Is this computer use a WSUS server for updates? If so, that WSUS server may not be set to automatically approve those patches. Just a thought.

Also make sure the computer is set to automatically update other Microsoft products, not just Windows, maybe those patches are for Office or something.

Bingo!  Microsoft Update wasn't installed so when I clicked on "Windows Update", it wasn't checking for updates for everything else.  Installing Microsoft Update and running the check again shows all the updates.  Thanks!

I wish I had an WSUS server (or a domain environment).  It would make ensuring Microsoft Update is on these other 51 computers go so much faster/easier...

Should be able to run WSUS on a DC so long as you aren't using it for anything else.  Hell I've had Small Business Servers running Exchange, DC activity and WSUS along with file and print servers.  Of course this goes against everything MS says to do with Servers but then again that is their own product doing it.  Ugh, I hate SBS, but it proves how much a single box can do in a small environment.  Not to mention it is very affordable for Small Business.  Even more so if you are a non-profit.  A friend of mine gets enterprise class licensing for a fraction of the cost that a big enterprise would pay.  Yay for non-profits!

Once you go with WSUS, you will need to tweak and also make sure you only bring down the languages you need, by default it downloads ALL language packs of the patches.

Typically, once you setup a Domain Controller and WSUS server, you would make a Group Policy that tells all the workstations on the domain to get updates only from the WSUS server. If many of the computers on your network are personally owned, then it may be difficult to get each person to agree to putting it on the Windows domain, and then there's also the fact that they would not be able to get updates except when they have access to your WSUS server.

Technically, they wouldn't have to login to Active Directory. The workstations could be joined to the domain, make use of the Group Policies, and still use local logins. However, in that case, you could probably just make a registry change on each computer to get updates from your WSUS server instead of going through all the trouble of joining a domain and setting up Group Policies.

It's a matter of "choose your battle."

This is exactly why a domain environment hasn't been approved.  It's not so much how many personally owned laptops, but who uses them...


I think I've come across how to make the changes in the registry to have them use a WSUS server for updates, but changing registry settings on each and every computer on the network (nearly 200 of them) doesn't sound like much fun.  Plus, I've been told that we'll eventually get to a domain environment, so I will be able to end up using a GPO to configure WSUS settings, it's just a matter of "when".

As for getting updates when machines are unable to access a WSUS server.  How does this work for mobile users who use business laptops that are configured for a domain?  Are you able to configure them to get updates directly from Microsoft if it's unable to access your WSUS?  I have this capability with our anti-virus software, that'd be great if a domain-enabled Windows laptop would do that same...


Exactly


Thanks for all these tips on configuring WSUS.  These will definitely come in handy and save me a lot of time/stress when we finally get there