|
|
I just finished installing WSUS 3.0 on Win2k3 and completed the wizard.
Initial sync completed successfully. I have not approved anything for
installation other than the default 4 critical updates (BITS 2.0 for
Win2000/WinXP, Windows installer 3.1, and KB898461).
I pick a test machine. Install WinXP SP1, restart it. Then I apply XP SP2.
At this point I have a fresh installed (standalone) WinXP with SP2. I use
gpedit.msc on this machine to configure the following:
- Configure Automatic Updates (Enabled) - selection is set to 4 - auto
download and schedule the install
- Specify intranet Microsoft update service location (Enabled) - both boxes
set to http://192.168.15.5 (IP of WSUS 3)
Restart WinXP and check WSUS 3, under Computers - All Computers - Unassigned
Computers, I don't see my WinXP machine there. I check WinXP
WindowsUpdate.log. It does have 192.168.15.5 in it so that means it does
contact WSUS box.
Why does WSUS 3.0 have no record of my WinXP? What am I missing? Am I
supposed to approve updates for installation first?
|
|
Fixed my own problem. It turns out my firewall drops packets from client box
to WSUS 3. I forgot to create a new rule to allow connection from client
machine to WSUS (machines are positioned in LAN and DMZ respectively).
Btw, Client Diagnostics Tools is my hero. It pretty much tells me "yo,
idiot! ... everything looks good but I can't establish a connection to WSUS"
:-) At that point I realized my firewall was the culprit. *DOH*
I can now see my WinXP box under WSUS "Unassigned Computers". Next step is
to decide which updates to approve for installation.
"John" <a> wrote in message news:OINUhZNuHHA.1212[ at ]TK2MSFTNGP05.phx.gbl...
[Quoted Text] >I just finished installing WSUS 3.0 on Win2k3 and completed the wizard. >Initial sync completed successfully. I have not approved anything for >installation other than the default 4 critical updates (BITS 2.0 for >Win2000/WinXP, Windows installer 3.1, and KB898461). > > I pick a test machine. Install WinXP SP1, restart it. Then I apply XP SP2. > At this point I have a fresh installed (standalone) WinXP with SP2. I use > gpedit.msc on this machine to configure the following: > > - Configure Automatic Updates (Enabled) - selection is set to 4 - auto > download and schedule the install > - Specify intranet Microsoft update service location (Enabled) - both > boxes set to http://192.168.15.5 (IP of WSUS 3) > > Restart WinXP and check WSUS 3, under Computers - All Computers - > Unassigned Computers, I don't see my WinXP machine there. I check WinXP > WindowsUpdate.log. It does have 192.168.15.5 in it so that means it does > contact WSUS box. > > Why does WSUS 3.0 have no record of my WinXP? What am I missing? Am I > supposed to approve updates for installation first? >
|
|
"John" <a> wrote in message news:OINUhZNuHHA.1212[ at ]TK2MSFTNGP05.phx.gbl...
[Quoted Text] >I just finished installing WSUS 3.0 on Win2k3 and completed the wizard.
>Initial sync completed successfully. I have not approved anything for
>installation other than the default 4 critical updates (BITS 2.0 for
>Win2000/WinXP, Windows installer 3.1, and KB898461).
>
> I pick a test machine. Install WinXP SP1, restart it. Then I apply XP SP2.
> At this point I have a fresh installed (standalone) WinXP with SP2.
You also now have an XP SP2 machine with a downlevel Windows Update Agent
installed over the WUA v7.0 client, which I have recently discovered is a
problematic situation. So far the best I've been able to get in the way of
help is the question: "Why would you want to downgrade the WUA?" -- but I'm
still plugging away.
In the meantime, download and install the WindowsUpdateAgent30.x86.exe
package from
http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x86.exe
> I use gpedit.msc on this machine to configure the following:
>
> - Configure Automatic Updates (Enabled) - selection is set to 4 - auto
> download and schedule the install
> - Specify intranet Microsoft update service location (Enabled) - both
> boxes set to http://192.168.15.5 (IP of WSUS 3)
>
> Restart WinXP and check WSUS 3, under Computers - All Computers -
> Unassigned Computers, I don't see my WinXP machine there.
Patience, my friend, Patience. It may take up to 30 minutes after a reboot
before your machine appears.
That's not including the fact that you've downleveled the WUA, possibly
broken it, and the XP SP2 machine isn't even communicating with the WSUS3
server anymore.
What is logged to the WindowsUpdate.log?
> I check WinXP WindowsUpdate.log. It does have 192.168.15.5 in it so that
> means it does contact WSUS box.
No.. not necessarily. Since you didn't post the actual log entry I can only
speculate, but don't confuse the WUA recording the *settings* as an
indication of a successful data connection to the WSUS server.
> Why does WSUS 3.0 have no record of my WinXP?
Many reasons! Let's start by running the Client Diagnostic Tool on this XP
SP2 machine and make sure it can actually communicate with the WSUS server.
http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
> Am I supposed to approve updates for installation first?
Well, yeah, that would certainly help -- but it's not required to get a
status report -- and it's only really relevent if there aren't any other
issues to be resolved.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
"John" <a> wrote in message news:OBmjBkOuHHA.3368[ at ]TK2MSFTNGP02.phx.gbl...
[Quoted Text] > Fixed my own problem. It turns out my firewall drops packets from client
> box to WSUS 3. I forgot to create a new rule to allow connection from
> client machine to WSUS (machines are positioned in LAN and DMZ
> respectively).
>
> Btw, Client Diagnostics Tools is my hero. It pretty much tells me "yo,
> idiot! ... everything looks good but I can't establish a connection to
> WSUS" :-) At that point I realized my firewall was the culprit. *DOH*
<g>... I should have read your reply, before posting.
