The Yellow shield that’s always there


I’m probably the only business owner of an R2 box that sees that.  It’s the nearly daily “Yellow Shield” I get in the daily monitoring email that tells me that I probably need to go into the console and approve the Defender update.  Or the IMF update.  Or the Forefront update.  Or whatever future product may have a defintion change.  Lord help the firm that installs an Exchange 2007 box behind a SBS 2003 R2 system as those 2007 IMFs come out ALL THE TIME .  And why am I the only business owner that sees that? Because every var/vap I talk to that controls R2 boxes say that they don’t send that email to the client.  They can’t.  There’s no advertised “Green Check of health” in the box.  They’ve all said they’ve stopped sending the emails to the clients as it leads to questions they can’t answer.


When I blogged about the Best practice of setting Defender Updates to auto update that an R2 box can’t do I forgot about two others…. Exchange IMF updates and upcoming Forefront updates.


So here’s this box that advertises as making patching easier…. and quite frankly in this area it makes it harder.  Someone was asking me the other day “So how can I position patch management to make money for a business”…. and I had to stop and think and honestly say… it doesn’t.  And especially not when you’ve got either a var/vap or an in house guy having to rdp to the server on a near daily basis and approve the defintion files.  Not to mention, it puts the firm at risk should someone not be there to do this. 


And what are larger, more cost conscious var firms doing?  Not using the R2 WSUS and instead using Kasaya or other tools to patch and control.


Because every time that yellow shield shows up…. it costs.


Which is why most have stopped sending it to their clients…..because it’s a visual evidence that patching costs….. too much on an R2 box.

3 Thoughts on “The Yellow shield that’s always there

  1. I hate to say “I told you so” since I never actually did tell you anything back when R2 came out, but “I thought about telling you so”

    I have SBS 2003 SP1 with WSUS running nicely and didn’t really see the need to update then, and especially now. However, I thought there’s a way (somewhat crude, but yet still there) to autoaccept definition updates? The downside is it’s autoaccepted for EVERYTHING listed as a definition, no way to filter and say “give me just Defender updates, skip IMF and give me weekly Forefront updates”. It seems to be an all or nothing proposition.

    Am I wrong?

  2. bradley on February 24, 2007 at 9:18 am said:

    There is no way to auto approve them at all.

    Update Level
    When you install Update Services, Setup configures a default update level for automatic approval of updates for the Server Computers group and the Client Computers group. The update level is the level of automatic approval that you want for a computer group. The available update levels for the Server Computers group and the Client Computers group are:

    Update level Action
    High
    Approve all security and critical updates and all service packs for installation.

    Default setting for the Client Computers group.

    Medium
    Approve all security and critical updates for installation.

    Default setting for the Server Computers group.

    Low
    Approve all security updates for installation.

    None
    Do not automatically approve updates.

  3. The “green check” is a nice idea but the concept is flawed. The green check is fine for consumer products but not for something that is professionally managed – like SBS. I don’t yet have any customers on SBS R2 but my own server is. I stopped using the WSUS integration almost immediately, because I didn’t like the presets. I manage WSUS manually. I can live without a green check.

Post Navigation