Update file size issuse in WSUS server

[johnsonlim027]

1. I had find out the file size for each individual update is very big.By having 5 updates to download, it take about 300MB something.But from I know, Windows XP SP4 patch file take about 130MB something but can update many bugs and enhancement at a same time .I would like to ask that does the update file size in WSUS is huge for each individual update? I list down the file size of some update here:
Update Size
a. Security update for Windows 2000 (KB896424) 33.39MB
b.Windows 2000 SP4 rollup 35MB
c. Security Update for Windows XP (KB896424) 59.5MB

2. Is there a way for me to know the update file size for each individual update rather than going to the home page and deduct from the total update file size to be downloaded?

3.By not allow downloading any update, I can see in Home page that My WSUS server is downloading something.Why does this happen and where can I go to see the update that it is downloading?I have checked in Update page but do not see any update is downloaded.

 

[madmatt]

Firstly, I would recommend getting your entire network at some sort of a baseline. Whether that be Windows 2000 Professional SP4 or Windows XP Professional SP1.

Then you won't need to worry about approving SP4 or any thing older than SP4 for Windows 2000. Or any thing older than SP1.

You should also make sure all W2K machines are up-to-date with IE6 SP1 and OE6 SP1 so you don't have to approve older IE and OE updates.

The same goes for WMP9 on W2K.

The only large update that I have my WSUS server set to push out was SP4-Rollup 1.

By forcing your server to download large updates such as service packs you are asking it to use a lot of bandwidth (regardless of BITS) and then when it comes time to clients needed to update they have to use a lot of bandwidth (regardless of BITS) to download the update. You're only asking for problems especially if you don't have a lot of bandwidth to use.

 

[kcnychief]

Madmatt makes an incredibly important point there, baseline is very key.

A few other things I should point out, which more than likely go without saying, is that any huge updates like SP installation over the network to your clients should be done off peak hours if possible. It is ideal to let these installations perform themselves with little to no user interaction.

Also, you may want to play with the Microsoft Base Security Analyzer, which is a VERY sexy tool:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

 

[johnsonlim027]

All the machine on the network are of Windows XP Service Pack 1. I had come out with the following plan:
1.The file size of Security Update and Service Pack is huge and should be
installed to the client after the office hour.
2.The other updates that are not of huge file siza can be installed to the
client.

Am I correct for that?

MadMatt and Kcnychief, May I know how you control the total update file size of updates to be installaed to the client due to the bandwidth issuse?May I know how you control the bandwidth?

Thanks

 

[madmatt]

As I said, I have a baseline for my network.

Windows 2000 workstations are at least SP4, IE6SP1, WMP9
Windows XP workstations are at least SP2, IE6SP2, WMP10

So any thing older isn't approved for installation. Service Packs are never approved since they are so large. Update Rollups are approved.

Office 2003 Service Packs are distributed through GPO (not Update Services).

I have fiber running through the building, so bandwidth is of no concern to me.

However, I have my clients set to update at 3:00 AM daily (when and if an update is available). I have to do my servers manually (for obvious reasons).

 

[johnsonlim027]

Thanks , MadMatt.

I would like to ask a question here.

1.All the critical and security update are automatically approved for detection after the synchronization.So do I have the approval right such as remove, decline, all update, detect only,any approval, not approved for other update during synchronization as we see in the view menu for filter purpose? Does it means that the approval status for each update that I see in the Update Page after synchronization is set during synchronization and we as an administrator have no access to change the approval status for synchronization?From what I know, currently we only have install, detect only and not approved option to ally for computer groups after synchronization.

 

[madmatt]

Critical and Security Updates are approved for detection. Normally I set updates for products I don't have in my environment (such as IA64 and x64 products) to "Not Approved".

When you install WSUS it creates a "WSUS Administrators" user group in Active Directory. Any administrator who is going to make changes to WSUS should be a member of this group.

