8 Replies Latest reply on Jul 24, 2014 7:44 PM by Lawrence Garvin

    Patch Manager Web Reporting in Orion

    ajr

      How do I get the pie chart to show a larger green slice? I am looking in Patch Manager and I have around 50 servers out of 600 that don't have any patches pending to be installed.  There is one patch that it reports as 'not installed' which is a WSUS 3.0 update but that patch is not approved for that group as none of them are WSUS boxes.  So there should be no pending installs!

       

      Thanks

       

      Andrew

        • Re: Patch Manager Web Reporting in Orion
          Lawrence Garvin

          Not having any patches "pending to be installed" is significantly different from "not needing any patches". I think you're on the right train of thought, just focusing on the wrong symptom. There are several reasons why updates that should be installed cannot yet be installed. The most common one that affects systems of this large a quantity is that a Service Pack or Service Stack Update has not been installed.

           

          The pie chart is an accurate reflection of reality; you get the green slice to be bigger by changing the reality. In order to change the reality, you have to accurately identify the problem. :-)

           

          You've given me a partial clue. The only update that's a WSUS update that would show as needed for ALL servers (even if WSUS isn't installed) is KB972493, which is the Server Manager update for Windows Server 2008 that installed the WSUS ROLE into Server Manager. The fact that this is the ONLY update shown as Needed for these servers, strongly suggests to me that these are Windows Server 2008 RTM servers (with KB940518 installed). This is the only logical explanation I can think of why this one update would be "Needed", but no other updates are needed.

           

          Installing the current Service Pack is a requirement to continue to receive updates. Legacy Service Packs are only supported for 2 years after the release of the newer service pack; after that point, updates will not detect as installable on the downlevel service pack. Service Pack 2 for Windows Server 2008 was released in April, 2009; Updates for WS2008RTM systems were no longer available after July 2011. (Please note there is no Service Pack 1 for Windows Server 2008. Windows Server 2008 RTM was built on the Windows 6.0.1 codebase, so effectively was the "SP1" product.)

           

          The best approach is to pick ONE server, and investigate the actual state of that server.

          • What Operating System is installed?
          • What Service Pack is installed? (And the corollary question: What Service Pack should be installed?)
          • Are you synchronizing Service Packs to your WSUS server? If so, what is the state of Service Pack 2 for Windows Server 2008?
            • Re: Patch Manager Web Reporting in Orion
              ajr

              Hi Lawrence,

               

              Thanks for your reply, the most common server is 2008 R2 Enterprise and they are all on SP1 - so to my knowledge there isn't an SP2. And we currently don't sync Service Packs via WSUS.

               

              The actual KB referenced is KB972493.

               

              When I run Windows Update on those boxes and then tell them to check into MS - it says the system is up to date.

               

              Thanks

               

              Andrew

                • Re: Patch Manager Web Reporting in Orion
                  Lawrence Garvin

                  So much for my speculation based on the information provided, and apparently my memory from oh so long ago is compromised, because the x64 version of that update will appear as NotInstalled on a Windows Server 2008 R2 SP1 system.

                   

                  So... let's abandon the simple solutions, and dive into the more complex ones.

                  This is the question:

                  • Why would a Windows Server 2008 R2 Service Pack 1 machine report ONLY KB972493 as an available update and no others?

                   

                  And, actually, there is another well-known scenario and it involves HOW Service Pack 1 got installed onto the Windows Server 2008 R2 systems.

                  Around the time of release of Service Pack 1 for Windows 7 and Windows Server 2008 R2, there was also a Servicing Stack Update (SSU)... identified as KB2533552.

                  Microsoft had many issues getting a *working* Service Pack 1 package into the WSUS catalog that spring of 2011, but in the end this is what we got:

                  • Windows Server 2008 R2 RTM systems patched with the May 31, 2011, update from WSUS got the SSU which was included in the 5/31/11 SP1 package for WSUS.
                  • Windows Server 2008 R2 RTM systems patched with an earlier version of SP1 from WSUS did NOT get the SSU.
                  • Windows Server 2008 R2 RTM systems patched with Service Pack 1 from Windows Update did NOT get the SSU.
                  • Windows Server 2008 R2 Service Pack 1 ISOs did not include the SSU.
                  • All of the above also applies to Windows 7 systems.

                   

                  The SSU is required to install many post-SP1 updates (except KB972493, of course, because it was actually released before SP1). As it happens, I have a Windows 7 Service Pack 1 system on my lab network that was built from a WDS server, which was built from a Win7SP1 ISO, which does not have this SSU. That machine currently shows 91 NotInstalled/NotSuperseded updates in the past 38 months (by my estimates, a count that's probably pretty low). My personal Win7SP1 system, which is patched current through March 2014 (yeah, I'm a bit behind!) shows 161 *Installed* updates in that same period of time and 78 NotInstalled/NotApproved updates. The majority of those 78 updates are from April-July 2014. So, discounting those 78 updates from the 91 reported on the new system, that leaves only 13 NotInstalled for the period June 2011 through March 2014, and that indicates (to me) that the new system is missing somewhere in the neighborhood of 150-170 updates (that are currently evaluated as NotApplicable due to the absence of KB2533552).

                   

                  You can estimate pretty much the same behaviors for a Windows Server 2008 R2 system, since virtually every update for Win7 also applies to WS2008R2.

                   

                  So... the next question is this: What is the state of KB2533552 on these Windows Server 2008 R2 SP1 systems?

                  If that update is Installed, then my conclusion would be that your systems really are Up To Date.

                   

                  Finally..... all of the above may actually be a wild goose chase, because I started with the factual information provided (only one update is NotInstalled) and the premise that this was not an accurate state of things; now we can dig into the interpretive information.

                   

                  Your original question is about the green pie slice in the Web Console. The Green Pie Slice represents COMPUTERS UP TO DATE. This means the count of computers that have **ZERO** updates classified as NotInstalled. It's exactly the same question that WSUS Administrators have been asking about the pie charts in the WSUS console for eons as well. We already KNOW that your Windows Server 2008 R2 SP1 systems have at least one update NotInstalled -- That's KB972493! Now, the question is this: Do you ever plan to install WSUS on another Windows Server 2008 R2 SP1 system? If so, you probably need to keep this update in a NotDeclined/Approved state.

                   

                  If, however, you do not need this update, because you're never going to install the WSUS role on another Windows Server 2008 R2 SP1 system, then I would suggest that you *DECLINE* this update. Once that update is no longer identified as NotInstalled AND IF, in fact, it is the only update missing from your systems, then magically, your Windows Server 2008 R2 SP1 systems will now have **ZERO** updates NotInstalled, and the Green Slice will magically grow bigger than you can imagine! :-)

                   

                  And if this is the ultimate resolution, then accept my apologies for taking the long way around to get here.

                  In my experiences, more often than not, the issue is that there really are missing updates, not that the systems really are 99.9% Installed, so that's the road I took.

                  1 of 1 people found this helpful
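
A local check for the "pick ONE server" investigation described in the posts above, as an added example that is not part of the thread or written by either poster. The KB numbers are the ones discussed in the thread; the variable names and report layout are illustrative, and the script assumes Windows PowerShell 2.0 or later on the server being examined.

```powershell
# Added example, not from the thread. KB numbers are the ones discussed above.
$ssuKb      = 'KB2533552'  # Servicing Stack Update
$wsusRoleKb = 'KB972493'   # WSUS update for Server Manager

# 1. What operating system and Service Pack is installed?
$os = Get-WmiObject -Class Win32_OperatingSystem

# 2. Is the SSU present? Get-HotFix reads Win32_QuickFixEngineering.
$ssu = Get-HotFix -Id $ssuKb -ErrorAction SilentlyContinue

# 3. Which updates does the Windows Update Agent evaluate as not installed?
#    The search runs against the update service this machine is configured
#    to use, so it is an online scan and can take a while.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pending = @()
foreach ($u in $result.Updates) {
    # WUA returns KB article IDs without the "KB" prefix; add it for display.
    $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    $pending += New-Object PSObject -Property @{ KB = $kbs; Title = $u.Title }
}

# 4. Summarize: is the WSUS Server Manager update the ONLY one not installed?
$onlyWsusRole = ($pending.Count -eq 1) -and ($pending[0].KB -eq $wsusRoleKb)

New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    OS             = $os.Caption
    ServicePack    = $os.ServicePackMajorVersion
    SsuInstalled   = [bool]$ssu
    NotInstalled   = $pending.Count
    OnlyWsusRoleKb = $onlyWsusRole
} | Format-List

# Full list of what the agent reports as not installed
$pending | Format-Table KB, Title -AutoSize
```

A result of `SsuInstalled : False` together with a short NotInstalled list matches the scenario in the post above, where updates are not offered because KB2533552 is absent.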
                    • Re: Patch Manager Web Reporting in Orion
                      ajr

                      The machines were installed from an MSDN VLK download which was preinstalled with SP1 - just to confuse the matter some more?

                       

                      I don't plan on installing WSUS in the future on 2008 boxes, we are deploying 2012 R2 through the environment so it looks like I am safe to decline the update.

                       

                      Thanks Lawrence!

                        • Re: Patch Manager Web Reporting in Orion
                          Lawrence Garvin
                          "The machines were installed from an MSDN VLK download which was preinstalled with SP1"


                          So they may or may not be missing KB2533552. You'll want to check on that as a separate investigation, because I'm pretty sure the SSU was never slipstreamed into those SP1 ISOs.


                           

                          "so it looks like I am safe to decline the update"

                           


                          Absolutely! :-)

                      • Re: Patch Manager Web Reporting in Orion
                        ajr

                        Just done some research and found a TechNet forums topic on this, it appears that the installer is needed for Server Manager - so should I install WSUS in the future it's ready and up to date.  Credit to you on that as well - looks like I need to approve and install to get everything to 100% - Topic

                          • Re: Patch Manager Web Reporting in Orion
                            Lawrence Garvin
                            "It appears that the installer is needed for Server Manager - so should I install WSUS in the future it's ready and up to date."


                            No. No. No. That update *IS* the WSUS BINARIES. You CANNOT "install" that update.

                            You can approve it, but it will stay NotInstalled for all of eternity until you DO choose to install the WSUS role on a WS2008R2SP1 server, and THEN the WUA will download the bits from the WSUS server.

                            And your servers will continue to be 99.9% Installed until that day. (This is the significance of the words "Dynamic Installer" in the update title.)

                             

                            Someday when you have a few hours to kill, read ALL of that thread; during the course of the thread I describe about a half-dozen times that the update will never install UNTIL the WSUS Role is selected for installation.

                            1 of 1 people found this helpful