Not Downloaded Security Updates being Installed on a Client Via WS

Hello,
We have recently updated our SMS 2003 SP1 infrastructure to System Center
Confguration Manager 2007 R2, and are now using WSUS via SCCM. Been
troubleshooting some issues experienced on users machines where updates are
failing to download and install. Re-seting the Software Distribution Point
resolved this issue, but we are are also seeing Security updates that are
within WSUS some of which are not installing on all machines. It is not the
same update in cases, this varies, so cannot be specific on an update. When
visiting the Windows Update website it lists the updates it requries, and the
same updates are within WSUS.

I am still new to WSUS world, and wondered if anyone else has experienced
where a client installs some but not all the updates it requires via WSUS,
also if there is resolution for this problem?
Thanks in advance

Ton182

"Ton182" <> wrote in message
news:71ABEED1-A053-4C81-95EA-...

> I am still new to WSUS world, and wondered if anyone else has experienced
> where a client installs some but not all the updates it requires via WSUS,
> also if there is resolution for this problem?

Quite often this is the result of misinterpreting the results of what the
WUAgent reports to WSUS as needed updates.

Initially the WUAgent will report ALL updates that have not been installed
as needed. This will likely include updates that are superceded (by other
updates in the same collection). When the WUAgent downloads these updates
for installation, it will only download and install the *newest* update in a
supercession chain. Once the update is installed and reported as installed,
you'll see the status change to Not Applicable for the older (superceded)
updates.



--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

Thanks for the reply Garvin.

In most cases I agree with your reply, I should have mentioned the patches
that seem to be not showing are from 2009. Of the 2 machines I was checking
today, 1 machine was missing a patch release in June (and I know other
machines have installed this patch via WSUS by looking at our compliance
reports). The other machine was missing a patch released in Jan 09. I remove
from WSUS all superseded patches (pending on service pack level). On a test
machine that has recieved updates from WSUS, it has installed 12, and
nothing else is showing, when I run Windows Update via the net, its shows I
have 101 updates to install. I have checked our 2 WSUS packages, and
majority are in these packages (we do not deploy the Malicious update for
example). The odd ones that are not with WSUS I will address seperatly, I am
trying to figure out if we have an issue with WSUS or an issue on machines
not downloading and installing these updates.



"Lawrence Garvin [MVP]" wrote:

> "Ton182" <> wrote in message
> news:71ABEED1-A053-4C81-95EA-...
>
> > I am still new to WSUS world, and wondered if anyone else has experienced
> > where a client installs some but not all the updates it requires via WSUS,
> > also if there is resolution for this problem?
>
> Quite often this is the result of misinterpreting the results of what the
> WUAgent reports to WSUS as needed updates.
>
> Initially the WUAgent will report ALL updates that have not been installed
> as needed. This will likely include updates that are superceded (by other
> updates in the same collection). When the WUAgent downloads these updates
> for installation, it will only download and install the *newest* update in a
> supercession chain. Once the update is installed and reported as installed,
> you'll see the status change to Not Applicable for the older (superceded)
> updates.
>
>
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>
>

"Ton182" <> wrote in message
news:203BD734-11B4-46EC-9B2F-...
> Thanks for the reply Garvin.
>
> In most cases I agree with your reply, I should have mentioned the patches
> that seem to be not showing are from 2009. Of the 2 machines I was
> checking
> today, 1 machine was missing a patch release in June (and I know other
> machines have installed this patch via WSUS by looking at our compliance
> reports). The other machine was missing a patch released in Jan 09. I
> remove
> from WSUS all superseded patches (pending on service pack level). On a
> test
> machine that has recieved updates from WSUS, it has installed 12, and
> nothing else is showing, when I run Windows Update via the net, its shows
> I
> have 101 updates to install. I have checked our 2 WSUS packages, and
> majority are in these packages (we do not deploy the Malicious update for
> example). The odd ones that are not with WSUS I will address seperatly, I
> am
> trying to figure out if we have an issue with WSUS or an issue on machines
> not downloading and installing these updates.

Well, unless a specific update is not detecting/installing on *ALL* systems,
it's not likely the issue exists at the WSUS Server.

Best approach is to pick *one* update for *one* computer, and let's do an
analysis on that specific scenario. Nine of ten times the resolution to that
one scenario will also address every other scenario.

I would suggest using this scenario since it involves one machine and a
June, 2009 update that you know have successfully installed on other
machines.

> Of the 2 machines I was checking
> today, 1 machine was missing a patch release in June (and I know other
> machines have installed this patch via WSUS by looking at our compliance
> reports).

Specifically which update does this issue involve?
Does this machine report this update as "Needed/Not Installed" or as
"Installed/Not Applicable"?
Has this machine installed other updates recently from this WSUS Server?

Please post the WindowsUpdate.log results from this procedure:

1. Note the system time of the machine.
2. Restart the Automatic Updates service (net stop/start wuauserv).
3. Run the command 'wuauclt /resetauthorization /detectnow'
4. Wait 30 minutes.
5. Post the log entries starting at the time recorded in Step #1.



--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

Thanks for the reply again Garvin.

Yes the machines in question has downloaded and installed other updates from
the WSUS server in the past.
The updates are showing required in our compliance reports and also with the
Configuration Manager Console.
I will check the log file you have mentioned, and post the logs back on here??

It seems to be different 2009 patches on different machines that are not
installing, and not one particular patch.

Thank you for your patience and time...

Tony


"Lawrence Garvin [MVP]" wrote:

> "Ton182" <> wrote in message
> news:203BD734-11B4-46EC-9B2F-...
> > Thanks for the reply Garvin.
> >
> > In most cases I agree with your reply, I should have mentioned the patches
> > that seem to be not showing are from 2009. Of the 2 machines I was
> > checking
> > today, 1 machine was missing a patch release in June (and I know other
> > machines have installed this patch via WSUS by looking at our compliance
> > reports). The other machine was missing a patch released in Jan 09. I
> > remove
> > from WSUS all superseded patches (pending on service pack level). On a
> > test
> > machine that has recieved updates from WSUS, it has installed 12, and
> > nothing else is showing, when I run Windows Update via the net, its shows
> > I
> > have 101 updates to install. I have checked our 2 WSUS packages, and
> > majority are in these packages (we do not deploy the Malicious update for
> > example). The odd ones that are not with WSUS I will address seperatly, I
> > am
> > trying to figure out if we have an issue with WSUS or an issue on machines
> > not downloading and installing these updates.
>
> Well, unless a specific update is not detecting/installing on *ALL* systems,
> it's not likely the issue exists at the WSUS Server.
>
> Best approach is to pick *one* update for *one* computer, and let's do an
> analysis on that specific scenario. Nine of ten times the resolution to that
> one scenario will also address every other scenario.
>
> I would suggest using this scenario since it involves one machine and a
> June, 2009 update that you know have successfully installed on other
> machines.
>
> > Of the 2 machines I was checking
> > today, 1 machine was missing a patch release in June (and I know other
> > machines have installed this patch via WSUS by looking at our compliance
> > reports).
>
> Specifically which update does this issue involve?
> Does this machine report this update as "Needed/Not Installed" or as
> "Installed/Not Applicable"?
> Has this machine installed other updates recently from this WSUS Server?
>
> Please post the WindowsUpdate.log results from this procedure:
>
> 1. Note the system time of the machine.
> 2. Restart the Automatic Updates service (net stop/start wuauserv).
> 3. Run the command 'wuauclt /resetauthorization /detectnow'
> 4. Wait 30 minutes.
> 5. Post the log entries starting at the time recorded in Step #1.
>
>
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>
>