Article ID: 945985 - Last Review: February 11, 2008 - Revision: 2.0

Software updates are not managed by Windows Small Business Server 2003 Update Services after you upgrade to Windows Server Update Services 3.0 Service Pack 1

View products that this article applies to.

System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.

SYMPTOMS

Consider the following scenario:

You make changes in the Windows Server Update Services (WSUS) 3.0 console, or you make changes in the WSUS 2.0 console.
You upgrade to WSUS 3.0 Service Pack 1 (SP1).
You try to open the Update Services node in the Microsoft Windows Small Business Server 2003 Administrator console.

In this scenario, you receive a message that resembles the following:

Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS).

For a list of specific settings that cause Windows SBS Software Update Services to turn off, see the Microsoft Web site. Even if WSUS is managing updates for your network, the accuracy of the status in the Windows SBS monitoring report or on the Update Services home page cannot be guaranteed. To use Windows SBS Update Services, reverse the changes that you have made to WSUS or reinstall Windows SBS 2003 R2 and WSUS 3.0

Back to the top

CAUSE

This issue occurs when one or more of the following conditions are true:

Under Automatic Approvals, the Default Automatic Approval Rule is enabled in Options.
Under Products and Classifications, All Microsoft Products is not selected in Options.
Under Synchronization Schedule, the Synchronize manually option is selected in Options.
Under Computers, the Use Group Policy or Registry settings on computers option is enabled in Options.
The Update Services service is stopped.

If these conditions do not apply, the Approve for Detection setting may have been disabled when you upgraded to WSUS 3.0 SP1. However, the option to change this is not available after you upgrade to WSUS 3.0 SP1. In this case, you must use a script to change the Approve for Detection setting.

Note You can still use the Windows Server Update Services 3.0 Administrators console to manage updates.

Back to the top

WORKAROUND

To work around this issue, you can use one of the following methods.

Back to the top

Method 1: Make the required changes in the WSUS 3.0 administrator console

If one or more of the conditions that are mentioned in the "Cause" section are true, follow these steps:

Under Automatic Approvals, make sure that the Default Automatic Approval Rule is disabled in Options.
Under Products and Classifications, make sure that the All Microsoft Products is selected in Options.
Under Synchronization Schedule, make sure that the Synchronize manually option is not selected in Options.
Under Computers, make sure that the Use Group Policy or Registry settings on computers option is disabled in Options.
If the Update Services service is not started. Follow these steps:
1. Click Start, point to Administrative Tools, and then click Services.
2. Right-click Update Services, and then click Start.

Back to the top

Method 2: Use a script to change the "Approve for Detection" setting

Copy the following script into a text file, and then use a .sql file name extension to save the file. For example, save the file as C:\FixR2.sql.

USE SUSDB
PRINT 'Using SUSDB';
GO

IF NOT EXISTS (SELECT * FROM dbo.tbAutoDeploymentRule WHERE ID = 2)
BEGIN
    PRINT 'Setting IDENTITY_INSERT to On';
    SET IDENTITY_INSERT tbAutoDeploymentRule ON;
    PRINT 'Inserting auto deployment rule';
    INSERT INTO dbo.tbAutoDeploymentRule(ID, Enabled, ActionID, Name) VALUES (2, 0, 0, 'Default Auto Approval Rule');
    IF @@ROWCOUNT = 0
        PRINT 'Warning: No rows were affected.';
    ELSE
        PRINT 'Rows were updated.';
    PRINT 'Setting IDENTITY_INSERT to Off';
    SET IDENTITY_INSERT tbAutoDeploymentRule OFF;
END
ELSE
    PRINT 'No work to do.  Record already exists.';
GO


--check automatic approval for detection
IF EXISTS (SELECT * FROM dbo.tbAutoDeploymentRule WHERE ID = 1 AND NAME = 'Scan AutoDeployment Rule' AND Enabled = 0)
	BEGIN
		PRINT 'Automatic Approval For Detection not enabled.';
		UPDATE dbo.tbAutoDeploymentRule SET Enabled=1 WHERE ID = 1
		IF @@ROWCOUNT = 0
			PRINT 'Warning: no rows were affected';
		ELSE
			PRINT 'Automatic Approval For Detection enabled.';
	END
ELSE
	PRINT 'Automatic Approval For Detection is already enabled';
GO

