU membership conditions. But, I don't think that has anything to do with the failed notifications.
I could be wrong.
I've also tried the following with the same problem:
( ( Object is Health Service Watcher AND ( Health Service Name Greater than empty value ) AND True ) AND ( Object is Windows Server AND ( Organizational Unit Equals OU=Test,OU=Servers,DC=domain,DC=local ) OR ( Organizational Unit Equals OU=Development,OU=Servers,DC=domain,DC=local
Both of the above groups populate both the computer and health service objects when viewing the members of the group with the problem being it adds all health server objects instead of limiting it to the OU's specified.
So, that lead me to a dynamic group membership of:
( Object is Windows Server AND ( Organizational Unit Equals OU=Test,OU=Servers,DC=domain,DC=local ) OR ( Organizational Unit Equals OU=Development,OU=Servers,DC=domain,DC=local ) )
This is what I have now (this morning) after adding the condition for the class.
So, for the alert subscription rules, I added the group and the class and the monitor name:
Condition: Raised by any instance in a specific group. Checked, group name: Test
Condition: Raised by any instance of a specific class: Health Service Watcher
Condition: created by specific rules or monitors. checked, monitor: "Computer Not Reachable"
Subscriber: [email protected]
Channel: smtp channel set up to a relay
Alert Aging: 30 minutes (have set this as low as 5 minutes and send without delay).
But, again if the group condition is present, the alert subscription doesn't work.
So, I suppose what I need to do is find a way to ensure I can build a group that includes health service objects from computer objects reside within specific OU's. Perhaps I'm going about the dynamic membership conditions incorrectly?
Thanks
Ted -
How to get list of approved MSU for specified target group
Hello guys,
I have question about WSUS on windows server 2008 r2 sp1.
I need to get list of approved MSU for specified target group only for windows server 2008 r2 sp1, but I don't know whole syntax.
I can get list of approved updates for w2k8r2sp1:
$Title_r2='R2'
$Itanium='Itanium'
$wsus.GetUpdates() | Select Title | Where {
$_.Title -match $Title_r2 -and $_.Title -notmatch $Itanium -and $_.IsApproved -eq 'True'
But how can I get it for specified target group?
Please, help :)But how can I get it for specified target group?
Is there some reason you're not just using the native console reporting to do this?
Testing for 'R2' in the title will not guarantee getting all of the applicable updates, you need to query by Product Category to get all of them.
From my quick research, it appears that GetUpdates() does not return target group information, just a flag state on whether the update has been approved, or not. I don't have a working PS WSUS instance available to me at the moment, but my guess would be
that GetUpdateApprovals() (or something like it) is what you'll need to use to filter by Target Group.
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds. -
PLEASE suggest what I shall do with my IPad like, shall I dowgrade my IPad so it works properly? or try to find a iOS 6 or 7 upgrade from a different website
The apple approved updates for an iPad 1 max out at 5.1.1. If you find a way to put iOS6 or 7 on there you'll be jailbraking it, which means Apple washes their hands of your device.
unfortunately, software moves faster than hardware. You will likely find, if you manage to hack your device and put 6 or 7 on it that you'll end up with a non functioning brick. Apple doesn't put iOS6 on the iPad one because the one simply lacks the power to run the newer operating system. -
Approving WSUS updates for one computer group at a time
We have a WSUS server, and four computer groups (Alpha, Beta, Production, Workstations). Our patching process has us approve all "Not Approved" patches for the Alpha group, right after they're released by Microsoft. One week later, we approve all
of the updates from the previous week, for the Beta group. One week later, we do the same for Production.
I'm writing a script (which I can't test until next week), and wonder if there's a better way to get the list of updates that are approved for Alpha. Here is the code:
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$updateScope.FromArrivalDAte = (Get-Date).AddMonths(-1)
$wsusGroup = $wsus.GetComputerTargetGroups() | Where {$_.Name -eq "$PatchingGroup"}
$updateScope
$updateScope.getType()
$updateScope.count
$updateScope.ApprovedComputerTargetGroups.add($wsusGroup)
$wsus.GetUpdates($updateScope)
$Updates = $wsus.GetUpdates($updateScope)
I assume I can take the $Updates variable and do the following for the Beta and Production groups:
Foreach ($update in $updates) {
$update.Approve(“Install”,$PatchingGroup)
Is this going to work, and is there a better way?For WSUS Scripts see this: http://poshwsus.codeplex.com/
¯\_(ツ)_/¯ -
Some computers download and install the two approved updates, others only download Windows Update Agent and not the approved updates.
