none
Solving deadline installs

    Pertanyaan

  • Greetings everyone.

    I'm using WSUS in my enviroment,with my users machines in some groups and the servers in another.

    So, I made 2 GPOs, 1 for the users, which works perfectly, and other apart for servers with this spec:

    Windows Components/Windows
    Update
    hide
    Policy Setting Comment
    Configure automatic updating: 3 - Auto download and notify for install
    The following settings are only required
    and applicable if 4 is selected.
    Scheduled install day: 0 - Every day
    Scheduled install time: 03:00
    Policy Setting Comment

    ();">Specify
    intranet Microsoft update service location
    Enabled
    Set the intranet update service for detecting updates: http://wsusserver
    Set the intranet statistics server: http://wsuswerver

    (example: http://IntranetUpd01)

    It worked perfectly for 2 months, yet yesterday one server machines was updated due to deadline install, as log shows:

     # Initiating deadline install
    2012-06-27 13:22:24:137  680 ee8 AU   # Approved updates = 25
    2012-06-27 13:22:24:152  680 ee8 AU <<## SUBMITTED ## AU: Install updates / installing updates [CallId = {CAE67EED-774B-4E9B-991F-8087471FB404}]
    2012-06-27 13:22:24:152  680 b60 Report REPORT EVENT: {836F4DB7-9562-4B0A-82C2-9E4049D6DBD5} 2012-06-27 13:22:24:059+0200 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Wednesday, ‎June ‎27, ‎2012 at 1:22 PM:  - Security Update for Windows Server 2008 R2 x64 Edition (KB2644615) - Security Update for Windows Server 2008 R2 x64 Edition (KB2585542) - Security Update for Windows Server 2008 R2 x64 Edition (KB2620704) - Security Update for Windows Server 2008 R2 x64 Edition (KB2564958) - Security Update for Windows Server 2008 R2 x64 Edition (KB2676562) - Security Update for Windows Server 2008 R2 x64 Edition (KB2620712) - Update for Windows Server 2008 R2 x64 Edition (KB2641690) - Security Update for Windows Server 2008 R2 x64 Edition (KB2631813) - Cumulative Security Update for Internet Explorer 9 for Windows Server 2008 R2 x64 Edition (KB2675157) - Security Update for Windows Server 2008 R2 x64 Edition (KB2621440) - Security Update for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008, Server 2008 R2 for x64 (KB2656351) - Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2604115) - Security Updat
    2012-06-27 13:22:24:168  680 b60 Report CWERReporter finishing event handling. (00000000)
    2012-06-27 13:22:24:183  680 dbc Agent *************
    2012-06-27 13:22:24:183  680 dbc Agent ** START **  Agent: Installing updates [CallerId = AutomaticUpdates]
    2012-06-27 13:22:24:183  680 dbc Agent *********

    :::::::::::::
    2012-06-27 13:22:25:993 3404 e5c Handler :: START ::  Handler: CBS Install
    2012-06-27 13:22:25:993 3404 e5c Handler :::::::::
    2012-06-27 13:22:26:009 3404 e5c Handler Starting install of CBS update 45732EBC-A984-4454-9A7D-7B7C72FBFD4C
    2012-06-27 13:22:26:009 3404 e5c Handler CBS package identity: Package_for_KB2644615~31bf3856ad364e35~amd64~~6.1.1.0

    .

    .

    .

    The annoying thing is that this only ocurred in 1 of the 35 serves in the group, the others didnt made any update in the next 30 min, as I chaged that GPO to disable windows update.

    In WSUS that group apart called servers is also exepted from important, critical and security auto-aproved updates.

    So, could there be a way to avoiding this deadline install overriding GPO and WSUS config?


    28 Juni 2012 11:07

Jawaban

  • As far as I know, I dont have any deadline configured or I could say I don't even know where to configure it.

    So my next question would be, where can I check the values of the deadlines?

    Well, *somebody* configured a deadline. :-)

    You reported that updates were installed due to a deadline, and the logfile confirms this -- updates were 'scheduled' to be installed at 1:22pm local time -- and the only way the WUAgent 'schedules' updates to be installed immediately is if expired deadlines are discovered.

    Deadlines are set in the Approval dialog. You may find this section in the WSUS Operations Guide to be useful: http://technet.microsoft.com/en-us/library/dd939929(v=ws.10)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    02 Juli 2012 23:55
    Moderator

Semua Balasan

  • yet yesterday one server machines was updated due to deadline install
    Correct. Deadlines override anything configured in policy.
    So, could there be a way to avoiding this deadline install overriding GPO and WSUS config?
    Uhhh.... don't configure the deadline???

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    01 Juli 2012 21:43
    Moderator
  • As far as I know, I dont have any deadline configured or I could say I don't even know where to configure it.

    So my next question would be, where can I check the values of the deadlines?

    02 Juli 2012 15:56
  • As far as I know, I dont have any deadline configured or I could say I don't even know where to configure it.

    So my next question would be, where can I check the values of the deadlines?

    Well, *somebody* configured a deadline. :-)

    You reported that updates were installed due to a deadline, and the logfile confirms this -- updates were 'scheduled' to be installed at 1:22pm local time -- and the only way the WUAgent 'schedules' updates to be installed immediately is if expired deadlines are discovered.

    Deadlines are set in the Approval dialog. You may find this section in the WSUS Operations Guide to be useful: http://technet.microsoft.com/en-us/library/dd939929(v=ws.10)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    02 Juli 2012 23:55
    Moderator
  • There was an automatic rule, approving critical and security updates to all the groups except servers.

    I still don´t know why my server took that update and deadline, still I guess that was what forced it to install updates and reboot.

    Thanks for your help Lawrence.

    03 Juli 2012 8:17
  • There was an automatic rule, approving critical and security updates to all the groups except servers.

    I still don´t know why my server took that update and deadline, still I guess that was what forced it to install updates and reboot.

    The specific update, and deadline, is identified in the WindowsUpdate.log. Also the Change.LOG, found in %ProgramFiles%\Update Services\Logfiles can also be used to help identify which update, when it was approved, and possibly who approved it.

    The log entries above are incomplete.. and any one of those updates (or ones not listed, since the entry was cut off) could have been the culprit.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    05 Juli 2012 15:30
    Moderator