2012 Server does not adhere to WSUS deadline

    Question

  • Yesterday I approved WSUS updates like we have in the past to our SERVERS target group and set the deadline to occur on 11/10/13 at 3:00 AM CST.

    Two of our file servers running Windows Server 2012 Standard installed the updates starting at 3:00 AM CST last night instead of on Sunday. We can see in the registry even just 6 minutes prior to the updates installing an event that states


    11/6/2013 3:00:24 AM CST

    Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Sunday, November 10, 2013 at 3:00 AM.

    Followed by some events after indicating that updates have started to install:

    11/6/2013 3:05:10 AM CST

    Installation Successful: Windows successfully installed the following update: Security Update for Microsoft Silverlight (KB2890788)

    Then at 3:15:49 AM CST this event is logged along with the same list of updates that were listed in the event logged at 3:00:24 AM.

    Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes:

    We are trying to figure out why only two servers in the same OU with the same policy and target group applied as the rest of the servers started installing the updates 5 days early. We have a mix of 2003/2008 R2 and several other 2012 servers that all did not reboot last night or install any updates. Only two servers.

    We are running WSUS 3.2.7600.226

    Any ideas what could have caused this?

    Wednesday, November 06, 2013 3:51 PM

Answers

  • The server in question, its WSUS GPO is set to only install updates on SUNDAY @ 3am

    Aha! A core misunderstanding of the patch management behavior of WS2012!

    Windows 8 and Windows Server 2012 do not support the concept of a *weekly* installation event. Never have.

    Win8/WS2012 only support a DAILY event, so the updates were downloaded and installed at 3am on the NEXT DAY after approval.

    My original observation still stands though: I'm quite surprised you have not encountered this behavior previously.

    FWIW... my answer as given above is still 100% accurate, however it was based on a misunderstanding of the actual situation and thus I did not expand upon the daily vs weekly scenario.

    You mentioned a Sunday deadline, but failed to mention that the scheduled installation event was actually configured to be weekly. Ergo my point was that your deadline was irrelevant because the next installation opportunity was the next morning, at 3am, which for WS2012 is absolutely true in that only daily events are supported.

    The reason none of your other servers did that is because they're not WS2012 servers and it's an apples-to-oranges comparison. WS2008R2 and earlier DO support WEEKLY installation events.

    [ADDITIONAL 11/10/13]: Don's link to the blog post above, and specifically to the installation of KB2885694 (released Oct 8, 2013), is definitely relative in this scenario. After applying KB2885694, WS2012 systems will respect the AUOption='4' scheduled installation date/time settings rather than installing updates during the daily automatic maintenance event.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence R Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.



    Friday, November 08, 2013 10:46 PM
    Moderator
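
The condition described in this answer can be checked on each host. The following PowerShell function is an added example, not code from the thread or from Microsoft: it reads the Windows Update policy values and flags a Windows 8 / Server 2012 host that has a weekly schedule configured but does not list KB2885694. The function name and verdict wording are this example's own, and it assumes the policy is delivered through the standard Windows Update Group Policy registry key.

```powershell
# Added example: audit whether this host is expected to honor a weekly
# scheduled install. Get-WuScheduleAudit is a hypothetical name.
function Get-WuScheduleAudit {
    # Standard Group Policy location for Automatic Updates settings
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    # ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday
    $days  = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

    $au  = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version

    # Windows 8 and Windows Server 2012 both report version 6.2
    $isWin8Family = ($ver.Major -eq 6 -and $ver.Minor -eq 2)

    # Assumption: the rollup appears in the hotfix list under this KB number.
    # A later rollup may supersede it, so treat "missing" as a prompt to verify.
    $hasKb = [bool](Get-HotFix -Id 'KB2885694' -ErrorAction SilentlyContinue)

    $auOption = if ($au) { $au.AUOptions } else { $null }
    $day      = if ($au) { $au.ScheduledInstallDay } else { $null }
    $time     = if ($au) { $au.ScheduledInstallTime } else { $null }
    $weekly   = ($auOption -eq 4 -and $day -ge 1 -and $day -le 7)

    $verdict = if (-not $au) {
        'No Windows Update policy found under the AU key'
    } elseif ($auOption -ne 4) {
        'AUOptions is not 4: no scheduled install is configured'
    } elseif ($isWin8Family -and -not $hasKb -and $weekly) {
        'RISK: weekly schedule set, KB2885694 not listed: expect install at the next daily event'
    } elseif ($isWin8Family -and -not $hasKb) {
        'Daily schedule, KB2885694 not listed'
    } else {
        'Scheduled install day and time are expected to be honored'
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OSVersion   = $os.Version
        AUOptions   = $auOption
        InstallDay  = if ($null -ne $day) { $days[$day] } else { $null }
        InstallTime = $time
        KB2885694   = $hasKb
        Verdict     = $verdict
    }
}

Get-WuScheduleAudit | Format-List
```

Run it before approving updates with a deadline: a host that returns the RISK verdict is one where the approval alone can trigger installation and a restart at the next daily event.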

All replies

  • Yesterday I approved WSUS updates like we have in the past to our SERVERS target group and set the deadline to occur on 11/10/13 at 3:00 AM CST.

    Two of our file servers running Windows Server 2012 Standard installed the updates starting at 3:00 AM CST last night instead of on Sunday.

    This, simply stated (and perhaps not so softly either), is simply a function of a severe misunderstanding of the purpose and operation of an approval deadline in combination with a scheduled installation event.

    A deadline does not, and never has, specified WHEN an update will be installed. It only specifies that an update will be installed NO LATER THAN the specified deadline.

    Ergo, the behavior you have observed is exactly the correct behavior expected, and frankly I'm quite surprised this hasn't happened previously. How many months have you been doing this?

    We are trying to figure out why only two servers in the same OU with the same policy and target group applied as the rest of the servers started installing the updates 5 days early.

    Plain and simply, this happened because [a] the updates were approved, [b] the installation files were successfully downloaded prior to the scheduled installation event, and [c] the installation event happened. The real dysfunction here is why didn't the other servers download and/or schedule the installations!

    We are running WSUS 3.2.7600.226

    Well, actually you're not, since you're patching WS2012 systems. But now I'm just being pedantic. :-)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence R Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Wednesday, November 06, 2013 7:26 PM
    Moderator
  • this article might be relevant?
    http://blogs.technet.com/b/wsus/archive/2013/10/08/enabling-a-more-predictable-windows-update-experience-for-windows-8-and-windows-server-2012-kb-2885694.aspx

    Don

    Wednesday, November 06, 2013 8:18 PM
  • Hello Lawrence,

    The server in question, its WSUS GPO is set to only install updates on SUNDAY @ 3am - the same as what was used for the deadline.

    Of the 200 servers with identical setup - only the two 2012 servers installed patches prior to the defined time in the GPO.

    Whether there is a deadline or not, the server should only have installed patches at the predefined day of the week and time, in this case it did not.


    • Edited by E-Kuf Wednesday, November 06, 2013 8:38 PM
    Wednesday, November 06, 2013 8:38 PM