UN-successful Windows Update Log:
2014-05-07 09:33:56:180
1036 e70
Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0400) ===========
2014-05-07 09:33:56:220
1036 e70
Misc = Process: C:\Windows\system32\svchost.exe
2014-05-07 09:33:56:221
1036 e70
Misc = Module: c:\windows\system32\wuaueng.dll
2014-05-07 09:33:56:180
1036 e70
Service *************
2014-05-07 09:33:56:221
1036 e70
Service ** START ** Service: Service startup
2014-05-07 09:33:56:222
1036 e70
Service *********
2014-05-07 09:33:56:544
1036 e70
Agent * WU client version 7.6.7600.256
2014-05-07 09:33:56:545
1036 e70
Agent * Base directory: C:\Windows\SoftwareDistribution
2014-05-07 09:33:56:546
1036 e70
Agent * Access type: No proxy
2014-05-07 09:33:56:547
1036 e70
Agent * Network state: Connected
2014-05-07 09:33:57:315
1036 e70
Setup Service restarting after SelfUpdate
2014-05-07 09:33:57:545
1036 e70
Setup Client version: Core: 7.6.7600.256 Aux: 7.6.7600.256
2014-05-07 09:33:57:592
1036 e70
Report CWERReporter::Init succeeded
2014-05-07 09:33:58:326
1036 e70
Report *********** Report: Initializing static reporting data ***********
2014-05-07 09:33:58:376
1036 e70
Report * OS Version = 6.1.7601.1.0.65792
2014-05-07 09:33:58:376
1036 e70
Report * OS Product Type = 0x00000030
2014-05-07 09:33:58:394
1036 e70
Report * Computer Brand = Hewlett-Packard
2014-05-07 09:33:58:444
1036 e70
Report * Computer Model = HP Compaq 4000 Pro SFF PC
2014-05-07 09:33:58:455
1036 e70
Report * Bios Revision = 786H7 v02.00
2014-05-07 09:33:58:504
1036 e70
Report * Bios Name = Default System BIOS
2014-05-07 09:33:58:554
1036 e70
Report * Bios Release Date = 2011-01-31T00:00:00
2014-05-07 09:33:58:554
1036 e70
Report * Locale ID = 1033
2014-05-07 09:34:03:562
1036 f08
Report REPORT EVENT: {082D455B-6E51-4238-A997-1D27D9214A72}
2014-05-07 09:33:58:565-0400 1
199 101
{0011B9ED-9189-4D58-BE25-FA2F13FC3D6C}
1 240005
SelfUpdate Success
Content Install Installation successful and restart required for the following update: Windows Update Aux
2014-05-07 09:34:03:614
1036 f08
Report CWERReporter finishing event handling. (00000000)
2014-05-07 09:34:42:049
1036 e70
Agent *********** Agent: Initializing Windows Update Agent ***********
2014-05-07 09:34:42:049
1036 e70
Agent *********** Agent: Initializing global settings cache ***********
2014-05-07 09:34:42:049
1036 e70
Agent * WSUS server: http://csd26.csd.local:80
2014-05-07 09:34:42:049
1036 e70
Agent * WSUS status server: http://csd26.csd.local:80
2014-05-07 09:34:42:049
1036 e70
Agent * Target group: CO
2014-05-07 09:34:42:049
1036 e70
Agent * Windows Update access disabled: No
2014-05-07 09:34:42:063
1036 e70
DnldMgr Download manager restoring 0 downloads
2014-05-07 09:34:42:089
1036 e70
AU ########### AU: Initializing Automatic Updates ###########
2014-05-07 09:34:42:089
1036 e70
AU AU setting next detection timeout to 2014-05-07 13:34:42
2014-05-07 09:34:42:090
1036 e70
AU AU setting next sqm report timeout to 2014-05-07 13:34:42
2014-05-07 09:34:42:090
1036 e70
AU # WSUS server: http://csd26.csd.local:80
2014-05-07 09:34:42:090
1036 e70
AU # Detection frequency: 22
2014-05-07 09:34:42:090
1036 e70
AU # Target group: CO
2014-05-07 09:34:42:090
1036 e70
AU # Approval type: Scheduled (Policy)
2014-05-07 09:34:42:090
1036 e70
AU # Scheduled install day/time: Every day at 3:00
2014-05-07 09:34:42:090
1036 e70
AU # Auto-install minor updates: Yes (User preference)