 

[johnsonlim027]

1. I am log in as the server administrator.So when I go to WSUS console it do not prompt me for the password.Am I in the correct way? But I still can make changes in WSUs such as allow synchronization, allow for installation and even allow which update for synchronization.What I do not have is the approval right for updates to be synchronized.I can't a way to do as what you tell me that is " I set updates for products I don't have in my environment (such as IA64 and x64 products) to "Not Approved " "Can you show me the way on doing that?

2.How to login as WSUS administrator?I thought I am already an WSUS admiistrator by login as Windows 2000 server administrator, am I correct?While installing WSUS , I a using the default password.

 

[madmatt]

If you are a member of the "WSUS Administrators" user group then it shouldn't ask you for a username/password. If you don't have the ability to approve updates then you will need to make sure you are a member of that group. No other group has the ability to control WSUS.

I did a search for IA64 and x64 then highlighted those updates and selected not approved.

 

[johnsonlim027]

Do you mean that you go to the Update Page and manually search for the pafticular update and then manually selected not approve option by highlighting the update and then goto Update Task menu and change the approval status? :dead:

 

[madmatt]

Yes, I searched for "ia64" and it returned all of the updates available for IA64 versions of Windows. I selected all of them (holding CTRL and selecting each one individually) and changed them to "Not Approved". I did the same for "x64".

 

[johnsonlim027]

Thanks MadMatt... Then I am in the correct way.I have one more question to ask here.
1.In the Automatic Approval Option Page, there is a Automatic Installation option.By checking the checkbox that allow the automatic install for security update(for example), does it means that the kind of update will be installed to the client without my approval at a specific time?

 

[kcnychief]

That is correct johnson, however the automatic install approval rule will not deploy an update if the update requires the acceptance of a license agreement. If this occurs, WSUS logs an NT event to the event log. The event identifier is 422.

 

[madmatt]

I personally wouldn't use that option. You should be testing all updates against some sort of a test environment.

Regardless, I prefer to approve updates manually so I know what is going to be installed.

 

[kcnychief]

Yeah, auto update is bad, as I also agree, but I was just answering his question.

To expand off what Madmatt said, any environment that uses WSUS on any scale, should be monitored closely, thus launching manual approval to be acceptable. I have a small seperate VLAN with 25 computers that gets auto-approved for testing so I can deal with it when I have a chance, but NOTHING gets auto-deployed without testing on all Dev Platforms (win2k, xp).

Happened once, poop hit the fan, won't happen again

 

[johnsonlim027]

Thanks,I will take note of this seriously.E.. more question.....

1.My client is using Pentium 4 Processor 2.8 Ghz but why in the hardware information I see that the Processor model is x86? I see in BIOS but does not see any information such as x86.

2.There is not approved updates in the WSUS server.Why does it occur?I understand that this kind of update are all in unknown status to the client.The revision of the updates are also not approved automatically.Does it strange as Microsoft Microsoft release the update and WSUS synchronize with it and then the revision of the updates are not approved automatically?This means that the update are useless..

 

[madmatt]

x86 is a 32bit processor.
x64 is a 64bit processor.

If an update is not approved for detection or installation that the client doesn't bother checking to see if it is needed. Clients only check for needed updates if they are approved for detection or installation.

And that's not true. No update is useless. The reason you shouldn't automatically approve updates for installation is because you don't know how it is going to affect your environment. Every environment is different and Microsoft has no way of testing updates against every type of environment.

 

[johnsonlim027]

Oh , I see...but I still do not understand why after synchronization there are updates that are automatically in not approved status?What reason cause them to be in the not approved status?What kind of updates will be in not approved status

I see that Windows XP Service Pack 2 is in the not approved status.I do feel some contracdiction as I think that service pack update should be automatically in the detect status but why WSUS put in in the not approved status?

 

[madmatt]

Microsoft has a system for determining what classification an update falls in to.

Critical Updates
Security Updates
Update Rollups
Service Packs
etc.

Only critical updates and security updates are eligible for automatic detection. The reason service packs are not approved for automatic detection is because they are rather large and most administrators will prefer to roll these out differently.

Approving a 200MB update through WSUS could have serious issues, that's why it's not recommended.

 

[digima$ter]

I agree with madmatt