--check computer group target of approval for detection
IF NOT EXISTS (SELECT * FROM dbo.tbTargetGroupInAutoDeploymentRule WHERE AutoDeploymentRuleID = 1 AND TargetGroupID = 'a0a08746-4dbe-4a37-9adf-9e7652c0b421')
	BEGIN
		PRINT 'Target group of approval for detection is not "AllComputers"'		
		PRINT 'Inserting "AllComputers" group';
		BEGIN TRANSACTION;
			--delete all other computer groups assigned to this rule
			DELETE FROM dbo.tbTargetGroupInAutoDeploymentRule WHERE AutoDeploymentRuleID = 1
			INSERT INTO dbo.tbTargetGroupInAutoDeploymentRule(AutoDeploymentRuleID,TargetGroupID) VALUES(1,'A0A08746-4DBE-4A37-9ADF-9E7652C0B421')
		COMMIT TRANSACTION;
		IF @@error != 0
			PRINT 'Error: Insertion failed';
		ELSE
			PRINT '"AllComputers" Group added';
	END
ELSE


	PRINT '"AllComputers" is already the target group of approval for detection.';
GO

--check if "critical update" is in the auto approval classification
IF NOT EXISTS (SELECT * FROM dbo.tbUpdateClassificationInAutoDeploymentRule WHERE AutoDeploymentRuleID = 1 and UpdateClassificationID = 1)
	BEGIN
		PRINT 'Critical update is not in approval for detection classification'
		INSERT INTO dbo.tbUpdateClassificationInAutoDeploymentRule(AutoDeploymentRuleID,UpdateClassificationID) VALUES(1,1)
		IF @@ROWCOUNT = 0
			PRINT 'Warning: no rows were affected';
		ELSE
			PRINT 'Critical update is inserted to approval for detection classification';
	END
ELSE
	PRINT 'Critical update is already in approval for detection classification';

--check if "security update" is in the auto approval classification
IF NOT EXISTS (SELECT * FROM dbo.tbUpdateClassificationInAutoDeploymentRule WHERE AutoDeploymentRuleID = 1 and UpdateClassificationID = 5)
	BEGIN
		PRINT 'Security update is not in approval for detection classification'
		INSERT INTO dbo.tbUpdateClassificationInAutoDeploymentRule(AutoDeploymentRuleID,UpdateClassificationID) VALUES(1,5)
		IF @@ROWCOUNT = 0
			PRINT 'Warning: no rows were affected';
		ELSE
			PRINT 'Security update is inserted to approval for detection classification';
	END
ELSE
	PRINT 'Security update is already in approval for detection classification';

--check if "service pack " is in the auto approval classification
IF NOT EXISTS (SELECT * FROM dbo.tbUpdateClassificationInAutoDeploymentRule WHERE AutoDeploymentRuleID = 1 and UpdateClassificationID = 6)
	BEGIN
		PRINT 'Service pack is not in approval for detection classification'
		INSERT INTO dbo.tbUpdateClassificationInAutoDeploymentRule(AutoDeploymentRuleID,UpdateClassificationID) VALUES(1,6)
		IF @@ROWCOUNT = 0
			PRINT 'Warning: no rows were affected';
		ELSE
			PRINT 'Service pack is inserted to approval for detection classification';
	END
ELSE
	PRINT 'Service pack is already in approval for detection classification';

Click Start, click Run, type cmd, and then click OK.
At the command prompt, locate the following folder:
%programfiles% \Update Services\Setup
At the command prompt, type the following command, and then press ENTER:
executesql.exe -S MICROSOFT##SSEE -i C:\FixR2.SQL -l C:\Output.log

Back to the top

Method 3: Reinstall WSUS 3.0

Reinstall WSUS 3.0 by using the instructions in the "Uninstalling and reinstalling Windows Small Business Server 2003 R2 components on a server that is running WSUS 3.0" section of the Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003 white paper. To see this white paper, visit the following Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkId=89081 (http://go.microsoft.com/fwlink/?LinkId=89081)

Back to the top