2014-05-07 09:34:42:105
1036 e70
AU Initializing featured updates
2014-05-07 09:34:42:116
1036 e70
AU Found 0 cached featured updates
2014-05-07 09:34:42:116
1036 e70
AU Successfully wrote event for AU health state:0
2014-05-07 09:34:42:117
1036 e70
AU Successfully wrote event for AU health state:0
2014-05-07 09:34:42:117
1036 e70
AU AU finished delayed initialization
2014-05-07 09:34:42:117
1036 e70
AU AU setting next sqm report timeout to 2014-05-08 13:34:42
2014-05-07 09:34:42:117
1036 e70
AU #############
2014-05-07 09:34:42:117
1036 e70
AU ## START ## AU: Search for updates
2014-05-07 09:34:42:117
1036 e70
AU #########
2014-05-07 09:34:42:291
1036 e70
AU <<## SUBMITTED ## AU: Search for updates [CallId = {5AA2F00A-8964-4543-A740-EC45C5FD5752}]
2014-05-07 09:34:42:341
1036 f08
Agent *************
2014-05-07 09:34:42:341
1036 f08
Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-05-07 09:34:42:341
1036 f08
Agent *********
2014-05-07 09:34:42:341
1036 f08
Agent * Online = Yes; Ignore download priority = No
2014-05-07 09:34:42:341
1036 f08
Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0
and DeploymentAction='Uninstallation' and RebootRequired=1"
2014-05-07 09:34:42:341
1036 f08
Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-05-07 09:34:42:341
1036 f08
Agent * Search Scope = {Machine}
2014-05-07 09:34:42:341
1036 f08
Setup Checking for agent SelfUpdate
2014-05-07 09:34:42:342
1036 f08
Setup Client version: Core: 7.6.7600.256 Aux: 7.6.7600.256
2014-05-07 09:34:42:349
1036 f08
Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-05-07 09:34:42:392
1036 f08
Misc Microsoft signed: Yes
2014-05-07 09:34:44:669
1036 f08
Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-05-07 09:34:44:676
1036 f08
Misc Microsoft signed: Yes
2014-05-07 09:34:44:754
1036 f08
Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-05-07 09:34:44:777
1036 f08
Misc Microsoft signed: Yes
2014-05-07 09:34:44:781
1036 f08
Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-05-07 09:34:44:788
1036 f08
Misc Microsoft signed: Yes
2014-05-07 09:34:44:837
1036 f08
Setup Determining whether a new setup handler needs to be downloaded
2014-05-07 09:34:44:855
1036 f08
Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe:
2014-05-07 09:34:44:862
1036 f08
Misc Microsoft signed: Yes
2014-05-07 09:34:44:862
1036 f08
Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe are not trusted: Error 0x800b0001
2014-05-07 09:34:44:862
1036 f08
Setup WARNING: Trust verification failed for WuSetupV.exe. It will be deleted and downloaded, error = 0x800B0001
2014-05-07 09:34:44:863
1036 f08
Setup SelfUpdate handler update required: Current version: 7.6.7600.256, required version: 7.6.7600.256
2014-05-07 09:34:44:873
1036 f08
Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~x86~~7.6.7600.256"
2014-05-07 09:34:44:932
1036 f08
Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~x86~~7.6.7600.256" is already installed.
2014-05-07 09:34:44:933
1036 f08
Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~x86~~7.6.7600.256"
2014-05-07 09:34:45:048
1036 f08
Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~x86~~7.6.7600.256" is already installed.
2014-05-07 09:34:45:048
1036 f08
Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~x86~~7.6.7600.256"
2014-05-07 09:34:45:234
1036 f08
Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~x86~~7.6.7600.256" is already installed.
