다음을 통해 공유

Green Check, Meet Blue Check

Green Check, Meet Blue Check


Most people in the SBS space by now have heard about the “Green Check”.  From https://www.microsoft.com/windowsserver2003/sbs/r2/default.mspx:


The “green check” of software health indicates that your computers running Microsoft software are up to date or the daily report details actions necessary for attaining “green check” status.


The idea behind the Green Check is that you can look at the Update Services node in Server Management and quickly see if all machines are successfully patched and up to date.  On most networks, this will be the case.  However, there are certain configurations that will put your SBS box in to advanced management mode for WSUS, which results in the Update Services node showing a blue check with instructions to configure and monitor your WSUS settings through the native Windows Server Update Services management interface (https://server:8530/wsusadmin).  We’ll return in later posts to the various causes and conditions that will generate a yellow check state; this article will focus exclusively on the blue check.


The display will be similar to this:


Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS). For a list of specific settings that cause Windows SBS Update Services to turn off, see the Microsoft Web site. Even if WSUS is managing updates for your network, the accuracy of the status in the Windows SBS monitoring report or on the Update Services home page cannot be guaranteed. To use Windows SBS Update Services, reverse the changes that you have made to WSUS or reinstall Windows SBS 2003 R2.


In addition, your Server Performance Reports email will display a similar message (the details section in the email will show the identical message above):




Clicking on “Change Update Services Settings” on the left-hand side of the Update Services snap-in will display this dialog:


--------------------------- Update Services Settings --------------------------- Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS). For a list of specific settings that cause Windows SBS Update Services to turn off, see the Microsoft Web site https://go.microsoft.com/fwlink/?LinkId=65708. Even if WSUS is managing updates for your network, the accuracy of the status in the Windows SBS monitoring report or on the Update Services home page cannot be guaranteed. To use Windows SBS Update Services, reverse the changes that you have made to WSUS or reinstall Windows SBS 2003 R2. --------------------------- OK ---------------------------


The SBS Update Services interface displays the blue check when WSUS is configured in a non-standard setting for an SBS network.  The settings that will require native WSUS management are relatively rare, and most SBS admins probably will never need to change these settings.  For those admins who do have a business need to modify the default R2 WSUS install, the key take-away I want to leave you with is that nothing is broken; you simply need to use the native UI to manage your server.  The other group who will receive the blue check are those admins who were exploring/experimenting/tweaking/ makingmodificationstotheircriticalbusinesssystemswithoutmakingabackupfirstbadadminbad.  This article is for those users.  Here are the changes that will cause you to go from green to blue:


The Approve for Detection option is not enabled for the All Computers group in WSUS 2.0.

The list of products to download updates for is not set to All Microsoft products.

The Target mode option is set to Server Mode in WSUS 2.0.

The WSUS service has been stopped

The update classifications does not have critical and security updates and service packs checked.

Approve for installation is checked.

The Approve for Detection classifications section does not have critical and security updates and service packs checked.

Synchronize manually is set


Here’s how to back out each of the changes above to get you back to the state where you can use the SBS Update Services UI:


The Approve for Installation option is enabled for the All Computers group in WSUS 2.0.


Where the setting above is for detection, this setting is for approval of updates.  Again, the setting must apply to all computers:




The solution is the same as above, click on Add/Remove Computer Groups… and make sure that “All Computers” is checked.  Click OK and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.


The list of products to download updates for is not set to All Microsoft products.


You will find this setting under https://server:8530/wsusadmin/ and clicking on Options, then clicking on Synchronization Options.  Under “Products and Classifications”, locate the “Products:” setting.  It should be set to “All Microsoft Products”:




To change this, click on “Change… ” and select Microsoft at the top left hand side of the Add/Remove Products dialog.



Click OK and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.



The Target mode option is set to Server Mode in WSUS 2.0.


There are two main modes for WSUS computer targeting – client-side and server-side targeting.  With server-side targeting, you use the Move the selected computer task on the Computers page in the WSUS admin to move one or more client. With client-side targeting, you use Group Policy or  manually edit the registry on each client computer to add those computers automatically to the appropriate computer groups.  SBS configures WSUS to use server-side targeting.  This setting is found under Options, Computer Options.  The correct setting is “Use the Move computers task in Windows Server Update Services”.



Change the radio button settings and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.



The WSUS service has been stopped


This error throws a very specific message:


The Windows Server Update Services Service is not running.



This is because the Update Services service is stopped and/or disabled.  This service should be set to Automatic as in the screenshot below:



Start the service and refresh the console to get past this error.




The update classifications does not have critical and security updates and service packs checked.


SBS Update Services requires that at least Critical Updates, Security Updates, and Service Packs are selected under Synchronization Options, Products and classifications, update classifications:






Adding other update classifications will not result in the blue check, but removing any of these three settings will:



Click OK and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.