> I can now see my WinXP box under WSUS "Unassigned Computers". Next step is
> to decide which updates to approve for installation.
Suggestion... (there's going to be A LOT):
[1]. If you plan to install IE7, don't bother approving any Cumulative
Updates for IE6.
[2]. You will need to approve the latest Cumulative Update for Outlook
Express for Windows XP (June 2007) if you're going to use OE on this
machine. If you're not going to use OE, install the update at your
discretion. Ignore the rest of the superceded Cumulative Updates. In fact, I
suggest you mark them as Declined.
(Caution: The client will report *ALL* non-installed updates as Needed. At
this point you really need to interpret "Needed" as the simple factual
statement "Not Installed". Many of those updates (those that are superceded)
will cease to be "Needed" once the latest update is approved and installed.)
[3]. Approve all superceding Security and Critical Updates first. Do not
approve any superceded updates at all (They won't install anyway, and
approving them would only clog up your filesystem and pipeline with unneeded
content). Let the Security and Critical Updates install. Then, see if any
additional Security or Critical Updates are still needed, and approve those.
[4] Install the rest of the non-security/non-critical updates at your
leisure and convenience.
It is possible to install all of the updates in one pop (save for a couple
that are exclusive, like IE7), but with the volume of updates installing on
an XP SP2 system, you might want to consider this option very carefully.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
I hate having to manually go through each item to decide whether it should
be approved or not. It gives me a headache :-(
What if I go thru the lazy route? My plan is to get 2 test machines, WinXP
Pro and Win2000Pro and manually set them up as follows:
- WinXP Pro with SP2
- Win2000 Pro with SP4, IE6 SP1 (manually installed)
- MSOffice XP with SP3 and/or MSOffice 2003 with SP2
Configure both to contact WSUS 3.0 for additional updates (post SP updates).
Check WSUS for updates needed by those 2 PCs. Approve all of the updates
needed by 2 client machines (including superseded updates).
It's sorta like getting those 2 client machines to tell WSUS what they
"need". Then approve all needed updates. I hope the data size will be less
than 2GB.
How does that sound?
"Lawrence Garvin (MVP)" <onsitech[ at ]community.nospam> wrote in message
news:OsCyIlRuHHA.1184[ at ]TK2MSFTNGP04.phx.gbl...
[Quoted Text] > > Suggestion... (there's going to be A LOT): > > [1]. If you plan to install IE7, don't bother approving any Cumulative > Updates for IE6. > > [2]. You will need to approve the latest Cumulative Update for Outlook > Express for Windows XP (June 2007) if you're going to use OE on this > machine. If you're not going to use OE, install the update at your > discretion. Ignore the rest of the superceded Cumulative Updates. In fact, > I suggest you mark them as Declined. > > (Caution: The client will report *ALL* non-installed updates as Needed. At > this point you really need to interpret "Needed" as the simple factual > statement "Not Installed". Many of those updates (those that are > superceded) will cease to be "Needed" once the latest update is approved > and installed.) > > [3]. Approve all superceding Security and Critical Updates first. Do not > approve any superceded updates at all (They won't install anyway, and > approving them would only clog up your filesystem and pipeline with > unneeded content). Let the Security and Critical Updates install. Then, > see if any additional Security or Critical Updates are still needed, and > approve those. > > [4] Install the rest of the non-security/non-critical updates at your > leisure and convenience. > > It is possible to install all of the updates in one pop (save for a couple > that are exclusive, like IE7), but with the volume of updates installing > on an XP SP2 system, you might want to consider this option very > carefully. > > > -- > Lawrence Garvin, M.S., MCTS, MCP > Independent WSUS Evangelist > MVP-Software Distribution (2005-2007) > https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E> > Everything you need for WSUS is at > http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx> > And, almost everything else is at > http://wsusinfo.onsitechsolutions.com> .... >
|
|
"John" <a> wrote in message news:O%23jOFxauHHA.4504[ at ]TK2MSFTNGP05.phx.gbl...
[Quoted Text] >I hate having to manually go through each item to decide whether it should
>be approved or not. It gives me a headache :-(
Shucks.. man..that's the primary job description item of a "Patch
Administrator", either get used to it, or find somebody to delegate it to!
> What if I go thru the lazy route? My plan is to get 2 test machines, WinXP
> Pro and Win2000Pro and manually set them up as follows:
>
> - WinXP Pro with SP2
> - Win2000 Pro with SP4, IE6 SP1 (manually installed)
> - MSOffice XP with SP3 and/or MSOffice 2003 with SP2
One does not test updates for the sake of the Operating System, but rather
one tests updates for compatibility with Line Of Business applications, and
legacy software, and other things that Microsoft *cannot* test for.
I can pretty much guarantee you that testing updates on a bare OS-only
machine will never turn up any failures that haven't already been identified
and repaired by Microsoft long before the update hit the streets. And then,
when it does blow up on a production machine because it has some obscure
application installed, or some non-standard configuration -- none of which
you tested for -- what will you have achieved?
> Configure both to contact WSUS 3.0 for additional updates (post SP
> updates). Check WSUS for updates needed by those 2 PCs. Approve all of the
> updates needed by 2 client machines (including superseded updates).
>
> It's sorta like getting those 2 client machines to tell WSUS what they
> "need". Then approve all needed updates. I hope the data size will be less
> than 2GB.
Oh.. see, and here I thought we were discussing whether you should *INSTALL*
an update on a machine or set of machines, and you're just trying to
determine whether the update is really *NEEDED*.
So, here's a clue -- with WSUS 3.0:
[a] DECLINE all superceded updates.
[b] APPROVE all remaining updates that are reported as NEEDED by any system
in your network.
Go get a beer and come back the next day and observe the results.
Oh.. and to do *that*... you don't even need the test machines!!! :-)
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
|