Dear Guys, I have a question about update distribution in wsus. We have windows 2008 and wsus installed on it. It provides updates to 140 PC and approval mode is automatic. Imagine it gets 20 updates for windows 7. wsus installs 11 updates first and wsus pushes the PC to get the rest of them (9 updates) the next time the PC gets restarted. Why the PC doesn’t get whole updates once. Is there any priority order for updates to get installed? Thanks and regards, Bahman

The first thing to note, simply since it makes it easier to visualise the process, is that WSUS doesn't "push" anything to the PC. You can visualise the WSUS server as simply pretending to the Microsoft update servers, but one which you control. The client computer connects to WSUS and asks if there are any updates available, WSUS then responds with a list of available downloads relevant to that client (eg relevant and approved for install), and with that list the client will download those updates from WSUS. So WSUS can give a different response to different client machines depending on their individually configured approvals. When new updates are made available by Microsoft, the WSUS server will first download those that it requires for its clients, and if I remember correctly, only once ALL of those downloads have completed (eg the synchronisation process has completed), will WSUS report those updates as available to the client. At the client end I'm not 100% certain, but I believe Windows will start reporting that there are updates available as soon as it has the first one downloaded (depending on your settings obviously), so I think it's quite possible to do a batch of installations and reboot before the entire batch has completed downloading, in which case you would obviously get another prompt once the remaining updates have downloaded. Additionally, some updates may have dependancies on each other, or need to be installed separately from each other (for instance many service packs, new versions of IE etc need to be installed on their own), which could explain why not all updates are installed on the client machine in one go.

Sorry, after all that I forgot the part of your query about priorities. No, certainly as far as I'm aware the client side (remember it's the client that controls the download not WSUS) of things doesn't have any priority system. In terms of things like update classifications, eg critical, important etc, that you might want to prioritise, essentially those are purely guidance from Microsoft. Depending on your setup a "critical" update might be critical or it might not really matter at all since there's no risk, so that judgement is left to you as WSUS admin rather than trying to determine that automatically.

Imagine it gets 20 updates for windows 7. wsus installs 11 updates first and wsus pushes the PC to get the rest of them (9 updates) the next time the PC gets restarted. Why the PC doesnt get whole updates once. Almost always this is a function of the coordination (or lack thereof) between the WSUS server downloading updates files and their availablility to the client to be detected/downloaded. If the WSUS server has not downloaded files for all approved updates when a client performs a detection, the client will only be able to download the files that do exist on the WSUS server. This results in the client only getting part of the updates for one installation cycle, and then getting the rest of the updates for the next installation cycle. The 'fix' for this is to provide sufficient advance notice between the approval event and the installation event so that the WSUS server can download all of the update files and the clients have time to execute detections after those downloads are completed. Having the client execute detections more frequently can also help, as well as approving smaller numbers of updates at one time. With respect to the question about prioritization, this is how you would implement that prioritization. Approve the Security Updates first, and the non-security updates later, thus ensuring that all of the security updates are downloaded before the download queue gets backed up with non-security updates. Creating an empty target group and approving updates for the empty target group can also help manage the downloads to the WSUS server without making the updates available to the clients. Then, when the downloads to the WSUS server are complete, add the approvals for the populated/production target groups, and the WSUS download is no longer a factor that affects the client behavior. Is there any priority order for updates to get installed? From the client side, no. Updates are installed in a random and unpredictable order. The only way to control the installation order of updates is to control the availability of those updates to the client through the approval process.Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA SolarWinds Head Geek Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013) My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin http://www.solarwinds.com/gotmicrosoft The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.