WSUS: So why do updates offered on Windows Update differ from those WSUS reports as needed?


Joe Tindale, one of our top gun WSUS Support Escalation Engineers, recently wrote up a good explanation of why the updates offered by Windows Update or Microsoft Update may differ from the number reported by WSUS as being 'Needed'. If you've ever seen this and wondered why, take a look below:


Issue: You may see a difference between the number of updates offered via Microsoft Update and the updates reported by WSUS as needed.

Example: We took a machine and scanned that machine against Microsoft Update (MU) and then created a report within WSUS to list all the "needed" updates. WSUS reported 31 updates as "needed" but MU offered fewer. Here are some examples of where they differed:

907417 <------ this shows up because it was a duplicate on the server - two different versions of the same update.  MU offers 1
890830 <------ this update is superseded by a later version (MU only offers the latest)
890830 <------ this update is superseded by a later version (MU only offers the latest)
890830 <------ this update is superseded by a later version (MU only offers the latest)

So to summarize, WSUS is going to label all updates within a supersedence chain (i.e., MSRT v1, MSRT v2, MSRT v3) as needed, whereas MU will only offer the latest update within that chain (i.e., MSRT v3). Also, when scanning against MU, if you use the "express" scan you will only be offered "high-priority updates", whereas if you use the "custom" scan you can view both "high-priority updates" and "optional updates".

WSUS reports on updates within both of the MU categories. High-priority updates will be security fixes and critical bug fixes, while optional updates are going to be tools, drivers, add-ins and other non-security/non-critical fixes. Another variable could be the fact that a WSUS server may have duplicate updates. In the above example, we had two KB907417 updates on the server. Even though they have the same KB article number, they had different update IDs, so they are treated as two totally different updates. You can get into this state by syncing from various servers, such as syncing with MU and then with an upstream server, etc.

To verify in your environment, perform a "custom" scan against MU and copy and paste the updates offered (high-priority and optional) and then create a report for this client with all the updates labeled as "needed". Use the export option within that report to export the report to Excel. Now you can research the differences and add any notes to the Excel spreadsheet as to why these differences exist. 
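The research step above can be scripted once the report is exported. The PowerShell below is an added example, not code from this post or from the WSUS product; it assumes the export carries a KB, UpdateId, Classification and SupersededBy column (the UpdateId of the newer update in the chain, which the WSUS console shows as "Superseded by"), and the UpdateIds, the MU scan list and KB111111 are constructed placeholders.

```powershell
# Constructed sample of a WSUS "needed" report for one client. KB907417 and KB890830
# are the cases from the post; KB111111 is a hypothetical optional update. UpdateIds
# are placeholders, not real WSUS identifiers.
$wsusNeeded = @(
    [pscustomobject]@{ KB='907417'; UpdateId='ID-1'; Classification='Critical Updates'; SupersededBy=$null }
    [pscustomobject]@{ KB='907417'; UpdateId='ID-2'; Classification='Critical Updates'; SupersededBy=$null }
    [pscustomobject]@{ KB='890830'; UpdateId='ID-3'; Classification='Security Updates'; SupersededBy='ID-4' }
    [pscustomobject]@{ KB='890830'; UpdateId='ID-4'; Classification='Security Updates'; SupersededBy='ID-5' }
    [pscustomobject]@{ KB='890830'; UpdateId='ID-5'; Classification='Security Updates'; SupersededBy=$null }
    [pscustomobject]@{ KB='111111'; UpdateId='ID-6'; Classification='Tools';            SupersededBy=$null }
)
# KB numbers pasted from the MU "custom" scan of the same client (constructed).
$muOffered = @('907417', '890830')

function Get-WsusMuDiscrepancy {
    param([object[]]$Needed, [string[]]$Offered)
    # The two MU categories the post describes as high-priority.
    $highPriority = 'Security Updates', 'Critical Updates'
    # Count the live (not superseded) UpdateIds per KB to spot the duplicate case.
    $liveByKb = @{}
    foreach ($u in $Needed) {
        if (-not $u.SupersededBy) { $liveByKb[$u.KB] = 1 + [int]$liveByKb[$u.KB] }
    }
    foreach ($u in $Needed) {
        $note = if ($u.SupersededBy) {
            "Superseded by $($u.SupersededBy): WSUS flags the whole chain, MU offers only the latest"
        } elseif ($liveByKb[$u.KB] -gt 1) {
            "Duplicate: $($liveByKb[$u.KB]) UpdateIds share KB$($u.KB) on this server, MU offers 1"
        } elseif ($Offered -contains $u.KB) {
            'Offered by MU as well'
        } elseif ($highPriority -notcontains $u.Classification) {
            "Optional ($($u.Classification)): an express MU scan would not list it; check the custom-scan optional list"
        } else {
            'High-priority and not offered by MU: investigate (sync, approval or detection problem)'
        }
        [pscustomobject]@{ KB = $u.KB; UpdateId = $u.UpdateId; Note = $note }
    }
}

# Write the annotated list next to the exported report for further research.
Get-WsusMuDiscrepancy -Needed $wsusNeeded -Offered $muOffered |
    Export-Csv -Path .\wsus-vs-mu-notes.csv -NoTypeInformation
```

The last branch is the one worth chasing: a high-priority update that WSUS says is needed but MU never offers (or the reverse) points at a sync or detection problem rather than at the expected supersedence and category differences.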

The bottom line is that while you may see a different number of updates depending on how you scan, each is technically correct in its own way and each should ensure you get the updates you need.


Thanks Joe!

J.C. Hornbeck | Manageability Knowledge Engineer


  • There is a discrepancy between how WSUS detects the needed updates and Windows Update detects them.  Case in point: We ran the Microsoft Baseline Security Analyzer against a workstation right after we released the current batch of Microsoft patches in WSUS.  Everything WSUS had offered was approved.  The Baseline Security Analyzer came up with 4 patches WSUS didn't even list: KB974234, KB969559, KB973709, and KB954430.  The categories in WSUS these 4 patches fell under were checked, so WSUS should have detected we needed them.  A search of WSUS under ALL PATCHES, under both Declined (Show Any) and All Except Declined (Show Any) did not find those four patches, so WSUS never detected/downloaded them.  Makes me wonder how many other patches we've trusted WSUS to give us that it didn't...

  • To help reduce the number of unapproved updates I created a new view and then selected all the programs that were not applicable to me or my network. Then simply disapprove all the updates in that view.

  • Is there any particular advantage to the discrepancies between WSUS and MU?  It seems that this only introduces confusion....

  • Yes, in our environment we abandoned WSUS as after all WSUS updates were installed and after reboot, Windows Update always reported more updates available. WSUS was synchronized and auto approved for Critical Updates and Security Updates.

    In the end we started with WUInstall for the servers and then got BMC Patch Management for clients.