Some servers not patching during expected patch windows

    Question

  • Hi everyone,

    I have a very limited patch window to do updates in, and I've run across some problems, and wanted to ask if anyone has a solution.

    The behavior is simple: the server gets the patch from WSUS, and then for some reason it decides that it cannot run the patch during the current patch window, and must run it during the next.

    These patches need to be manually tripped - basically I have to RDP into the server and manually start the patch process. Running Wuauclt /updatenow will sometimes also work, but doing it through the interface works 100% of the time.

    I'd like to avoid these cases; they take time away from reporting and have caused a few cases where I was getting close to my deadline because a lot of these popped up. It is frustrating, because month to month this will happen on different servers; it never seems to have any sort of pattern. It has happened on Server 2008 R2 and Server 2003 boxes as well, virtual, or no.

    Here's an example from the last patch cycle. Keep in mind, a patching window is currently open when this message is presented, every Tuesday between 9 PM and 11 PM. (Unfortunately, we aren't allowed to patch the servers inside this patch group on any other day but the last Tuesday of every month, and they must be successful.)

    Log Name:      System
    Source:        Microsoft-Windows-WindowsUpdateClient
    Date:          3/26/2013 9:00:10 PM
    Event ID:      18
    Task Category: Automatic Updates
    Level:         Information
    Keywords:      Success,Download
    User:          SYSTEM
    Computer:      PRDTO2SRCW03.Canwest.TV
    Description:
    Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎April ‎02, ‎2013 at 9:00 PM:
    - Cumulative Security Update for Internet Explorer 9 for Windows Server 2008 R2 x64 Edition (KB2809289)
    - Security Update for Windows Server 2008 R2 x64 Edition (KB2807986)

    Wednesday, April 03, 2013 14:31

Answers

  • Date:          3/26/2013 9:00:10 PM

    Description:
    Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎April ‎02, ‎2013 at 9:00 PM:
    - Cumulative Security Update for Internet Explorer 9 for Windows Server 2008 R2 x64 Edition (KB2809289)
    - Security Update for Windows Server 2008 R2 x64 Edition (KB2807986)

    Looks like you're being bitten by a misconfiguration/misunderstanding of how the WUAgent handles patch acquisition and scheduling.

    What happened here is that the WUAgent finished downloading the update at 9:00:10PM (10 seconds after the scheduled installation event on 3/26), so it scheduled it to be installed at the next available installation event, which is Tuesday, 4/2 @ 9pm.

    The updates must be downloaded prior to the scheduled installation event in order to be installed at that event.

    If you have a locked down maintenance window from 9p-11p, then you have two possible approaches:

    1. The client detects and downloads the updates prior to Tuesday, 9pm, so they can be installed at the start of the maintenance window.
    2. The scheduled installation time is shifted to 10pm, so that updates can be downloaded between 9pm and 10pm and be installed at 10pm.

    This is the point where you might also find it useful to shift the maintenance window to the half-hour boundary. A maintenance window from 9:30pm-11:30pm can download updates at 9:30pm, install them at 10pm, but have the added float of an extra 30 minutes to complete the installations and reboot. Now, in reality, though, typical monthly patch cycles should install and reboot in not more than 15 minutes, so this advantage is more theoretical than practical.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by Loregrant Thursday, April 04, 2013 15:40
    Wednesday, April 03, 2013 22:55
    Moderator
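
The scheduling rule described in the answer above, as an added example that is not part of the original thread: it parses an exported Event ID 18 record and checks whether a download-ready time still catches an install event inside the maintenance window. The function names, the weekday-plus-hour model of the schedule, and the treatment of an exact tie as "too late" are assumptions; `SAMPLE_EVENT` is a trimmed copy of the event quoted in the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: trimmed copy of the Event ID 18 text quoted in the question.
# Windows writes U+200E (left-to-right mark) in front of each date token.
SAMPLE_EVENT = (
    "Date:          3/26/2013 9:00:10 PM\n"
    "Event ID:      18\n"
    "Description:\n"
    "Installation Ready: The following updates are downloaded and ready for "
    "installation. This computer is currently scheduled to install these "
    "updates on \u200eTuesday, \u200eApril \u200e02, \u200e2013 at 9:00 PM:\n"
)

def parse_event18(text):
    """Return (ready_time, scheduled_install) from an exported Event ID 18 record."""
    text = text.replace("\u200e", "")  # invisible marks break date parsing
    logged = re.search(r"^Date:\s+(.+)$", text, re.M).group(1).strip()
    sched = re.search(r"install these updates on (.+?):\s*$", text, re.M).group(1)
    return (datetime.strptime(logged, "%m/%d/%Y %I:%M:%S %p"),
            datetime.strptime(sched, "%A, %B %d, %Y at %I:%M %p"))

def next_install_slot(ready, weekday, hour):
    """First weekly install event strictly after `ready` (weekday: Monday=0).

    Models the rule from the answer: a download that completes at or after
    an install event waits for the next one (tie handling is an assumption).
    """
    slot = ready.replace(hour=hour, minute=0, second=0, microsecond=0)
    slot += timedelta(days=(weekday - ready.weekday()) % 7)
    if slot <= ready:
        slot += timedelta(days=7)
    return slot

def misses_window(ready, weekday, hour, window_end):
    """True when the install would not start before this window closes."""
    return next_install_slot(ready, weekday, hour) >= window_end

if __name__ == "__main__":
    ready, logged_slot = parse_event18(SAMPLE_EVENT)
    window_end = datetime(2013, 3, 26, 23, 0)  # 9 PM - 11 PM window from the thread
    print("agent scheduled:", logged_slot)
    print("model, install at 9 PM: ", next_install_slot(ready, 1, 21))
    print("model, install at 10 PM:", next_install_slot(ready, 1, 22))
    print("misses window at 9 PM: ", misses_window(ready, 1, 21, window_end))
    print("misses window at 10 PM:", misses_window(ready, 1, 22, window_end))
```
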

All replies

  • Thanks Lawrence, I'll talk to the powers that be and see if we can come to a compromise like this. The sad part about this issue is it never seems to happen on our test servers :)

    Thursday, April 04, 2013 14:55