Approve for installation is checked.


SBS has its own approval process via Scheduled Tasks – the Update Services auto approval task:



Therefore, we do not support using the SBS Update Services in conjunction with the WSUS native “Approve for Installation” settings.  Clicking this check box will put you in to advanced management mode:



To resolve this, uncheck the checkbox next to “Automatically approve updates for installation by using the following rule:” and then click on Save settings.



The Approve for Detection classifications section does not have critical and security updates and service packs checked.


SBS Update Services requires that Critical Updates, Security Updates, and Service Packs all be automatically set to approve for detection.  Unchecking any of these will result in a blue check.  Adding other classifications to approve for detection will not result in a blue check.  This setting is located under WSUS Admin, Options, Automatic Approval Options.  A default install looks like this:



To change this, click on “Add/Remove Classifications… ” and make sure that at least these three settings are selected:





Click OK and then Save Settings on the left-hand side of the WSUS admin web site to save and apply.



Synchronize manually is set


By default, when WSUS is first installed synchronization is set to manual until you either click on Change Update Services Settings in the Server Management Update Services node or configure it manually through the WSUS admin.  SBS Update Services requires that the server be set to synchronize automatically.  The default time is set to 10:00 PM daily.  The time can be changed to whatever you prefer, but synchronize manually cannot be selected.



To change this setting, click on Options, click on Synchronization Options, and then choose “Synchronize daily at: 7:00PM”.  Click Save Settings on the left-hand side.


NOTE:  You should initiate synchronization through the SBS Update Services snap-in rather than through the WSUS admin.


Various changes that will NOT give a “Blue Check”


This is by no means a canonical list, but here are the most common changes that will not put your server in to advanced management mode:


Changing language settings (adding additional languages or choosing “Download updates in all languages, including new languages”).  SBS will automatically add languages based on client language settings.

  • Change the synchronization time (“Synchronize daily at: _____”).  This should be done through the SBS Update Services UI, however.
  • Removing update classifications other than critical update, security updates, and service packs
  • Adding update classifications other than Critical Updates, Security Updates, and Service Packs to Synchronization Options, Update classifications.
  • Adding an upstream proxy server under Synchronization Options, Proxy Server.
  • Changing the Update Source under Synchronization Options, Update Source.


  • Anonymous
    January 01, 2003
    ...because you messed around with the settings in the native WSUS console... never fear... read this

  • Anonymous
    January 01, 2003
    Mark and the SBS blog has the definitive "must keep" blog post for the R2 era... the "how to get rid...

  • Anonymous
    January 01, 2003
    PingBack from http://www.hilpers.com/1208367-wsus-im-sbs-2003-rc2

  • Anonymous
    January 01, 2003
    [Today's tip comes to us from Damien Leibaschoff] Please note that this is an ongoing issue that is under

  • Anonymous
    January 01, 2003
    I know this has happened to me, and a partner contacted me last week and it had happened to them. The

  • Anonymous
    January 01, 2003
    From the Windows Defender newsgroup:
    You may have already seen our blog posting on this but...

  • Anonymous
    January 01, 2003
    I've come to the conclusion that I must be the only SBSer in the blogosphere that uses the R2 patching

  • Anonymous
    July 14, 2006
    Nice work, Mark :-)

    Thanks very much for this.

  • Anonymous
    July 14, 2006
    Good article guys. One nitpick though... it's not a check. How can you call it a blue check? Putting aside the anglo-US thing (...you say check, we say tick...) it's a question mark! Blue Hook maybe? Blue Shield? ;-)

  • Anonymous
    July 14, 2006

    Good point.  I will re-christen it the "blue questionmark of death" :)

  • Anonymous
    July 17, 2006
    Official KB is now available http://support.microsoft.com/kb/921910

  • Anonymous
    December 01, 2015
    Thanks for the great info. I really loved this. I would like to apprentice at the same time as you amend your web site, how could i subscribe for a blog site?
    For more info on showbox please refer below sites:
    Latest version of Showbox App download for all android smart phones and tablets. http://movieboxappdownloads.com/ - It’s just 2 MB file you can easily get it on your android device without much trouble. Showbox app was well designed application for android to watch movies and TV shows, Cartoons and many more such things on your smartphone.
    For showbox on iOS (iPhone/iPad), please read below articles:
    Showbox for PC articles:
    There are countless for PC clients as it is essentially easy to understand, simple to introduce, gives continuous administration, effectively reasonable. it is accessible at completely free of expense i.e., there will be no establishment charges and after establishment it doesn't charge cash for watching films and recordings. Not simply watching, it likewise offers alternative to download recordings and motion pictures. The accompanying are the strides that are to be taken after to introduce Showbox application on Android. The above all else thing to be done is, go to the Security Settings on your Android telephone, Scroll down and tap on 'Obscure sources'.