5 Replies Latest reply on Jan 7, 2015 6:04 AM by Lawrence Garvin

    Solarwinds Patch Manager Shows no "Needed Updates" yet check online for updates on client shows 250-300mb available

    grant.hathaway

      Hi everyone

       

      I have a question about patch manager and wsus in general.

       

      Windows environment overview:

      85 Servers

      450 Laptops/Desktops

       

      Since recently, the SW Patch Manager is showing no "Needed Updates" in the console (for All updates). I find this strange as I would expect to see several recently approved updates being deployed in the normal fashion. I have a view set up showing only "Needed updates" which I approve on the 2nd Wednesday of each month to test before deploying to all. However, when I change the update status to "Needed" for all updates I get no results. I haven't declined these recently that I know of! It appears to be a problem with SW Patch Manager/WSUS downloading updates and distributing them correctly.

       

      My colleague advised that when he performed a "Check online for updates from Windows Update" in the control panel on several servers he found that there's 250-300mb of updates available. I ran the WSUS Solarwinds diagnostic tool on the servers in question and get green ticks for all, confirming that the WSUS client can connect back to the WSUS server (Solarwinds Patch Manager server); the results are attached. All of our network server/workstation updates are managed by the one WSUS server controlled by group policy.

       

      I'm unsure how to troubleshoot this further. Can anyone help? I can provide further info as requested; sorry if the above is a bit vague.

       

      Thanks

       

      G

       

        • Re: Solarwinds Patch Manager Shows no "Needed Updates" yet check online for updates on client shows 250-300mb available
          grant.hathaway

          To clarify the question:

           

          Why would the Solarwinds patch manager show "No needed" updates (literally zero found!), even though lots of updates are found when doing a "Check online for updates with Microsoft" on the client?

           

          Thanks

            • Re: Solarwinds Patch Manager Shows no "Needed Updates" yet check online for updates on client shows 250-300mb available
              Lawrence Garvin
              Why would the Solarwinds patch manager show "No needed" updates (literally zero found!), even though lots of updates are found when doing a "Check online for updates with Microsoft" on the client?


              First note to consider is that comparing what's available online with "Windows Update" or "Microsoft Update" with what's available from WSUS is comparing apples to oranges. The updates available to a client from a WSUS server are determined by many factors that do not affect update availability from WU or MU. For example:

              • WU/MU contains all update classifications; WSUS only contains those that are being synchronized.
              • WU/MU contains all product categories; WSUS only contains those that are being synchronized.
              • WU/MU contains only the latest available updates (superseded updates are hidden); this may or may not be the case on a WSUS server depending on how the updates are being managed.
              • WU/MU has all updates "approved"; WSUS only contains those that have been explicitly approved by the administrator.
              • WU/MU shows all updates as "available"; WSUS only shows those updates that have actually downloaded files as "available" to clients.
              • WU/MU does not have the concept of "groups"; WSUS only shows those updates approved for the group(s) that a client is assigned to.
              • If the client is not opted into MU, then WU only shows operating system updates; WSUS shows both operating system and application updates regardless of the MU "opt-in" state.


              So be aware that hardly ever will these two lists match. So why are NO updates available to a client from the WSUS server:

              • It could be that there are no synchronized updates applicable to that client.
              • It could be that there are no approved updates applicable to that client.
              • It could be that there are no approved updates with downloaded files applicable to that client.
              • It could be that the client is in a group where the updates are not approved, or that the updates are approved for the wrong group(s).
              • It could be that the client is fully patched!


              Having said that, let's return to the original question:


               

              I have a view set up showing only "Needed updates" which I approve on the 2nd Wednesday of each month to test before deploying to all. However, when I change the update status to "Needed" for all updates I get no results,

               


              If there actually are no "Needed Updates" on the WSUS server, that's absolutely consistent with the behavior observed in the Windows Update applet of the client.


              But let's check a couple of things to investigate. (Note: The below images are from the online Flash Demo of Patch Manager so the dates are not reflective of reality.)


              • What is the Refresh Date on the update view?

              1-6-2015 7-34-04 AM.png

              • What's the most recent synchronization date of the WSUS server? (This is available from the root server node under the "Update Services" node.)


              • Does the server have any pending downloads? (Best place to get this is from the WSUS native console, on the root node, details pane, right side under "Download Status".)


              • Does the client appear in the correct WSUS Group(s)?

               

               


                • Re: Solarwinds Patch Manager Shows no "Needed Updates" yet check online for updates on client shows 250-300mb available
                  grant.hathaway

                  Thanks Lawrence, that's very helpful. See below for the answer to your questions:

                   

                  • What is the Refresh Date on the update view?

                  06/01/2015 14:48 (present time and date)


                  • What's the most recent synchronization date of the WSUS server? (This is available from the root server node under the "Update Services" node.)

                  05/01/2015 02:00:06 (I have this set as a daily scheduled task)


                  • Does the server have any pending downloads? (Best place to get this is from the WSUS native console, on the root node, details pane, right side under "Download Status".)

                  Updates needing files:     0


                  • Does the client appear in the correct WSUS Group(s)?

                  Yes, I have 4 groups, Unassigned Computers, Servers, Test Machines, Workstations and machines are grouped accordingly, I move unassigned machines to the correct groups when they report in.


                  I'm thinking then that the issue here is that Microsoft Update finds all available update classifications, which has caused the confusion, and the fact that there are no updates needed in WSUS is simply down to that very reason!

                  • Re: Solarwinds Patch Manager Shows no "Needed Updates" yet check online for updates on client shows 250-300mb available
                    grant.hathaway

                    Hi Lawrence, I'm almost ready to mark your answer as correct but can you clarify one last thing... Below is a screenshot of the updates that are found by WU/MU on one of our servers. I accept that some of the updates are for classifications not available in WSUS (controlled by our WSUS administrator) and so that is the reason they appear, but the "Updates for Windows Server 2008 R2 x64" concern me. Could some of these be for updates that we have declined previously and therefore are no longer visible in WSUS, however may still be needed by our machines?

                     

                    How should we handle these?

                     

                    Thanks 

                    Capture.PNG

                      • Re: Solarwinds Patch Manager Shows no "Needed Updates" yet check online for updates on client shows 250-300mb available
                        Lawrence Garvin
                        Could some of these be for updates that we have declined previously and therefore are no longer visible in WSUS, however may still be needed by our machines?

                        It's certainly possible. If the Updates classification is being synchronized, but the WSUS Administrator is unilaterally declining them because a decision was made to never deploy them via WSUS, they would appear as available from WU, but not from WSUS. But also, they could be synchronized to WSUS, and simply Not Approved. A Not Approved update would also never appear in the Windows Update applet. The updates that appear in the listing presented in the image are updates that are available for installation -- this implies that such updates have been Approved on the WSUS server for a target group containing the client. It could also be that the WSUS server just isn't synchronizing this classification at all. I've seen many WSUS Admins only select Security Updates and Critical Updates when configuring a WSUS server.


                        How should we handle these?

                        That probably depends to some extent on your organizational IT and Patch Management policies.

                        • If the updates are not available via WSUS, but should be, then one approach is to remediate the configuration of the WSUS server.
                        • If the updates are not available via WSUS "by design" -- somebody decided NOT to deploy these types of updates via WSUS -- then it may simply be a question of whether any of these updates are actually desirable to be installed on your server(s), and if so, whether there's nothing in organizational policy precluding you from installing these from Windows Update. Of course, doing so completely defeats the whole idea of having centralized reporting, since the existence of these updates as installed will never get reported to the WSUS server, and having server admins pick and choose updates from WU can really mess up a centralized deployment strategy for update classifications that are managed via WSUS.
                        • If the updates are prohibited from being installed because they're not made available via WSUS, then you have a bigger issue to deal with -- particularly if you identify an update that is actually needed by your server(s).


                        FWIW, in my observations about 75% of these updates in the Updates classification are bugfixes to features that are not normally implemented on server operating systems. You'll want to evaluate these types of updates on a per-update basis before actually installing them. For example, I know that one of them is likely a USB Video update -- which is totally useless and meaningless on a virtual machine.

                        1 of 1 people found this helpful
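
Added example, not part of the thread and not SolarWinds or Microsoft tooling: a client-side way to make the WSUS versus Windows Update comparison discussed in both of Lawrence Garvin's answers concrete. It asks the Windows Update Agent what each source offers this machine, then groups the updates that only Windows Update offers by classification, so you can see which classifications are not reaching the client through WSUS. Assumptions: it is run elevated on the client, the client is allowed to reach Windows Update, and the function name `Get-OfferedUpdate` is made up for this example.

```powershell
# Added example. Written to work on PowerShell 2.0 (the Windows Server 2008 R2 default).
function Get-OfferedUpdate {
    param(
        [ValidateSet('ManagedServer', 'WindowsUpdate')]
        [string]$Source
    )
    # IUpdateSearcher.ServerSelection values: 1 = ssManagedServer (the WSUS
    # server set by Group Policy), 2 = ssWindowsUpdate (the public service).
    $selection = @{ ManagedServer = 1; WindowsUpdate = 2 }

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = $selection[$Source]

    # Same criteria for both sources: not installed and not hidden by the user.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        # Each update carries product and classification categories; keep the latter.
        $class = @($update.Categories |
            Where-Object { $_.Type -eq 'UpdateClassification' } |
            ForEach-Object { $_.Name })

        New-Object PSObject -Property @{
            UpdateID       = $update.Identity.UpdateID
            Title          = $update.Title
            Classification = ($class -join ', ')
        }
    }
}

$fromWsus = @(Get-OfferedUpdate -Source ManagedServer)
$fromWu   = @(Get-OfferedUpdate -Source WindowsUpdate)

# Update IDs are the same GUIDs on both sources, so they can be diffed directly.
$wsusIds = @($fromWsus | ForEach-Object { $_.UpdateID })
$onlyWu  = @($fromWu | Where-Object { $wsusIds -notcontains $_.UpdateID })

'WSUS offers {0}, Windows Update offers {1}, {2} offered only by Windows Update' -f `
    $fromWsus.Count, $fromWu.Count, $onlyWu.Count

# Which classifications account for the gap?
$onlyWu | Group-Object Classification | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The individual updates to review against WSUS sync and approval settings.
$onlyWu | Sort-Object Classification, Title | Format-Table Classification, Title -AutoSize
```

A classification that appears only on the Windows Update side can then be checked on the WSUS server against the causes listed in the thread: not synchronized, Not Approved, Declined, or approved for a different group.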