> I had a feeling this was the way it was designed to work but the
> management like to see a nice field of green when looking at the
> console.
>
> Thanks for the excellent explanation which I'm sure will help the
> people who raised the question realise that it's not necessarily a bad
> thing that we aren't 100% green.
>
> kiv
>
> "Lawrence Garvin (MVP)" wrote:
>
>>
>> "Kiv" <Kiv[ at ]discussions.microsoft.com> wrote in message
>> news:AD5F0BF2-5736-4B9F-BE68-482BF514B91B[ at ]microsoft.com...
>> > We have moved to WSUS 3 recently and I have noticed that when an
>> > update is approved on a single group it then shows as needed even
>> > on the groups it is
>> > not approved for.
>>
>> Actually, it does that for any group, regardless of approval. It's
>> the default configuration, by design, of WSUS 3. All updates are
>> immediately detectable, and any computer that does not have that
>> update installed (and the update would be installable, if attempted),
>> will be reported as "Needed". If you want the update installed, set
>> the status to "Install", othewise, leave it at "Needed". But the
>> client will continue to report that the update is "Needed". (aka "Not
>> Yet Installed").
>>
>> > An example is that we have approved .NEt 2 framework to go to
>> > desktop machines but it is showing up as needed by every machine on
>> > the estate. Is
>> > there a way for WSUS 3 to show updates as not applicable on the
>> > groups that
>> > it is not approved on?
>>
>> Nope. For the aforementioned reason concerning the auto-detect design
>> of WSUS 3, plus the fact that "Installed/Not Applicable" is the same
>> status category in WSUS 3, and finally, because it's *not* a true
>> statement that the update is "Not Applicable". The only true
>> statement is that you, as a WSUS Administration, have determined for
>> whatever reason (and WSUS cannot possibly anticipate what those might
>> be), that you're not going to install that update.
>>
>> It does not, however, change the simple fact that it is an
>> installable update, and it's not installed.
>>
>> And... to borrow from my other post a few minutes ago, because I
>> think this point needs to be reinforced vis-a-vis this particular
>> quirk of WSUS 3.0:
>>
>> ======================
>> Also, consider the alternative scenario to how WSUS 3 currently
>> works:
>>
>> Consider that the report really did only show the status of the
>> updates
>> you had APPROVED for Installation. Consider that... ooops... you
>> forgot to approve a security update that should have been approved.
>> Well, in the alternative, your computer would show 100% GREEN,
>> because it's installed all of the =approved= updates, even though it
>> has not installed all of the =needed= updates. Now, answer this
>> question: The pie chart shows 100% GREEN. Is the computer compliant
>> with your security update policy? Or, would you rather see that
>> "Missing, but Not Approved" status reflected in the computer's
>> report?
>>
>> Personally, I'd rather *know* that I have to discount those three
>> updates that are making 2% of my pie chart yellow, and that I'm 98%
>> compliant BY CHOICE with the =available= updates, than to be misled
>> into believing I've installed 100% of the =needed= updates, only to
>> find out after a security breach that I missed a critical security
>> update that never got installed.
>>
>> ======================
>>
>>
>>
>> --
>> Lawrence Garvin, M.S., MCTS, MCP
>> Independent WSUS Evangelist
>> MVP-Software Distribution (2005-2007)
>>
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095>> EB07B36E
>>
>> Everything you need for WSUS is at
>>
http://technet2.microsoft.com/windowsserver/en/technologies/featured/w>> sus/default.mspx
>>
>> And, almost everything else is at
>>
http://wsusinfo.onsitechsolutions.com>> .....
>>
>>
>>
>