Give me an option to copy approval settings from one group to another:
If I create a new group a year after implementing WSUS it's likely I'm going
to want all the currently approved updates to apply here. I do not
particularly want to trawl through 600+ updates to find which ones I'd
applied to my general computers and manually add them to this list.
Make updates easier to apply / manage on a per group basis
I don't test updates one at a time, there are simply not enough hours in the
day. Instead our test network gets hit with a batch of updates which I'll
want to apply to the live network a week or two later. Managing this is
currently a nightmare. On the updates screen the approval status here often
says "Mixed" since we have a 3 stage process: Test machines first, then
workstations, then eventually servers.
Finding which patches are at which stage is nearly impossible
My suggestion to improve this in WSUS would be to give improved views /
filtering on the updates list:
- allow me to view all updates approved for a particular group
- allow me to view approval status for a selected group
That would allow me to see a single screen listing all the updates currently
approved on the test machines, with the approval status shown for the live
clients. Even better would be to allow filtering of the approval status so
it only showed patches currently live on the test servers but not applied to
the main clients.
This brings me to my 3rd point:
Change the way you approve updates!!!
When I've gone through the above process and selected a batch of updates to
apply to my general computers, I'm now ready to approve these for my main
clients only. Why oh why does WSUS insist on asking me what settings I want
to apply for every other group?
When I'm approving updates I *do not* want all my groups listed and
prompting me for actions. I want a blank screen there with the ability for
me to add groups as required.
ie: It's likely I just want to update one or two groups. Allow me to
select a group and an action and add it to the list.
That allows me to make changes to the approvals for one group without the
risk of changing the settings that currently apply to other groups.
You're not alone, and as more updates come down the pipe the approval process
needs to be much more efficient and streamlined. I'm going to ask Craig
Marl our UI PM to jump in here in the next day or so and chat with you on
each of your asks and our current design thoughts! Thanks again for taking
the time - We LOVE to hear these pain points!
-cheers Bobbie
--
Bobbie Harder
Program Manager, WSUS
Microsoft
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Ross" <Ro...@discussions.microsoft.com> wrote in message
news:617A3CDC-AE2D-4538...@microsoft.com...
>A short list of things I'd like to see in WSUS:
>
> Give me an option to copy approval settings from one group to another:
The tool is in the API Samples and Tools Kit.
> My suggestion to improve this in WSUS would be to give improved views /
> filtering on the updates list:
> - allow me to view all updates approved for a particular group
> - allow me to view approval status for a selected group
Both of these can be done in the current interface.
> This brings me to my 3rd point:
> Change the way you approve updates!!!
>
> When I've gone through the above process and selected a batch of updates
> to
> apply to my general computers, I'm now ready to approve these for my main
> clients only. Why oh why does WSUS insist on asking me what settings I
> want
> to apply for every other group?
>
> When I'm approving updates I *do not* want all my groups listed and
> prompting me for actions. I want a blank screen there with the ability
> for
> me to add groups as required.
>
> ie: It's likely I just want to update one or two groups. Allow me to
> select a group and an action and add it to the list.
>
> That allows me to make changes to the approvals for one group without the
> risk of changing the settings that currently apply to other groups.
An interesting interface modification, Ross. I'll bounce this suggestion up
to the development team and see if they can offer any feedback as to why the
interface is the way it is now, or why it can or cannot be accommodated to
work as you'd like.
--
Lawrence Garvin, M.S., MVP-Software Distribution
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, everything else is at
http://wsusinfo.onsitechsolutions.com
...
> "Ross" <Ro...@discussions.microsoft.com> wrote in message
> news:617A3CDC-AE2D-4538...@microsoft.com...
>>A short list of things I'd like to see in WSUS:
>> This brings me to my 3rd point:
>> Change the way you approve updates!!!
>>
>> When I've gone through the above process and selected a batch of updates
>> to
>> apply to my general computers, I'm now ready to approve these for my main
>> clients only. Why oh why does WSUS insist on asking me what settings I
>> want
>> to apply for every other group?
>>
>> When I'm approving updates I *do not* want all my groups listed and
>> prompting me for actions. I want a blank screen there with the ability
>> for
>> me to add groups as required.
>>
>> ie: It's likely I just want to update one or two groups. Allow me to
>> select a group and an action and add it to the list.
>>
>> That allows me to make changes to the approvals for one group without the
>> risk of changing the settings that currently apply to other groups.
>
> An interesting interface modification, Ross. I'll bounce this suggestion
> up to the development team and see if they can offer any feedback as to
> why the interface is the way it is now, or why it can or cannot be
> accommodated to work as you'd like.
Looks like Bobbie beat me to the punch. :-)
Lawrence, you suggest that one of my requests can be done with the current
interface:
> - allow me to view all updates approved for a particular group
> - allow me to view approval status for a selected group
It may be that there are features I don't know of, or I may not have been
clear. What I want is to have both of the above in a single view, so I can
filter the list to show me just the approved updates for my "test" group, yet
with a column added showing me the status of those updates with regards to
my "live" group.
From what Bobbie's saying this may be coming out with the next release, how
far away is that now? And any chance I could get myself on the beta
programme?
Ross
"Lawrence Garvin (MVP)" wrote:
> ....
>
>
>
> A short list of things I'd like to see in WSUS:
>
> Give me an option to copy approval settings from one group to another:
> If I create a new group a year after implementing WSUS it's likely I'm going
> to want all the currently approved updates to apply here. I do not
> particularly want to trawl through 600+ updates to find which ones I'd
> applied to my general computers and manually add them to this list.
> (snip)
Hi,
An alternative to doing it manually:
You can use the WSUS API to copy update approvals from one
WSUS group to another.
See this post for details on how to create
CopyApprovalsBetweenGroups.exe:
http://groups.google.com/group/microsoft.public.windows.server.update_services/msg/0a62b129af4c8a7c?dmode=source&hl=en
Some additional notes about the utility:
1. The utility is a command line based utility, you need to specify the
   "from" and "to" group names on the command line.
2. If a group name contains spaces, you need to surround it with quotes,
   like this: "Test group".
3. The naming of the groups is case sensitive so "Servers" is not equal
   to "servers".
4. The utility will mirror the approval status, so any additional
   approved installations in the target group will be unapproved.
--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
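The mirroring behaviour described in the notes above, as an added PowerShell sketch against the WSUS administration API (Microsoft.UpdateServices.Administration); it is not the CopyApprovalsBetweenGroups.exe from the linked post. The parameter names, the script file name in the comment and the report-only default are choices made for this example, and approval deadlines are not copied.

```powershell
# Added example. Run on the WSUS server (or a machine with the WSUS console), e.g.
#   .\Copy-WsusApprovals.ps1 -FromGroup "Test group" -ToGroup "Servers"          (report only)
#   .\Copy-WsusApprovals.ps1 -FromGroup "Test group" -ToGroup "Servers" -Apply   (make changes)
# The script name and parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)] [string] $FromGroup,
    [Parameter(Mandatory = $true)] [string] $ToGroup,
    [switch] $Apply   # without -Apply nothing on the server is modified
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$NotApproved = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved

function Get-GroupByExactName([string] $Name) {
    # -ceq is a case-sensitive comparison, so "Servers" does not match "servers".
    $found = @($wsus.GetComputerTargetGroups() | Where-Object { $_.Name -ceq $Name })
    if ($found.Count -ne 1) {
        throw "No computer group named '$Name' (exact, case-sensitive match)."
    }
    return $found[0]
}

function Get-GroupAction($Update, $Group) {
    # Action of the update's approval for this group, or NotApproved if it has none.
    $approvals = @($Update.GetUpdateApprovals($Group))
    if ($approvals.Count -gt 0) { return $approvals[0].Action }
    return $NotApproved
}

$source = Get-GroupByExactName $FromGroup
$target = Get-GroupByExactName $ToGroup
if ($source.Id -eq $target.Id) { throw 'Source and target are the same group.' }

# Compare every update and record only those where the two groups differ.
$changes = foreach ($update in $wsus.GetUpdates()) {
    $want = Get-GroupAction $update $source   # what the source group has
    $have = Get-GroupAction $update $target   # what the target group has now
    if ($want -eq $have) { continue }

    $result = 'planned'
    if ($Apply) {
        # Mirroring: the target receives the source's action, including NotApproved,
        # so approvals that exist only on the target are withdrawn.
        try   { [void]$update.Approve($want, $target); $result = 'applied' }
        catch { $result = "failed: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        Title  = $update.Title
        Target = $have
        Source = $want
        Result = $result
    }
}

$changes | Sort-Object Source, Title | Format-Table -AutoSize
```

Rows whose Source column reads NotApproved are the approvals the mirror would withdraw from the target group, so the report-only run is the place to check them before adding -Apply.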
> "Ross" <Ro...@discussions.microsoft.com> wrote in message
> news:617A3CDC-AE2D-4538...@microsoft.com...
>
>>A short list of things I'd like to see in WSUS:
>>
>>Give me an option to copy approval settings from one group to another:
>
>
> The tool is in the API Samples and Tools Kit.
> (snip)
No such tool was in there last time I checked, but see my other post in
this thread on how you can create a copy approvals between groups tool
yourself...
Thanks for the feedback. I can tell you that we're planning on addressing
some of these things in WSUS 3.0.
For 3.0 we're adding a new MMC UI that allows us to do a lot more than the
old web UI, one of these things is much richer views. In 3.0 you'll be able
to define custom views based on products, classifications, sync date, and
the groups the updates are approved for. This should make it much easier to
create views specifically for test to production scenarios - you'll be able
to have views specific to your test deployments. You can also filter the
views based on approvals and the status on your clients; so you can see
approved updates with failures, and with a single click see approved updates
that are still needed etc.
We're also reducing the complexity around approving for detection. Basically
in 3.0 the whole notion of approved for detection goes away - so we'll
always have stats on which updates are needed etc. This allows us to build
views where you can see which updates are unapproved & needed by clients
which should help make it simpler to decide which updates to test 1st.
Copying approvals from one group to another isn't something that is
currently planned, but it's a neat idea and one that we will think about.
One other thing I'll mention is that we're beefing up targeting
significantly for 3.0 - we'll allow nested target groups. So you'll have
much more flexibility in how you organize your groups, and much improved
inheritance semantics.
I hope this helps shed some light on our plans. Appreciate the feedback.
-craig.
"Ross" <Ro...@discussions.microsoft.com> wrote in message
news:617A3CDC-AE2D-4538...@microsoft.com...
I'm basically thinking there's no quick way at the moment to look at a group
& see if all the recently selected updates have been applied to all members.
Right now I don't even know if my test network is up to date, let alone the
live network. Yeah, I can drill down into the detail for each computer & see
if any updates are flagged as 'needed', but I really want to be able to see
this at a glance. Something like:
[Selected group: test]
Computer Name   OS           Last Report   Current Status
XXXX            Windows XP   7am today     Up to date
YYYY            Windows XP   1 hour ago    Needs 5 approved updates
The current status should only deal with approved updates for that group.
The updates screen is where I go to look at unapproved ones.
Thinking about it, this is kind of an extension of what I was asking for
before, but applied to the computer view instead of the update view. Again,
I'm filtering the list to a selected group, and viewing the status for a
particular group.
The nested group stuff sounds awesome, it'll do away with some of the
copying needs I've had. Will you allow groups to be moved & to assume the
inherited properties as they move?
Ross
PS. Put me down for the beta if you can - I've a good knack for breaking
things & finding bugs, just ask Veritas :D
When I'm updating computers and applying updates, I tend to group updates
into different categories. ie. I'll do windows fixes one day, a little
later when I'm happy they worked I'll apply office fixes. Often I'll have
different sets of updates being tested simultaneously on different groups of
computers.
Now to manage this I've created named views in the updates window (Windows
XP updates, Office updates, etc.). It would be really handy if these named
views could be used when looking at computers & groups.
ie: In the computers tab, let me pick the "test" group, then let me view
the current status of the updates contained in the view "Office 2002", as
applied to that group.
That lets me pick a group and at a glance see if the updates have been
installed. At a glance I can find out if Windows and/or Office are up to
date.
A lot of these ideas are essentially coming from a user customizable status
column:
- When on the updates screen, the status column wants to be able to show the
approval status for each update for a particular view and group (and not
necessarily the selected view).
- When viewing computers & groups, the status column wants to show an update
summary for a particular update view.
This is getting more complicated now, so I'm thinking I may need an example.
Assume that I have created update views called "Windows updates" and "Office
updates", and also have two computer groups "test computers" and "live
computers". The suggestions are aimed to allow views showing:
Viewing & applying Updates
- All new "Windows updates" needing approval
- All new "Windows updates" needing approval for "test computers"
- All "Windows updates" approved for "test computers" not approved for
"live computers"
(This last example can be achieved in a couple of ways, the simplest is to
allow filtering by using both a view & group to filter the list - ie filter
by "Windows updates" where update approved for "test computers". You can
then view which updates are not approved for live computers by choosing a
status column to show status for "live computers")
Viewing Computer / Group status
- Status of all approved updates for "test computers"
- Status of "Windows updates" for "test computers"
Ross
When I'm approving updates, let me know how many reboots are needed for the
selection I've chosen. This allows me to give staff an ETA before all the
patches are applied.
Also, instead of just configuring the client to install updates at 3pm, how
about allowing me to configure a time window, say 3am - 5am. If the computer
reboots but is still within that window it's free to install more patches &
reboot again.
That would help a lot if like me you apply patches occasionally in large
batches, and would make it far quicker when installing new computers - they
can be brought up to speed automatically in a single day.
"Ross" <Ro...@discussions.microsoft.com> wrote in message
news:1FE93D16-59D9-42B0...@microsoft.com...
-Bobbie
--
Bobbie Harder
Program Manager, WSUS
Microsoft
"Ross" <Ro...@discussions.microsoft.com> wrote in message
news:1F2BBDF4-7F4F-4607...@microsoft.com...
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
"Gary Flynn" <fly...@jmu.edu> wrote in message
news:%23vN5xQn...@TK2MSFTNGP05.phx.gbl...
"Blackura03" <black...@yahoo.com> wrote in message
news:1145030102.4...@i40g2000cwc.googlegroups.com...
Regards,
Hank Arnold
> got it - Can you tell me Gary how this would be useful to you and how
> you manage your clients by IPs and how that will help you better
> manage them for updating? Any impact with dynamic IPs and roaming
> laptops or are these pretty static? Would you want to group them by
> IPs? (sorry just need it in your words what problem you're looking to
> solve vs. my making any assumptions to make sure I get a clear
> picture) :) thanks -Bobbie
Off the top of my head, I'd say it would make it easier to see if a
particular location (subnet) is having trouble.
"Gus" <egust...@rsis.com> wrote in message
news:1145070102....@i39g2000cwa.googlegroups.com...
I'd imagine most managers would be more comfortable with a quick PDF or HTML
report than learning the WSUS interface.
Ross
I see the problem where the central managed downstream wsus server does
not 'know' which updates are available on the upstream-server where it
is synchronizing from, thus making it impossible to set specific
features on the downstream wsus server.
Perhaps it is an idea to add another wsus server role. The only
function this server has is to serve as a library for downstream wsus
servers. The downstream wsus servers synchronizing from the library
server should have the opportunity to set synchronizing options based
on the content available on the library server...
The organization I'm implementing WSUS for has a VERY strict internet
policy. There is 1 WSUS server serving as the master library for all
sectors within the organization. Only this server is permitted to
download content from Microsoft Update. These sectors however want to
be able to decide for themselves which features to use without being
forced to use the entire library available on the master WSUS server.
One sector for example has 1 central managed downstream WSUS server
(syncing from the master) and 36 replicas. You can see how much data
is stored on each WSUS server without it ever being used. And no,
syncing directly from Microsoft for each sector is not an option! :)
Sorry for my English.. I'll add other wishes soon. A lot of them all
most certainly known by now.
If possible I'd like to participate in beta testing upcoming versions
(3) of WSUS.
It's cool to see you MS guys proactively seeking input to make things
better!
--
MartijnP
PS: In my opinion, WSUS is one of the best free tools to come out of MS. Our
admin overhead of patching is significantly lower using WSUS. MS got this one
almost perfect.
:)
tf
2) An easy way to extract/access the downloaded update so I can "integrate" it
into the RIS/CD image. I have just integrated most of the XP security and
critical updates into my image and it looks like it will reduce build time by
about 1 hour but to get the hotfixes I needed to download them again (yes I know
there are ways to get the data from WSUS but they are not easy). Even better
would be an integrate option where I right click the update and choose
"integrate" and can browse for the image folder and have it run "hotfixnn.exe
/integrate:<path>"
--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.
1. Allow admins access to a setting on the client: "catch up: install all
updates immediately". Have the client install updates & reboot as needed
until all updates are installed, then reset this turn this off once all
updates are done. For my network I would want this setting to override the
standard 3am time set by group policy. How about a group policy setting to
automatically turn on this setting the very first time the update client is
started?
2. How about a custom client / utility that runs on the RIS server and can
take the appropriate list of updates from WSUS and apply them to a RIS image.
I'd probably just run this from time to time & slipstream the updates but it
might be possible to have this running continuously so the RIS images are as
up to date as the rest of the network.
Ross
>Great suggestions, I could use both of these. I'm wondering if they would be
>easier to implement client side?
>
>1. Allow admins access to a setting on the client: "catch up: install all
>updates immediately". Have the client install updates & reboot as needed
>until all updates are installed, then reset this turn this off once all
>updates are done. For my network I would want this setting to override the
>standard 3am time set by group policy. How about a group policy setting to
>automatically turn on this setting the very first time the update client is
>started?
That would be another good way, especially if it was implemented as the default
for a new computer and turned off by adding a registry entry the first time that
there were no updates to install. This would mean that a re-install from RIS or
other image would kick off without the reg entry and quickly update then slow
down to once a day.
>
>2. How about a custom client / utility that runs on the RIS server and can
>take the appropriate list of updates from WSUS and apply them to a RIS image.
> I'd probably just run this from time to time & slipstream the updates but it
>might be possible to have this running continuously so the RIS images are as
>up to date as the rest of the network.
I thought of that but there are many updates that would/should not be
integrated, e.g. Windows Defender patterns. So we would need quite a few
additional controls. As I see it too the deployment plan is usually Test group
-> pilot group -> production then if there are still no issues integrate to
RIS. Also Service Packs are a problem as you cannot apply the SP to the RIS image
or to an image with hotfixes installed. So we need to apply the new SP to a CD
image and then build a new RIS CD image then apply Hotfixes again when they are
issued.
True, it's almost more important to test anything going to a RIS image than
to a workstation. After all you're not likely to know if it'll work for some
time and it's likely to be used on a mix of hardware. With regards the
choice of updates, provided the current filtering abilities are built into
the client it should be relatively simple to select the updates you want to
apply.
Good point about service packs, I wasn't aware of that. My first thought
would be to roll back the image but that could be horribly messy. If it's
that big a problem I guess you'd need a way to re-create the image when
service packs are released, but that will need to include all the drivers,
templates, etc...
I wonder if it would be feasible for MS to create a generic program that
automates the creation & management of RIS images? When a new SP comes out
it could quickly create a new image, slipstream the SP, copy all settings &
drivers from an existing image & applying patches as needed. That'd save a
lot of time.
Saying that, it might be nice if that program could also create images from
scratch, including drivers. It'd save a lot of messing about with ini files,
etc... In theory something could be written that could take a source CD,
grab patches (inc SP's) from WSUS and apply drivers as needed. Just the
patches would be useful, automating driver installs would be a godsend. I've
got the knack now but it took a lot of googling to get it working (MS' own
guides simply weren't enough).
I'd have thought it would be a fairly straightforward step for a RIS wizard
to prompt for drivers, although they might want splitting into categories.
From my experience you'd need separate treatment for network drivers, disk
controller drivers & then all the generic stuff.
Of course, MS hopefully know enough about drivers to automate the whole
thing. It'd be great to just point the RIS wizard at the driver CD for a
machine & just have the whole lot pre-installed for you.
Anyone at MS care to let us know what they think of this idea?
Display updates in the order they will be installed on the client computer.
I've just had a user call to ask how many more times his computer will need
to reboot. I think I've already asked in this thread for WSUS to be updated
so we can see how many reboots are needed, but I decided I would see if I
could give him an educated guess by having a look at how many updates are
remaining for his machine.
His registry clearly shows me which updates were installed last night, and I
can filter WSUS to just show me the office updates applied and sort by
release date, yet it's all but impossible to tally the two lists. The first
update installed last night was about 5 from the top of the WSUS list, the
2nd about 20 updates further down.
If this list could be sorted in install order it would make it a lot easier
to see how many updates are left when questions like this are asked.
Sorry. I missed the followup question.
Unfortunately, our Windows netbios computer names are of little
direct value in finding or identifying a particular computer
and it's not likely things are going to change any time soon.
Having results sorted by IP address in the display and
reports would give me immediate feedback about the general
area where a computer is located. It also makes it easier
to use the IP address to query our registration database
( Cisco/Perfigo network access control system ) to find
the registered owner. Admittedly I could do some netbios
name to IP address translation but that is an unnecessary
step and doesn't solve the problem of looking at a reporting
screen full of nonsensical netbios names.
I haven't looked at the WSUS API yet so maybe I could do
this on my own and create a separate reporting system but
I thought I'd mention the IP address option as it would
seem to be just a matter of offering an option that uses
a different query to generate the reports and display.
Our DHCP server lease times and client behavior that renews
the same IP address when the lease expires makes dynamic
addressing a null issue.
Thanks for listening.