I am having real issues with WSUS!
There are literally hundreds of updates that need to start to go out.
The problem is.....I can sync fine with MS and it says it's downloaded loads of updates. When approving them however, every single one has a red 'x' next to it and says "This update can be approved but will not be deployed until the files have downloaded" or something to that effect.
I have tried reinstalling WSUS, removing the Windows internal DB, everything I can think of.
This is on 2003 R2.
Pulling my hair out!
Is it still downloading them? It takes ages when you first approve all of the patches.
Do you need to use a proxy to download files? If so, have you set it?
We do use ISA, but I have set that up. Like I said, it syncs fine but all the updates just say they have not been downloaded. Now I may be getting confused, but if it's synced 100% with no errors, the files MUST have been downloaded.
All the updates were approved like 2 days ago and still have the red 'x' next to them.
It sounds like it's having trouble downloading the updates to me. Syncing only downloads a list of the updates; it downloads the patches as you approve them. I'd have a look at your ISA settings.
Maybe you banned .exe's and/or .msi files in ISA?
Any idea what sort of rule I need to make in ISA to allow WSUS through?
Try adding a rule so that that server is allowed straight through (put it near the top of the list and allow all protocols to all destinations for all users for that particular machine). You can tighten this down again later if you like.
Originally Posted by m1ddy
Syncing simply gets the list of updates, they are not downloaded until you approve them (saves space/bandwidth).
Thanks for all the responses guys.
We already have a computer set in ISA called servers with the servers address ranges added.
There is already a rule that allows all protocols outbound to internal/external networks. I would have thought this would have done the trick.
I feel your pain, after virtually reinstalling my entire WSUS server, only to find out it was virus filtering on the proxy server causing issues.
As you are downloading everything again I suggest you do it a bit more systematically (just done this myself). At first our box wanted 35GB, managed to get this down to 5GB which still took 2 days to download!
1st off change all the current updates (view all) and set them all to unapproved.
Then cancel all the downloads.
Then change the sync options just to small things like critical updates and set these for auto approval.
Set any other updates you think you might need to Detect Only, then you can review what computers actually need, so you're not downloading too much crap.
In WSUS 3.0 to approve all updates you've downloaded, choose Options > Automatic Approvals
Specify what types of updates you want to approve - Critical, Security, Update Rollups etc then click Run Rule
As for the actual download of updates, it can take a while depending how many products you've selected and how many languages etc...
When you synchronise, initially a list of updates is downloaded (which is what you're seeing), but the actual updates (the content) are downloaded bit by bit. Creating a WSUS server from new is a long process.
For those of you using WSUS 3.0 and maybe you wish to move WSUS to another server, it's much easier and quicker to move the existing database.
1. Firstly, install WSUS 3.0 on your new server. At this point, enter proxy information and tick what applications you wish WSUS to distribute:
For example: Office 2003, Windows Server 2003, Windows XP etc...
2. Copy the WsusContent folder from your existing server to your new server. Make sure you re-create the share and permissions correctly!
3. From the Run Menu, on your existing server run the following command:
"%ProgramFiles%\Update Services\Tools\wsusutil" export c:\export.cab c:\exportlog.txt
4. Copy the export.cab file to C:\ on your new server
5. From the Run Menu, on your new server run the following command:
"%ProgramFiles%\Update Services\Tools\wsusutil" import c:\export.cab c:\exportlog.txt
When this process is complete, you should have WSUS 3.0 fully working as before. You now need to change your GPO, so clients look at your new WSUS server. Clients should start appearing within the Unassigned Computers group within a few hours.
Once this is complete, you can uninstall and completely remove WSUS 3.0 from your original server.
Well, it's been about 4 days since I synced with MS. All of my updates say 'this update failed to download'.
I have played with ISA and added a rule saying all networks, internal and external can send all traffic and this seemed to have no effect.
I have tried manually telling random updates to download and it thinks about it for a minute or two then reports it as the download failed, the same as above.
We are in Hampshire, is anyone else in Hampshire having the same problem? Do the council have an upstream server I can use to get the updates, rather than Microsoft?
Within WSUS 3.0, under Proxy Settings there's an option to send passwords in clear text. Although technically this is insecure, I suggest you create an account such as "WSUS" and a random password so you can authenticate and connect to download updates.
It sounds like WSUS started to download data, but has stopped for whatever reason.