Puzzled over WSUS, restore points and Install History not jiving

    Question


    Hello,

    Long time lurker, first time poster, it is just a stab in the dark that WSUS is related to my problem but I am hoping someone can help me find out for sure.

     I have a notion that what gets installed from WSUS, should show up in the Update Install history on the client and a restore point should be created at the same point but I am not seeing that. Is my assumption off?

    Clients are Win7 Pro x64 SP1 imaged, Office 2010 STD 32bit installed via GPO prior to image. WSUS 3 running on 2003r2

    Our WSUS server is set to approve all updates for OS and Office to clients. (Although I would love to discuss the propriety of this sometime I am not looking to do that now :)

    The last update in WSUS shows Jan 8th

    The Update History on the client in installed Updates shows 1/15/13 as the most recent updates

    The Client shows a System restore point on 1/29/13 @ 22:05

    If I am reading the WindowsUpdate.log correctly we had a Windows Defender Definition file update at the same time of the restore 22:05

    Clients reboot 1/30 @ ~17:00

    Clients started noticing strange problems on a few machines on Jan 31st (2 Complete Program Folder hierarchies disappearing (not hidden), Excel 2010 launching at startup complaining of Language pack not being supported and immediate consecutive reboots)

    Using the restore I can bring the system back to where it needs to be.

    Scanning for files changed on/after the 28th, there is a Windows Defender shows nothing in History.

    Trend Micro Worry Free shows no activity during this time.

    Two machines were heavily scanned for malware over and above our normal protection, none found.

    No recent Group Policy changes.

    I would like to know how to figure out what caused all my problems and keep it from happening to other machines. If it is coming from WSUS I would like to stop it.
    I suspect an Office update but I can’t find the proof or the update.
    Update - I just now noticed that Outlook shows "Upgrade in Progress", "Upgrade Outlook Connector You must upgrade to the latest version of Outlook Hotmail Connector to continue using this email." We connect to Exchange 2007.

    Any help would be gratefully appreciated,

    Todd

    • Edited by ICXC_Nika Friday, February 01, 2013 9:24 PM
    Friday, February 01, 2013 4:52 PM

All replies

  • Hi Again,

    I am fairly confident my problems are related to a failed Office update, where can I look to see what the update was so I can disable it in WSUS?

    Thank you,

    Todd 

    Friday, February 01, 2013 10:09 PM
  • > I have a notion that what gets installed from WSUS, should show up in the Update Install history on the client and a restore point should be created at the same point but I am not seeing that. Is my assumption off?

    Yes.

    Whether a restore point gets created or not has nothing to do with the Windows Update Agent, or WSUS, but rather with the CBS (on Vista and later) and/or the individual update being installed. WSUS and the WUAgent do not do installation activities. The WUAgent retrieves an installer from WSUS (or AU/WU/MU), downloads it and executes it. What happens after the installer execution starts has nothing to do with WSUS or the WUAgent and the only thing the WUAgent knows is that the installer returned a 'success' or 'failure' result code after it finishes doing whatever it does.

    > Our WSUS server is set to approve all updates for OS and Office to clients. (Although I would love to discuss the propriety of this sometime I am not looking to do that now :)

    Be happy to discuss that in another thread at another time. :)

    > The last update in WSUS shows Jan 8th

    That's consistent and expected. Patch Tuesday, January 2013. From that information I'll also infer that you are not synchronizing the "Definition Updates" update classification.

    > The Update History on the client in installed Updates shows 1/15/13 as the most recent updates

    That's entirely possible too... where is Windows Defender getting its signature file updates from?

    Where is Outlook 2010 getting its Junk Mail Filter updates from?

    > The Client shows a System restore point on 1/29/13 @ 22:05
    >
    > If I am reading the WindowsUpdate.log correctly we had a Windows Defender Definition file update at the same time of the restore 22:05

    That's entirely possible also.

    > Trend Micro Worry Free shows no activity during this time.

    Running multiple AV/AM software packages can be problematic. You should choose one or the other.

    > I would like to know how to figure out what caused all my problems and keep it from happening to other machines.

    Have you reviewed the EVENT logs for these systems? I think you're going to need to get much more granular in your event activity than just a Defender signature update and a system restart 18 hours later.

    > If it is coming from WSUS I would like to stop it.

    Well, you've all but explicitly ruled this possibility out. If the last *update* installed to the machine was on January 15th, and WSUS isn't synchronizing Definition Updates, it seems near impossible, yes? Except for one thing... there were, in fact, updates released to WSUS on Jan 14, Jan 16, and Jan 22 that were applicable to Windows 7 systems, so your WSUS server should have received them, which begs the question of the most recent update being dated Jan 8.

    > I suspect an Office update but I can’t find the proof or the update.

    There haven't been any Office 2010 updates released since mid-December, but there was an Office 2007 security update released on Jan 8th that would have been applicable to any Office 2010 systems with the Office 2007 Compatibility Pack installed.

    > Update - I just now noticed that Outlook shows "Upgrade in Progress", "Upgrade Outlook Connector You must upgrade to the latest version of Outlook Hotmail Connector to continue using this email."

    This is a Windows Live thing.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, February 02, 2013 2:29 AM
  • Thank you Lawrence for taking the time to lend your expertise to sort through this with me. You have given me a ton to dig into so I can report back but I would like to ask if you would help me focus in on how to find out what the last update was on the client. One detail that may be helpful is that these are imaged machines and the ones I am having trouble with were in production only a few days at the time of the trouble so it is likely that WSUS was playing catch up.

    The Defender updates are coming from WSUS. Office 2010 is supposed to be coming from WSUS as well but I can't find any record of these installs. I have declined the existing Office 2010 updates to hopefully stop these problems from happening to the 20 other machines I deployed with these.

    Can you unpack the "This is a windows live thing" please? I believe that this half installed update is what has caused all my problems but I can not find hard evidence, just broken machines with missing directories and this error only visible on the file tab of Outlook. Outlook is only used to connect to Exchange.

    Thank you again for jumping in to help Lawrence,

    Todd

    Thursday, February 07, 2013 1:52 PM
  • > I would like to ask if you would help me focus in on how to find out what the last update was on the client.

    IMHO, the most reliable methodology of determining the last update of a client system would be to review the %windir%\SoftwareDistribution\ReportingEvents.log. This log records just the *events* that have occurred on the client. They are also recorded in the AppEventLog and sent to the WSUS server, but both the EventLog and WSUS server typically are configured to age those events out of their history. The ReportingEvents.log file is a permanent repository for the lifetime of the machine (unless you've deleted the SoftwareDistribution folder).

    > One detail that may be helpful is that these are imaged machines and the ones I am having trouble with were in production only a few days at the time of the trouble so it is likely that WSUS was playing catch up.

    It could also be complicated by any update history done to the master system prior to being imaged. You'll need to know the deployment date of the clone and filter from that date.

    > Can you unpack the "This is a windows live thing" please?

    The "Outlook Connector" is a utility that allows Outlook to use the MAPI protocol to retrieve email from MSN.com, Hotmail.com, and Outlook.com. As far as I know it cannot be updated via WSUS; only via download/install from live.com.

    > Outlook is only used to connect to Exchange.

    Then you definitely don't need the Outlook Connector. It's likely that it was installed as a result of somebody downloading/installing Windows Live components. Also, Outlook will prompt for the Outlook Connector installation if the end-user attempts to create an account with an msn.com, hotmail.com, or outlook.com address.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, February 07, 2013 11:59 PM
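
The ReportingEvents.log review described in the answer above, filtered from the clone's deployment date, as an added example that is not part of the original thread. The function name, the 2013-01-25 deployment date and the sample lines are constructed, and the tab-separated column layout (timestamp second, status, type and message last) is an assumption to check against a real log.

```powershell
# Added example: turn ReportingEvents.log lines into objects and drop everything
# that predates the clone's deployment (history inherited from the master image).
# ASSUMED layout: 12+ tab-separated columns, timestamp in column 2.
function ConvertFrom-ReportingEvent {
    param(
        [Parameter(ValueFromPipeline = $true)][string]$Line,
        [datetime]$Since = [datetime]::MinValue      # deployment date of the clone
    )
    process {
        $f = $Line -split "`t"
        if ($f.Count -lt 12 -or $f[1].Length -lt 19) { return }   # blank or truncated line
        $when = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($f[1].Substring(0, 19), 'yyyy-MM-dd HH:mm:ss',
            [Globalization.CultureInfo]::InvariantCulture,
            [Globalization.DateTimeStyles]::None, [ref]$when)
        if (-not $ok -or $when -lt $Since) { return }
        New-Object psobject -Property @{
            Time    = $when;   EventId = $f[3];  UpdateId = $f[5]
            HResult = $f[7];   Caller  = $f[8];  Status   = $f[9]
            Type    = $f[10];  Message = ($f[11..($f.Count - 1)] -join ' ')
        }
    }
}

# Constructed sample lines ('|' stands in for the tab so the sample survives copy/paste).
$sample = @(
    '{constructed-1}|2012-12-20 14:02:11:250-0600|1|183|101|{update-A}|100|0|AutomaticUpdates|Success|Content Install|Installation Successful: Constructed Update A (installed on the master image)'
    '{constructed-2}|2013-01-26 03:00:41:007-0600|1|147|101|{none}|0|0|AutomaticUpdates|Success|Software Synchronization|Windows Update Client successfully detected 3 updates.'
    '{constructed-3}|2013-01-26 03:14:09:512-0600|1|183|101|{update-B}|101|0|AutomaticUpdates|Success|Content Install|Installation Successful: Constructed Update B'
    '{constructed-4}|2013-01-29 22:05:03:120-0600|1|182|101|{update-C}|102|80070643|AutomaticUpdates|Failure|Content Install|Installation Failure: Constructed Update C'
) | ForEach-Object { $_ -replace '\|', "`t" }

# Install events on or after the assumed deployment date, oldest first.
$sample | ConvertFrom-ReportingEvent -Since '2013-01-25' |
    Where-Object { $_.Type -eq 'Content Install' } |
    Sort-Object Time |
    Select-Object Time, Status, HResult, Caller, Message

# Against a real client, replace $sample with:
#   Get-Content "$env:windir\SoftwareDistribution\ReportingEvents.log"
```

With the constructed input, the master-image entry from 2012-12-20 and the detection-only event are excluded, leaving the two install events that happened after deployment.
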
  • Thank you for this great information Gavin! The ReportingEvents.log gives me the timeline I am looking for. My workaround to my problem was to repair office but hopefully this will help me find the cause.

    Todd

    Thursday, March 07, 2013 2:07 PM
  • I discovered the root of my initial problem and it had nothing to do with WSUS or any updates. There was a bug in a 3rd party helpdesk tool we are using, the deployment of this tool would just wipe out some directories and files and the results were not pretty.

    Thank you again for the help Lawrence.

    Todd

    Monday, March 18, 2013 2:04 PM