A patch has been approved for a system and it shows as "Needed" in the patch manager console. However, it does not show up in Windows Update on the system.
This is a very common scenario in WSUS environments, and I've discussed it several times in the TechNet WSUS forum. Generally it's a function of misunderstanding the differential between an update being needed (i.e. not installed), and that update actually being available to the client to actually get installed.
From the attached WindowsUpdate.log:
2014-04-24 15:03:51:953 968 212c Agent * Found 0 updates and 102 categories in search; evaluated appl. rules of 1207 out of 2806 deployed entities
The key here is to properly interpret this log entry as "Found 0 updates available".
There are a number of discrete events that must occur between the time a client first discovers an update and identifies it as "needed", and the time when that client can actually install it. Any one of these discrete events can be the subject of a breakdown in the process. The key is to trace through the process and identify where it's breaking down.
- The update must be approved for a WSUS Target Group of which the client computer is a member. This also implies that the client computer must be aware of it's actual and correct membership, There's an entire collection of subissues that can occur with respect to WSUS Target Group management and configuration that can complicate this.
- The update installation file must be successfully downloaded to the WSUS Server. This is, by far, the most common culprit in this sequence of events. The console reports the state of pending downloads, as well as the download status for individual updates. If the update file is not downloaded to the WSUS server, the update is not available to the client. Once the update installation file is available to the client, the previous log entry will show a non-zero value for "Found # updates..."
- The client system must be able to download the update installation file from the WSUS server.
- Once the update installation file is successfully downloaded, the update can be scheduled for installation according to the policy configuration.