2014-05-07 09:34:45:235
1036 f08
Setup SelfUpdate check completed. SelfUpdate is NOT required.
2014-05-07 09:34:48:415
1036 f08
PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-05-07 09:34:48:415
1036 f08
PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://csd26.csd.local:80/ClientWebService/client.asmx
2014-05-07 09:34:48:424
1036 f08
PT WARNING: Cached cookie has expired or new PID is available
2014-05-07 09:34:48:424
1036 f08
PT Initializing simple targeting cookie, clientId = 97287ab2-5824-44d2-bf93-8a98da659f77, target group = CO, DNS name = c18714.csd.local
2014-05-07 09:34:48:424
1036 f08
PT Server URL = http://csd26.csd.local:80/SimpleAuthWebService/SimpleAuth.asmx
2014-05-07 09:34:48:454
1036 f08
PT WARNING: GetCookie failure, error = 0x8024400D, soap client error = 7, soap error code = 300, HTTP status code = 200
2014-05-07 09:34:48:454
1036 f08
PT WARNING: SOAP Fault: 0x00012c
2014-05-07 09:34:48:454
1036 f08
PT WARNING: faultstring:Fault occurred
2014-05-07 09:34:48:454
1036 f08
PT WARNING: ErrorCode:ConfigChanged(2)
2014-05-07 09:34:48:454
1036 f08
PT WARNING: Message:(null)
2014-05-07 09:34:48:454
1036 f08
PT WARNING: Method:"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"
2014-05-07 09:34:48:454
1036 f08
PT WARNING: ID:cb5babad-3a1d-4e6b-946e-736ed4746e3f
2014-05-07 09:34:48:464
1036 f08
PT WARNING: Cached cookie has expired or new PID is available
2014-05-07 09:34:48:464
1036 f08
PT Initializing simple targeting cookie, clientId = 97287ab2-5824-44d2-bf93-8a98da659f77, target group = CO, DNS name = c18714.csd.local
2014-05-07 09:34:48:464
1036 f08
PT Server URL = http://csd26.csd.local:80/SimpleAuthWebService/SimpleAuth.asmx
2014-05-07 09:35:06:497
1036 e70
AU Forced install timer expired for scheduled install
2014-05-07 09:35:06:497
1036 e70
AU UpdateDownloadProperties: 0 download(s) are still in progress.
2014-05-07 09:35:06:497
1036 e70
AU Setting AU scheduled install time to 2014-05-08 07:00:00
2014-05-07 09:35:06:498
1036 e70
AU Successfully wrote event for AU health state:0
2014-05-07 09:35:14:236
1036 f08
PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2014-05-07 09:35:14:236
1036 f08
PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://csd26.csd.local:80/ClientWebService/client.asmx
2014-05-07 09:35:20:118
1036 f08
Agent * Found 0 updates and 79 categories in search; evaluated appl. rules of 859 out of 1494 deployed entities
2014-05-07 09:35:20:194
1036 f08
Agent *********
2014-05-07 09:35:20:194
1036 f08
Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-05-07 09:35:20:194
1036 f08
Agent *************
2014-05-07 09:35:20:209
1036 f08
Report CWERReporter finishing event handling. (00000000)
2014-05-07 09:35:20:209
1036 f08
Report CWERReporter finishing event handling. (00000000)
2014-05-07 09:35:20:209
1036 bb8
AU >>## RESUMED ## AU: Search for updates [CallId = {5AA2F00A-8964-4543-A740-EC45C5FD5752}]
2014-05-07 09:35:20:209
1036 bb8
AU # 0 updates detected
2014-05-07 09:35:20:209
1036 bb8
AU #########
2014-05-07 09:35:20:209
1036 bb8
AU ## END ## AU: Search for updates [CallId = {5AA2F00A-8964-4543-A740-EC45C5FD5752}]
2014-05-07 09:35:20:209
1036 bb8
AU #############
2014-05-07 09:35:20:210
1036 bb8
AU Successfully wrote event for AU health state:0
2014-05-07 09:35:20:210
1036 bb8
AU Featured notifications is disabled.
