WSUS: Service Packs may be reported as not applicable even though they are installed

WSUS: Service Packs may be reported as not applicable even though they are installed

  • Comments 2
  • Likes

The question about how Service Packs are reported is one that seems to come up all the time, and understandably so because it can be very confusing if you don't understand what's really going on.  Fortunately our very own Joe Tindale wrote up a great explanation that I thought I'd share today:

========

Why is it that when clients send status reports they may report service packs as "not applicable" even though the service pack is really "installed"?

Ideally we would want the service pack to get reported as "installed" but certain variables may cause the service pack to ultimately show up as "not applicable". In most cases the client may install the service pack from WSUS so we know at one point the service pack was "needed", however once installed the service pack may report as "installed" for some time and then eventually be lumped into the "not applicable" category.

****UPDATE****

The reason for this is because at times WSUS can have a hard time distinguishing between not-applicable and installed and may not get it right for service packs due to the way they happen to be authored.  Moving forward we are going to make some changes to ensure service packs are authored in a way to prevent this issue from happening again.  In the meantime it would help to understand that WSUS is not a auditing tool and was not designed as such.  WSUS is a security compliance tool and that’s why in all the summary reports (e.g. per computer summary) we lump “installed” and “not applicable” together.  For example, when you look at the details pane for a computer you'll see a count for the number of updates that are either installed or not applicable. The key here is that both states represent “not needed”, and since WSUS is a security compliance tool, having an update fall into either "not applicable" or "installed" shows that the computer is compliant with regards to that update.

****UPDATE****

So what's the bottom line?  As long as you understand that "installed" and "not applicable" both represent compliant you are OK.

========

Hopefully this sheds a little more light on what can be a confusing issue.  Thanks Joe!

J.C. Hornbeck | Manageability Knowledge Engineer

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • PingBack from http://www.ditii.com/2008/08/27/wsus-clients-reports-service-packss-as-not-applicable-even-though-they-are-installed/

  • I disagree that "not applicable" equates to compliant.  I have a WSUS server (3.0sp2, disconnected) that I've been feeding updates to for more than a year via the backup/restore method and now the August 2010 updates (I.E. and O/S) that are applicable to XP are listed as "not applicable" for XP clients, but within the same batch of updates, WSUS did push updates to the system on which it is installed (Server 2003).  Also, WSUS did correctly push MS Office updates, but for some reason the clients/server believe that the other updates aren't applicable.