Our organization of roughly 2000 endpoints has only recently started rolling out Windows 7 SP1 (KB976932) via WSUS. To make sure we don't break anything we're rolling it out slowly to one office each week. Its been a few weeks now and we're nearing the end so I'm running reports, via WSUS, to see what machines were missed, failed, etc. I can understand a margin of error to some extent, but I feel what I'm seeing is significant enough to warrant a deeper investigation. What am I seeing? The WSUS report says ~800 machines need to be updated, but upon further inspection, ~400 of them have SP1. Why is there such a difference?
The clients are all Windows 7 x86
Server is Windows Server 2003 R2 x64 running WSUS 3.2.7600.226
Although the 'Automatic Updates detection frequency' has been enabled for some time (via GPO), about a month ago I set the interval to '2' hours thinking maybe the numbers I were seeing were just delayed because of that 20% variance.
The WSUS report query configuration is as follows:
- Report View: Detailed
- Report is specifically for Windows SP1 (KB976932)
- Include computers from specific [target] groups (all of our offices; not servers)
- Include computers that have a status of: any
- Include status from replica downstream servers: All replica downstream servers (there are 4)
The status summary tells us that 807 machines (8+610+118) don't have SP1 for whatever reason so we'll need to look into what's going on. (Note: The numbers used in this posting are fresh, created today, 3/27/13, at the time of writing.)
I save the report as an Excel document, massage the data little so I can create a pivot table for office specific reporting. Then I subtract the 'Installed' number from the 'Grand Total' which gives me 808.
But that number includes:
- Machines with a status of 'Not Applicable', 2 - presumably these assets don't need SP1; maybe wrong OS or system/server in wrong OU?
- Machines with a status of 'Pending Reboot', also 2 - presumably these assets have installed SP1 but haven't rebooted?
So, subtract 4 from the total and I'm at 804. This gives us a difference of 3 (807-804); less than 1% of our assets - not enough of a difference to warrant a huge investigation.
Now I'm going to check each of the 804 machines that don't have a status of 'Installed' via a basic batch script I slapped together specifically for this:
for %%i in (machine1 machine2 ... machine803 machine804) do ( set system=%%i if exist "\\!system!\c$\windows\system32\cmd.exe" ( for /F "usebackq tokens=1" %%k in (`wmic /node:!system! os get version ^| find /i "6.1.76"`) do ( set systemVersion=%%k if [!systemVersion!] NEQ [6.1.7601] ( echo !system! not pached: !systemVersion! ) else ( echo !system! pached: !systemVersion! ) ) ) else ( echo !system! offline ) )(edited for brevity - scan takes a few hours to complete)
Those results are logged to a file so I can import into Excel where I report on machines with SP1, without SP1 and Offline/inaccessible machines. The results are quite a bit different than what WSUS is reporting.
For instance, referencing the chart above, of the 31 machines in Office o1, 30 are patched, not 7 as WSUS shows. I worked with our local resource to visit each machine in that office to confirm what my script reported, and the one that's not patched is out the office. What WSUS is 'seeing' is wildy different, and I'm seeing similar results for other offices.
Up until now I've been using real, current numbers, but because today's manual 'scan' is still running, I don't have fresh numbers. So for the bullets below I'm using results from a scan I did last week.
- WSUS said 784 machines needed SP1
- 379 actually had SP1
- 108 actually needed SP1
- The rest were inaccessible
Why are the WSUS report results off by so much?
Short of resetting the ID's, I'm not sure what to do.
echo. & echo Stopping Services... For %%i in (wuauserv) do ( echo. Stopping %%i net stop %%i >nul ) echo. & echo Clearing Registry Data For %%j in (AccountDomainSID PingID SusClientIdValidataion SusClientID) do ( echo. Removing %%j reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v %%j /f >nul ) echo. & echo Restarting Services... For %%i in (wuauserv) do ( echo. Starting %%i net start %%i >nul ) echo. & echo Forcing AU Discovery wuauclt.exe /resetauthorization /detectnow