2014-05-07 09:35:20:211
1036 bb8
AU AU setting next detection timeout to 2014-05-08 11:19:46
2014-05-07 09:35:20:211
1036 bb8
AU Setting AU scheduled install time to 2014-05-08 07:00:00
2014-05-07 09:35:20:212
1036 bb8
AU Successfully wrote event for AU health state:0
2014-05-07 09:35:20:212
1036 bb8
AU Successfully wrote event for AU health state:0
2014-05-07 09:35:25:183
1036 f08
Report REPORT EVENT: {C1B39107-F517-4477-AAE3-9B1F1D6002BF}
2014-05-07 09:35:20:193-0400 1
147 101
{00000000-0000-0000-0000-000000000000}
0 0 AutomaticUpdates
Success Software Synchronization
Windows Update Client successfully detected 0 updates.
2014-05-07 09:35:25:183
1036 f08
Report REPORT EVENT: {669B9537-BB71-4190-BA58-A97F725AE4D8}
2014-05-07 09:35:20:194-0400 1
156 101
{00000000-0000-0000-0000-000000000000}
0 0 AutomaticUpdates
Success Pre-Deployment Check
Reporting client status.
2014-05-07 09:35:25:184
1036 f08
Report CWERReporter finishing event handling. (00000000)
2014-05-07 09:37:32:440
1036 f08
Report Uploading 3 events using cached cookie, reporting URL = http://csd26.csd.local:80/ReportingWebService/ReportingWebService.asmx
2014-05-07 09:37:32:454
1036 f08
Report Reporter successfully uploaded 3 events. -
What means: Automatically approve updates to the WSUS product itself
Dear all,
on a WSUS server / Update Services / Options exists the "Automatic Approvals" Option.
Once you open it, advanced features will be shown.
One of the advanced feature is called:
"Automatically approve updates to the WSUS product itself"
Does it mean, that only updates for the WSUS server services
will be approved, or
does it mean, that the WSUS Server will also approve
WU Clients updates (f.e. wuauclt on Windows XP clients or higher, ...) ?
Thanks a lot,
HeikoHello,
I know this post is old but I need clarification about this specific question. When we want to approve an update, we can approve it for "all computers" of for specific group of computers. So I don't understand
how the automatic approval of WSUS updates works.
In the WSUS update window, there was an update that was needed on 1 computer even if there was a check in the "automatic approval of WSUS updates". And it was not approve.
I had to create a group called "WSUS update needing approval" and assign this computer to that group and then approve the WSUS update to that new group.
I am not sure that I understand it correctly.
Can someone clarify this for me please ?
Thank you very much. -
Managing updates for different groups
Hi
I have installed WSUS on a Server 2008 R2 VM and have configure WSUS computer groups using group policy. These groups have all updated and I can see the computers in there containers within WSUS.
Does anyone have any advice on how to manage the updates for each group?
I am just a bit confused, when I click on the updates section of the WSUS console and show all updates, how do I know what updates have been approved for what group of computers already?
Thanks in advance
ShaneHi Shane,
We can use Update View.
We can filter updates by classification, product, the group for which they have been approved, and synchronization date. We can sort the list by clicking the appropriate column heading in the title bar.
To create a new update view, please follow the steps below,
In the WSUS administration console, expand the Updates node, and then click
All Updates.
In the Actions pane, click New Update View.
In the Add Update View window, under
Step 1: Select properties, select the properties you need to filter the update view:
Select Updates are in a specific classification to filter on updates belonging to one or more update classifications.
Select Updates are for a specific product to filter on updates for one or more products or product families.
Select Updates are approved for a specific group to filter on updates approved for one or more computer groups.
Select Updates were synchronized within a specific time period to filter on updates synchronized at a specific time.
Select Updates are WSUS updates to filter on WSUS updates.
Under Step 2: Edit the properties, click the underlined words to pick the values you want.
Under Step 3: Specify a name, give your new view a name.
Click OK.
Your new view will appear in the tree view pane under Updates. It will be displayed, like the standard views, in the center pane when you select it.
Best Regards.
