# WSUS 3.0 Best Practices



## newhouse1390 (Jan 10, 2005)

In WSUS 3.0 I do not have the same features at my disposal as I did in previous versions (or maybe I don't realize it). I can see all the machines and that they need to have 5 updates installed but I cannot see what updates are required by an individual client.

I also noticed there is not "Detect Only" option, is there an equivalent in WSUS 3.0? 

How can you prepare for this senario: A new PC had been added to the domain and successfully connected to the WSUS server, however you don't know what updates are needed that you may have previously declined because all the computers in the domain before this new one did not need the update. I would always use the "Detect Only" option left for every update and if a new machine was connected I could approve the updates that were needed.

What is the best way? Approve every update?


----------



## newhouse1390 (Jan 10, 2005)

If an update is declined will there be somewhere that tells you that the declined update is needed?


----------



## MAQ_FR (Mar 17, 2005)

Hi Newhouse

One of our people had an issue similar to this just before Xmas, and I don't know if they actualy sussed it out (or if it was identical).

I did a bit of digging and i found this in Technet:

"Q.	What do the different update approval options mean, such as Detect Only, Not Approved, Install, Declined, and Remove?

A.	

Only updates that have the approval status Install will be downloaded to computers served by WSUS. By default, Critical and Security updates are already approved for detection (Detect Only), which means WSUS will determine if these updates are needed by any of your computers. These updates will still need to be approved for Install before WSUS downloads them to your computers.

All other new updates will show up as Not Approved until you decide to approve them for Install or decline them with the Declined approval. (You can also approve them for Detect Only or Remove). If you decline an update, it will no longer appear in your list of updates unless you filter by All updates or Declined updates. Remove will remove updates from computers that already have the update installed, providing that the update is compatible with this feature. For details, see the Installation Information on the Details tab of the update. "

Its all here :

http://www.microsoft.com/technet/windowsserver/wsus/20/evaluate/faqs.mspx

but you've probably seen this.


----------



## newhouse1390 (Jan 10, 2005)

What is required to run WSUS 3.0? All downloads on this months secuirty updates list did not download to the clients successfully. Is there a client install required?


----------



## newhouse1390 (Jan 10, 2005)

Communication error was due to the SSL configuration, since we are downloading the updates internally this should not be an immediate problem. But I will look at why this failed.

How would you configure the update server to ensure that all machines are scanned and all applicable updates are approved, even ones that are behind on the image. Leave them all un-approved? 

Take this for example, right now all PC's have SP2 insalled, but so the SP2 update is declined, if I bring a new machine in and SP2 is not installed, I want WSUS to tell me that and deploy that update or go to the machine and install it myself.

I could run MBSA scans and verify the updates against MS servers, but I would expect WSUS to tell me this.

There is no Detect Only feature in WSUS 3.0!!


----------



## MAQ_FR (Mar 17, 2005)

Hi Newhouse, I'm sorry, but as I said, I don't use WSUS enough to know much more about it, and our guy is working in the far east at the moment. 
But hey I found this........

http://www.microsoft.com/technet/pr...fa0-cbc7-4b42-9378-0a92a3be1201.mspx?mfr=true

for the client: WUA 3.0 Is Required

The WUA 3.0 client is required on clients to connect to the WSUS 3.0 server and retrieve the list of software updates that need to be scanned for compliance assessment. During initial setup for Configuration Manager client computers, WUA 3.0 is installed, if not already present. WUA 3.0 is available on the Configuration Manager 2007 CD at \SMSSETUP\CLIENT\<platform>. For information about how to verify the WUA version on client computers, see How to Check the Windows Update Agent Version on Clients.

I also found this interesting, I think you need SMS2003..........

No Microsoft Office updates are displayed when you use Microsoft Update or Windows Server Update Services

Basically, for all updates installed from a patched admin install point, you will not be able to use the ITMU to detect and deploy patches to that product. "Patched admin install point" means an admin install point that you have updated (e.g. with a service pack or hotfix using a .msp file).

From Microsoft KB article:
This behavior occurs if a client computer uses an update from an administrative installation point as the installation source. *Updates can only be correctly detected by Microsoft Update or by WSUS if the updated were applied directly to a client computer and not to an administrative installation point.*

Microsoft Update or WSUS can be used to update a client computer only if the installation source has not been updated.

The workaround for this issue is to:
1) Revert the updated admin install point to an unaltered installation source, or
2) Continue to detect and deploy updates to Office using the Microsoft Office Inventory Tool for Updates

here: http://www.microsoft.com/downloads/...40-2093-4276-910e-9ed1d3ae4a5e&DisplayLang=en

It seems to me from your info and what I've found that:
There is no Detect Only feature - so you need SMS2003.

For the clients, see also here:
http://technet2.microsoft.com/windo...17a0-440e-9cad-2eb881011f5f1033.mspx?mfr=true

hope it helps


----------



## newhouse1390 (Jan 10, 2005)

I will see what leaving the updates un-approved will do. I think if I can get to a point where all updates are unapproved, I can eventually get to the point where updates that have not been downloaded are still utilizing the "detect only" feature and the others will have been downloaded and approved for install already.


----------

