Microsoft puts out different versions of rollups/patches monthly via WSUS. One really bizarre one is "Preview of quality rollup for .Net framework". Preview? WTF does that mean? It appears to be an installable patch bundle like the others, but its name has preview. How could I preview an installation by installing it? So, there is also "security only update for .Net framework" and I think there's a "security and quality rollup for .Net framework". So, there's "security and quality rollup", "security only update", and "preview of quality rollup". Microsoft couldn't make this any more confusing. And even though some appear to be a subset of others, I can select to install all of them. What happens if I do? I clicked the "more information" thing and it says nothing to describe what this means. I Googled and found nothing. Can anyone explain (particularly "preview" WTF!?) or point me to a good article? Thanks!!!
Anyone know of a way to completely wipe WSUS of updates and start again?
It seems as if I have loads of language packs and assorted rubbish in the list which we do not need. Having now removed all the unwanted Products, Classifications and Languages, what I would like to do is completely clean out the WSUS database and start again. It appears that uninstalling then reinstalling the WSUS role does not help; they are all still there. Have also tried the Server Cleanup wizard, which seems to be mostly a waste of time; it didn't clean up any of the updates I was hoping it would remove.
I haven't yet installed any of these on any machines, so if only I could work out how I could completely wipe all listed updates and start again, but according to my new reduced Products list.
Thanks, Nick
I've looked through all the settings in the Automatic Approval menu, but I could not find anything about automatically approving only the needed updates.
Because if I check, for instance, to auto-approve only the "Definition updates", it will approve any Definition updates, whether they are needed by my workstations or not.
This is because I don't want my WSUS server to download and store updates that are not needed by any of my workstations.
Also we are a lazy SMB, and we don't want to waste time to manually approve updates and stuff.
Is this even possible?
We have WSUS pushing updates out to our users' workstations, and things are going relatively well with one annoying caveat: there seems to be an issue with a pop-up being displayed in front of some users informing them that their machine will be rebooted in 15 minutes, and they have nothing to say about it:
This may be because they did not log out the prior night. Nevertheless, this is a bit too much and is very counter-productive for our users.
Here is a bit about our environment: Our users are running Windows XP Pro and are part of an Active Directory Domain. WSUS is being applied via Group Policy. Here is a snapshot of the GPO that is enforcing the WSUS rules:
Here is how I want WSUS to work (ideally - I'll take whatever can get me close):
I want updates to automatically download and install every night. If a user is not logged in, I would like the machine to reboot. If a user is logged in, I would like their machine not to reboot, but instead wait until the next "installation period" where it can perform any other needed installations and reboot then (provided a user account is not still logged in). If a user is to be prompted for reboot, it should only happen once per day (if possible), but every time they are prompted, they must have a way to postpone the reboot.
I do not want users to be forced to restart their computer whenever the computer thinks it should happen (unless it's after an update installation and there are no logged in users). That doesn't seem productive to force a system restart in the midst of a person's workday. Is there something that I can do with the GPO that would help make WSUS less intrusive? Even if it gave the user an option to Restart Later - that would be better than what is happening now.
edit
The goal is to be able to automatically download and install updates every night, and rebooting the machine only if there are no users logged on when the machine wants to reboot. If Windows has to nag the user about rebooting, this is perfectly fine - as long as they have an option to postpone that reboot.
edit
It turns out, we have some deadlines set on some updates (SP3, Client-Side Extensions, etc.), and with the post found below, some light has been shed on the situation:
I'm finding that most users ignore the "There are updates ready to be installed, click here to install" message that WSUS pushes out. Until now we haven't forced the install but I'm thinking about changing the group policy to enforce updates nightly. This will sometimes require a reboot which I want to enforce through GP as well.
I know there will be push-back from the users but am wondering if this is defendable best practice. It seems like the right thing to do to ensure PCs are up to date and secure.