Steven Lee
TechNet Community Support -
Not Approved Updates Showing up for Install on Clients
I have a group of servers that have an update that was selected as "Not Approved" for the group they are located in on WSUS, yet they show up for install when doing a windows update. If the update was selected on WSUS as "Not Approved"
why is it showing up on the servers available for installation? I don't want to decline the update as it is approved for other groups on WSUS, I simply don't want some groups to get this particular update so I made it "Not Approved" for that group.
Thanks for the help.
YamilIf the update was selected on WSUS as "Not Approved" why is it showing up on the servers available for installation?
Because "NotApproved" is not a DENY condition; it's merely the absence of an ALLOW condition.
It only takes one approval in one group of which a computer is a member for it to have permission to install an update. If a computer belongs to multiple groups and you don't want the update deployed, the update must be NotApproved (i.e. not allowed) for
ALL groups of which that client system is a member
I strongly encourage the practice of creating group structures so that an update only has to be approved for ONE group (or one parent group), and then ensure that group (or group structure) only has computers that should get that update.
Sometimes this also involves creating custom groups just to handle individual updates.
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds. -
Any way to get only new updates for disconnected WSUS?
Greetings,
I have two servers set up. One is online, getting the new updates correctly. The other one is offline where I successfully was able to transfer the approve updates from the online WSUS. My work requires me to get new updates and transfer the new updates
from the online to offline WSUS once in a while. The problem is that I cannot use any external hard drive for data transfer due to security reasons. I can only use DVD of which we only have duel layer (8.5GB max) as our highest.
My question is any way to get the newest updates only and be able to plug them in the WSUScontent folder in the offline WSUS? I rather not have to span 7-8 DVDs for a 61GB folder of all the updates each time. I would love any method or advice that can
be offered. I'm limited on what third-party software I can use as well unfortunately.
Thanks,
Drake GallagherMy question is any way to get the newest updates only and be able to plug them in the WSUScontent folder in the offline WSUS? I rather not have to span 7-8 DVDs for a 61GB folder of all the updates each time. I would love any method or advice that can
be offered. I'm limited on what third-party software I can use as well unfortunately.
You could probably work something out, using ROBOCOPY and it's various comparison operators (such as Archive bit, or date/timestamp).
You'd need to have the "last file set prepared for the offline server" available, to do the comparison. Then, tinker with the comparison operators to determine the set which works for you. This should give you the "delta", and then you could
burn the "delta" files/folders to your media.
Depending on your OS in use, ROBOCOPY might already be built-in for you (so no third-party software needed)
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Disconnect WSUS server and Process of Approving Updates via Metadata.
Hi Folks:
I have recently setup 2 WSUS servers. The first one has connectivity to the Internet and of course has access to Microsoft updates. The second WSUS server is part of a disconnected network. Both WSUS servers are supporting client workstations
of various operating system versions. The connected WSUS server is fairly easy, from a management viewpoint. I simply check to see what updates are "Needed" and I approve them for download. However, the disconnected WSUS server
is the one that I need some advice on. I want to have a fairly simply procedure for the disconnected WSUS server, but here is the procedure that I think would work:
Transfer metadata and updates via disc from the connected WSUS server to the disconnected WSUS server (using documented export/import procedure).
Check to see what is "Needed" updates on the disconnected WSUS server, once the WSUS server has had a chance to absorb all the imported metadata and updates. This means that the disconnected WSUS server has determined from it's supported
client workstations, what updates are required.
Generate a list of those "Needed" updates in some form, so that I can now approve those updates on the CONNECTED WSUS server for download.
Once those updates have been downloaded to the connected WSUS server, transfer the updates and metadata again to the disconnected WSUS server. Approve those updates, so that they can now be sent out to the client workstations on the disconnected
network.
If that is my procedure (can someone like Lawrence Garvin), please let me know, if that sounds correct. I'm concerned about the double export/import of the metadata and updates.
Also, I'm wondering if it would be better to have separate connected WSUS server for supporting the disconnected WSUS to keep things straight.
For example:
One connected WSUS servers supporting the set of client workstations, that are on the connect WSUS server's network.
One disconnected WSUS server supporting the set of client workstations that are on the disconnected WSUS server's network.
