none
WSUS 3.0 - All Computers group inexplicably selected for updates deployment

    Pergunta

  • Hi there

    I recently deployed MS updates to our client estate, and somehow unintentionally managed to deploy to the All Computers group without realising it.

    I'm hoping someone has experienced this before, and can offer some clarity.

    Like most places, we don't deploy updates when they're released to the entire estate. We break up the deployment, and initially deploy only to selected test groups (stage 1) to allow us to guage any potential negative impact. A period of time after the initial test deployments, we deploy to another single group (stage 2). A period of time after that we deploy to all client machines (stage 3) via the Workstations group.

    One thing: we never use the All Computer group for deployments. We use custom groups underneath the Workstations group initially, then we use the Workstations group, with inheritence, to patch all machines.

    So imagine my surprise (nay, blood-curdling horror) when, a few hours after deploying to the stage 2 group, a colleague advised me that deployments are going out to the entire estate, including remote offices.

    Checking the WSUS console for the patches in question, I was presented with the plain fact that I had somehow selected not just the single stage 2 group for the thirty or so approved patches, but had also managed to select the All Computers group too.

    My question is, since I remember clearly only intentionally manually selecting the stage 2 group, how on earth did I manage to select the All Computers group??

    As you will know, to select a group, you have to click on it once to access the drop-down menu, then click once again to install. I am clear that I did not do this for All Computers. Nor are there any automatic approval rules in place.

    I simply used the ctrl button to select the same patches I had sent out at an earlier date (stage 1) and then selected the stage 3 group.

    I am at a loss as to how I managed to select the All Computers group at this stage, I truly am.

    I have checked the change.log and softwaredistribution.log files from the WSUS server, and clear as day, for each update I approved for install at stage 2, the update goes to the custom stage 2 group, and then it goes again to All Computers.

    I'm baffled. And understandably not very popular in the office. If someone has encountered this before, I'd really like to know if there is some obscure trick or keyboard stroke sequence which can inadvertently cause the All Computers group to be selected. Or if there is any other reason for this to occur other than me goofing up.

    Best regards

    John

    segunda-feira, 16 de setembro de 2013 19:29

Respostas

Todas as Respostas

  • Hi,

    As far as I know, when we approve updates to computer, we need to choose groups that you want to deploy updates to, please recheck what groups you selected.

    Since you haven’t choose all computers, clients shouldn’t have received the updates.

    There is an unassigned group you should pay attention to; client computers will be added once the client connects to the server by default.

    You can refer to:

    Step 3: Configure WSUS

    http://technet.microsoft.com/en-us/library/hh852346.aspx#BKM_ConfigureComputerGroups

    Step 7: Approve and Deploy Updates in WSUS 3.0

    http://technet.microsoft.com/en-us/library/cc708475(v=ws.10).aspx

    In addition, you can check the reports to see if any helps.

    Hope this helps.

    quarta-feira, 18 de setembro de 2013 08:37
    Moderador
  • Hi Daniel

    Thank you for responding.

    Yes I've checked the WSUS server logs as I mentioned in my post, and they confirm that the All Computers group was selected at the same time as the stage 2 group.

    I am not disputing that the All Computers group was selected, what I am certain of is I did not intentionally, deliberately select it, so I was wondering if there are any known WSUS bugs or issues or gotchas which can cause the All Computers group to be inadvertently selected.

    If not, then I guess I have to question my sanity!

    Thanks again for responding.

    John

    quarta-feira, 18 de setembro de 2013 08:56
  • Or if there is any other reason for this to occur other than me goofing up.

    Nope. :-)

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    quarta-feira, 18 de setembro de 2013 15:13
    Moderador
  • Fair enough.

    Thanks for responding.

    John.

    quinta-feira, 19 de setembro de 2013 08:31
  • If not, then I guess I have to question my sanity!

    that, or, a mild suspicion of the office prankster... (don't leave your console unlocked when he's around ;)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    quinta-feira, 19 de setembro de 2013 09:37