Green Check, Meet Blue Check


 

Most people in the SBS space by now have heard about the “Green Check”.  From https://www.microsoft.com/windowsserver2003/sbs/r2/default.mspx:

 

The “green check” of software health indicates that your computers running Microsoft software are up to date or the daily report details actions necessary for attaining “green check” status.

 

The idea behind the Green Check is that you can look at the Update Services node in Server Management and quickly see if all machines are successfully patched and up to date.  On most networks, this will be the case.  However, there are certain configurations that will put your SBS box into advanced management mode for WSUS, which results in the Update Services node showing a blue check with instructions to configure and monitor your WSUS settings through the native Windows Server Update Services management interface (https://server:8530/wsusadmin).  We’ll return in later posts to the various causes and conditions that will generate a yellow check state; this article will focus exclusively on the blue check.

 

The display will be similar to this:

 

Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS). For a list of specific settings that cause Windows SBS Update Services to turn off, see the Microsoft Web site. Even if WSUS is managing updates for your network, the accuracy of the status in the Windows SBS monitoring report or on the Update Services home page cannot be guaranteed. To use Windows SBS Update Services, reverse the changes that you have made to WSUS or reinstall Windows SBS 2003 R2.

 

In addition, your Server Performance Reports email will display a similar message (the details section in the email will show the identical message above):

 

 

 

Clicking on “Change Update Services Settings” on the left-hand side of the Update Services snap-in will display this dialog:

 

---------------------------
Update Services Settings
---------------------------
Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS). For a list of specific settings that cause Windows SBS Update Services to turn off, see the Microsoft Web site https://go.microsoft.com/fwlink/?LinkId=65708. Even if WSUS is managing updates for your network, the accuracy of the status in the Windows SBS monitoring report or on the Update Services home page cannot be guaranteed. To use Windows SBS Update Services, reverse the changes that you have made to WSUS or reinstall Windows SBS 2003 R2.
---------------------------
OK
---------------------------

 

The SBS Update Services interface displays the blue check when WSUS is configured in a non-standard setting for an SBS network.  The settings that will require native WSUS management are relatively rare, and most SBS admins probably will never need to change these settings.  For those admins who do have a business need to modify the default R2 WSUS install, the key take-away I want to leave you with is that nothing is broken; you simply need to use the native UI to manage your server.  The other group who will receive the blue check are those admins who were exploring/experimenting/tweaking/ makingmodificationstotheircriticalbusinesssystemswithoutmakingabackupfirstbadadminbad.  This article is for those users.  Here are the changes that will cause you to go from green to blue:

 

  • The Approve for Detection option is not enabled for the All Computers group in WSUS 2.0.
  • The list of products to download updates for is not set to All Microsoft products.
  • The Target mode option is set to Server Mode in WSUS 2.0.
  • The WSUS service has been stopped.
  • The update classifications do not have critical and security updates and service packs checked.
  • Approve for installation is checked.
  • The Approve for Detection classifications section does not have critical and security updates and service packs checked.
  • Synchronize manually is set.

 

Here’s how to back out each of the changes above to get you back to the state where you can use the SBS Update Services UI:

 

The Approve for Installation option is enabled for the All Computers group in WSUS 2.0.

 

Where the setting above is for detection, this setting is for approval of updates.  Again, the setting must apply to all computers:

 

 

 

The solution is the same as above: click on Add/Remove Computer Groups… and make sure that “All Computers” is checked.  Click OK and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.

 

The list of products to download updates for is not set to All Microsoft products.

 

You will find this setting by browsing to https://server:8530/wsusadmin/, clicking on Options, and then clicking on Synchronization Options.  Under “Products and Classifications”, locate the “Products:” setting.  It should be set to “All Microsoft Products”:

 

 

 

To change this, click on “Change…” and select Microsoft at the top left-hand side of the Add/Remove Products dialog.

 

 

Click OK and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.

 

 

The Target mode option is set to Server Mode in WSUS 2.0.

 

There are two main modes for WSUS computer targeting – client-side and server-side targeting.  With server-side targeting, you use the Move the selected computer task on the Computers page in the WSUS admin to move one or more client computers.  With client-side targeting, you use Group Policy or manually edit the registry on each client computer to add those computers automatically to the appropriate computer groups.  SBS configures WSUS to use server-side targeting.  This setting is found under Options, Computer Options.  The correct setting is “Use the Move computers task in Windows Server Update Services”.

 

 

Change the radio button setting and then click Save Settings on the left-hand side of the WSUS admin web site to save and apply.

 

 

The WSUS service has been stopped

 

This error throws a very specific message:

 

The Windows Server Update Services Service is not running.

 

 

This is because the Update Services service is stopped and/or disabled.  This service should be set to Automatic as in the screenshot below:

 

 

Start the service and refresh the console to get past this error.

 

 

 

The update classifications do not have critical and security updates and service packs checked.

 

SBS Update Services requires that at least Critical Updates, Security Updates, and Service Packs are selected under Synchronization Options, Products and classifications, update classifications:

 

Default:

 

Minimum:

 

Adding other update classifications will not result in the blue check, but removing any of these three settings will:

 

 

Click OK and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.

 

 

Approve for installation is checked.

 

SBS has its own approval process via Scheduled Tasks – the Update Services auto approval task:

 

 

Therefore, we do not support using the SBS Update Services in conjunction with the WSUS native “Approve for Installation” settings.  Clicking this check box will put you into advanced management mode:

 

 

To resolve this, uncheck the checkbox next to “Automatically approve updates for installation by using the following rule:” and then click on Save settings.

 

 

The Approve for Detection classifications section does not have critical and security updates and service packs checked.

 

SBS Update Services requires that Critical Updates, Security Updates, and Service Packs all be automatically set to approve for detection.  Unchecking any of these will result in a blue check.  Adding other classifications to approve for detection will not result in a blue check.  This setting is located under WSUS Admin, Options, Automatic Approval Options.  A default install looks like this:

 

 

To change this, click on “Add/Remove Classifications…” and make sure that at least these three settings are selected:

 

 

 

 

Click OK and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.

 

 

Synchronize manually is set

 

By default, when WSUS is first installed, synchronization is set to manual until you either click on Change Update Services Settings in the Server Management Update Services node or configure it manually through the WSUS admin.  SBS Update Services requires that the server be set to synchronize automatically.  The default time is set to 10:00 PM daily.  The time can be changed to whatever you prefer, but synchronize manually cannot be selected.

 

 

To change this setting, click on Options, click on Synchronization Options, and then choose “Synchronize daily at: 7:00PM”.  Click Save Settings on the left-hand side.

 

NOTE:  You should initiate synchronization through the SBS Update Services snap-in rather than through the WSUS admin.

 

Various changes that will NOT give a “Blue Check”

 

This is by no means a canonical list, but here are the most common changes that will not put your server into advanced management mode:

 

  • Changing language settings (adding additional languages or choosing “Download updates in all languages, including new languages”).  SBS will automatically add languages based on client language settings.

  • Changing the synchronization time (“Synchronize daily at: _____”).  This should be done through the SBS Update Services UI, however.
  • Removing update classifications other than Critical Updates, Security Updates, and Service Packs.
  • Adding update classifications other than Critical Updates, Security Updates, and Service Packs to Synchronization Options, Update classifications.
  • Adding an upstream proxy server under Synchronization Options, Proxy Server.
  • Changing the Update Source under Synchronization Options, Update Source.