One more connected WSUS server, that would be used to download and transfer metadata and updates to the disconnect WSUS server. The advantage in keeping this separate, is that you would never confuse approved updates between the connected network
client workstations and the disconnected network client workstations. Especially, if they have different versions of software, that require updating.
Any input would be appreciated.You will likely also want to configure your WSUS server to "Download express installation files." under the "Update Files and Languages," setting on your options.
I will unequivocally disagree with this statement, for several reasons:
First, there's nothing that needs to be deployed that would use Express Installation Files anyway. Express Installation Files were designed to facilitate the deployment of Very Large Updates (read: SERVICE PACKS) across slow-speed links by significantly
reducing the size of the binary that must be downloaded by the CLIENT. There are NO service packs in the catalog that won't already be installed on any client system.
Second, in exchange for that ability of clients to download less, it significantly increased the size of the binary that must be downloaded by the SERVER from Microsoft. Express Installation Files will cause hundreds of gigabytes of extra binaries to be
downloaded, which will need to be transferred to the disconnected server. None of which will actually ever be used.
Third, most disconnected networks do not include WAN links, so the primary purpose of Express Installation File is contra-indicated by the very scenario being discussed.
Otherwise by default you might get just an installer downloaded onto the WSUS server and clients might still need internet access to download the actual package contents.
It would seem that you do not correctly understand Express Installation Files.
There is an in-depth explanation of Express Installation Files in the WSUS Deployment Guide. For additional information see
https://technet.microsoft.com/en-us/library/dd939908(v=ws.10).aspx#express
I also would not recommend a internet facing WSUS server just to provide updates to the disconnected WSUS server as that will also need to download a full copy of the content to that server when it is likely already downloaded onto your internet
/ production WSUS server anyway.
Seemingly you are also not actually familiar with the documented guidance for how to manage disconnected networks. An Internet-facing (connected) WSUS server is *exactly* how this is done.
You may also find this part of the Deployment Guide to be useful reading:
Configure a Disconnected Network to Receive Updates
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds. -
Any easy way to approve updates exactly equal to the old Server / WSUS
Hello,
Did you check the following link:http://social.technet.microsoft.com/wiki/contents/articles/508.how-to-move-wsus-from-one-server-to-another.aspxAlso i found out another site you could check:http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/Hallo Experts,
We have a customer with an WSUS Server 2008 (not R2) that is crashing and cannot be migrated. The Server has also lot of file corruptions. There is also no backup from the Server.
The customer has about 62 Departments. Each department has self developed Software. All Security updates have been approved to all. But other updates that made problems are not approved to most of departments. If we will approve all updates one by one exactly equal to the old Server we will need many weeks. Is there any easy way to do this? I don’t think there is a way that we can export a file and import all approved updates to the new 2012 R2 Server?
Thank you for helping me,
This topic first appeared in the Spiceworks Community
Maybe you are looking for
-
The URL field for iPhone Calendar Events is missing?
iCal on my Mac and my MobileMe Calendar both include a URL field for Events. I don't see the URL field on my iPhone Calendar events??? Am I missing something. I can't automatically have that link sync from iCal or MobileMe? I don't want to always hav
-
Loading sql client oci.dll failed
I am trying to install SAP R/3 Enterprise 4.70 on Windows Server 2000, database Oralce 9.2 and I want to install entire SAP system in 1 Computer. I have been installed Oracle 9.2 and SAP's center service successfully. But when i install SAP's databas
-
Scheduling procedure with remote db = logon denied
I´m having two DBs (db1 and db2) which are connected by a database link and a non-dba user "xyz" in both DBs. I´m starting a procedure in db1, which catches data from a table in db2 and combines it with data from db1 - it works perfectly fine. Now I
-
On running an ECC plan with resource constraint only, planned orders are getting generated at the end of planning horizon, though there is demand next week. Details Demand for a bom item of qty 2 on 28th May. Routing for this item has a resource with
-
Apps lose icon/function when backed up to PPC G5 ... Can we correct?
Hi, My daughter's MacBook Pro recently had a harddrive failure where the drive was replaced by Apple. I had made copies of everything via Target mode to my G5 Desktop. Now that I'm reloading everything back to her new drive, I'm noticing some Applica